From 08e8d462fe7b3ed4aebc6e15c82924085ad8cebe Mon Sep 17 00:00:00 2001
From: Sam Sneed <163201376+sam-sneed@users.noreply.github.com>
Date: Thu, 25 Jul 2024 12:43:35 -0500
Subject: [PATCH] OMG ISTG PLS WORK
RED PILL :red_circle: :pill:
---
.gitignore | 2 +
LICENSE-YARA-RULES-NEO23X0 | 38 +
LICENSE-YARA-RULES-REVERSINGLABS | 19 +
README.md | 10 +-
main.py | 23 +-
requirements.txt | 2 +-
yara-Neo23x0/apt_aa19_024a.yar | 19 +
yara-Neo23x0/apt_agent_btz.yar | 106 +
yara-Neo23x0/apt_alienspy_rat.yar | 50 +
yara-Neo23x0/apt_apt10.yar | 1406 +
yara-Neo23x0/apt_apt10_redleaves.yar | 48 +
yara-Neo23x0/apt_apt12_malware.yar | 25 +
yara-Neo23x0/apt_apt15.yar | 307 +
yara-Neo23x0/apt_apt17_mal_sep17.yar | 107 +
yara-Neo23x0/apt_apt17_malware.yar | 36 +
yara-Neo23x0/apt_apt19.yar | 69 +
yara-Neo23x0/apt_apt27_hyperbro.yar | 389 +
yara-Neo23x0/apt_apt27_rshell.yar | 40 +
yara-Neo23x0/apt_apt28.yar | 159 +
yara-Neo23x0/apt_apt28_drovorub.yar | 115 +
yara-Neo23x0/apt_apt29_grizzly_steppe.yar | 311 +
yara-Neo23x0/apt_apt29_nobelium_apr22.yar | 38 +
yara-Neo23x0/apt_apt29_nobelium_may21.yar | 305 +
yara-Neo23x0/apt_apt30_backspace.yar | 1255 +
yara-Neo23x0/apt_apt32.yar | 49 +
yara-Neo23x0/apt_apt34.yar | 59 +
yara-Neo23x0/apt_apt37.yar | 17 +
yara-Neo23x0/apt_apt37_bluelight.yar | 144 +
yara-Neo23x0/apt_apt3_bemstour.yar | 275 +
yara-Neo23x0/apt_apt41.yar | 267 +
yara-Neo23x0/apt_apt6_malware.yar | 55 +
yara-Neo23x0/apt_ar18_165a.yar | 76 +
yara-Neo23x0/apt_area1_phishing_diplomacy.yar | 46 +
yara-Neo23x0/apt_aus_parl_compromise.yar | 172 +
yara-Neo23x0/apt_babyshark.yar | 53 +
yara-Neo23x0/apt_backdoor_ssh_python.yar | 17 +
...t_backdoor_sunburst_fnv1a_experimental.yar | 47 +
yara-Neo23x0/apt_backspace.yar | 19 +
.../apt_barracuda_esg_unc4841_jun23.yar | 228 +
yara-Neo23x0/apt_beepservice.yar | 31 +
yara-Neo23x0/apt_between-hk-and-burma.yar | 224 +
yara-Neo23x0/apt_bigbang.yar | 51 +
yara-Neo23x0/apt_bitter.yar | 21 +
yara-Neo23x0/apt_blackenergy.yar | 188 +
yara-Neo23x0/apt_blackenergy_installer.yar | 16 +
yara-Neo23x0/apt_bluetermite_emdivi.yar | 143 +
yara-Neo23x0/apt_bronze_butler.yar | 197 +
yara-Neo23x0/apt_buckeye.yar | 76 +
yara-Neo23x0/apt_camaro_dragon_oct23.yar | 56 +
yara-Neo23x0/apt_candiru.yar | 47 +
yara-Neo23x0/apt_carbon_paper_turla.yar | 71 +
yara-Neo23x0/apt_casper.yar | 104 +
yara-Neo23x0/apt_cheshirecat.yar | 108 +
.../apt_cisco_asa_line_dancer_apr24.yar | 16 +
yara-Neo23x0/apt_cloudatlas.yar | 37 +
yara-Neo23x0/apt_cloudduke.yar | 61 +
yara-Neo23x0/apt_cmstar.yar | 31 +
yara-Neo23x0/apt_cn_netfilter.yar | 52 +
yara-Neo23x0/apt_cn_pp_zerot.yar | 241 +
yara-Neo23x0/apt_cn_reddelta.yar | 78 +
yara-Neo23x0/apt_cn_twisted_panda.yar | 194 +
yara-Neo23x0/apt_cobaltstrike.yar | 122 +
yara-Neo23x0/apt_cobaltstrike_evasive.yar | 320 +
yara-Neo23x0/apt_codoso.yar | 367 +
yara-Neo23x0/apt_coreimpact_agent.yar | 27 +
yara-Neo23x0/apt_danti_svcmondr.yar | 77 +
yara-Neo23x0/apt_darkcaracal.yar | 30 +
yara-Neo23x0/apt_darkhydrus.yar | 91 +
yara-Neo23x0/apt_deeppanda.yar | 90 +
yara-Neo23x0/apt_derusbi.yar | 143 +
yara-Neo23x0/apt_dnspionage.yar | 48 +
yara-Neo23x0/apt_donotteam_ytyframework.yar | 43 +
yara-Neo23x0/apt_dragonfly.yar | 109 +
yara-Neo23x0/apt_dtrack.yar | 44 +
yara-Neo23x0/apt_dubnium.yar | 152 +
yara-Neo23x0/apt_duqu1_5_modules.yar | 17 +
yara-Neo23x0/apt_duqu2.yar | 104 +
yara-Neo23x0/apt_dustman.yar | 50 +
yara-Neo23x0/apt_emissary.yar | 43 +
yara-Neo23x0/apt_eqgrp.yar | 1948 +
yara-Neo23x0/apt_eqgrp_apr17.yar | 3626 +
yara-Neo23x0/apt_eqgrp_sparc_sbz_apr23.yar | 66 +
.../apt_eqgrp_triangulation_jun23.yar | 18 +
yara-Neo23x0/apt_eternalblue_non_wannacry.yar | 61 +
yara-Neo23x0/apt_exile_rat.yar | 26 +
yara-Neo23x0/apt_f5_bigip_expl_payloads.yar | 23 +
yara-Neo23x0/apt_fakem_backdoor.yar | 49 +
.../apt_fancybear_computrace_agent.yar | 14 +
yara-Neo23x0/apt_fancybear_dnc.yar | 42 +
yara-Neo23x0/apt_fancybear_osxagent.yar | 20 +
.../apt_fidelis_phishing_plain_sight.yar | 30 +
yara-Neo23x0/apt_fin7.yar | 323 +
yara-Neo23x0/apt_fin7_backdoor.yar | 74 +
yara-Neo23x0/apt_fin8.yar | 19 +
yara-Neo23x0/apt_flame2_orchestrator.yar | 34 +
yara-Neo23x0/apt_foudre.yar | 93 +
yara-Neo23x0/apt_four_element_sword.yar | 179 +
yara-Neo23x0/apt_freemilk.yar | 104 +
yara-Neo23x0/apt_fujinama_rat.yar | 22 +
yara-Neo23x0/apt_furtim.yar | 57 +
yara-Neo23x0/apt_fvey_shadowbroker_dec16.yar | 429 +
yara-Neo23x0/apt_fvey_shadowbroker_jan17.yar | 47 +
yara-Neo23x0/apt_ghostdragon_gh0st_rat.yar | 92 +
yara-Neo23x0/apt_glassRAT.yar | 72 +
yara-Neo23x0/apt_golddragon.yar | 154 +
yara-Neo23x0/apt_goldenspy.yar | 20 +
yara-Neo23x0/apt_greenbug.yar | 169 +
yara-Neo23x0/apt_greyenergy.yar | 97 +
yara-Neo23x0/apt_grizzlybear_uscert.yar | 1542 +
yara-Neo23x0/apt_hackingteam_rules.yar | 88 +
yara-Neo23x0/apt_hafnium.yar | 416 +
yara-Neo23x0/apt_hafnium_log_sigs.yar | 104 +
yara-Neo23x0/apt_ham_tofu_chches.yar | 24 +
yara-Neo23x0/apt_hatman.yar | 116 +
yara-Neo23x0/apt_hellsing_kaspersky.yar | 137 +
yara-Neo23x0/apt_hidden_cobra.yar | 185 +
yara-Neo23x0/apt_hiddencobra_bankshot.yar | 92 +
yara-Neo23x0/apt_hiddencobra_wiper.yar | 35 +
yara-Neo23x0/apt_hizor_rat.yar | 28 +
yara-Neo23x0/apt_hkdoor.yar | 99 +
yara-Neo23x0/apt_iamtheking.yar | 48 +
yara-Neo23x0/apt_icefog.yar | 32 +
yara-Neo23x0/apt_indetectables_rat.yar | 56 +
yara-Neo23x0/apt_industroyer.yar | 158 +
yara-Neo23x0/apt_inocnation.yar | 30 +
yara-Neo23x0/apt_irongate.yar | 82 +
yara-Neo23x0/apt_irontiger.yar | 160 +
yara-Neo23x0/apt_irontiger_trendmicro.yar | 276 +
yara-Neo23x0/apt_ism_rat.yar | 25 +
yara-Neo23x0/apt_kaspersky_duqu2.yar | 157 +
yara-Neo23x0/apt_ke3chang.yar | 42 +
yara-Neo23x0/apt_keyboys.yar | 155 +
yara-Neo23x0/apt_keylogger_cn.yar | 35 +
yara-Neo23x0/apt_khrat.yar | 62 +
yara-Neo23x0/apt_korplug_fast.yar | 27 +
yara-Neo23x0/apt_kwampirs.yar | 70 +
yara-Neo23x0/apt_laudanum_webshells.yar | 345 +
yara-Neo23x0/apt_lazarus_applejeus.yar | 100 +
yara-Neo23x0/apt_lazarus_aug20.yar | 42 +
yara-Neo23x0/apt_lazarus_dec17.yar | 89 +
yara-Neo23x0/apt_lazarus_dec20.yar | 218 +
yara-Neo23x0/apt_lazarus_gopuram.yar | 17 +
yara-Neo23x0/apt_lazarus_jan21.yar | 25 +
yara-Neo23x0/apt_lazarus_jun18.yar | 83 +
yara-Neo23x0/apt_lazarus_vhd_ransomware.yar | 43 +
yara-Neo23x0/apt_leviathan.yar | 96 +
yara-Neo23x0/apt_lnx_kobalos.yar | 76 +
yara-Neo23x0/apt_lnx_linadoor_rootkit.yar | 37 +
yara-Neo23x0/apt_lotusblossom_elise.yar | 32 +
yara-Neo23x0/apt_magichound.yar | 50 +
yara-Neo23x0/apt_mal_gopuram_apr23.yar | 90 +
yara-Neo23x0/apt_mal_ilo_board_elf.yar | 18 +
yara-Neo23x0/apt_mal_ru_snake_may23.yar | 82 +
yara-Neo23x0/apt_microcin.yar | 128 +
yara-Neo23x0/apt_middle_east_talosreport.yar | 100 +
yara-Neo23x0/apt_miniasp.yar | 38 +
yara-Neo23x0/apt_minidionis.yar | 89 +
yara-Neo23x0/apt_mofang.yar | 49 +
yara-Neo23x0/apt_molerats_jul17.yar | 112 +
yara-Neo23x0/apt_monsoon.yar | 64 +
yara-Neo23x0/apt_moonlightmaze.yar | 307 +
yara-Neo23x0/apt_ms_platinum.yara | 418 +
yara-Neo23x0/apt_muddywater.yar | 66 +
yara-Neo23x0/apt_naikon.yar | 36 +
yara-Neo23x0/apt_nanocore_rat.yar | 137 +
yara-Neo23x0/apt_nazar.yar | 49 +
yara-Neo23x0/apt_ncsc_report_04_2018.yar | 192 +
yara-Neo23x0/apt_netwire_rat.yar | 60 +
yara-Neo23x0/apt_nk_gen.yar | 35 +
yara-Neo23x0/apt_nk_goldbackdoor.yar | 58 +
yara-Neo23x0/apt_nk_inkysquid.yar | 179 +
yara-Neo23x0/apt_nk_tradingtech_apr23.yar | 242 +
yara-Neo23x0/apt_oilrig.yar | 326 +
yara-Neo23x0/apt_oilrig_chafer_mar18.yar | 107 +
yara-Neo23x0/apt_oilrig_oct17.yar | 116 +
yara-Neo23x0/apt_oilrig_rgdoor.yar | 39 +
yara-Neo23x0/apt_olympic_destroyer.yar | 60 +
yara-Neo23x0/apt_onhat_proxy.yar | 31 +
yara-Neo23x0/apt_op_cleaver.yar | 352 +
yara-Neo23x0/apt_op_cloudhopper.yar | 318 +
yara-Neo23x0/apt_op_honeybee.yar | 86 +
yara-Neo23x0/apt_op_shadowhammer.yar | 22 +
yara-Neo23x0/apt_op_wocao.yar | 394 +
yara-Neo23x0/apt_passcv.yar | 182 +
yara-Neo23x0/apt_passthehashtoolkit.yar | 156 +
yara-Neo23x0/apt_patchwork.yar | 30 +
yara-Neo23x0/apt_peach_sandstorm.yar | 31 +
yara-Neo23x0/apt_plead_downloader.yar | 21 +
yara-Neo23x0/apt_plugx.yar | 36 +
yara-Neo23x0/apt_poisonivy.yar | 230 +
yara-Neo23x0/apt_poisonivy_gen3.yar | 32 +
yara-Neo23x0/apt_poseidon_group.yar | 89 +
yara-Neo23x0/apt_poshspy.yar | 28 +
yara-Neo23x0/apt_prikormka.yar | 136 +
yara-Neo23x0/apt_project_m.yar | 51 +
yara-Neo23x0/apt_project_sauron.yara | 144 +
yara-Neo23x0/apt_project_sauron_extras.yar | 261 +
yara-Neo23x0/apt_promethium_neodymium.yar | 125 +
yara-Neo23x0/apt_pulsesecure.yar | 284 +
yara-Neo23x0/apt_putterpanda.yar | 276 +
yara-Neo23x0/apt_quarkspwdump.yar | 24 +
yara-Neo23x0/apt_quasar_rat.yar | 89 +
yara-Neo23x0/apt_quasar_vermin.yar | 71 +
yara-Neo23x0/apt_rancor.yar | 75 +
yara-Neo23x0/apt_ransom_darkbit_feb23.yar | 45 +
.../apt_ransom_lockbit_citrixbleed_nov23.yar | 86 +
yara-Neo23x0/apt_ransom_vicesociety_dec22.yar | 64 +
yara-Neo23x0/apt_reaver_sunorcal.yar | 104 +
yara-Neo23x0/apt_rehashed_rat.yar | 85 +
.../apt_report_ivanti_mandiant_jan24.yar | 120 +
yara-Neo23x0/apt_revenge_rat.yar | 34 +
yara-Neo23x0/apt_rocketkitten_keylogger.yar | 35 +
yara-Neo23x0/apt_rokrat.yar | 127 +
yara-Neo23x0/apt_royalroad.yar | 189 +
yara-Neo23x0/apt_ru_crywiper.yar | 19 +
yara-Neo23x0/apt_ruag.yar | 90 +
yara-Neo23x0/apt_rwmc_powershell_creddump.yar | 43 +
yara-Neo23x0/apt_sakula.yar | 80 +
yara-Neo23x0/apt_sandworm_centreon.yar | 233 +
yara-Neo23x0/apt_sandworm_cyclops_blink.yar | 200 +
yara-Neo23x0/apt_sandworm_exim_expl.yar | 167 +
yara-Neo23x0/apt_saudi_aramco_phish.yar | 27 +
yara-Neo23x0/apt_scanbox_deeppanda.yar | 34 +
yara-Neo23x0/apt_scarcruft.yar | 15 +
yara-Neo23x0/apt_seaduke_unit42.yar | 28 +
yara-Neo23x0/apt_sednit_delphidownloader.yar | 62 +
yara-Neo23x0/apt_servantshell.yar | 17 +
yara-Neo23x0/apt_shadowpad.yar | 35 +
yara-Neo23x0/apt_shamoon.yar | 13 +
yara-Neo23x0/apt_shamoon2.yar | 75 +
yara-Neo23x0/apt_sharptongue.yar | 46 +
yara-Neo23x0/apt_shellcrew_streamex.yar | 98 +
yara-Neo23x0/apt_sidewinder.yar | 50 +
yara-Neo23x0/apt_silence.yar | 64 +
yara-Neo23x0/apt_skeletonkey.yar | 46 +
yara-Neo23x0/apt_slingshot.yar | 144 +
yara-Neo23x0/apt_snaketurla_osx.yar | 87 +
yara-Neo23x0/apt_snowglobe_babar.yar | 37 +
yara-Neo23x0/apt_sofacy.yar | 78 +
yara-Neo23x0/apt_sofacy_cannon.yar | 32 +
yara-Neo23x0/apt_sofacy_dec15.yar | 143 +
yara-Neo23x0/apt_sofacy_fysbis.yar | 55 +
yara-Neo23x0/apt_sofacy_hospitality.yar | 33 +
yara-Neo23x0/apt_sofacy_jun16.yar | 65 +
yara-Neo23x0/apt_sofacy_oct17_camp.yar | 71 +
yara-Neo23x0/apt_sofacy_xtunnel_bundestag.yar | 116 +
yara-Neo23x0/apt_sofacy_zebrocy.yar | 22 +
yara-Neo23x0/apt_solarwinds_sunburst.yar | 174 +
yara-Neo23x0/apt_solarwinds_susp_sunburst.yar | 32 +
yara-Neo23x0/apt_sphinx_moth.yar | 120 +
yara-Neo23x0/apt_stealer_cisa_ar22_277a.yar | 67 +
yara-Neo23x0/apt_stonedrill.yar | 192 +
yara-Neo23x0/apt_strider.yara | 90 +
yara-Neo23x0/apt_stuxnet.yar | 188 +
yara-Neo23x0/apt_stuxshop.yar | 47 +
yara-Neo23x0/apt_suckfly.yar | 88 +
yara-Neo23x0/apt_sunspot.yar | 88 +
yara-Neo23x0/apt_sysscan.yar | 39 +
yara-Neo23x0/apt_ta17_293A.yar | 229 +
yara-Neo23x0/apt_ta17_318A.yar | 97 +
yara-Neo23x0/apt_ta17_318B.yar | 71 +
yara-Neo23x0/apt_ta18_074A.yar | 67 +
yara-Neo23x0/apt_ta18_149A.yar | 78 +
yara-Neo23x0/apt_ta459.yar | 45 +
yara-Neo23x0/apt_telebots.yar | 144 +
yara-Neo23x0/apt_terracotta.yar | 108 +
yara-Neo23x0/apt_terracotta_liudoor.yar | 25 +
yara-Neo23x0/apt_tetris.yar | 114 +
yara-Neo23x0/apt_threatgroup_3390.yar | 323 +
yara-Neo23x0/apt_thrip.yar | 367 +
yara-Neo23x0/apt_tick_datper.yar | 45 +
yara-Neo23x0/apt_tick_weaponized_usb.yar | 58 +
yara-Neo23x0/apt_tidepool.yar | 32 +
yara-Neo23x0/apt_tophat.yar | 78 +
yara-Neo23x0/apt_triton.yar | 85 +
yara-Neo23x0/apt_triton_mal_sshdoor.yar | 215 +
yara-Neo23x0/apt_turbo_campaign.yar | 189 +
yara-Neo23x0/apt_turla.yar | 295 +
yara-Neo23x0/apt_turla_gazer.yar | 54 +
yara-Neo23x0/apt_turla_kazuar.yar | 82 +
yara-Neo23x0/apt_turla_mosquito.yar | 156 +
yara-Neo23x0/apt_turla_neuron.yar | 143 +
yara-Neo23x0/apt_turla_penquin.yar | 66 +
yara-Neo23x0/apt_turla_png_dropper_nov18.yar | 77 +
yara-Neo23x0/apt_ua_caddywiper.yar | 22 +
yara-Neo23x0/apt_ua_hermetic_wiper.yar | 88 +
yara-Neo23x0/apt_ua_isaacwiper.yar | 29 +
yara-Neo23x0/apt_ua_wiper_whispergate.yar | 119 +
yara-Neo23x0/apt_uboat_rat.yar | 69 +
yara-Neo23x0/apt_unc1151_ua.yar | 16 +
yara-Neo23x0/apt_unc2447_sombrat.yar | 135 +
yara-Neo23x0/apt_unc2546_dewmode.yar | 25 +
yara-Neo23x0/apt_unc2891_mal_jan23.yar | 76 +
yara-Neo23x0/apt_unc3886_virtualpita.yar | 73 +
yara-Neo23x0/apt_unit78020_malware.yar | 132 +
yara-Neo23x0/apt_uscert_ta17-1117a.yar | 93 +
yara-Neo23x0/apt_venom_linux_rootkit.yar | 32 +
yara-Neo23x0/apt_volatile_cedar.yar | 126 +
yara-Neo23x0/apt_vpnfilter.yar | 95 +
yara-Neo23x0/apt_waterbear.yar | 261 +
yara-Neo23x0/apt_waterbug.yar | 129 +
yara-Neo23x0/apt_webmonitor_rat.yar | 34 +
yara-Neo23x0/apt_webshell_chinachopper.yar | 19 +
yara-Neo23x0/apt_wildneutron.yar | 300 +
yara-Neo23x0/apt_wilted_tulip.yar | 289 +
yara-Neo23x0/apt_win_plugx.yar | 62 +
yara-Neo23x0/apt_winnti.yar | 370 +
yara-Neo23x0/apt_winnti_br.yar | 46 +
yara-Neo23x0/apt_winnti_burning_umbrella.yar | 460 +
yara-Neo23x0/apt_winnti_hdroot.yar | 83 +
yara-Neo23x0/apt_winnti_linux.yar | 39 +
yara-Neo23x0/apt_winnti_ms_report_201701.yar | 42 +
yara-Neo23x0/apt_woolengoldfish.yar | 111 +
yara-Neo23x0/apt_xrat.yar | 41 +
yara-Neo23x0/apt_zxshell.yar | 138 +
yara-Neo23x0/bkdr_xz_util_cve_2024_3094.yar | 75 +
yara-Neo23x0/cn_pentestset_scripts.yar | 377 +
yara-Neo23x0/cn_pentestset_tools.yar | 2488 +
yara-Neo23x0/cn_pentestset_webshells.yar | 1171 +
yara-Neo23x0/configured_vulns_ext_vars.yar | 241 +
...crime_academic_data_centers_camp_may20.yar | 36 +
yara-Neo23x0/crime_andromeda_jun17.yar | 38 +
yara-Neo23x0/crime_antifw_installrex.yar | 19 +
yara-Neo23x0/crime_atm_dispenserxfs.yar | 24 +
yara-Neo23x0/crime_atm_javadipcash.yar | 21 +
yara-Neo23x0/crime_atm_loup.yar | 19 +
yara-Neo23x0/crime_atm_xfsadm.yar | 23 +
yara-Neo23x0/crime_atm_xfscashncr.yar | 23 +
yara-Neo23x0/crime_bad_patch.yar | 74 +
yara-Neo23x0/crime_badrabbit.yar | 59 +
yara-Neo23x0/crime_bazarbackdoor.yar | 18 +
yara-Neo23x0/crime_bernhard_pos.yar | 18 +
yara-Neo23x0/crime_bluenoroff_pos.yar | 20 +
yara-Neo23x0/crime_buzus_softpulse.yar | 26 +
yara-Neo23x0/crime_cmstar.yar | 20 +
yara-Neo23x0/crime_cn_campaign_njrat.yar | 160 +
yara-Neo23x0/crime_cn_group_btc.yar | 61 +
yara-Neo23x0/crime_cobalt_gang_pdf.yar | 12 +
yara-Neo23x0/crime_cobaltgang.yar | 95 +
yara-Neo23x0/crime_corkow_dll.yar | 24 +
yara-Neo23x0/crime_covid_ransom.yar | 20 +
yara-Neo23x0/crime_credstealer_generic.yar | 24 +
yara-Neo23x0/crime_crypto_miner.yar | 33 +
yara-Neo23x0/crime_cryptowall_svg.yar | 24 +
yara-Neo23x0/crime_dearcry_ransom.yar | 53 +
yara-Neo23x0/crime_dexter_trojan.yar | 17 +
yara-Neo23x0/crime_dridex_xml.yar | 23 +
yara-Neo23x0/crime_emotet.yar | 97 +
yara-Neo23x0/crime_enfal.yar | 57 +
yara-Neo23x0/crime_envrial.yar | 40 +
yara-Neo23x0/crime_eternalrocks.yar | 47 +
yara-Neo23x0/crime_evilcorp_dridex_banker.yar | 31 +
yara-Neo23x0/crime_fareit.yar | 30 +
yara-Neo23x0/crime_fireball.yar | 191 +
yara-Neo23x0/crime_floxif_flystudio.yar | 38 +
yara-Neo23x0/crime_gamaredon.yar | 16 +
yara-Neo23x0/crime_goldeneye.yar | 40 +
yara-Neo23x0/crime_gozi_crypter.yar | 13 +
yara-Neo23x0/crime_guloader.yar | 15 +
yara-Neo23x0/crime_h2miner_kinsing.yar | 20 +
yara-Neo23x0/crime_hermes_ransom.yar | 27 +
yara-Neo23x0/crime_icedid.yar | 94 +
yara-Neo23x0/crime_kasper_oct17.yar | 30 +
yara-Neo23x0/crime_kins_dropper.yar | 48 +
yara-Neo23x0/crime_kr_malware.yar | 35 +
yara-Neo23x0/crime_kraken_bot1.yar | 27 +
yara-Neo23x0/crime_kriskynote.yar | 64 +
yara-Neo23x0/crime_locky.yar | 21 +
yara-Neo23x0/crime_loki_bot.yar | 46 +
yara-Neo23x0/crime_mal_grandcrab.yar | 14 +
yara-Neo23x0/crime_mal_nitol.yar | 31 +
yara-Neo23x0/crime_mal_ransom_wadharma.yar | 13 +
yara-Neo23x0/crime_malumpos.yar | 17 +
yara-Neo23x0/crime_malware_generic.yar | 110 +
yara-Neo23x0/crime_malware_set_oct16.yar | 167 +
yara-Neo23x0/crime_maze_ransomware.yar | 17 +
yara-Neo23x0/crime_mikey_trojan.yar | 22 +
yara-Neo23x0/crime_mirai.yar | 181 +
yara-Neo23x0/crime_mywscript_dropper.yar | 26 +
yara-Neo23x0/crime_nansh0u.yar | 136 +
yara-Neo23x0/crime_nkminer.yar | 39 +
yara-Neo23x0/crime_nopetya_jun17.yar | 41 +
.../crime_ole_loadswf_cve_2018_4878.yar | 31 +
yara-Neo23x0/crime_parallax_rat.yar | 38 +
yara-Neo23x0/crime_phish_gina_dec15.yar | 73 +
yara-Neo23x0/crime_ransom_conti.yar | 16 +
yara-Neo23x0/crime_ransom_darkside.yar | 77 +
yara-Neo23x0/crime_ransom_generic.yar | 35 +
yara-Neo23x0/crime_ransom_germanwiper.yar | 27 +
yara-Neo23x0/crime_ransom_lockergoga.yar | 26 +
yara-Neo23x0/crime_ransom_prolock.yar | 20 +
yara-Neo23x0/crime_ransom_ragna_locker.yar | 70 +
yara-Neo23x0/crime_ransom_revil.yar | 23 +
yara-Neo23x0/crime_ransom_robinhood.yar | 21 +
.../crime_ransom_stealbit_lockbit.yar | 14 +
yara-Neo23x0/crime_ransom_venus.yar | 39 +
yara-Neo23x0/crime_rat_parallax.yar | 16 +
yara-Neo23x0/crime_revil_general.yar | 57 +
.../crime_rombertik_carbongrabber.yar | 117 +
yara-Neo23x0/crime_ryuk_ransomware.yar | 24 +
yara-Neo23x0/crime_shifu_trojan.yar | 63 +
yara-Neo23x0/crime_snarasite.yar | 17 +
yara-Neo23x0/crime_socgholish.yar | 73 +
yara-Neo23x0/crime_stealer_exfil_zip.yar | 30 +
yara-Neo23x0/crime_teledoor.yar | 31 +
yara-Neo23x0/crime_trickbot.yar | 115 +
yara-Neo23x0/crime_upatre_oct15.yar | 45 +
yara-Neo23x0/crime_wannacry.yar | 147 +
yara-Neo23x0/crime_wsh_rat.yar | 17 +
yara-Neo23x0/crime_xbash.yar | 66 +
yara-Neo23x0/crime_zeus_panda.yar | 33 +
yara-Neo23x0/crime_zloader_maldocs.yar | 22 +
.../expl_adselfservice_cve_2021_40539.yar | 29 +
...tscaler_adc_exploitation_cve_2023_3519.yar | 102 +
...l_connectwise_screenconnect_vuln_feb24.yar | 328 +
yara-Neo23x0/expl_cve_2021_1647.yar | 18 +
.../expl_cve_2021_26084_confluence_log.yar | 24 +
yara-Neo23x0/expl_cve_2021_40444.yar | 98 +
.../expl_cve_2022_41040_proxynoshell.yar | 26 +
yara-Neo23x0/expl_cve_2022_46169_cacti.yar | 13 +
..._ivanti_epmm_mobileiron_cve_2023_35078.yar | 53 +
yara-Neo23x0/expl_keepass_cve_2023_24055.yar | 37 +
yara-Neo23x0/expl_libcue_cve_2023_43641.yar | 17 +
.../expl_libssh_cve_2023_2283_jun23.yar | 15 +
yara-Neo23x0/expl_log4j_cve_2021_44228.yar | 226 +
yara-Neo23x0/expl_macos_switcharoo_dec22.yar | 54 +
yara-Neo23x0/expl_manageengine_jan23.yar | 15 +
yara-Neo23x0/expl_outlook_cve_2023_23397.yar | 110 +
yara-Neo23x0/expl_outlook_cve_2024_21413.yar | 20 +
.../expl_proxynotshell_owassrf_dec22.yar | 87 +
yara-Neo23x0/expl_proxyshell.yar | 266 +
.../expl_sharepoint_cve_2023_29357.yar | 64 +
yara-Neo23x0/expl_spring4shell.yar | 50 +
yara-Neo23x0/expl_sysaid_cve_2023_47246.yar | 59 +
yara-Neo23x0/expl_teamcity_2023_42793.yar | 34 +
yara-Neo23x0/exploit_cve_2014_4076.yar | 18 +
yara-Neo23x0/exploit_cve_2015_1674.yar | 29 +
yara-Neo23x0/exploit_cve_2015_1701.yar | 29 +
yara-Neo23x0/exploit_cve_2015_2426.yar | 57 +
yara-Neo23x0/exploit_cve_2015_2545.yar | 16 +
yara-Neo23x0/exploit_cve_2015_5119.yar | 21 +
yara-Neo23x0/exploit_cve_2017_11882.yar | 101 +
yara-Neo23x0/exploit_cve_2017_8759.yar | 110 +
yara-Neo23x0/exploit_cve_2017_9800.yar | 17 +
yara-Neo23x0/exploit_cve_2018_0802.yar | 14 +
yara-Neo23x0/exploit_cve_2018_16858.yar | 17 +
yara-Neo23x0/exploit_cve_2021_31166.yar | 14 +
.../exploit_cve_2021_33766_proxytoken.yar | 22 +
...it_cve_2022_22954_vmware_workspace_one.yar | 22 +
yara-Neo23x0/exploit_cve_2023_38146.yar | 17 +
.../exploit_f5_bigip_cve_2021_22986_log.yar | 15 +
.../exploit_gitlab_cve_2021_22205.yar | 44 +
yara-Neo23x0/exploit_rtf_ole2link.yar | 23 +
yara-Neo23x0/exploit_shitrix.yar | 29 +
yara-Neo23x0/exploit_tlb_scripts.yar | 19 +
yara-Neo23x0/exploit_uac_elevators.yar | 174 +
yara-Neo23x0/gen_100days_of_yara_2023.yar | 242 +
yara-Neo23x0/gen_Excel4Macro_Sharpshooter.yar | 69 +
yara-Neo23x0/gen_ace_with_exe.yar | 22 +
yara-Neo23x0/gen_anomalies_keyword_combos.yar | 33 +
.../gen_anydesk_compromised_cert_feb23.yar | 77 +
yara-Neo23x0/gen_armitage.yar | 68 +
yara-Neo23x0/gen_autocad_lsp_malware.yar | 52 +
yara-Neo23x0/gen_b374k_extra.yar | 24 +
yara-Neo23x0/gen_bad_pdf.yar | 15 +
yara-Neo23x0/gen_case_anomalies.yar | 84 +
yara-Neo23x0/gen_cert_payloads.yar | 22 +
yara-Neo23x0/gen_chaos_payload.yar | 26 +
yara-Neo23x0/gen_cmd_script_obfuscated.yar | 18 +
yara-Neo23x0/gen_cn_hacktool_scripts.yar | 145 +
yara-Neo23x0/gen_cn_hacktools.yar | 2587 +
yara-Neo23x0/gen_cn_webshells.yar | 717 +
yara-Neo23x0/gen_cobaltstrike.yar | 42 +
yara-Neo23x0/gen_cobaltstrike_by_avast.yar | 801 +
yara-Neo23x0/gen_crime_bitpaymer.yar | 12 +
yara-Neo23x0/gen_crimson_rat.yar | 42 +
yara-Neo23x0/gen_crunchrat.yar | 23 +
yara-Neo23x0/gen_dde_in_office_docs.yar | 63 +
yara-Neo23x0/gen_deviceguard_evasion.yar | 17 +
yara-Neo23x0/gen_doc_follina.yar | 257 +
yara-Neo23x0/gen_dropper_pdb.yar | 17 +
yara-Neo23x0/gen_elf_file_anomalies.yar | 21 +
yara-Neo23x0/gen_empire.yar | 601 +
yara-Neo23x0/gen_enigma_protector.yar | 55 +
yara-Neo23x0/gen_event_mute_hook.yar | 14 +
yara-Neo23x0/gen_excel_auto_open_evasion.yar | 26 +
.../gen_excel_xll_addin_suspicious.yar | 64 +
..._excel_xor_obfuscation_velvetsweatshop.yar | 25 +
.../gen_exploit_cve_2017_10271_weblogic.yar | 26 +
yara-Neo23x0/gen_fake_amsi_dll.yar | 68 +
yara-Neo23x0/gen_faked_versions.yar | 1 +
yara-Neo23x0/gen_file_anomalies.yar | 84 +
yara-Neo23x0/gen_fireeye_redteam_tools.yar | 3032 +
yara-Neo23x0/gen_floxif.yar | 17 +
yara-Neo23x0/gen_frp_proxy.yar | 44 +
yara-Neo23x0/gen_gcti_cobaltstrike.yar | 4849 +
yara-Neo23x0/gen_gcti_sliver.yar | 171 +
yara-Neo23x0/gen_gen_cactustorch.yar | 45 +
.../gen_github_net_redteam_tools_guids.yar | 5578 ++
.../gen_github_net_redteam_tools_names.yar | 821 +
.../gen_github_repo_compromise_myjino_ru.yar | 15 +
yara-Neo23x0/gen_gobfuscate.yar | 18 +
yara-Neo23x0/gen_google_anomaly.yar | 22 +
yara-Neo23x0/gen_gpp_cpassword.yar | 21 +
yara-Neo23x0/gen_hawkeye.yar | 34 +
yara-Neo23x0/gen_hktl_koh_tokenstealer.yar | 18 +
yara-Neo23x0/gen_hktl_roothelper.yar | 55 +
yara-Neo23x0/gen_hktl_venom_lib.yar | 30 +
yara-Neo23x0/gen_hta_anomalies.yar | 42 +
yara-Neo23x0/gen_hunting_susp_rar.yar | 29 +
yara-Neo23x0/gen_icon_anomalies.yar | 68 +
yara-Neo23x0/gen_impacket_tools.yar | 443 +
yara-Neo23x0/gen_imphash_detection.yar | 329 +
yara-Neo23x0/gen_invoke_mimikatz.yar | 24 +
yara-Neo23x0/gen_invoke_psimage.yar | 27 +
yara-Neo23x0/gen_invoke_thehash.yar | 90 +
yara-Neo23x0/gen_javascript_powershell.yar | 15 +
yara-Neo23x0/gen_kerberoast.yar | 59 +
yara-Neo23x0/gen_khepri.yar | 44 +
yara-Neo23x0/gen_kirbi_mimkatz.yar | 23 +
yara-Neo23x0/gen_lnx_malware_indicators.yar | 24 +
yara-Neo23x0/gen_loaders.yar | 176 +
.../gen_macro_ShellExecute_action.yar | 33 +
yara-Neo23x0/gen_macro_builders.yar | 19 +
.../gen_macro_staroffice_suspicious.yar | 38 +
yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar | 428 +
yara-Neo23x0/gen_mal_backnet.yar | 20 +
yara-Neo23x0/gen_mal_link.yar | 26 +
yara-Neo23x0/gen_mal_scripts.yar | 155 +
yara-Neo23x0/gen_maldoc.yar | 16 +
.../gen_malware_MacOS_plist_suspicious.yar | 66 +
yara-Neo23x0/gen_malware_set_qa.yar | 161 +
yara-Neo23x0/gen_merlin_agent.yar | 27 +
.../gen_metasploit_loader_rsmudge.yar | 27 +
yara-Neo23x0/gen_metasploit_payloads.yar | 363 +
yara-Neo23x0/gen_mimikatz.yar | 239 +
yara-Neo23x0/gen_mimikittenz.yar | 29 +
yara-Neo23x0/gen_mimipenguin.yar | 69 +
yara-Neo23x0/gen_net_xorstrings.yar | 28 +
yara-Neo23x0/gen_nighthawk_c2.yar | 50 +
yara-Neo23x0/gen_nimpackt.yar | 23 +
yara-Neo23x0/gen_nopowershell.yar | 23 +
yara-Neo23x0/gen_nvidia_leaked_cert.yar | 22 +
yara-Neo23x0/gen_onenote_phish.yar | 125 +
yara-Neo23x0/gen_osx_backdoor_bella.yar | 42 +
yara-Neo23x0/gen_osx_evilosx.yar | 34 +
yara-Neo23x0/gen_osx_pyagent_persistence.yar | 40 +
yara-Neo23x0/gen_p0wnshell.yar | 196 +
yara-Neo23x0/gen_phish_attachments.yar | 141 +
yara-Neo23x0/gen_pirpi.yar | 65 +
yara-Neo23x0/gen_powerkatz.yar | 32 +
yara-Neo23x0/gen_powershdll.yar | 25 +
yara-Neo23x0/gen_powershell_empire.yar | 188 +
yara-Neo23x0/gen_powershell_invocation.yar | 76 +
yara-Neo23x0/gen_powershell_obfuscation.yar | 75 +
yara-Neo23x0/gen_powershell_suite.yar | 63 +
yara-Neo23x0/gen_powershell_susp.yar | 284 +
yara-Neo23x0/gen_powershell_toolkit.yar | 248 +
yara-Neo23x0/gen_powersploit_dropper.yar | 15 +
yara-Neo23x0/gen_ps1_shellcode.yar | 15 +
yara-Neo23x0/gen_ps_empire_eval.yar | 41 +
yara-Neo23x0/gen_ps_osiris.yar | 28 +
yara-Neo23x0/gen_pua.yar | 20 +
yara-Neo23x0/gen_pupy_rat.yar | 44 +
yara-Neo23x0/gen_python_encoded_adware.yar | 22 +
yara-Neo23x0/gen_python_pty_shell.yar | 16 +
.../gen_python_pyminifier_encoded_payload.yar | 29 +
yara-Neo23x0/gen_python_reverse_shell.yara | 36 +
yara-Neo23x0/gen_qakbot_uninstaller.yar | 34 +
yara-Neo23x0/gen_rar_exfil.yar | 18 +
yara-Neo23x0/gen_rats_malwareconfig.yar | 1072 +
yara-Neo23x0/gen_recon_indicators.yar | 74 +
yara-Neo23x0/gen_redmimicry.yar | 59 +
yara-Neo23x0/gen_redsails.yar | 45 +
yara-Neo23x0/gen_regsrv32_issue.yar | 1 +
yara-Neo23x0/gen_remote_potato0.yar | 17 +
yara-Neo23x0/gen_rottenpotato.yar | 34 +
yara-Neo23x0/gen_rtf_malver_objects.yar | 37 +
.../gen_sfx_with_microsoft_copyright.yar | 50 +
yara-Neo23x0/gen_sharpcat.yar | 23 +
yara-Neo23x0/gen_shikataganai.yar | 22 +
yara-Neo23x0/gen_sign_anomalies.yar | 214 +
.../gen_solarwinds_credential_stealer.yar | 28 +
yara-Neo23x0/gen_susp_bat2exe.yar | 24 +
yara-Neo23x0/gen_susp_bat_aux.yar | 19 +
yara-Neo23x0/gen_susp_cmd_var_expansion.yar | 14 +
yara-Neo23x0/gen_susp_hacktool.yar | 35 +
yara-Neo23x0/gen_susp_indicators.yar | 22 +
yara-Neo23x0/gen_susp_js_obfuscatorio.yar | 39 +
yara-Neo23x0/gen_susp_lnk.yar | 12 +
yara-Neo23x0/gen_susp_lnk_files.yar | 66 +
yara-Neo23x0/gen_susp_net_msil.yar | 31 +
yara-Neo23x0/gen_susp_obfuscation.yar | 121 +
yara-Neo23x0/gen_susp_office_dropper.yar | 139 +
yara-Neo23x0/gen_susp_ps_jab.yar | 29 +
yara-Neo23x0/gen_susp_sfx.yar | 20 +
yara-Neo23x0/gen_susp_strings_in_ole.yar | 27 +
yara-Neo23x0/gen_susp_wer_files.yar | 54 +
yara-Neo23x0/gen_susp_xor.yar | 44 +
.../gen_suspicious_InPage_dropper.yar | 23 +
yara-Neo23x0/gen_suspicious_strings.yar | 448 +
yara-Neo23x0/gen_sysinternals_anomaly.yar | 31 +
yara-Neo23x0/gen_tempracer.yar | 27 +
yara-Neo23x0/gen_thumbs_cloaking.yar | 1 +
yara-Neo23x0/gen_transformed_strings.yar | 56 +
yara-Neo23x0/gen_tscookie_rat.yar | 32 +
.../gen_unicorn_obfuscated_powershell.yar | 26 +
yara-Neo23x0/gen_unsigned_thor.yar | 22 +
yara-Neo23x0/gen_unspecified_malware.yar | 26 +
yara-Neo23x0/gen_url_persitence.yar | 297 +
yara-Neo23x0/gen_url_to_local_exe.yar | 15 +
.../gen_vcruntime140_dll_sideloading.yar | 30 +
yara-Neo23x0/gen_vhd_anomaly.yar | 28 +
yara-Neo23x0/gen_webshell_csharp.yar | 25 +
yara-Neo23x0/gen_webshells.yar | 6887 ++
yara-Neo23x0/gen_webshells_ext_vars.yar | 103 +
yara-Neo23x0/gen_win_privesc.yar | 62 +
yara-Neo23x0/gen_winpayloads.yar | 50 +
yara-Neo23x0/gen_winshells.yar | 122 +
yara-Neo23x0/gen_wmi_implant.yar | 28 +
yara-Neo23x0/gen_xor_hunting.yar | 52 +
yara-Neo23x0/gen_xored_pe.yar | 28 +
yara-Neo23x0/gen_xtreme_rat.yar | 86 +
yara-Neo23x0/gen_ysoserial_payloads.yar | 113 +
yara-Neo23x0/gen_zoho_rcef_logs.yar | 27 +
yara-Neo23x0/general_cloaking.yar | 153 +
yara-Neo23x0/general_officemacros.yar | 66 +
yara-Neo23x0/generic_anomalies.yar | 518 +
yara-Neo23x0/generic_cryptors.yar | 24 +
yara-Neo23x0/generic_dumps.yar | 60 +
yara-Neo23x0/generic_exe2hex_payload.yar | 28 +
yara-Neo23x0/hktl_bruteratel_c4.yar | 290 +
yara-Neo23x0/hktl_bruteratel_c4_badger.yar | 19 +
yara-Neo23x0/hktl_natbypass.yar | 24 +
.../log_teamviewer_keyboard_layouts.yar | 40 +
yara-Neo23x0/mal_avemaria_rat.yar | 16 +
yara-Neo23x0/mal_bibi_wiper_oct23.yar | 47 +
yara-Neo23x0/mal_codecov_hack.yar | 17 +
yara-Neo23x0/mal_crime_unknown.yar | 50 +
yara-Neo23x0/mal_cryp_rat.yar | 19 +
.../mal_ducktail_compromised_certs_jun23.yar | 37 +
yara-Neo23x0/mal_efile_apr23.yar | 32 +
yara-Neo23x0/mal_fake_document_software.yar | 20 +
.../mal_fortinet_coathanger_feb24.yar | 38 +
yara-Neo23x0/mal_go_modbus.yar | 27 +
.../mal_lnx_barracuda_cve_2023_2868.yar | 46 +
yara-Neo23x0/mal_lnx_implant_may22.yar | 215 +
yara-Neo23x0/mal_lockbit_lnx_macos_apr23.yar | 101 +
yara-Neo23x0/mal_netsha.yar | 36 +
yara-Neo23x0/mal_passwordstate_backdoor.yar | 24 +
yara-Neo23x0/mal_qbot_feb23.yar | 55 +
yara-Neo23x0/mal_qbot_payloads.yar | 55 +
.../mal_ransom_esxi_attacks_feb23.yar | 120 +
yara-Neo23x0/mal_ransom_lorenz.yar | 28 +
yara-Neo23x0/mal_ru_sparepart_dec22.yar | 39 +
yara-Neo23x0/pua_cryptocoin_miner.yar | 88 +
yara-Neo23x0/pua_xmrig_monero_miner.yar | 84 +
yara-Neo23x0/pup_lightftp.yar | 41 +
yara-Neo23x0/spy_equation_fiveeyes.yar | 603 +
yara-Neo23x0/spy_querty_fiveeyes.yar | 251 +
yara-Neo23x0/spy_regin_fiveeyes.yar | 367 +
yara-Neo23x0/susp_bat_obfusc_jul24.yar | 51 +
..._hp_hardware_diagnostics_etdsupp_may23.yar | 16 +
yara-Neo23x0/thor-hacktools.yar | 4716 +
yara-Neo23x0/thor-webshells.yar | 9937 ++
yara-Neo23x0/thor_inverse_matches.yar | 581 +
yara-Neo23x0/threat_lenovo_superfish.yar | 23 +
yara-Neo23x0/vul_backdoor_antitheftweb.yar | 31 +
...luence_questions_plugin_cve_2022_26138.yar | 24 +
yara-Neo23x0/vul_cve_2020_0688.yar | 15 +
yara-Neo23x0/vul_cve_2020_1938.yar | 23 +
.../vul_cve_2021_3438_printdriver.yar | 22 +
yara-Neo23x0/vul_cve_2021_386471_omi.yar | 37 +
yara-Neo23x0/vul_dell_bios_upd_driver.yar | 18 +
yara-Neo23x0/vul_drivecrypt.yar | 38 +
.../vul_jquery_fileupload_cve_2018_9206.yar | 16 +
yara-Neo23x0/vul_php_zlib_backdoor.yar | 15 +
yara-Neo23x0/vuln_gigabyte_driver.yar | 28 +
yara-Neo23x0/vuln_keepass_brute_forcible.yar | 17 +
yara-Neo23x0/vuln_moveit_0day_jun23.yar | 94 +
.../vuln_paloalto_cve_2024_3400_apr24.yar | 96 +
.../vuln_proxynotshell_cve_2022_41040.yar | 20 +
yara-Neo23x0/webshell_regeorg.yar | 20 +
yara-Neo23x0/webshell_xsl_transform.yar | 19 +
yara-Neo23x0/yara-rules_mal_drivers.yar | 265 +
.../yara-rules_vuln_drivers_strict.yar | 6831 ++
...yara-rules_vuln_drivers_strict_renamed.yar | 6831 ++
yara-Neo23x0/yara_mixed_ext_vars.yar | 556 +
.../ByteCode.MSIL.Backdoor.AgentRacoon.yara | 0
.../ByteCode.MSIL.Backdoor.AsyncRAT.yara | 0
.../ByteCode.MSIL.Backdoor.LimeRAT.yara | 0
.../ByteCode.MSIL.Backdoor.Menorah.yara | 0
.../backdoor/Linux.Backdoor.Krasue.yara | 0
.../backdoor/Linux.Backdoor.Linodas.yara | 0
.../backdoor/Win32.Backdoor.Konni.yara | 0
.../backdoor/Win64.Backdoor.Konni.yara | 0
.../backdoor/Win64.Backdoor.Minodo.yara | 0
.../backdoor/Win64.Backdoor.SideTwist.yara | 0
.../certificate/blocklist.yara | 0
.../Win32.Downloader.dlMarlboro.yara | 0
.../exploit/Win32.Exploit.CVE20200601.yara | 0
.../Win32.Infostealer.LumarStealer.yara | 0
.../Win32.Infostealer.MultigrainPOS.yara | 0
.../Win32.Infostealer.ProjectHookPOS.yara | 0
.../infostealer/Win32.Infostealer.StealC.yara | 0
.../pua/Win32.PUA.Domaiq.yara | 0
.../ByteCode.MSIL.Ransomware.Apis.yara | 0
.../ByteCode.MSIL.Ransomware.ChupaCabra.yara | 0
.../ByteCode.MSIL.Ransomware.Cring.yara | 0
.../ByteCode.MSIL.Ransomware.Dusk.yara | 0
.../ByteCode.MSIL.Ransomware.EAF.yara | 0
.../ByteCode.MSIL.Ransomware.Eternity.yara | 0
.../ByteCode.MSIL.Ransomware.Fantom.yara | 0
...teCode.MSIL.Ransomware.GhosTEncryptor.yara | 0
.../ByteCode.MSIL.Ransomware.Ghostbin.yara | 0
.../ByteCode.MSIL.Ransomware.GoodWill.yara | 0
...yteCode.MSIL.Ransomware.HarpoonLocker.yara | 0
.../ByteCode.MSIL.Ransomware.Hog.yara | 0
.../ByteCode.MSIL.Ransomware.Invert.yara | 0
.../ByteCode.MSIL.Ransomware.Janelle.yara | 0
.../ByteCode.MSIL.Ransomware.Khonsari.yara | 0
.../ByteCode.MSIL.Ransomware.McBurglar.yara | 0
.../ByteCode.MSIL.Ransomware.Moisha.yara | 0
.../ByteCode.MSIL.Ransomware.Namaste.yara | 0
.../ByteCode.MSIL.Ransomware.Oct.yara | 0
.../ByteCode.MSIL.Ransomware.Pacman.yara | 0
...yteCode.MSIL.Ransomware.PoliceRecords.yara | 0
.../ByteCode.MSIL.Ransomware.Povlsomware.yara | 0
.../ByteCode.MSIL.Ransomware.Retis.yara | 0
.../ByteCode.MSIL.Ransomware.TaRRaK.yara | 0
.../ByteCode.MSIL.Ransomware.Thanos.yara | 0
.../ByteCode.MSIL.Ransomware.TimeCrypt.yara | 0
.../ByteCode.MSIL.Ransomware.TimeTime.yara | 0
.../ByteCode.MSIL.Ransomware.Venom.yara | 0
.../ByteCode.MSIL.Ransomware.WildFire.yara | 0
.../ByteCode.MSIL.Ransomware.WormLocker.yara | 0
.../ByteCode.MSIL.Ransomware.ZeroLocker.yara | 0
.../Bytecode.MSIL.Ransomware.CobraLocker.yara | 0
.../Linux.Ransomware.GwisinLocker.yara | 0
.../ransomware/Linux.Ransomware.KillDisk.yara | 0
.../ransomware/Linux.Ransomware.LuckyJoe.yara | 0
.../ransomware/Linux.Ransomware.RedAlert.yara | 0
.../ransomware/Win32.Ransomware.5ss5c.yara | 0
.../Win32.Ransomware.ASN1Encoder.yara | 0
.../ransomware/Win32.Ransomware.Acepy.yara | 0
.../ransomware/Win32.Ransomware.Afrodita.yara | 0
.../ransomware/Win32.Ransomware.Ako.yara | 0
.../ransomware/Win32.Ransomware.Alcatraz.yara | 0
.../Win32.Ransomware.AnteFrigus.yara | 0
.../Win32.Ransomware.Archiveus.yara | 0
.../ransomware/Win32.Ransomware.Armage.yara | 0
.../ransomware/Win32.Ransomware.Atlas.yara | 0
.../ransomware/Win32.Ransomware.Avaddon.yara | 0
.../Win32.Ransomware.AvosLocker.yara | 0
.../Win32.Ransomware.BKRansomware.yara | 0
.../ransomware/Win32.Ransomware.Babuk.yara | 0
.../ransomware/Win32.Ransomware.BadBlock.yara | 0
.../Win32.Ransomware.Badbeeteam.yara | 0
.../Win32.Ransomware.Balaclava.yara | 0
.../ransomware/Win32.Ransomware.Bam2021.yara | 0
.../Win32.Ransomware.BananaCrypt.yara | 0
.../Win32.Ransomware.BandarChor.yara | 0
.../ransomware/Win32.Ransomware.BitCrypt.yara | 0
.../Win32.Ransomware.BlackBasta.yara | 0
.../ransomware/Win32.Ransomware.BlackCat.yara | 0
.../Win32.Ransomware.BlackMoon.yara | 0
.../Win32.Ransomware.Blitzkrieg.yara | 0
.../Win32.Ransomware.BlueLocker.yara | 0
.../Win32.Ransomware.BrainCrypt.yara | 0
.../ransomware/Win32.Ransomware.Buran.yara | 0
.../ransomware/Win32.Ransomware.ChiChi.yara | 0
.../ransomware/Win32.Ransomware.Cincoo.yara | 0
.../ransomware/Win32.Ransomware.Clop.yara | 0
.../ransomware/Win32.Ransomware.Conti.yara | 0
.../ransomware/Win32.Ransomware.Cryakl.yara | 0
.../ransomware/Win32.Ransomware.Crypmic.yara | 0
.../ransomware/Win32.Ransomware.Crypren.yara | 0
.../Win32.Ransomware.CryptoBit.yara | 0
.../Win32.Ransomware.CryptoFortress.yara | 0
.../Win32.Ransomware.CryptoJoker.yara | 0
.../Win32.Ransomware.CryptoLocker.yara | 0
.../Win32.Ransomware.CryptoWall.yara | 0
.../ransomware/Win32.Ransomware.Crysis.yara | 0
.../ransomware/Win32.Ransomware.Cuba.yara | 0
.../Win32.Ransomware.DMALocker.yara | 0
.../ransomware/Win32.Ransomware.DMR.yara | 0
.../ransomware/Win32.Ransomware.DarkSide.yara | 0
.../ransomware/Win32.Ransomware.DearCry.yara | 0
.../ransomware/Win32.Ransomware.Defray.yara | 0
.../Win32.Ransomware.Delphimorix.yara | 0
.../Win32.Ransomware.DenizKizi.yara | 0
.../Win32.Ransomware.DesuCrypt.yara | 0
.../ransomware/Win32.Ransomware.Dharma.yara | 0
.../Win32.Ransomware.DirtyDecrypt.yara | 0
.../ransomware/Win32.Ransomware.District.yara | 0
.../Win32.Ransomware.DogeCrypt.yara | 0
.../ransomware/Win32.Ransomware.Dragon.yara | 0
.../ransomware/Win32.Ransomware.Dualshot.yara | 0
.../Win32.Ransomware.Encoded01.yara | 0
.../ransomware/Win32.Ransomware.Erica.yara | 0
.../ransomware/Win32.Ransomware.FCT.yara | 0
.../ransomware/Win32.Ransomware.FLKR.yara | 0
.../Win32.Ransomware.FarAttack.yara | 0
.../Win32.Ransomware.FenixLocker.yara | 0
.../ransomware/Win32.Ransomware.Ferrlock.yara | 0
.../ransomware/Win32.Ransomware.Flamingo.yara | 0
.../ransomware/Win32.Ransomware.FuxSocy.yara | 0
.../Win32.Ransomware.GPGQwerty.yara | 0
.../ransomware/Win32.Ransomware.GandCrab.yara | 0
.../Win32.Ransomware.GarrantyDecrypt.yara | 0
.../ransomware/Win32.Ransomware.Gibon.yara | 0
.../Win32.Ransomware.GlobeImposter.yara | 0
.../ransomware/Win32.Ransomware.Gomer.yara | 0
.../ransomware/Win32.Ransomware.Good.yara | 0
.../ransomware/Win32.Ransomware.Gpcode.yara | 0
.../Win32.Ransomware.GusCrypter.yara | 0
.../Win32.Ransomware.HDDCryptor.yara | 0
.../ransomware/Win32.Ransomware.HDMR.yara | 0
.../Win32.Ransomware.HakunaMatata.yara | 0
.../ransomware/Win32.Ransomware.Henry.yara | 0
.../Win32.Ransomware.HentaiOniichan.yara | 0
.../ransomware/Win32.Ransomware.Hermes.yara | 0
.../Win32.Ransomware.Horsedeal.yara | 0
.../Win32.Ransomware.HowAreYou.yara | 0
.../Win32.Ransomware.HydraCrypt.yara | 0
.../ransomware/Win32.Ransomware.IFN643.yara | 0
.../ransomware/Win32.Ransomware.InfoDot.yara | 0
.../ransomware/Win32.Ransomware.JSWorm.yara | 0
.../ransomware/Win32.Ransomware.Jamper.yara | 0
.../ransomware/Win32.Ransomware.Jemd.yara | 0
.../Win32.Ransomware.Jormungand.yara | 0
.../Win32.Ransomware.JuicyLemon.yara | 0
.../ransomware/Win32.Ransomware.Kangaroo.yara | 0
.../Win32.Ransomware.KawaiiLocker.yara | 0
.../ransomware/Win32.Ransomware.KillDisk.yara | 0
.../ransomware/Win32.Ransomware.Knot.yara | 0
.../ransomware/Win32.Ransomware.Kovter.yara | 0
.../ransomware/Win32.Ransomware.Koxic.yara | 0
.../ransomware/Win32.Ransomware.Kraken.yara | 0
.../ransomware/Win32.Ransomware.Ladon.yara | 0
.../Win32.Ransomware.LeChiffre.yara | 0
.../ransomware/Win32.Ransomware.LockBit.yara | 0
.../ransomware/Win32.Ransomware.Lolkek.yara | 0
.../Win32.Ransomware.LooCipher.yara | 0
.../ransomware/Win32.Ransomware.Lorenz.yara | 0
.../ransomware/Win32.Ransomware.MRAC.yara | 0
.../ransomware/Win32.Ransomware.MZP.yara | 0
.../ransomware/Win32.Ransomware.Mafia.yara | 0
.../ransomware/Win32.Ransomware.Magniber.yara | 0
.../ransomware/Win32.Ransomware.Major.yara | 0
.../ransomware/Win32.Ransomware.Makop.yara | 0
.../ransomware/Win32.Ransomware.Maktub.yara | 0
.../ransomware/Win32.Ransomware.Marlboro.yara | 0
.../ransomware/Win32.Ransomware.MarsJoke.yara | 0
.../ransomware/Win32.Ransomware.Matsnu.yara | 0
.../Win32.Ransomware.MedusaLocker.yara | 0
.../ransomware/Win32.Ransomware.Meow.yara | 0
.../ransomware/Win32.Ransomware.Monalisa.yara | 0
.../Win32.Ransomware.Montserrat.yara | 0
.../ransomware/Win32.Ransomware.Motocos.yara | 0
.../Win32.Ransomware.MountLocker.yara | 0
.../ransomware/Win32.Ransomware.NB65.yara | 0
.../Win32.Ransomware.NanoLocker.yara | 0
.../ransomware/Win32.Ransomware.Nefilim.yara | 0
.../ransomware/Win32.Ransomware.Nemty.yara | 0
.../ransomware/Win32.Ransomware.Networm.yara | 0
.../ransomware/Win32.Ransomware.NotPetya.yara | 0
.../ransomware/Win32.Ransomware.Oni.yara | 0
.../Win32.Ransomware.OphionLocker.yara | 0
.../Win32.Ransomware.Ouroboros.yara | 0
.../ransomware/Win32.Ransomware.Outsider.yara | 0
.../ransomware/Win32.Ransomware.PXJ.yara | 0
.../ransomware/Win32.Ransomware.Paradise.yara | 0
.../ransomware/Win32.Ransomware.Pay2Key.yara | 0
.../ransomware/Win32.Ransomware.Petya.yara | 0
.../ransomware/Win32.Ransomware.Plague17.yara | 0
.../Win32.Ransomware.PrincessLocker.yara | 0
.../ransomware/Win32.Ransomware.Prometey.yara | 0
.../Win32.Ransomware.RagnarLocker.yara | 0
.../ransomware/Win32.Ransomware.Ragnarok.yara | 0
.../ransomware/Win32.Ransomware.Ransoc.yara | 0
.../Win32.Ransomware.RansomPlus.yara | 0
.../Win32.Ransomware.Ransomexx.yara | 0
.../ransomware/Win32.Ransomware.Redeemer.yara | 0
.../Win32.Ransomware.RegretLocker.yara | 0
.../Win32.Ransomware.RetMyData.yara | 0
.../ransomware/Win32.Ransomware.Reveton.yara | 0
.../ransomware/Win32.Ransomware.Revil.yara | 0
.../ransomware/Win32.Ransomware.Rokku.yara | 0
.../ransomware/Win32.Ransomware.Ryuk.yara | 0
.../ransomware/Win32.Ransomware.Sage.yara | 0
.../ransomware/Win32.Ransomware.Sanwai.yara | 0
.../ransomware/Win32.Ransomware.Sarbloh.yara | 0
.../ransomware/Win32.Ransomware.Satan.yara | 0
.../ransomware/Win32.Ransomware.Satana.yara | 0
.../ransomware/Win32.Ransomware.Saturn.yara | 0
.../ransomware/Win32.Ransomware.Sepsis.yara | 0
.../ransomware/Win32.Ransomware.Serpent.yara | 0
.../Win32.Ransomware.SevenSevenSeven.yara | 0
.../Win32.Ransomware.ShadowCryptor.yara | 0
.../Win32.Ransomware.Sherminator.yara | 0
.../Win32.Ransomware.Sifrelendi.yara | 0
.../ransomware/Win32.Ransomware.Sifreli.yara | 0
.../ransomware/Win32.Ransomware.Sigrun.yara | 0
.../ransomware/Win32.Ransomware.Skystars.yara | 0
.../ransomware/Win32.Ransomware.Spora.yara | 0
.../ransomware/Win32.Ransomware.TBLocker.yara | 0
.../Win32.Ransomware.TargetCompany.yara | 0
.../Win32.Ransomware.TechandStrat.yara | 0
.../Win32.Ransomware.TeleCrypt.yara | 0
.../ransomware/Win32.Ransomware.Termite.yara | 0
.../Win32.Ransomware.Teslacrypt.yara | 0
.../Win32.Ransomware.Teslarvng.yara | 0
.../ransomware/Win32.Ransomware.Thanatos.yara | 0
.../Win32.Ransomware.TorrentLocker.yara | 0
.../Win32.Ransomware.VHDLocker.yara | 0
.../Win32.Ransomware.VegaLocker.yara | 0
.../ransomware/Win32.Ransomware.Velso.yara | 0
.../ransomware/Win32.Ransomware.WannaCry.yara | 0
.../Win32.Ransomware.WaspLocker.yara | 0
.../Win32.Ransomware.Wastedlocker.yara | 0
.../Win32.Ransomware.WinWord64.yara | 0
.../ransomware/Win32.Ransomware.WsIR.yara | 0
.../ransomware/Win32.Ransomware.Xorist.yara | 0
.../ransomware/Win32.Ransomware.Zeoticus.yara | 0
.../ransomware/Win32.Ransomware.Zeppelin.yara | 0
.../Win32.Ransomware.ZeroCrypt.yara | 0
.../ransomware/Win32.Ransomware.Zhen.yara | 0
.../ransomware/Win32.Ransomware.Zoldon.yara | 0
.../ransomware/Win64.Ransomware.Ako.yara | 0
.../ransomware/Win64.Ransomware.Albabat.yara | 0
.../ransomware/Win64.Ransomware.AntiWar.yara | 0
.../Win64.Ransomware.AwesomeScott.yara | 0
.../Win64.Ransomware.BlackBasta.yara | 0
.../ransomware/Win64.Ransomware.Cactus.yara | 0
.../ransomware/Win64.Ransomware.Curator.yara | 0
.../ransomware/Win64.Ransomware.DST.yara | 0
.../Win64.Ransomware.HermeticRansom.yara | 0
.../Win64.Ransomware.HotCoffee.yara | 0
.../ransomware/Win64.Ransomware.Nokoyawa.yara | 0
.../ransomware/Win64.Ransomware.Pandora.yara | 0
.../ransomware/Win64.Ransomware.RedRoman.yara | 0
.../ransomware/Win64.Ransomware.Rook.yara | 0
.../Win64.Ransomware.SeedLocker.yara | 0
.../ransomware/Win64.Ransomware.Seth.yara | 0
.../ransomware/Win64.Ransomware.Solaso.yara | 0
.../ransomware/Win64.Ransomware.Vovalex.yara | 0
.../Win64.Ransomware.WhiteBlackCrypt.yara | 0
.../ransomware/Win64.Ransomware.Wintenzz.yara | 0
.../trojan/Linux.Trojan.AcidRain.yara | 0
.../trojan/Linux.Trojan.BiBiWiper.yara | 0
.../trojan/Win32.Trojan.BiBiWiper.yara | 0
.../trojan/Win32.Trojan.CaddyWiper.yara | 0
.../trojan/Win32.Trojan.Dridex.yara | 0
.../trojan/Win32.Trojan.Emotet.yara | 0
.../trojan/Win32.Trojan.HermeticWiper.yara | 0
.../trojan/Win32.Trojan.IsaacWiper.yara | 0
.../trojan/Win32.Trojan.TrickBot.yara | 0
.../virus/Linux.Virus.Vit.yara | 0
.../virus/Win32.Virus.Awfull.yara | 0
.../virus/Win32.Virus.Cmay.yara | 0
.../virus/Win32.Virus.DeadCode.yara | 0
.../virus/Win32.Virus.Elerad.yara | 0
.../virus/Win32.Virus.Greenp.yara | 0
.../virus/Win32.Virus.Mocket.yara | 0
.../virus/Win32.Virus.Negt.yara | 0
yara-mikesxrs/.gitignore | 2 +
yara-mikesxrs/1aN0rmus/1aN0rmus_index.yara | 396 +
yara-mikesxrs/1aN0rmus/PCAPs.yara | 15 +
yara-mikesxrs/1aN0rmus/exe_rules.yara | 20 +
yara-mikesxrs/1aN0rmus/memory.yara | 19 +
yara-mikesxrs/1aN0rmus/pos_malware.yara | 76 +
yara-mikesxrs/1aN0rmus/rtf_rules.yara | 71 +
yara-mikesxrs/1aN0rmus/web_log_review.yara | 56 +
yara-mikesxrs/1aN0rmus/web_rules.yara | 132 +
.../73mp74710n/73mp74710n_index.yara | 53 +
.../73mp74710n/android_metasploit.yar | 16 +
yara-mikesxrs/73mp74710n/njrat.yar | 34 +
yara-mikesxrs/AirBnB/MachO.yar | 7 +
yara-mikesxrs/AirBnB/eicar.yar | 18 +
.../hacktool_macos_exploit_cve_2015_5889.yara | 16 +
.../AirBnB/hacktool_macos_exploit_tpwn.yara | 14 +
.../hacktool_macos_juuso_keychaindump.yara | 16 +
...ktool_macos_keylogger_b4rsby_swiftlog.yara | 11 +
...tool_macos_keylogger_caseyscarborough.yara | 14 +
.../hacktool_macos_keylogger_dannvix.yara | 13 +
..._macos_keylogger_eldeveloper_keystats.yara | 13 +
.../hacktool_macos_keylogger_giacomolaw.yara | 13 +
.../hacktool_macos_keylogger_logkext.yara | 25 +
...ol_macos_keylogger_roxlu_ofxkeylogger.yara | 13 +
...macos_keylogger_skreweverything_swift.yara | 15 +
.../AirBnB/hacktool_macos_macpmem.yara | 22 +
...cktool_macos_manwhoami_icloudcontacts.yara | 14 +
...ktool_macos_manwhoami_mmetokendecrypt.yara | 15 +
...tool_macos_manwhoami_osxchromedecrypt.yara | 16 +
.../hacktool_macos_n0fate_chainbreaker.yara | 13 +
...cktool_macos_ptoomey3_keychain_dumper.yara | 15 +
.../hacktool_multi_bloodhound_owned.yara | 20 +
.../hacktool_multi_jtesta_ssh_mitm.yara | 12 +
.../AirBnB/hacktool_multi_masscan.yara | 17 +
.../AirBnB/hacktool_multi_ncc_ABPTTS.yara | 19 +
.../AirBnB/hacktool_multi_ntlmrelayx.yara | 15 +
.../AirBnB/hacktool_multi_pyrasite_py.yara | 24 +
.../AirBnB/hacktool_multi_responder_py.yara | 17 +
.../AirBnB/hacktool_windows_hot_potato.yara | 15 +
.../hacktool_windows_mimikatz_copywrite.yara | 24 +
.../hacktool_windows_mimikatz_errors.yara | 16 +
.../hacktool_windows_mimikatz_files.yara | 15 +
.../hacktool_windows_mimikatz_modules.yara | 18 +
.../hacktool_windows_mimikatz_sekurlsa.yara | 18 +
.../hacktool_windows_moyix_creddump.yara | 16 +
.../AirBnB/hacktool_windows_ncc_wmicmd.yara | 18 +
.../hacktool_windows_rdp_cmd_delivery.yara | 14 +
.../AirBnB/hacktool_windows_wmi_implant.yara | 21 +
.../malware_macos_apt_sofacy_xagent.yara | 62 +
yara-mikesxrs/AirBnB/malware_macos_bella.yara | 22 +
.../AirBnB/malware_macos_macspy.yara | 17 +
.../malware_macos_marten4n6_evilosx.yara | 16 +
.../malware_macos_neoneggplant_eggshell.yara | 24 +
.../malware_macos_proton_rat_generic.yara | 21 +
.../AirBnB/malware_multi_pupy_rat.yara | 16 +
.../AirBnB/malware_multi_vesche_basicrat.yara | 15 +
...alware_windows_apt_red_leaves_generic.yara | 27 +
...windows_apt_whitebear_binary_loader_1.yara | 22 +
...windows_apt_whitebear_binary_loader_2.yara | 17 +
...windows_apt_whitebear_binary_loader_3.yara | 16 +
...indows_moonlightmaze_IRIX_exploit_GEN.yara | 20 +
...alware_windows_moonlightmaze_cle_tool.yara | 17 +
..._windows_moonlightmaze_custom_sniffer.yara | 20 +
...malware_windows_moonlightmaze_de_tool.yara | 16 +
...dows_moonlightmaze_encrypted_keyloger.yara | 11 +
.../malware_windows_moonlightmaze_loki.yara | 27 +
...are_windows_moonlightmaze_loki2crypto.yara | 16 +
...re_windows_moonlightmaze_u_logcleaner.yara | 18 +
.../malware_windows_moonlightmaze_wipe.yara | 18 +
...re_windows_moonlightmaze_xk_keylogger.yara | 22 +
.../AirBnB/malware_windows_pony_stealer.yara | 21 +
.../AirBnB/malware_windows_remcos_rat.yara | 20 +
.../malware_windows_t3ntman_crunchrat.yara | 19 +
...re_windows_winnti_loadperf_dll_loader.yara | 13 +
.../malware_windows_xrat_quasarrat.yara | 31 +
yara-mikesxrs/Airbus/Airbus_index.yara | 331 +
yara-mikesxrs/Airbus/derusbi_kernel.yar | 17 +
yara-mikesxrs/Airbus/derusbi_linux.yar | 17 +
yara-mikesxrs/Airbus/sakula_dropper_v3-1.yar | 16 +
yara-mikesxrs/Airbus/sakula_packed_v2-0.yar | 15 +
yara-mikesxrs/Airbus/sakula_packed_v2-1.yar | 14 +
yara-mikesxrs/Airbus/sakula_packed_v2-2.yar | 14 +
yara-mikesxrs/Airbus/sakula_packed_v3-1.yar | 17 +
yara-mikesxrs/Airbus/sakula_v1-0.yar | 19 +
yara-mikesxrs/Airbus/sakula_v1-1.yar | 19 +
yara-mikesxrs/Airbus/sakula_v1-2.yar | 18 +
yara-mikesxrs/Airbus/sakula_v1-3.yar | 18 +
yara-mikesxrs/Airbus/sakula_v1-4.yar | 18 +
yara-mikesxrs/Airbus/sakula_v2-0.yar | 15 +
yara-mikesxrs/Airbus/sakula_v2-1.yar | 17 +
yara-mikesxrs/Airbus/sakula_v2-2.yar | 17 +
yara-mikesxrs/Airbus/sakula_v3-0.yar | 19 +
yara-mikesxrs/Airbus/sakula_v3-1.yar | 20 +
yara-mikesxrs/Airbus/sakula_v3-2.yar | 18 +
yara-mikesxrs/Airbus/sakula_vx_protector.yar | 14 +
.../Lazarus_wipe_file_routine.yar | 28 +
.../Anomali Labs/PyInstaller_Binary.yar | 16 +
yara-mikesxrs/ApoNie/HeapLib.yar | 26 +
yara-mikesxrs/Artemonsecurity/snake.yar | 13 +
.../Artemonsecurity/snake_packed.yar | 16 +
yara-mikesxrs/BAESystems/Hermes.yar | 26 +
yara-mikesxrs/Blackberry/BoratRAT.yar | 41 +
.../Blackberry/BoratRATInformation.yar | 45 +
.../Blackberry/BoratRATKeylogger.yar | 39 +
yara-mikesxrs/Blackberry/EternityClipper.yar | 30 +
yara-mikesxrs/Blackberry/EternityRansom.yar | 28 +
yara-mikesxrs/Blackberry/EternityStealer.yar | 32 +
yara-mikesxrs/Blackberry/EternityWorm.yar | 31 +
yara-mikesxrs/Blackberry/HeaderTip.yar | 18 +
.../Blackberry/Mal_Backdoor_ChaChi_RAT.yar | 25 +
.../Mal_Infostealer_EXE_Jupyter_Cert_36ff.yar | 18 +
...nfostealer_MSI_EXE_Jupyter_Certificate.yar | 43 +
...tealer_MSI_Jupyter_Embedded_PowerShell.yar | 20 +
...ler_PowerShell_Jupyter_Updated_Samples.yar | 18 +
.../Mal_Infostealer_Win32_BlackGuard.yar | 39 +
...32_Jupyter_Download_and_Execute_Module.yar | 30 +
...ealer_Win32_Jupyter_InfoStealer_Module.yar | 37 +
..._Infostealer_Win32_Jupyter_Main_Module.yar | 42 +
.../Mal_Win32_ChaosRansomware_2022.yar | 47 +
...al_Win32_Chaos_Builder_Ransomware_2022.yar | 44 +
...in32_Onyx_Strain_Chaos_Ransomware_2022.yar | 29 +
yara-mikesxrs/Blackberry/Snake.yar | 19 +
.../Blackberry/Windealer_Library.yar | 26 +
.../Blackberry/Windealer_executable.yar | 23 +
.../Double_Pulsar_Petya.yar | 33 +
.../Booz Allen Hamilton/PolishBankRAT.yar | 57 +
.../archives_w_chinapic.yar | 18 +
.../Brian Carter -carterb/demuzacert.yar | 20 +
.../injector_panel_sqlite.yar | 21 +
.../Brian Carter -carterb/mal_pdf.yar | 19 +
.../Brian Carter -carterb/panelzips.yar | 128 +
.../Brian Carter -carterb/pony_config.yar | 21 +
.../tables_inject_panel.yar | 21 +
.../vt_pony_post2gate.yar | 14 +
yara-mikesxrs/CISA/CADDYWIPER.yar | 27 +
.../CISA/HAFIUM_webshell_CVE_2021_27065.yar | 23 +
...IUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar | 21 +
yara-mikesxrs/CISA/HERMETICWIZARD.yar | 34 +
yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar | 24 +
.../CISA/HERMETICWIZARD_WORM_CODE.yar | 21 +
yara-mikesxrs/CISA/ISAACWIPER.yar | 29 +
yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar | 30 +
yara-mikesxrs/CSE/APT28_Hospitality.yar | 39 +
yara-mikesxrs/CSE/config_decoder_sigs.yar | 629 +
.../Cado Security/Lambda_Malware.yar | 17 +
.../Cado Security/Linux_Wiper_AWFULSHRED.yar | 26 +
.../Cado Security/Linux_Wiper_SOLOSHRED.yar | 17 +
.../Cado Security/Linux_Worm_ORCSHRED.yar | 19 +
.../Powershell_Downloader_POWERGAP.yar | 19 +
.../Cado Security/Whispergate_Stage_1.yar | 16 +
.../Cado Security/Whispergate_Stage_2.yar | 20 +
.../Cado Security/Wiper_Ukr_Feb_2022.yar | 18 +
yara-mikesxrs/Checkpoint/ElMachete_doc.yar | 14 +
yara-mikesxrs/Checkpoint/ElMachete_msi.yar | 17 +
yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar | 11 +
.../Checkpoint/Russia_Detector_rules.yar | 7777 ++
.../Checkpoint/TeamViwer_backdoor.yar | 16 +
.../Checkpoint/ZZ_breakwin_config.yar | 14 +
.../ZZ_breakwin_meteor_batch_files.yar | 23 +
.../Checkpoint/ZZ_breakwin_stardust_vbs.yar | 20 +
.../Checkpoint/ZZ_breakwin_wiper.yar | 120 +
.../apt3_bemstour_implant_byte_patch.yar | 39 +
...emstour_implant_command_stack_variable.yar | 169 +
.../Checkpoint/apt3_bemstour_strings.yar | 68 +
.../apt_CN_TwistedPanda_64bit_Loader.yar | 34 +
.../apt_CN_TwistedPanda_SPINNER_1.yar | 33 +
.../apt_CN_TwistedPanda_SPINNER_2.yar | 35 +
.../apt_CN_TwistedPanda_droppers.yar | 36 +
.../Checkpoint/apt_CN_TwistedPanda_loader.yar | 42 +
.../apt_WebAssistant_TcahfUpdate.yar | 17 +
.../Checkpoint/apt_nazar_component_guids.yar | 32 +
.../Checkpoint/apt_nazar_svchost_commands.yar | 19 +
.../Checkpoint/checkpoint_index.yara | 206 +
yara-mikesxrs/Checkpoint/explosive_dll.yar | 15 +
yara-mikesxrs/Checkpoint/explosive_exe.yar | 15 +
yara-mikesxrs/Checkpoint/goziv3_trojan.yar | 11 +
.../Checkpoint/injector_ZZ_dotRunpeX.yar | 58 +
.../injector_ZZ_dotRunpeX_oldnew.yar | 45 +
.../Checkpoint/lyceum_dotnet_dns_backdoor.yar | 29 +
.../lyceum_dotnet_http_backdoor.yar | 52 +
.../Checkpoint/lyceum_golang_backdoor.yar | 37 +
.../Checkpoint/malware_bumblebee_packed.yar | 31 +
.../Checkpoint/nazar_component_guids.yar | 32 +
yara-mikesxrs/Checkpoint/qbot_vbs.yar | 16 +
.../Checkpoint/ransomware_ZZ_azov_wiper.yar | 18 +
yara-mikesxrs/Citizen Lab/3102.yara | 40 +
yara-mikesxrs/Citizen Lab/9002.yara | 47 +
.../Citizen Lab/Citizen_Lab_index.yara | 2512 +
yara-mikesxrs/Citizen Lab/bangat.yara | 45 +
.../Citizen Lab/between-hk-and-burma.yara | 190 +
yara-mikesxrs/Citizen Lab/boouset.yara | 42 +
yara-mikesxrs/Citizen Lab/comfoo.yara | 43 +
yara-mikesxrs/Citizen Lab/cookies.yara | 38 +
yara-mikesxrs/Citizen Lab/cves.yara | 1 +
yara-mikesxrs/Citizen Lab/cxpid.yara | 42 +
yara-mikesxrs/Citizen Lab/enfal.yara | 69 +
yara-mikesxrs/Citizen Lab/ezcob.yara | 28 +
yara-mikesxrs/Citizen Lab/fakem.yara | 42 +
yara-mikesxrs/Citizen Lab/favorite.yara | 42 +
yara-mikesxrs/Citizen Lab/filetypes.yara | 40 +
yara-mikesxrs/Citizen Lab/glasses.yara | 43 +
yara-mikesxrs/Citizen Lab/iexpl0re.yara | 57 +
yara-mikesxrs/Citizen Lab/imuler.yara | 60 +
yara-mikesxrs/Citizen Lab/insta11.yara | 43 +
yara-mikesxrs/Citizen Lab/luckycat.yara | 46 +
yara-mikesxrs/Citizen Lab/lurk0+cctv0.yara | 86 +
yara-mikesxrs/Citizen Lab/maccontrol.yara | 47 +
.../Citizen Lab/malware-families.yara | 42 +
yara-mikesxrs/Citizen Lab/mirage.yara | 25 +
yara-mikesxrs/Citizen Lab/mongal.yara | 41 +
yara-mikesxrs/Citizen Lab/msattacker.yara | 35 +
yara-mikesxrs/Citizen Lab/naikon.yara | 45 +
yara-mikesxrs/Citizen Lab/naspyupdate.yara | 42 +
yara-mikesxrs/Citizen Lab/nettraveler.yara | 88 +
yara-mikesxrs/Citizen Lab/nsfree.yara | 44 +
yara-mikesxrs/Citizen Lab/oleidentifiers.yara | 265 +
yara-mikesxrs/Citizen Lab/olyx.yara | 39 +
yara-mikesxrs/Citizen Lab/payloads.yara | 14 +
yara-mikesxrs/Citizen Lab/plugx.yara | 52 +
yara-mikesxrs/Citizen Lab/pubsab.yara | 40 +
yara-mikesxrs/Citizen Lab/quarian.yara | 64 +
yara-mikesxrs/Citizen Lab/regsubdat.yara | 47 +
yara-mikesxrs/Citizen Lab/remote.yara | 81 +
yara-mikesxrs/Citizen Lab/rookie.yara | 43 +
yara-mikesxrs/Citizen Lab/rooter.yara | 43 +
yara-mikesxrs/Citizen Lab/safenet.yara | 42 +
yara-mikesxrs/Citizen Lab/scarhikn.yara | 41 +
yara-mikesxrs/Citizen Lab/surtr.yara | 51 +
yara-mikesxrs/Citizen Lab/t5000.yara | 37 +
yara-mikesxrs/Citizen Lab/vidgrab.yara | 46 +
yara-mikesxrs/Citizen Lab/warp.yara | 41 +
yara-mikesxrs/Citizen Lab/wimmie.yara | 45 +
yara-mikesxrs/Citizen Lab/xtreme.yara | 42 +
yara-mikesxrs/Citizen Lab/yayih.yara | 42 +
.../Cluster 25/APT28_SkinnyBoy_Dropper.yar | 13 +
.../Cluster 25/APT28_SkinnyBoy_Implanter.yar | 16 +
.../Cluster 25/APT28_SkinnyBoy_Launcher.yar | 19 +
.../APT29_HTMLSmuggling_ZIP_82733_00001.yar | 16 +
.../Cluster 25/APT29_Loader_87221_00001.yar | 28 +
.../GhostWriter_MicroBackdoor_72632_00001.yar | 15 +
.../GhostWriter_MicroLoader_72632_00001.yar | 14 +
.../UNC1222_HermeticWiper_23433_10001.yar | 17 +
.../UNC1222_HermeticWiper_23433_10002.yar | 41 +
.../sidewinder_apt_rtf_cve_2017_0199.yar | 18 +
yara-mikesxrs/CyberDefenses/installmonstr.yar | 22 +
yara-mikesxrs/CyberDefenses/u34.yar | 15 +
.../CyberDefenses/wirenet_dropper.yar | 16 +
yara-mikesxrs/DFIR_Report/CobaltStrike.yar | 233 +
.../DFIR_Report/Quantum_Case_12647.yar | 176 +
.../Damian Baran/rule LinuxDDOS_Agent.yar | 34 +
.../Didier Stevens/Didier_Stevens_index.yara | 78063 ++++++++++++++++
.../JPEG_EXIF_Contains_eval.yara | 29 +
yara-mikesxrs/Didier Stevens/Nviso.yar | 53 +
.../Didier Stevens/PE_PyInstaller.yar | 25 +
.../Didier Stevens/contains_pe_file.yara | 24 +
.../Didier Stevens/contains_vbe_file.yara | 23 +
yara-mikesxrs/Didier Stevens/maldoc.yara | 171 +
.../peid-userdb-rules-with-pe-module.yara | 39164 ++++++++
.../peid-userdb-rules-without-pe-module.yara | 38977 ++++++++
.../apt_c16_win32_dropper.yar | 18 +
.../apt_c16_win64_dropper.yar | 18 +
.../apt_c16_win_disk_pcclient.yar | 13 +
.../apt_c16_win_memory_pcclient.yar | 19 +
.../Dragonthreatlabs/apt_c16_win_swisyn.yar | 17 +
.../apt_c16_win_wateringhole.yar | 14 +
.../Dragonthreatlabs/apt_win_mocelpa.yar | 11 +
.../dragonthreatlabs_index.yara | 104 +
.../Elastic/APT_APT40_Implant_June2020.yar | 19 +
.../Elastic/Linux_Trojan_BPFDoor_1.yar | 23 +
.../Elastic/Mozi_Obfuscation_Technique.yar | 15 +
.../Elastic/Windows_Ransomware_Cuba.yar | 20 +
.../Elastic/Windows_Trojan_BLISTER.yar | 23 +
.../Elastic/Windows_Trojan_Deimos_DLL.yar | 23 +
.../Elastic/Windows_Wiper_HERMETICWIPER.yar | 24 +
yara-mikesxrs/EmersonElectricCo/ft_cab.yara | 14 +
yara-mikesxrs/EmersonElectricCo/ft_elf.yara | 14 +
yara-mikesxrs/EmersonElectricCo/ft_exe.yara | 14 +
yara-mikesxrs/EmersonElectricCo/ft_gzip.yara | 14 +
yara-mikesxrs/EmersonElectricCo/ft_jar.yara | 15 +
.../EmersonElectricCo/ft_java_class.yara | 14 +
.../EmersonElectricCo/ft_office_open_xml.yara | 19 +
.../EmersonElectricCo/ft_ole_cf.yara | 14 +
yara-mikesxrs/EmersonElectricCo/ft_pdf.yara | 14 +
yara-mikesxrs/EmersonElectricCo/ft_rar.yara | 15 +
yara-mikesxrs/EmersonElectricCo/ft_rtf.yara | 14 +
yara-mikesxrs/EmersonElectricCo/ft_swf.yara | 51 +
yara-mikesxrs/EmersonElectricCo/ft_tar.yara | 14 +
yara-mikesxrs/EmersonElectricCo/ft_zip.yara | 14 +
.../misc_compressed_exe.yara | 50 +
.../misc_no_dosmode_header.yara | 51 +
.../misc_ooxml_core_properties.yara | 16 +
.../EmersonElectricCo/misc_pe_signature.yara | 13 +
.../misc_upx_packed_binary.yara | 13 +
yara-mikesxrs/Fidelis/AlienSpy.yar | 34 +
yara-mikesxrs/Fidelis/DarkComet.yar | 18 +
yara-mikesxrs/Fidelis/DarkCometDownloader.yar | 12 +
yara-mikesxrs/Fidelis/Scanbox.yar | 44 +
.../Fidelis/Ursnif_report_variant_memory.yar | 20 +
yara-mikesxrs/Fidelis/XenonCrypter.yar | 12 +
...ix_elf_Derusbi_Linux_SharedMemCreation.yar | 13 +
.../apt_nix_elf_Derusbi_Linux_Strings.yar | 28 +
yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar | 48 +
.../apt_nix_elf_derusbi_kernelModule.yar | 30 +
...apt_win32_dll_bergard_pgv_pvid_variant.yar | 40 +
.../Fidelis/apt_win32_dll_rat_hiZorRAT.yar | 30 +
.../Fidelis/apt_win_exe_trojan_derusbi.yar | 61 +
.../Fidelis/crime_win32_exe_rat_netwire.yar | 51 +
.../Fidelis/crime_win_PWS_Fareit.yar | 28 +
.../Fidelis/network_traffic_njRAT.yar | 47 +
yara-mikesxrs/Fidelis/win_exe_njRAT.yar | 45 +
yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara | 128 +
.../Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara | 113 +
.../Fireeye/APT32_ActiveMime_Lure.yar | 18 +
.../Fireeye/APT_DeputyDog_Strings.yar | 20 +
yara-mikesxrs/Fireeye/BadRabbit.yar | 120 +
yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar | 19 +
yara-mikesxrs/Fireeye/FE_petya_ransomware,yar | 75 +
.../Fireeye_red_team_tool_countermeasures.yar | 2947 +
yara-mikesxrs/Fireeye/Fireye_index.yara | 141 +
yara-mikesxrs/Fireeye/MACROCHECK.YAR | 20 +
yara-mikesxrs/Fireeye/Molerats_certs.yar | 25 +
yara-mikesxrs/Fireeye/TRITON_Framework.yar | 63 +
.../Fireeye/callTogether_certificate.yar | 26 +
yara-mikesxrs/Fireeye/hastati.yar | 25 +
yara-mikesxrs/Fireeye/qti_certificate.yar | 25 +
.../Florian Roth/Florian_Roth_index.yara | 34866 +++++++
yara-mikesxrs/Florian Roth/Havex_Trojan.yar | 24 +
.../Florian Roth/Havex_Trojan_PHP_Server.yar | 14 +
.../Florian Roth/POSCardStealer_SpyBot.yar | 23 +
.../Florian Roth/apt_alienspy_rat.yar | 49 +
.../Florian Roth/apt_apt17_malware.yar | 34 +
yara-mikesxrs/Florian Roth/apt_apt28.yar | 94 +
.../Florian Roth/apt_apt30_backspace.yar | 1142 +
.../Florian Roth/apt_apt6_malware.yar | 53 +
.../Florian Roth/apt_backdoor_ssh_python.yar | 18 +
yara-mikesxrs/Florian Roth/apt_backspace.yar | 18 +
.../Florian Roth/apt_beepservice.yar | 29 +
.../Florian Roth/apt_between-hk-and-burma.yar | 215 +
.../Florian Roth/apt_blackenergy.yar | 171 +
.../apt_blackenergy_installer.yar | 15 +
.../Florian Roth/apt_bluetermite_emdivi.yar | 136 +
yara-mikesxrs/Florian Roth/apt_buckeye.yar | 68 +
yara-mikesxrs/Florian Roth/apt_casper.yar | 97 +
.../Florian Roth/apt_cheshirecat.yar | 102 +
yara-mikesxrs/Florian Roth/apt_cloudduke.yar | 77 +
yara-mikesxrs/Florian Roth/apt_codoso.yar | 335 +
.../Florian Roth/apt_coreimpact_agent.yar | 44 +
.../Florian Roth/apt_cve2015_5119.yar | 19 +
.../Florian Roth/apt_danti_svcmondr.yar | 70 +
yara-mikesxrs/Florian Roth/apt_deeppanda.yar | 92 +
yara-mikesxrs/Florian Roth/apt_derusbi.yar | 115 +
yara-mikesxrs/Florian Roth/apt_dubnium.yar | 138 +
yara-mikesxrs/Florian Roth/apt_duqu2.yar | 94 +
yara-mikesxrs/Florian Roth/apt_emissary.yar | 41 +
yara-mikesxrs/Florian Roth/apt_eqgrp.yar | 1213 +
.../Florian Roth/apt_fakem_backdoor.yar | 46 +
.../Florian Roth/apt_fancybear_dnc.yar | 54 +
.../apt_fidelis_phishing_plain_sight.yar | 27 +
.../Florian Roth/apt_four_element_sword.yar | 161 +
yara-mikesxrs/Florian Roth/apt_furtim.yar | 53 +
.../apt_ghostdragon_gh0st_rat.yar | 87 +
yara-mikesxrs/Florian Roth/apt_glassRAT.yar | 69 +
.../Florian Roth/apt_hackingteam_rules.yar | 82 +
.../Florian Roth/apt_hellsing_kaspersky.yar | 137 +
yara-mikesxrs/Florian Roth/apt_hizor_rat.yar | 27 +
.../Florian Roth/apt_indetectables_rat.yar | 52 +
yara-mikesxrs/Florian Roth/apt_inocnation.yar | 29 +
yara-mikesxrs/Florian Roth/apt_irongate.yar | 96 +
yara-mikesxrs/Florian Roth/apt_irontiger.yar | 146 +
.../Florian Roth/apt_irontiger_trendmicro.yar | 289 +
.../Florian Roth/apt_kaspersky_duqu2.yar | 147 +
.../Florian Roth/apt_keylogger_cn.yar | 33 +
.../Florian Roth/apt_korplug_fast.yar | 25 +
.../Florian Roth/apt_laudanum_webshells.yar | 309 +
yara-mikesxrs/Florian Roth/apt_miniasp.yar | 36 +
yara-mikesxrs/Florian Roth/apt_minidionis.yar | 81 +
yara-mikesxrs/Florian Roth/apt_mofang.yar | 47 +
.../Florian Roth/apt_ms_platinum.yara | 398 +
yara-mikesxrs/Florian Roth/apt_naikon.yar | 36 +
.../Florian Roth/apt_nanocore_rat.yar | 72 +
.../Florian Roth/apt_onhat_proxy.yar | 29 +
yara-mikesxrs/Florian Roth/apt_op_cleaver.yar | 329 +
.../Florian Roth/apt_passthehashtoolkit.yar | 142 +
yara-mikesxrs/Florian Roth/apt_plugx.yar | 35 +
yara-mikesxrs/Florian Roth/apt_poisonivy.yar | 215 +
.../Florian Roth/apt_poisonivy_gen3.yar | 30 +
.../Florian Roth/apt_poseidon_group.yar | 82 +
yara-mikesxrs/Florian Roth/apt_prikormka.yar | 141 +
yara-mikesxrs/Florian Roth/apt_project_m.yar | 46 +
.../Florian Roth/apt_project_sauron.yara | 137 +
.../apt_project_sauron_extras.yar | 224 +
.../Florian Roth/apt_putterpanda.yar | 258 +
.../Florian Roth/apt_quarkspwdump.yar | 22 +
.../apt_rocketkitten_keylogger.yar | 33 +
yara-mikesxrs/Florian Roth/apt_ruag.yar | 85 +
.../apt_rwmc_powershell_creddump.yar | 39 +
yara-mikesxrs/Florian Roth/apt_sakula.yar | 78 +
.../Florian Roth/apt_scanbox_deeppanda.yar | 32 +
.../Florian Roth/apt_seaduke_unit42.yar | 26 +
yara-mikesxrs/Florian Roth/apt_shamoon.yar | 12 +
.../Florian Roth/apt_skeletonkey.yar | 44 +
.../Florian Roth/apt_snowglobe_babar.yar | 36 +
.../Florian Roth/apt_sofacy_dec15.yar | 129 +
.../Florian Roth/apt_sofacy_fysbis.yar | 50 +
.../Florian Roth/apt_sofacy_jun16.yar | 59 +
.../apt_sofacy_xtunnel_bundestag.yar | 98 +
.../Florian Roth/apt_sphinx_moth.yar | 114 +
yara-mikesxrs/Florian Roth/apt_strider.yara | 84 +
yara-mikesxrs/Florian Roth/apt_stuxnet.yar | 172 +
yara-mikesxrs/Florian Roth/apt_suckfly.yar | 73 +
yara-mikesxrs/Florian Roth/apt_sysscan.yar | 37 +
yara-mikesxrs/Florian Roth/apt_terracotta.yar | 98 +
.../Florian Roth/apt_terracotta_liudoor.yar | 24 +
.../Florian Roth/apt_threatgroup_3390.yar | 307 +
yara-mikesxrs/Florian Roth/apt_tidepool.yar | 30 +
.../Florian Roth/apt_turbo_campaign.yar | 192 +
yara-mikesxrs/Florian Roth/apt_turla.yar | 142 +
.../Florian Roth/apt_unit78020_malware.yar | 129 +
.../Florian Roth/apt_volatile_cedar.yar | 115 +
yara-mikesxrs/Florian Roth/apt_waterbug.yar | 123 +
.../apt_webshell_chinachopper.yar | 13 +
.../Florian Roth/apt_wildneutron.yar | 297 +
yara-mikesxrs/Florian Roth/apt_win_plugx.yar | 58 +
yara-mikesxrs/Florian Roth/apt_winnti.yar | 130 +
.../Florian Roth/apt_woolengoldfish.yar | 103 +
.../Florian Roth/cn_pentestset_scripts.yar | 336 +
.../Florian Roth/cn_pentestset_tools.yar | 2225 +
.../Florian Roth/cn_pentestset_webshells.yar | 1038 +
yara-mikesxrs/Florian Roth/cridex.yar | 14 +
.../Florian Roth/crime_antifw_installrex.yar | 17 +
.../Florian Roth/crime_bernhard_pos.yar | 17 +
.../Florian Roth/crime_buzus_softpulse.yar | 24 +
yara-mikesxrs/Florian Roth/crime_cmstar.yar | 19 +
.../Florian Roth/crime_cryptowall_svg.yar | 22 +
.../Florian Roth/crime_dexter_trojan.yar | 15 +
.../Florian Roth/crime_dridex_xml.yar | 22 +
yara-mikesxrs/Florian Roth/crime_enfal.yar | 53 +
yara-mikesxrs/Florian Roth/crime_fareit.yar | 28 +
.../Florian Roth/crime_kins_dropper.yar | 46 +
.../Florian Roth/crime_kraken_bot1.yar | 25 +
yara-mikesxrs/Florian Roth/crime_locky.yar | 20 +
yara-mikesxrs/Florian Roth/crime_malumpos.yar | 32 +
.../Florian Roth/crime_malware_generic.yar | 39 +
.../Florian Roth/crime_mikey_trojan.yar | 20 +
.../Florian Roth/crime_petya_ransom.yar | 31 +
.../Florian Roth/crime_phish_gina_dec15.yar | 67 +
.../crime_rombertik_carbongrabber.yar | 107 +
.../Florian Roth/crime_shifu_trojan.yar | 59 +
.../Florian Roth/crime_upatre_oct15.yar | 43 +
.../Florian Roth/exploit_cve_2015_1674.yar | 27 +
.../Florian Roth/exploit_cve_2015_1701.yar | 27 +
.../Florian Roth/exploit_cve_2015_2426.yar | 53 +
.../Florian Roth/exploit_uac_elevators.yar | 131 +
.../Florian Roth/gen_ace_with_exe.yar | 21 +
.../Florian Roth/gen_b374k_extra.yar | 22 +
.../Florian Roth/gen_cn_hacktool_scripts.yar | 129 +
.../Florian Roth/gen_cn_hacktools.yar | 2471 +
.../Florian Roth/gen_cn_webshells.yar | 701 +
.../Florian Roth/gen_deviceguard_evasion.yar | 13 +
.../Florian Roth/gen_faked_versions.yar | 29 +
.../Florian Roth/gen_gpp_cpassword.yar | 19 +
.../Florian Roth/gen_invoke_mimikatz.yar | 20 +
yara-mikesxrs/Florian Roth/gen_kerberoast.yar | 53 +
.../Florian Roth/gen_kirbi_mimkatz.yar | 22 +
.../Florian Roth/gen_malware_set_qa.yar | 189 +
.../gen_metasploit_loader_rsmudge.yar | 25 +
.../Florian Roth/gen_mimikittenz.yar | 27 +
.../Florian Roth/gen_nopowershell.yar | 21 +
yara-mikesxrs/Florian Roth/gen_pirpi.yar | 61 +
yara-mikesxrs/Florian Roth/gen_powerkatz.yar | 30 +
.../Florian Roth/gen_powershell_empire.yar | 168 +
.../Florian Roth/gen_powershell_toolkit.yar | 226 +
.../Florian Roth/gen_regsrv32_issue.yar | 23 +
yara-mikesxrs/Florian Roth/gen_sharpcat.yar | 21 +
yara-mikesxrs/Florian Roth/gen_tempracer.yar | 25 +
.../Florian Roth/gen_thumbs_cloaking.yar | 10 +
.../Florian Roth/gen_transformed_strings.yar | 54 +
.../Florian Roth/gen_win_privesc.yar | 56 +
yara-mikesxrs/Florian Roth/gen_winshells.yar | 112 +
.../Florian Roth/general_cloaking.yar | 84 +
.../Florian Roth/general_officemacros.yar | 46 +
.../Florian Roth/generic_anomalies.yar | 268 +
.../Florian Roth/generic_cryptors.yar | 22 +
yara-mikesxrs/Florian Roth/generic_dumps.yar | 27 +
.../Florian Roth/generic_exe2hex_payload.yar | 26 +
yara-mikesxrs/Florian Roth/pup_lightftp.yar | 37 +
.../Florian Roth/spy_equation_fiveeyes.yar | 575 +
.../Florian Roth/spy_querty_fiveeyes.yar | 233 +
.../Florian Roth/spy_regin_fiveeyes.yar | 353 +
yara-mikesxrs/Florian Roth/thor-hacktools.yar | 3324 +
yara-mikesxrs/Florian Roth/thor-webshells.yar | 8723 ++
.../Florian Roth/thor_inverse_matches.yar | 356 +
.../Florian Roth/threat_lenovo_superfish.yar | 23 +
yara-mikesxrs/GoDaddy/IsElfFile.yara | 6 +
yara-mikesxrs/GoDaddy/IsPeFile.yara | 6 +
yara-mikesxrs/GoDaddy/IsZipFile.yara | 6 +
yara-mikesxrs/GoDaddy/alphacrypt.yara | 15 +
yara-mikesxrs/GoDaddy/appraisel.yara | 28 +
yara-mikesxrs/GoDaddy/aspack.yara | 16 +
yara-mikesxrs/GoDaddy/emotet.yara | 322 +
yara-mikesxrs/GoDaddy/granite_coroner.yara | 64 +
yara-mikesxrs/GoDaddy/l_exe.yara | 10 +
yara-mikesxrs/GoDaddy/mimikatz.yara | 25 +
yara-mikesxrs/GoDaddy/reign.yara | 26 +
yara-mikesxrs/GoDaddy/rlpack.yara | 15 +
yara-mikesxrs/GoDaddy/sogu_packer.yara | 14 +
yara-mikesxrs/GoDaddy/turla.yara | 26 +
yara-mikesxrs/GoDaddy/upx.yara | 18 +
yara-mikesxrs/GoDaddy/vmprotect.yara | 17 +
yara-mikesxrs/GoDaddy/wiper.yara | 77 +
yara-mikesxrs/HP_Security/doc_efax_buran.yar | 17 +
yara-mikesxrs/HP_Security/js_RATDispenser.yar | 31 +
.../HP_Security/js_downloader_gootloader.yar | 27 +
...bot_maldoc_embedded_dll_september_2020.yar | 18 +
yara-mikesxrs/HP_Security/win_l0rdix.yar | 25 +
yara-mikesxrs/HP_Security/win_ostap_jse.yar | 18 +
.../HP_Security/xll_custom_builder.yar | 19 +
.../HorribleCanoe/HorribleCanoe_index.yara | 179 +
.../HorribleCanoe/compiled_autoit.yara | 7 +
.../connection_manager_phonebook.yara | 28 +
yara-mikesxrs/HorribleCanoe/delphi-wlan.yara | 27 +
yara-mikesxrs/HorribleCanoe/ejects_cdrom.yara | 9 +
.../HorribleCanoe/lowers_security.yara | 10 +
yara-mikesxrs/HorribleCanoe/pcre.yara | 74 +
.../HorribleCanoe/reads_clipboard.yara | 16 +
.../Adobe_Flash_DRM_Use_After_Free.yar | 35 +
yara-mikesxrs/InQuest/AgentTesla.yar | 54 +
.../InQuest/CVE_2018_4878_0day_ITW.yar | 62 +
yara-mikesxrs/InQuest/Embedded_PE_File.yar | 14 +
yara-mikesxrs/InQuest/Excel_IQY_File.yar | 20 +
.../Excel_IQY_File_Suspicious_Request.yar | 69 +
.../Excel_IQY_File_With_file_extension.yar | 26 +
yara-mikesxrs/InQuest/Hiddenbee.yar | 58 +
yara-mikesxrs/InQuest/MC_Office_DDE.yar | 91 +
...fice_Document_with_Embedded_Flash_File.yar | 19 +
.../InQuest/NTLM_Credential_Theft_via_PDF.yar | 59 +
.../RTF_Byte_Nibble_Obfuscation_method.yar | 96 +
yara-mikesxrs/Intezer/1 | 1 +
yara-mikesxrs/Intezer/APT15.yar | 48 +
yara-mikesxrs/Intezer/AgeLocker.yar | 19 +
yara-mikesxrs/Intezer/ChinaZ_Managers.yar | 60 +
yara-mikesxrs/Intezer/DarkComet.yar | 262 +
yara-mikesxrs/Intezer/Doki_Attack.yar | 17 +
yara-mikesxrs/Intezer/ElectroRAT | 21 +
yara-mikesxrs/Intezer/EvilGnome.yar | 49 +
yara-mikesxrs/Intezer/Gh0stRAT.yar | 37 +
yara-mikesxrs/Intezer/GreedyAntd.yar | 13 +
yara-mikesxrs/Intezer/HiddenWasp.yar | 44 +
yara-mikesxrs/Intezer/IPStorm.yar | 18 +
yara-mikesxrs/Intezer/Iranian_Wipers.yar | 111 +
yara-mikesxrs/Intezer/Lazarus_2020.yar | 32 +
yara-mikesxrs/Intezer/NexePirateSteal.yar | 13 +
yara-mikesxrs/Intezer/QNAPCrypt.yar | 19 +
yara-mikesxrs/Intezer/RedDelta.yar | 59 +
yara-mikesxrs/Intezer/Rekoobe.yar | 16 +
yara-mikesxrs/Intezer/RussianAPT.yar | 7634 ++
yara-mikesxrs/Intezer/Trickbot.yar | 184 +
yara-mikesxrs/Intezer/WatchBog.yar | 25 +
yara-mikesxrs/Ironnet/nspps_RC4_Key.yar | 13 +
.../Ironnet/nspss_executable_strings.yar | 47 +
yara-mikesxrs/JSCU-NL/COATHANGER_beacon.yar | 23 +
yara-mikesxrs/JSCU-NL/COATHANGER_files.yar | 22 +
yara-mikesxrs/Jipe_/AutoIT.yar | 15 +
yara-mikesxrs/Jipe_/BlackShades.yar | 20 +
yara-mikesxrs/Jipe_/Bolonyokte.yar | 45 +
yara-mikesxrs/Jipe_/Cerberus.yar | 18 +
yara-mikesxrs/Jipe_/Citadel.yar | 22 +
yara-mikesxrs/Jipe_/DarkComet.yar | 19 +
yara-mikesxrs/Jipe_/Dotfuscator.yar | 15 +
yara-mikesxrs/Jipe_/Ice-IX.yar | 21 +
yara-mikesxrs/Jipe_/Jipe__index.yara | 491 +
yara-mikesxrs/Jipe_/NetWiredRC_B.yar | 42 +
yara-mikesxrs/Jipe_/PlugX.yar | 22 +
yara-mikesxrs/Jipe_/Poisonivy.yar | 16 +
yara-mikesxrs/Jipe_/Qadars.yar | 26 +
yara-mikesxrs/Jipe_/Shylock.yar | 49 +
yara-mikesxrs/Jipe_/Spyeye.yar | 64 +
yara-mikesxrs/Jipe_/Swrort.yar | 15 +
yara-mikesxrs/Jipe_/Terminator.yar | 17 +
yara-mikesxrs/Jipe_/XTremRat.yar | 21 +
yara-mikesxrs/Jipe_/jRAT_conf.yar | 17 +
yara-mikesxrs/Jipe_/office_document_vba.yar | 22 +
.../Kevin Falcoz/BlackShades_Trojan.yar | 17 +
.../Kevin Falcoz/Bublik_Downloader.yar | 14 +
.../Kevin Falcoz/Grozlex_Stealer.yar | 13 +
.../Kevin Falcoz/Kevin_Falcoz_index.yara | 437 +
yara-mikesxrs/Kevin Falcoz/Packers.yar | 216 +
yara-mikesxrs/Kevin Falcoz/Wabot_Worm.yar | 14 +
yara-mikesxrs/Kevin Falcoz/YahLover_Worm.yar | 13 +
yara-mikesxrs/Kevin Falcoz/Zegost_Trojan.yar | 14 +
yara-mikesxrs/Kevin Falcoz/compilers.yar | 88 +
.../Kevin Falcoz/lost_door_Trojan.yar | 13 +
.../universal_1337_stealer_serveur.yar | 16 +
yara-mikesxrs/Kevin Falcoz/xtreme_rat.yar | 13 +
yara-mikesxrs/Koodous/ASSDdeveloper.yar | 24 +
yara-mikesxrs/Koodous/Android.yar | 16 +
.../Koodous/Android_VirusPolicia.yar | 43 +
yara-mikesxrs/Koodous/Android_adware.yar | 22 +
yara-mikesxrs/Koodous/Android_mapin.yar | 44 +
.../Koodous/BatteryBot_ClickFraud.yar | 25 +
yara-mikesxrs/Koodous/ChinesePorn.yar | 75 +
yara-mikesxrs/Koodous/Drendoid_RAT.yar | 48 +
yara-mikesxrs/Koodous/FakeApps.yar | 103 +
yara-mikesxrs/Koodous/Fake_MosKow.yar | 27 +
yara-mikesxrs/Koodous/HackingTeam.yar | 51 +
yara-mikesxrs/Koodous/Koodous_index.yara | 99 +
yara-mikesxrs/Koodous/MalwareCertificates.yar | 27 +
yara-mikesxrs/Koodous/Ramsonware.yar | 111 +
yara-mikesxrs/Koodous/SMSsender.yar | 99 +
yara-mikesxrs/Koodous/Tinhvan.yar | 24 +
yara-mikesxrs/Koodous/generic_adware.yar | 20 +
yara-mikesxrs/Koodous/generic_smsfraud.yar | 38 +
yara-mikesxrs/Koodous/koler_ransomware.yar | 62 +
yara-mikesxrs/Koodous/malware_Advertising.yar | 22 +
yara-mikesxrs/Koodous/malware_Dropper.yar | 16 +
yara-mikesxrs/Koodous/mobidash.yar | 25 +
yara-mikesxrs/Koodous/realshell.yar | 10 +
yara-mikesxrs/Koodous/xbot007.yar | 16 +
yara-mikesxrs/LastLine/AgentTesla.yar | 12 +
yara-mikesxrs/M4r14ch1/Havex_NetScan.yar | 16 +
yara-mikesxrs/Mandiant/Backdoor_Win_C3_1.yar | 20 +
.../Mandiant/Dropper_Win_Darkside_1.yar | 19 +
yara-mikesxrs/Mandiant/LOCKBIT_Note_PE_v1.yar | 32 +
yara-mikesxrs/Mandiant/LOCKBIT_Note_PE_v2.yar | 29 +
...I_Hunting_AsRockDriver_Exploit_Generic.yar | 29 +
.../MTI_Hunting_AsRockDriver_Exploit_PDB.yar | 30 +
.../MTI_Hunting_INDUSTROYERv2_Bytes.yar | 29 +
.../MTI_Hunting_INDUSTROYERv2_Strings.yar | 58 +
.../Mandiant/M_APT_Downloader_BEATDROP.yar | 30 +
.../Mandiant/M_APT_Downloader_BOOMMIC.yar | 36 +
yara-mikesxrs/Mandiant/QUIETEXIT_strings.yar | 37 +
.../Mandiant/REGEORG_Tuneller_generic.yar | 40 +
.../Ransomware_Win_DARKSIDE_v1__1.yar | 13 +
yara-mikesxrs/Mandiant/UNC3524_sha1.yar | 25 +
yara-mikesxrs/Mandiant/atrium.yar | 17 +
yara-mikesxrs/Mandiant/atrium2.yar | 18 +
yara-mikesxrs/Mandiant/bloodbank.yar | 14 +
yara-mikesxrs/Mandiant/bloodbank2.yar | 15 +
yara-mikesxrs/Mandiant/bloodmine.yar | 13 +
yara-mikesxrs/Mandiant/bloodmine2.yar | 15 +
yara-mikesxrs/Mandiant/cleanpulse.yar | 17 +
yara-mikesxrs/Mandiant/cleanpulse2.yar | 16 +
yara-mikesxrs/Mandiant/hardpulse.yar | 21 +
yara-mikesxrs/Mandiant/lockpick.yar | 16 +
yara-mikesxrs/Mandiant/pacemaker_linux32.yar | 19 +
yara-mikesxrs/Mandiant/pacemaker_linux64.yar | 18 +
yara-mikesxrs/Mandiant/pulsecheck.yar | 22 +
yara-mikesxrs/Mandiant/pulsejump.yar | 18 +
yara-mikesxrs/Mandiant/quietpulse.yar | 20 +
yara-mikesxrs/Mandiant/radialpulse.yar | 19 +
yara-mikesxrs/Mandiant/radialpulse2.yar | 19 +
yara-mikesxrs/Mandiant/radialpulse3.yar | 19 +
yara-mikesxrs/Mandiant/rapidpulse.yar | 16 +
yara-mikesxrs/Mandiant/slightpulse.yar | 19 +
yara-mikesxrs/Mandiant/slowpulse.yar | 20 +
yara-mikesxrs/Mandiant/slowpulse2.yar | 15 +
yara-mikesxrs/Mandiant/steadypulse.yar | 21 +
yara-mikesxrs/Mandiant/thinblood.yar | 17 +
yara-mikesxrs/Mandiant/thinblood2.yar | 18 +
yara-mikesxrs/Mandiant/thinblood3.yar | 12 +
yara-mikesxrs/McAfee/APT_KimSuky_dllbckdr.yar | 43 +
yara-mikesxrs/McAfee/BadRabbit_Ransomware.yar | 39 +
.../McAfee/CTB_Locker_Ransomware.yar | 16 +
yara-mikesxrs/McAfee/CredStealer.yar | 25 +
yara-mikesxrs/McAfee/CryptoLocker_rule2.yar | 27 +
yara-mikesxrs/McAfee/CryptoLocker_set1.yar | 29 +
yara-mikesxrs/McAfee/GPGQwerty_ransomware.yar | 27 +
yara-mikesxrs/McAfee/McAfee_index.yara | 57 +
yara-mikesxrs/McAfee/NionSpy.yar | 19 +
yara-mikesxrs/McAfee/OLE_JSRAT.yar | 18 +
yara-mikesxrs/McAfee/SAmSAmRansom2016,yar | 50 +
.../McAfee/SamSam_Ransomware_Latest.yar | 47 +
yara-mikesxrs/McAfee/Spygate_2.9_RAT.yar | 17 +
yara-mikesxrs/McAfee/W97M_Vawtrak_dropper.yar | 20 +
yara-mikesxrs/McAfee/WannaCry.yar | 59 +
yara-mikesxrs/McAfee/kraken_ransomware.yar | 78 +
yara-mikesxrs/McAfee/rovnix_downloader.yar | 29 +
yara-mikesxrs/McAfee/shifu.yar | 17 +
.../Microsoft/DevilsTongue_HijackDll.yar | 45 +
yara-mikesxrs/Microsoft/Platinum.yara | 414 +
.../Mike Schladt/Mike_Schladt_index.yara | 70 +
.../apt_win_blackenergy3_core.yar | 49 +
.../apt_win_blackenergy3_installer.yar | 19 +
yara-mikesxrs/Mikesxrs/ALFA_TEaM_Shell_V1.yar | 21 +
yara-mikesxrs/Mikesxrs/ALFA_TEaM_Shell_V2.yar | 21 +
yara-mikesxrs/Mikesxrs/APT3_PDB_Paths.yar | 19 +
yara-mikesxrs/Mikesxrs/AppleJeus_PDB.yar | 19 +
yara-mikesxrs/Mikesxrs/Aurora_PDB.yar | 13 +
yara-mikesxrs/Mikesxrs/BADPATCH_PDB.yar | 18 +
yara-mikesxrs/Mikesxrs/CN_group_PDB.yar | 14 +
yara-mikesxrs/Mikesxrs/Cleaver_PDB.yar | 19 +
yara-mikesxrs/Mikesxrs/FREEMILK_PDB.yar | 16 +
yara-mikesxrs/Mikesxrs/Final1stspy_PDB.yar | 17 +
yara-mikesxrs/Mikesxrs/GravityRAT_G1-GX.yar | 62 +
yara-mikesxrs/Mikesxrs/Greenbug_PDB.yar | 15 +
.../Mikesxrs/HTTPBrowser_PDB_Path.yar | 13 +
yara-mikesxrs/Mikesxrs/HermeticWiperCert.yar | 11 +
yara-mikesxrs/Mikesxrs/IRONGATE_SCADA.yar | 35 +
yara-mikesxrs/Mikesxrs/JRAT.yar | 14 +
.../Mikesxrs/KASPERAGENT_MICROPSIA_PDB.yar | 23 +
yara-mikesxrs/Mikesxrs/KONNI_PDB.yar | 16 +
yara-mikesxrs/Mikesxrs/Luckymouse_cert.yar | 14 +
yara-mikesxrs/Mikesxrs/Nitlove_PoS.yar | 14 +
yara-mikesxrs/Mikesxrs/OSX_XSL.yar | 35 +
yara-mikesxrs/Mikesxrs/PDB_Arachnophobia.yar | 16 +
yara-mikesxrs/Mikesxrs/Pirates.yar | 14 +
yara-mikesxrs/Mikesxrs/PlugX_PDB_Paths.yar | 79 +
.../Mikesxrs/Poisioned_Hurricane_Certs.yar | 17 +
yara-mikesxrs/Mikesxrs/REHASHED_PDB.yar | 14 +
yara-mikesxrs/Mikesxrs/Ratty.yar | 17 +
.../Mikesxrs/SAFFRON_ROSE_PDB_PATH.yar | 13 +
yara-mikesxrs/Mikesxrs/Sengoku_PDB.yar | 24 +
yara-mikesxrs/Mikesxrs/SyberSpace_PDB.yar | 20 +
.../Syrian_Malware_Team_Blackworm.yar | 26 +
.../Mikesxrs/TropicTrooper_keyboy_PDB.yar | 34 +
.../android_tempting_cedar_spyware.yar | 15 +
yara-mikesxrs/NCCGroup/APT15.yar | 214 +
yara-mikesxrs/NCCGroup/ISMRAT.yar | 15 +
yara-mikesxrs/NCCGroup/Sakula.yar | 121 +
.../NCCGroup/authenticode_anomalies.yara | 16 +
yara-mikesxrs/NCCGroup/badwinmail.yara | 33 +
yara-mikesxrs/NCCGroup/heartbleed.yar | 12 +
yara-mikesxrs/NCCGroup/metaStealer_memory.yar | 14 +
yara-mikesxrs/NCCGroup/package_manager.yara | 121 +
yara-mikesxrs/NCCGroup/redleaves.yar | 51 +
.../NCCGroup/turla_neuron_nautilus.yar | 176 +
yara-mikesxrs/NCSC/SparrowDoor_apipatch.yar | 17 +
yara-mikesxrs/NCSC/SparrowDoor_clipshot.yar | 20 +
yara-mikesxrs/NCSC/SparrowDoor_config.yar | 14 +
yara-mikesxrs/NCSC/SparrowDoor_loader.yar | 15 +
yara-mikesxrs/NCSC/SparrowDoor_shellcode.yar | 15 +
.../NCSC/SparrowDoor_sleep_routine.yar | 12 +
yara-mikesxrs/NCSC/SparrowDoor_strings.yar | 23 +
yara-mikesxrs/NCSC/SparrowDoor_xor.yar | 14 +
yara-mikesxrs/NCSC/turla_neuron_nautilus.yar | 176 +
yara-mikesxrs/Nick Hoffman/Check_Debugger.yar | 11 +
yara-mikesxrs/Nick Hoffman/Check_Dlls.yar | 17 +
.../Nick Hoffman/Check_DriveSize.yar | 17 +
.../Nick Hoffman/Check_FilePaths.yar | 14 +
.../Nick Hoffman/Check_Qemu_Description.yar | 13 +
.../Nick Hoffman/Check_Qemu_DeviceMap.yar | 13 +
.../Nick Hoffman/Check_UserNames.yar | 16 +
.../Nick Hoffman/Check_VBox_Description.yar | 13 +
.../Nick Hoffman/Check_VBox_DeviceMap.yar | 13 +
.../Check_VBox_GuestAdditions.yar | 11 +
.../Nick Hoffman/Check_VBox_VideoDrivers.yar | 13 +
yara-mikesxrs/Nick Hoffman/Check_VMWare.yar | 13 +
yara-mikesxrs/Nick Hoffman/Check_VmTools.yar | 11 +
yara-mikesxrs/Nick Hoffman/Check_Wine.yar | 12 +
.../Nick Hoffman/Dropper_Hancitor.yar | 93 +
yara-mikesxrs/Nick Hoffman/N3utrino.yar | 24 +
.../Nick Hoffman/Nick_Hoffman_index.yara | 311 +
yara-mikesxrs/Nick Hoffman/bernhardpos.yar | 84 +
yara-mikesxrs/Nick Hoffman/korlia.yar | 55 +
yara-mikesxrs/Nick Hoffman/logpos.yar | 17 +
yara-mikesxrs/Nick Hoffman/mozart.yar | 15 +
yara-mikesxrs/Niels Warnars/encoded_vbs.yar | 14 +
.../Niels Warnars/office_filetype.yar | 160 +
yara-mikesxrs/Novetta/DeltaCharlie.yara | 21 +
yara-mikesxrs/Novetta/Derusbi_Server.yar | 15 +
yara-mikesxrs/Novetta/HotelAlfa.yara | 35 +
yara-mikesxrs/Novetta/IndiaAlfa.yara | 29 +
yara-mikesxrs/Novetta/IndiaBravo.yara | 122 +
yara-mikesxrs/Novetta/IndiaCharlie.yara | 32 +
yara-mikesxrs/Novetta/IndiaDelta.yara | 37 +
yara-mikesxrs/Novetta/IndiaEcho.yara | 54 +
yara-mikesxrs/Novetta/IndiaGolf.yara | 43 +
yara-mikesxrs/Novetta/IndiaHotel.yara | 29 +
yara-mikesxrs/Novetta/IndiaJuliett.yara | 76 +
yara-mikesxrs/Novetta/IndiaWhiskey.yara | 65 +
yara-mikesxrs/Novetta/KiloAlfa.yara | 83 +
yara-mikesxrs/Novetta/LimaAlfa.yara | 40 +
yara-mikesxrs/Novetta/LimaBravo.yara | 34 +
yara-mikesxrs/Novetta/LimaCharlie.yara | 65 +
yara-mikesxrs/Novetta/LimaDelta.yara | 72 +
yara-mikesxrs/Novetta/Novetta_index.yara | 3068 +
yara-mikesxrs/Novetta/PapaAlfa.yara | 15 +
yara-mikesxrs/Novetta/RomeoAlfa.yara | 68 +
yara-mikesxrs/Novetta/RomeoBravo.yara | 57 +
yara-mikesxrs/Novetta/RomeoCharlie.yara | 87 +
yara-mikesxrs/Novetta/RomeoDelta.yara | 33 +
yara-mikesxrs/Novetta/RomeoEcho.yara | 18 +
yara-mikesxrs/Novetta/RomeoFoxtrot.yara | 56 +
yara-mikesxrs/Novetta/RomeoGolf.yara | 31 +
yara-mikesxrs/Novetta/RomeoHotel.yara | 76 +
yara-mikesxrs/Novetta/RomeoWhiskey.yara | 85 +
yara-mikesxrs/Novetta/SierraAlfa.yara | 73 +
yara-mikesxrs/Novetta/SierraBravo.yara | 114 +
yara-mikesxrs/Novetta/SierraCharlie.yara | 39 +
.../Novetta/SierraJuliettMikeOne.yara | 34 +
.../Novetta/SierraJuliettMikeTwo.yara | 73 +
yara-mikesxrs/Novetta/TangoAlfa.yara | 19 +
yara-mikesxrs/Novetta/TangoBravo.yara | 43 +
yara-mikesxrs/Novetta/UniformAlfa.yara | 37 +
yara-mikesxrs/Novetta/UniformJuliett.yara | 40 +
yara-mikesxrs/Novetta/WhiskeyAlfa.yara | 69 +
yara-mikesxrs/Novetta/WhiskeyBravo.yara | 49 +
yara-mikesxrs/Novetta/WhiskeyCharlie.yara | 83 +
yara-mikesxrs/Novetta/WhiskeyDelta.yara | 66 +
yara-mikesxrs/Novetta/cert_wiper.yara | 261 +
yara-mikesxrs/Novetta/general.yara | 66 +
yara-mikesxrs/Novetta/hidkit.yar | 13 +
yara-mikesxrs/Novetta/hikit.yar | 20 +
yara-mikesxrs/Novetta/hikit2.yar | 13 +
yara-mikesxrs/Novetta/mastersig.yara | 72 +
yara-mikesxrs/Novetta/sharedcode.yara | 457 +
yara-mikesxrs/Novetta/suicidescripts.yara | 42 +
yara-mikesxrs/Novetta/zox.yar | 12 +
yara-mikesxrs/Nvisio/CCleaner.yar | 33 +
yara-mikesxrs/Nvisio/Office_DDE.yar | 40 +
yara-mikesxrs/PL CERT/Madprotect_packer.yar | 27 +
.../PL CERT/Polish_Bankbot_mobile.yar | 42 +
yara-mikesxrs/PL CERT/cryptomix_packer.yar | 17 +
yara-mikesxrs/PL CERT/cryptomix_payload.yar | 19 +
yara-mikesxrs/PL CERT/kbot.yar | 17 +
yara-mikesxrs/PL CERT/necurs.yar | 31 +
yara-mikesxrs/PL CERT/nymaim.yar | 26 +
yara-mikesxrs/PL CERT/ramnit.yar | 62 +
yara-mikesxrs/PL CERT/sage.yar | 26 +
yara-mikesxrs/PL CERT/tofsee.yar | 35 +
yara-mikesxrs/PWC/Elise_lstudio.yar | 25 +
yara-mikesxrs/PWC/Lightserver_variant_B.yar | 38 +
yara-mikesxrs/PWC/MSSUP.yar | 46 +
yara-mikesxrs/PWC/OrcaRAT.yar | 34 +
yara-mikesxrs/PWC/Tendrit_2014.yar | 49 +
yara-mikesxrs/PWC/smbWormTool.yar | 39 +
.../Pasquale Stirparo/beef_hooked.yar | 36 +
.../UNC5221_WIREFIRE_Webshell.yar | 14 +
yara-mikesxrs/RSA/Artifact_ORION_aPlib.yar | 15 +
yara-mikesxrs/RSA/Kingslayer_codekey.yar | 18 +
yara-mikesxrs/RSA/PNGRat.yar | 39 +
yara-mikesxrs/RSA/RSA_index.yar | 150 +
yara-mikesxrs/RSA/RTF_Shellcode.yar | 16 +
yara-mikesxrs/RSA/Squiblydoo.yar | 21 +
yara-mikesxrs/RSA/TROJAN_Notepad.yar | 13 +
yara-mikesxrs/RSA/Trojan_Derusbi.yar | 22 +
.../RSA/Trojan_Derusbi_AP32_Orion.yar | 27 +
yara-mikesxrs/RSA/Trojan_HIKIT.yar | 20 +
yara-mikesxrs/RSA/Trojan_Lurker2_ORION.yar | 18 +
yara-mikesxrs/RSA/liudoor.yar | 26 +
yara-mikesxrs/Rapid7/KeyBoy_Backdoor.yar | 17 +
yara-mikesxrs/Rapid7/KeyBoy_Dropper.yar | 17 +
yara-mikesxrs/Rapid7/Rapid7_index.yara | 36 +
.../TEMP.Periscope_Spearphish.yar | 19 +
.../Recorded Future/ext4_linuxlistener.yar | 19 +
.../ReversingLabs/BadRabbitRansomware.yar | 56 +
.../ReversingLabs/CVE_2017_11882.yar | 24 +
.../ReversingLabs/Rana_Android_resources.yar | 11 +
yara-mikesxrs/ReversingLabs/Unpacker_Stub.yar | 13 +
.../ReversingLabs/image_eval_hunt.yar | 13 +
.../ReversingLabs/obfuscated_dde.yar | 12 +
yara-mikesxrs/Root 9B/PoSLURP | 175 +
.../SadFud/DMALocker-All-Versions.yara | 18 +
yara-mikesxrs/SadFud/Remcos_RAT.yara | 16 +
yara-mikesxrs/SadFud/Ripper_ATM.yara | 17 +
yara-mikesxrs/SadFud/SadFud_index.yara | 95 +
.../Secuinfra/APT_Bitter_Almond_Rat.yar | 39 +
.../Secuinfra/APT_Bitter_Maldoc_Verify.yar | 41 +
.../Secuinfra/APT_Bitter_PDB_Paths.yar | 33 +
.../Secuinfra/APT_Bitter_ZxxZ_Downloader.yar | 49 +
yara-mikesxrs/SenseCy/ORXLocker.yar | 23 +
yara-mikesxrs/SenseCy/njrat_08d.yar | 23 +
yara-mikesxrs/Seth Hardy/3102.yar | 40 +
yara-mikesxrs/Seth Hardy/9002.yar | 47 +
yara-mikesxrs/Seth Hardy/APT_NGO_wuaclt.yar | 26 +
yara-mikesxrs/Seth Hardy/Babar.yar | 33 +
yara-mikesxrs/Seth Hardy/GeorBot.yar | 17 +
yara-mikesxrs/Seth Hardy/Scieron.yar | 27 +
.../Seth Hardy/Seth_Hardy_index.yara | 2381 +
yara-mikesxrs/Seth Hardy/Swisyn.yar | 83 +
yara-mikesxrs/Seth Hardy/Waterbug.yar | 160 +
yara-mikesxrs/Seth Hardy/apt1.yar | 1182 +
yara-mikesxrs/Seth Hardy/bangat.yar | 45 +
yara-mikesxrs/Seth Hardy/boouset.yar | 42 +
yara-mikesxrs/Seth Hardy/comfoo.yar | 43 +
yara-mikesxrs/Seth Hardy/cookies.yar | 38 +
yara-mikesxrs/Seth Hardy/cxpid.yar | 43 +
yara-mikesxrs/Seth Hardy/enfal.yar | 69 +
yara-mikesxrs/Seth Hardy/ezcob.yar | 28 +
yara-mikesxrs/Seth Hardy/f0xy.yar | 14 +
yara-mikesxrs/Seth Hardy/fakem.yar | 42 +
yara-mikesxrs/Seth Hardy/favorite.yar | 42 +
yara-mikesxrs/Seth Hardy/glasses.yar | 43 +
yara-mikesxrs/Seth Hardy/hangover.yar | 307 +
yara-mikesxrs/Seth Hardy/iexpl0re.yar | 58 +
yara-mikesxrs/Seth Hardy/imuler.yar | 61 +
yara-mikesxrs/Seth Hardy/insta11.yar | 43 +
yara-mikesxrs/Seth Hardy/kins.yar | 44 +
yara-mikesxrs/Seth Hardy/leverage.yar | 18 +
yara-mikesxrs/Seth Hardy/luckycat.yar | 46 +
yara-mikesxrs/Seth Hardy/lurk0+cctv0.yar | 121 +
yara-mikesxrs/Seth Hardy/maccontrol.yar | 47 +
yara-mikesxrs/Seth Hardy/mask.yar | 85 +
yara-mikesxrs/Seth Hardy/mirage.yar | 25 +
yara-mikesxrs/Seth Hardy/mongal.yar | 41 +
yara-mikesxrs/Seth Hardy/naikon.yar | 45 +
yara-mikesxrs/Seth Hardy/naspyupdate.yar | 42 +
yara-mikesxrs/Seth Hardy/nettraveler.yar | 88 +
yara-mikesxrs/Seth Hardy/nsfree.yar | 44 +
yara-mikesxrs/Seth Hardy/olyx.yar | 38 +
yara-mikesxrs/Seth Hardy/plugx.yar | 52 +
yara-mikesxrs/Seth Hardy/pubsab.yar | 40 +
yara-mikesxrs/Seth Hardy/quarian.yar | 64 +
yara-mikesxrs/Seth Hardy/regsubdat.yar | 47 +
yara-mikesxrs/Seth Hardy/remote.yar | 81 +
yara-mikesxrs/Seth Hardy/rookie.yar | 43 +
yara-mikesxrs/Seth Hardy/rooter.yar | 44 +
yara-mikesxrs/Seth Hardy/safenet.yar | 42 +
yara-mikesxrs/Seth Hardy/scarhikn.yar | 41 +
yara-mikesxrs/Seth Hardy/shell_crew.yar | 32 +
yara-mikesxrs/Seth Hardy/surtr.yar | 51 +
yara-mikesxrs/Seth Hardy/t5000.yar | 37 +
yara-mikesxrs/Seth Hardy/urausy_skypedat.yar | 14 +
yara-mikesxrs/Seth Hardy/vidgrab.yar | 46 +
yara-mikesxrs/Seth Hardy/warp.yar | 42 +
yara-mikesxrs/Seth Hardy/wimmie.yar | 45 +
yara-mikesxrs/Seth Hardy/xtreme.yar | 42 +
yara-mikesxrs/Seth Hardy/yayih.yar | 42 +
.../Spider-labs/Spiderlabs_index.yara | 115 +
.../Spider-labs/apacheInjection.yara | 47 +
yara-mikesxrs/Spider-labs/cherryPicker.yar | 35 +
yara-mikesxrs/Spider-labs/punkey.yar | 31 +
yara-mikesxrs/Stairwell/MauiRansomware.yar | 31 +
.../Stairwell/NK_GOLDBACKDOOR_LNK.yar | 14 +
.../Stairwell/NK_GOLDBACKDOOR_LNK_payload.yar | 12 +
.../Stairwell/NK_GOLDBACKDOOR_Main.yar | 21 +
.../NK_GOLDBACKDOOR_generic_shellcode.yar | 13 +
.../NK_GOLDBACKDOOR_inital_shellcode.yar | 21 +
.../NK_GOLDBACKDOOR_injected_shellcode.yar | 16 +
.../Stairwell/NK_GOLDBACKDOOR_obf_payload.yar | 12 +
.../TTP_Mutation_StackPush_Windows_DLLs.yar | 41 +
yara-mikesxrs/Storm Shield/AcidRain.yar | 35 +
yara-mikesxrs/Storm Shield/AgentTesla.yar | 18 +
.../Tenable/Generic_JSP_Webshell.yar | 14 +
yara-mikesxrs/Tenable/Tenablebot.yar | 14 +
yara-mikesxrs/Tenable/UPX_PACKED.yar | 8 +
yara-mikesxrs/Tenable/cerber3.yar | 21 +
yara-mikesxrs/Tenable/elf_format.yar | 77 +
yara-mikesxrs/Tenable/fopo_webshell.yar | 16 +
yara-mikesxrs/Tenable/kaiten.yar | 23 +
yara-mikesxrs/Tenable/obfuscated_php.yar | 49 +
yara-mikesxrs/Tenable/pbot.yar | 19 +
yara-mikesxrs/Tenable/venom.yar | 20 +
.../ThreatStreamLabs/PyInstaller_Binary.yar | 17 +
yara-mikesxrs/Trend Micro/FighterPOS.yar | 92 +
.../Trend Micro/PoS_Malware_MalumPOS.yar | 17 +
.../PoS_Malware_NewPOSThings2015.yar | 23 +
.../PoS_Malware_RawPOS2015_dumper.yar | 22 +
.../PoS_Malware_RawPOS2015_dumper_old.yar | 24 +
.../PoS_Malware_RawPOS2015_service.yar | 24 +
yara-mikesxrs/Trend Micro/VBS.yar | 22 +
yara-mikesxrs/Trend Micro/cracked_loki.yar | 19 +
.../crime_linux_umbreon _ rootkit.yar | 60 +
yara-mikesxrs/US CERT/APT10 Dropper.yar | 12 +
.../US CERT/APT10 Redleaves Plugx.yar | 29 +
.../US CERT/APT10 Redleaves loader.yar | 13 +
yara-mikesxrs/US CERT/APT10 Redleaves.yar | 14 +
.../US CERT/APT10 redleaves handkerchief.yar | 12 +
yara-mikesxrs/US CERT/APT28_IMPLANT_1.yara | 93 +
yara-mikesxrs/US CERT/APT28_IMPLANT_2.yara | 311 +
yara-mikesxrs/US CERT/APT28_IMPLANT_3.yara | 49 +
yara-mikesxrs/US CERT/APT28_IMPLANT_5.yara | 192 +
yara-mikesxrs/US CERT/APT28_IMPLANT_6.yara | 125 +
yara-mikesxrs/US CERT/APT28_implant_4.yara | 420 +
yara-mikesxrs/US CERT/APT29_IMPLANT_10.yara | 31 +
yara-mikesxrs/US CERT/APT29_IMPLANT_11.yara | 20 +
yara-mikesxrs/US CERT/APT29_IMPLANT_12.yara | 13 +
yara-mikesxrs/US CERT/APT29_IMPLANT_7.yara | 15 +
yara-mikesxrs/US CERT/APT29_IMPLANT_8.yara | 40 +
yara-mikesxrs/US CERT/APT29_IMPLANT_9.yara | 15 +
yara-mikesxrs/US CERT/APT29_unidentified.yara | 23 +
.../US CERT/Destructive_Hard_Drive_Tool.yar | 21 +
.../Destructive_Target_Cleaning_Tool.yar | 15 +
.../Destructive_Target_Cleaning_Tool_2.yar | 15 +
.../Destructive_Target_Cleaning_Tool_3.yar | 17 +
.../Destructive_Target_Cleaning_Tool_5.yar | 14 +
.../Destructive_Target_Cleaning_Tool_6.yar | 19 +
.../Destructive_Target_Cleaning_Tool_7.yar | 15 +
.../Destructive_Target_Cleaning_Tool_8.yar | 14 +
yara-mikesxrs/US CERT/Dragonfly.yar | 118 +
yara-mikesxrs/US CERT/Dragonfly2.0.yar | 305 +
.../US CERT/HIDDENCOBRA_RSA_MODULUS.yar | 14 +
yara-mikesxrs/US CERT/HIDDEN_COBRA.yar | 69 +
yara-mikesxrs/US CERT/Hidden Cobra Enfal.yar | 29 +
.../US CERT/Hidden_Cobra_DPRK_DDoS_Tool.yara | 40 +
.../US CERT/Lightweight_Backdoor.yar | 14 +
.../US CERT/Lightweight_Backdoor_2.yar | 15 +
.../US CERT/Lightweight_Backdoor_3.yar | 15 +
.../US CERT/Lightweight_Backdoor_4.yar | 16 +
.../US CERT/Lightweight_Backdoor_5.yar | 15 +
.../US CERT/Lightweight_Backdoor_6.yar | 15 +
.../Malware_used_by_cyber_threat_actor_1.yar | 16 +
.../Malware_used_by_cyber_threat_actor_2.yar | 20 +
.../Malware_used_by_cyber_threat_actor_3.yar | 13 +
.../US CERT/PAS_TOOL_PHP_WEB_KIT.yar | 18 +
yara-mikesxrs/US CERT/Proxy Tool.yar | 14 +
yara-mikesxrs/US CERT/Proxy_Tool_2.yar | 14 +
yara-mikesxrs/US CERT/Proxy_Tool_3.yar | 12 +
yara-mikesxrs/US CERT/SMB_Worm_Tool.yar | 18 +
yara-mikesxrs/US CERT/US_CERT_index.yara | 369 +
yara-mikesxrs/US CERT/WannaCry.yara | 46 +
yara-mikesxrs/US CERT/fallchill.yar | 25 +
yara-mikesxrs/US CERT/hatman.yar | 111 +
yara-mikesxrs/VectraThreatLab/re.yar | 1172 +
.../Vinsula_Sayad_Binder_infostealer.yar | 20 +
.../Vinsula_Sayad_Client_infostealer.yar | 36 +
yara-mikesxrs/Vinsula/Vinsula_index.yara | 57 +
yara-mikesxrs/Volexity/apt_macOS_gimmick.yar | 53 +
.../Volexity/apt_py_bluelight_ldr.yar | 20 +
.../Volexity/apt_rb_rokrat_loader.yar | 26 +
yara-mikesxrs/Volexity/apt_win_bluelight.yar | 32 +
.../Volexity/apt_win_bluelight_b.yar | 101 +
yara-mikesxrs/Volexity/apt_win_decrok.yar | 24 +
.../Volexity/apt_win_flipflop_ldr.yar | 19 +
yara-mikesxrs/Volexity/apt_win_freshfire.yar | 28 +
.../Volexity/apt_win_gimmick_dotnet_base.yar | 26 +
yara-mikesxrs/Volexity/apt_win_rokload.yar | 16 +
.../Volexity/ebshell_jsp_converge.yar | 16 +
.../general_java_encoding_and_classloader.yar | 20 +
...general_jsp_possible_tiny_fileuploader.yar | 36 +
.../Volexity/general_php_call_user_func.yar | 18 +
.../Volexity/general_php_fileinput_eval.yar | 18 +
.../Volexity/trojan_any_pupyrat_b.yar | 35 +
.../Volexity/trojan_backwash_iis_scout.yar | 28 +
.../Volexity/trojan_golang_pantegana.yar | 27 +
.../Volexity/trojan_win_backwash_cpp.yar | 19 +
.../Volexity/trojan_win_backwash_iis.yar | 25 +
.../Volexity/trojan_win_cobaltstrike.yar | 22 +
.../Volexity/trojan_win_iis_shellsave.yar | 20 +
yara-mikesxrs/Volexity/trojan_win_pngexe.yar | 31 +
.../Volexity/trojan_win_xe_backwash.yar | 33 +
yara-mikesxrs/Volexity/web_js_xeskimmer.yar | 33 +
.../Volexity/webshell_aspx_reGeorgTunnel.yar | 24 +
.../Volexity/webshell_aspx_simpleseesharp.yar | 20 +
.../Volexity/webshell_aspx_sportsball.yar | 25 +
.../webshell_java_behinder_shellservice.yar | 24 +
.../Volexity/webshell_java_realcmd.yar | 29 +
.../Volexity/webshell_php_icescorpion.yar | 20 +
.../webshell_php_str_replace_create_func.yar | 30 +
.../cs_hexlified_stager_sc.yar | 11 +
yara-mikesxrs/WithSecure/SILKLOADER.yar | 21 +
.../WithSecure/ducktail_artifacts.yar | 21 +
.../ducktail_dotnet_core_infostealer.yar | 104 +
.../WithSecure/ducktail_exceldna_packed.yar | 28 +
.../WithSecure/ducktail_nativeaot.yar | 23 +
yara-mikesxrs/Xecscan/Yarochkin.yar | 18 +
yara-mikesxrs/Xylitol/Malware.yar | 26 +
yara-mikesxrs/Xylitol/Zeus_1134.yar | 18 +
yara-mikesxrs/Xylitol/ibanking.yar | 19 +
yara-mikesxrs/Xylitol/malware_banker.yar | 42 +
yara-mikesxrs/Yoroi/CobianRAT.yar | 19 +
yara-mikesxrs/Zerk Labs/CVE_2012_0158_1.yar | 77 +
.../Zerk Labs/Intel_Virtualization_Wizard.yar | 33 +
yara-mikesxrs/Zerk Labs/Zerk_Labs_index.yara | 111 +
yara-mikesxrs/abhinavbom/APT.yara | 37 +
yara-mikesxrs/abhinavbom/Banbra-banker.yara | 17 +
yara-mikesxrs/abhinavbom/Duqu2-0.yara | 30 +
yara-mikesxrs/abhinavbom/XMLshell.yara | 18 +
.../abhinavbom/abhinavbom_index.yara | 322 +
yara-mikesxrs/abhinavbom/ghostRAT.yara | 19 +
yara-mikesxrs/abhinavbom/pos_malwares.yara | 18 +
.../abhinavbom/virustotal-rules.yara | 89 +
yara-mikesxrs/abhinavbom/vm-detect.yara | 86 +
yara-mikesxrs/adamburt/adamburt_index.yara | 167 +
yara-mikesxrs/adamburt/win_BackoffPOS.yara | 63 +
yara-mikesxrs/adamburt/win_Dexter.yara | 22 +
.../adamburt/win_metasploit_related.yara | 49 +
.../adamburt/win_trojan-poweliks-dropper.yara | 16 +
yara-mikesxrs/alienvault/APT1_GDOCUPLOAD.yar | 14 +
yara-mikesxrs/alienvault/APT1_GETMAIL.yar | 17 +
yara-mikesxrs/alienvault/APT1_HACKSFASE1.yar | 12 +
yara-mikesxrs/alienvault/APT1_HACKSFASE2.yar | 13 +
yara-mikesxrs/alienvault/APT1_LIGHTBOLT.yar | 14 +
yara-mikesxrs/alienvault/APT1_MAPIGET.yar | 16 +
.../alienvault/APT1_RARSilent_EXE_PDF.yar | 16 +
yara-mikesxrs/alienvault/APT1_Revird_svc.yar | 19 +
.../alienvault/APT1_TARSIP_ECLIPSE.yar | 14 +
yara-mikesxrs/alienvault/APT1_TARSIP_MOON.yar | 19 +
yara-mikesxrs/alienvault/APT1_WARP.yar | 15 +
.../alienvault/APT1_WEBC2_ADSPACE.yar | 12 +
yara-mikesxrs/alienvault/APT1_WEBC2_AUSOV.yar | 15 +
yara-mikesxrs/alienvault/APT1_WEBC2_BOLID.yar | 12 +
.../alienvault/APT1_WEBC2_CLOVER.yar | 17 +
yara-mikesxrs/alienvault/APT1_WEBC2_CSON.yar | 16 +
yara-mikesxrs/alienvault/APT1_WEBC2_DIV.yar | 14 +
.../alienvault/APT1_WEBC2_GREENCAT.yar | 14 +
yara-mikesxrs/alienvault/APT1_WEBC2_HEAD.yar | 14 +
yara-mikesxrs/alienvault/APT1_WEBC2_KT3.yar | 13 +
yara-mikesxrs/alienvault/APT1_WEBC2_QBP.yar | 15 +
yara-mikesxrs/alienvault/APT1_WEBC2_RAVE.yar | 14 +
yara-mikesxrs/alienvault/APT1_WEBC2_TABLE.yar | 14 +
yara-mikesxrs/alienvault/APT1_WEBC2_TOCK.yar | 13 +
yara-mikesxrs/alienvault/APT1_WEBC2_UGX.yar | 16 +
yara-mikesxrs/alienvault/APT1_WEBC2_Y21K.yar | 15 +
yara-mikesxrs/alienvault/APT1_WEBC2_YAHOO.yar | 13 +
yara-mikesxrs/alienvault/APT1_dbg_mess.yar | 17 +
.../APT1_known_malicious_RARSilent.yar | 14 +
yara-mikesxrs/alienvault/APT1_letusgo.yar | 11 +
yara-mikesxrs/alienvault/AURIGA_APT1.yar | 16 +
.../alienvault/AURIGA_driver_APT1.yar | 16 +
yara-mikesxrs/alienvault/BANGAT_APT1.yar | 21 +
.../alienvault/BISCUIT_GREENCAT_APT1.yar | 16 +
yara-mikesxrs/alienvault/BOUNCER_APT1.yar | 16 +
yara-mikesxrs/alienvault/BOUNCER_DLL_APT1.yar | 12 +
yara-mikesxrs/alienvault/CALENDAR_APT1.yar | 21 +
yara-mikesxrs/alienvault/CCREWBACK1.yar | 22 +
yara-mikesxrs/alienvault/COMBOS_APT1.yar | 18 +
yara-mikesxrs/alienvault/CVE2012XXXX.yar | 19 +
yara-mikesxrs/alienvault/CaptainWord.yar | 17 +
.../Careto generic malware signature.yar | 32 +
yara-mikesxrs/alienvault/Careto_CnC.yar | 13 +
.../alienvault/Careto_CnC_domains.yar | 12 +
yara-mikesxrs/alienvault/Careto_OSX_SBD.yar | 11 +
yara-mikesxrs/alienvault/Careto_SGH.yar | 14 +
yara-mikesxrs/alienvault/DAIRY_APT1.yar | 16 +
.../alienvault/DownloaderPossibleCCrew.yar | 16 +
.../alienvault/EclipseSunCloudRAT.yar | 17 +
yara-mikesxrs/alienvault/Elise.yar | 12 +
yara-mikesxrs/alienvault/EzuriLoader.yar | 16 +
yara-mikesxrs/alienvault/EzuriLoaderOSX.yar | 22 +
.../alienvault/FatalRAT_unpacked.yar | 16 +
yara-mikesxrs/alienvault/GEN_CCREW1.yar | 13 +
yara-mikesxrs/alienvault/GLOOXMAIL_APT1.yar | 16 +
yara-mikesxrs/alienvault/GOGGLES_APT1.yar | 16 +
yara-mikesxrs/alienvault/GeorBotBinary.yar | 11 +
yara-mikesxrs/alienvault/GeorBotMemory.yar | 12 +
yara-mikesxrs/alienvault/HACKSFASE1_APT1.yar | 11 +
yara-mikesxrs/alienvault/HACKSFASE2_APT1.yar | 13 +
.../alienvault/Hangover2_Downloader.yar | 22 +
.../alienvault/Hangover2_Keylogger.yar | 20 +
.../alienvault/Hangover2_backdoor_shell.yar | 19 +
.../alienvault/Hangover2_stealer.yar | 18 +
.../alienvault/Hangover_Appinbot.yar | 17 +
yara-mikesxrs/alienvault/Hangover_Auspo.yar | 14 +
yara-mikesxrs/alienvault/Hangover_Deksila.yar | 14 +
yara-mikesxrs/alienvault/Hangover_Foler.yar | 14 +
yara-mikesxrs/alienvault/Hangover_Fuddol.yar | 12 +
yara-mikesxrs/alienvault/Hangover_Gimwlog.yar | 15 +
yara-mikesxrs/alienvault/Hangover_Gimwup.yar | 14 +
.../alienvault/Hangover_Iconfall.yar | 14 +
yara-mikesxrs/alienvault/Hangover_Linog.yar | 16 +
.../alienvault/Hangover_Slidewin.yar | 26 +
.../Hangover_Smackdown_Downloader.yar | 25 +
.../alienvault/Hangover_Smackdown_various.yar | 20 +
.../alienvault/Hangover_Tymtin_Degrab.yar | 14 +
.../alienvault/Hangover_UpdateEx.yar | 17 +
.../Hangover_Vacrhan_Downloader.yar | 17 +
.../alienvault/Hangover_ron_babylon.yar | 43 +
.../Java0daycve2012xxxx_generic.yar | 19 +
yara-mikesxrs/alienvault/KINS_DLL_zeus.yar | 19 +
yara-mikesxrs/alienvault/KINS_dropper.yar | 24 +
yara-mikesxrs/alienvault/KURTON_APT1.yar | 14 +
.../alienvault/Keyboy_document_ppsx_sct.yar | 29 +
.../alienvault/Keyboy_mobile_titan.yar | 29 +
yara-mikesxrs/alienvault/LIGHTDART_APT1.yar | 14 +
yara-mikesxrs/alienvault/LONGRUN_APT1.yar | 14 +
yara-mikesxrs/alienvault/MACROMAIL_APT1.yar | 14 +
yara-mikesxrs/alienvault/MANITSME_APT1.yar | 22 +
yara-mikesxrs/alienvault/MINIASP_APT1.yar | 16 +
yara-mikesxrs/alienvault/MiniASP.yar | 13 +
yara-mikesxrs/alienvault/MoonProject.yar | 15 +
yara-mikesxrs/alienvault/NEWSREELS_APT1.yar | 19 +
yara-mikesxrs/alienvault/NKRivts.yar | 12 +
yara-mikesxrs/alienvault/OSX_Dok.yar | 34 +
yara-mikesxrs/alienvault/OSX_MacSpy.yar | 15 +
yara-mikesxrs/alienvault/OSX_Proton.B.yar | 30 +
.../alienvault/OSX_Proton_B_systemd.1.yar | 35 +
yara-mikesxrs/alienvault/PRISM.yar | 69 +
.../alienvault/PrismaticSuccessor.yar | 105 +
yara-mikesxrs/alienvault/SEASALT_APT1.yar | 16 +
yara-mikesxrs/alienvault/STARSYPOUND_APT1.yar | 15 +
yara-mikesxrs/alienvault/SWORD_APT1.yar | 15 +
yara-mikesxrs/alienvault/TABMSGSQL_APT1.yar | 15 +
.../alienvault/TrojanCookies_CCREW.yar | 17 +
.../alienvault/alienvault_index.yara | 2168 +
yara-mikesxrs/alienvault/avdetect_procs.yar | 210 +
yara-mikesxrs/alienvault/ccrewDownloader1.yar | 12 +
yara-mikesxrs/alienvault/ccrewDownloader2.yar | 14 +
yara-mikesxrs/alienvault/ccrewDownloader3.yar | 17 +
yara-mikesxrs/alienvault/ccrewMiniasp.yar | 13 +
yara-mikesxrs/alienvault/ccrewQAZ.yar | 12 +
yara-mikesxrs/alienvault/ccrewSSLBack1.yar | 13 +
yara-mikesxrs/alienvault/ccrewSSLBack2.yar | 12 +
yara-mikesxrs/alienvault/ccrewSSLBack3.yar | 12 +
yara-mikesxrs/alienvault/dbgdetect_files.yar | 15 +
yara-mikesxrs/alienvault/dbgdetect_funcs.yar | 23 +
yara-mikesxrs/alienvault/dbgdetect_procs.yar | 23 +
yara-mikesxrs/alienvault/leverage_a.yar | 18 +
yara-mikesxrs/alienvault/metaxcd.yar | 12 +
yara-mikesxrs/alienvault/nkminer_monero.yar | 35 +
.../alienvault/oceanlotus_constants.yar | 14 +
.../alienvault/oceanlotus_xor_decode.yar | 12 +
.../alienvault/sandboxdetect_misc.yar | 21 +
.../alienvault/thequickbrow_APT1.yar | 12 +
yara-mikesxrs/alienvault/urasay skype.yar | 14 +
yara-mikesxrs/alienvault/vmdetect_misc.yar | 83 +
yara-mikesxrs/arbor/Athena.yar | 56 +
yara-mikesxrs/arbor/Black_Revolution_DDoS.yar | 31 +
yara-mikesxrs/arbor/Computrace.yar | 23 +
yara-mikesxrs/arbor/buhtrapknock.yar | 20 +
yara-mikesxrs/arbor/chicken.yar | 35 +
yara-mikesxrs/arbor/dirtjumper_drive.yar | 24 +
yara-mikesxrs/arbor/dirtjumper_drive2.yar | 26 +
yara-mikesxrs/arbor/dirtjumper_drive3.yar | 26 +
yara-mikesxrs/arbor/flusihoc.yar | 38 +
yara-mikesxrs/ballastsecurity/alina.yara | 13 +
yara-mikesxrs/ballastsecurity/andromeda.yara | 13 +
yara-mikesxrs/ballastsecurity/athenahttp.yara | 20 +
yara-mikesxrs/ballastsecurity/backoff.yara | 13 +
.../ballastsecurity/blackshades.yara | 13 +
yara-mikesxrs/ballastsecurity/blackworm.yara | 21 +
yara-mikesxrs/ballastsecurity/cybergate.yara | 23 +
yara-mikesxrs/ballastsecurity/cythosia.yara | 11 +
yara-mikesxrs/ballastsecurity/darkcomet.yara | 12 +
yara-mikesxrs/ballastsecurity/dendroid.yara | 17 +
yara-mikesxrs/ballastsecurity/dexter.yara | 15 +
yara-mikesxrs/ballastsecurity/diamondfox.yara | 17 +
.../ballastsecurity/easterjackpos.yara | 13 +
yara-mikesxrs/ballastsecurity/elise.yara | 16 +
yara-mikesxrs/ballastsecurity/evora.yara | 17 +
yara-mikesxrs/ballastsecurity/genome.yara | 13 +
yara-mikesxrs/ballastsecurity/glassrat.yara | 11 +
yara-mikesxrs/ballastsecurity/herpes.yara | 15 +
yara-mikesxrs/ballastsecurity/jackpos.yara | 16 +
yara-mikesxrs/ballastsecurity/maazben.yara | 16 +
yara-mikesxrs/ballastsecurity/madnesspro.yar | 31 +
yara-mikesxrs/ballastsecurity/madnesspro.yara | 31 +
yara-mikesxrs/ballastsecurity/nanocore.yara | 15 +
yara-mikesxrs/ballastsecurity/njrat.yara | 19 +
yara-mikesxrs/ballastsecurity/pbot.yara | 13 +
yara-mikesxrs/ballastsecurity/poisonivy.yara | 19 +
yara-mikesxrs/ballastsecurity/pony.yara | 17 +
.../ballastsecurity/projecthook.yara | 13 +
yara-mikesxrs/ballastsecurity/solarbot.yara | 11 +
yara-mikesxrs/ballastsecurity/vertexnet.yara | 15 +
yara-mikesxrs/ballastsecurity/vskimmer.yara | 13 +
yara-mikesxrs/ballastsecurity/xtreme.yara | 22 +
yara-mikesxrs/bluecoat/Bluecoat_index.yara | 123 +
yara-mikesxrs/bluecoat/InceptionAndroid.yar | 13 +
.../bluecoat/InceptionBlackberry.yar | 17 +
yara-mikesxrs/bluecoat/InceptionDLL.yar | 27 +
yara-mikesxrs/bluecoat/InceptionIOS.yar | 15 +
yara-mikesxrs/bluecoat/InceptionMips.yar | 14 +
yara-mikesxrs/bluecoat/InceptionRTF.yar | 14 +
yara-mikesxrs/bluecoat/InceptionVBS.yar | 15 +
yara-mikesxrs/blueliv/WannaCryptor.yar | 118 +
yara-mikesxrs/blueliv/banswift.yar | 45 +
yara-mikesxrs/blueliv/banswift_wiper.yar | 12 +
yara-mikesxrs/blueliv/petya_eternalblue.yar | 18 +
yara-mikesxrs/carbon black/DPRK_ROKRAT.yar | 141 +
yara-mikesxrs/carbon black/PNG_dropper.yar | 95 +
yara-mikesxrs/carbon black/Plugx.yar | 39 +
yara-mikesxrs/carbon black/emotet.yar | 52 +
yara-mikesxrs/chuongdong/BabukRansomware.yar | 20 +
.../chuongdong/BabukRansomwareV3.yar | 21 +
yara-mikesxrs/chuongdong/ContiV2.yar | 19 +
.../chuongdong/DarksideRansomware1_8_6_2.yar | 16 +
yara-mikesxrs/chuongdong/MountLocker5_0.yar | 18 +
yara-mikesxrs/chuongdong/Regretlocker.yar | 21 +
.../clamsrch signatures/signsrch.yar | 22874 +++++
yara-mikesxrs/clearskysec/comlook.yar | 48 +
yara-mikesxrs/clearskysec/gholee.yar | 28 +
.../codewatchorg/angler_ek_checkpoint.yar | 10 +
.../codewatchorg/angler_ek_redirector.yar | 18 +
yara-mikesxrs/codewatchorg/angler_flash.yar | 28 +
yara-mikesxrs/codewatchorg/angler_flash2.yar | 28 +
yara-mikesxrs/codewatchorg/angler_flash4.yar | 30 +
yara-mikesxrs/codewatchorg/angler_flash5.yar | 26 +
.../angler_flash_uncompressed.yar | 31 +
yara-mikesxrs/codewatchorg/angler_html.yar | 32 +
yara-mikesxrs/codewatchorg/angler_html2.yar | 32 +
yara-mikesxrs/codewatchorg/angler_jar.yar | 23 +
yara-mikesxrs/codewatchorg/angler_js.yar | 31 +
yara-mikesxrs/codewatchorg/blackhole1_jar.yar | 26 +
yara-mikesxrs/codewatchorg/blackhole2_css.yar | 22 +
yara-mikesxrs/codewatchorg/blackhole2_htm.yar | 36 +
.../codewatchorg/blackhole2_htm10.yar | 37 +
.../codewatchorg/blackhole2_htm11.yar | 33 +
.../codewatchorg/blackhole2_htm12.yar | 36 +
.../codewatchorg/blackhole2_htm3.yar | 19 +
.../codewatchorg/blackhole2_htm5.yar | 34 +
.../codewatchorg/blackhole2_htm6.yar | 30 +
.../codewatchorg/blackhole2_htm8.yar | 28 +
yara-mikesxrs/codewatchorg/blackhole2_jar.yar | 27 +
.../codewatchorg/blackhole2_jar2.yar | 26 +
.../codewatchorg/blackhole2_jar3.yar | 26 +
yara-mikesxrs/codewatchorg/blackhole2_pdf.yar | 32 +
.../codewatchorg/blackhole_basic.yar | 7 +
.../bleedinglife2_adobe_2010_1297_exploit.yar | 31 +
.../bleedinglife2_adobe_2010_2884_exploit.yar | 31 +
.../codewatchorg/bleedinglife2_jar2.yar | 23 +
.../bleedinglife2_java_2010_0842_exploit.yar | 23 +
.../codewatchorg/codewatchorg_index.yar | 2883 +
yara-mikesxrs/codewatchorg/crimepack_jar.yar | 20 +
yara-mikesxrs/codewatchorg/crimepack_jar3.yar | 25 +
yara-mikesxrs/codewatchorg/cve_2013_0074.yar | 17 +
yara-mikesxrs/codewatchorg/cve_2013_0422.yar | 21 +
yara-mikesxrs/codewatchorg/eleonore_jar.yar | 26 +
yara-mikesxrs/codewatchorg/eleonore_jar2.yar | 28 +
yara-mikesxrs/codewatchorg/eleonore_jar3.yar | 26 +
yara-mikesxrs/codewatchorg/eleonore_js.yar | 25 +
yara-mikesxrs/codewatchorg/eleonore_js2.yar | 29 +
yara-mikesxrs/codewatchorg/eleonore_js3.yar | 31 +
yara-mikesxrs/codewatchorg/fragus_htm.yar | 30 +
yara-mikesxrs/codewatchorg/fragus_js.yar | 32 +
yara-mikesxrs/codewatchorg/fragus_js2.yar | 31 +
.../codewatchorg/fragus_js_flash.yar | 29 +
yara-mikesxrs/codewatchorg/fragus_js_java.yar | 31 +
.../codewatchorg/fragus_js_quicktime.yar | 29 +
yara-mikesxrs/codewatchorg/fragus_js_vml.yar | 28 +
.../codewatchorg/malicious_office.yar | 145 +
yara-mikesxrs/codewatchorg/malicious_pdf.yar | 456 +
yara-mikesxrs/codewatchorg/phoenix_html.yar | 23 +
yara-mikesxrs/codewatchorg/phoenix_html10.yar | 31 +
yara-mikesxrs/codewatchorg/phoenix_html11.yar | 32 +
yara-mikesxrs/codewatchorg/phoenix_html2.yar | 31 +
yara-mikesxrs/codewatchorg/phoenix_html3.yar | 32 +
yara-mikesxrs/codewatchorg/phoenix_html4.yar | 27 +
yara-mikesxrs/codewatchorg/phoenix_html5.yar | 30 +
yara-mikesxrs/codewatchorg/phoenix_html6.yar | 31 +
yara-mikesxrs/codewatchorg/phoenix_html7.yar | 31 +
yara-mikesxrs/codewatchorg/phoenix_html8.yar | 30 +
yara-mikesxrs/codewatchorg/phoenix_html9.yar | 32 +
yara-mikesxrs/codewatchorg/phoenix_jar.yar | 24 +
yara-mikesxrs/codewatchorg/phoenix_jar2.yar | 28 +
yara-mikesxrs/codewatchorg/phoenix_jar3.yar | 23 +
yara-mikesxrs/codewatchorg/phoenix_pdf.yar | 26 +
yara-mikesxrs/codewatchorg/phoenix_pdf2.yar | 27 +
yara-mikesxrs/codewatchorg/phoenix_pdf3.yar | 25 +
.../codewatchorg/redkit_bin_basic.yar | 7 +
yara-mikesxrs/codewatchorg/sakura_jar.yar | 31 +
yara-mikesxrs/codewatchorg/sakura_jar2.yar | 31 +
yara-mikesxrs/codewatchorg/zeroaccess_css.yar | 32 +
.../codewatchorg/zeroaccess_css2.yar | 25 +
yara-mikesxrs/codewatchorg/zeroaccess_htm.yar | 30 +
yara-mikesxrs/codewatchorg/zeroaccess_js.yar | 32 +
yara-mikesxrs/codewatchorg/zeroaccess_js2.yar | 32 +
yara-mikesxrs/codewatchorg/zeroaccess_js3.yar | 29 +
yara-mikesxrs/codewatchorg/zeroaccess_js4.yar | 31 +
yara-mikesxrs/codewatchorg/zerox88_js2.yar | 25 +
yara-mikesxrs/codewatchorg/zerox88_js3.yar | 30 +
yara-mikesxrs/codewatchorg/zeus_js.yar | 28 +
.../Trojan_W32_Gh0stMiancha_1_0_0.yar | 27 +
yara-mikesxrs/crowdstrike/CVE_2014_4113.yar | 15 +
...terPanda _02 - rc4_dropper putterpanda.yar | 32 +
...3 - threepara_para_implant putterpanda.yar | 20 +
...tterPanda _05 _ httpclient putterpanda.yar | 16 +
...terPanda _06 _ xor_dropper putterpanda.yar | 16 +
.../crowdstrike/CrowdStrike_CSIT_14003_03.yar | 31 +
.../crowdstrike/CrowdStrike_CSIT_14004_02.yar | 19 +
.../crowdstrike/CrowdStrike_FlyingKitten.yar | 37 +
...a_01 - fourh_stack_strings putterpanda.yar | 59 +
.../crowdstrike/Crowdstrike_index.yara | 293 +
.../crowdstrike/Crowdstrike_target_breach.yar | 88 +
yara-mikesxrs/crowdstrike/gameover zeus.yar | 39 +
..._PutterPanda_04_ pngdowner putterpanda.yar | 19 +
yara-mikesxrs/crysys/duqu2.yar | 12 +
yara-mikesxrs/cylance/BackDoorLogger.yar | 12 +
yara-mikesxrs/cylance/Hkdoor_DLL.yar | 22 +
yara-mikesxrs/cylance/Hkdoor_backdoor.yar | 24 +
yara-mikesxrs/cylance/Hkdoor_driver.yar | 19 +
yara-mikesxrs/cylance/Hkdoor_dropper.yar | 28 +
yara-mikesxrs/cylance/Jasus.yar | 13 +
yara-mikesxrs/cylance/LoggerModule.yar | 12 +
.../cylance/MiSType_Backdoor_Packed.yar | 14 +
yara-mikesxrs/cylance/Misdat_Backdoor.yar | 28 +
.../cylance/Misdat_Backdoor_Packed.yar | 15 +
yara-mikesxrs/cylance/NetC.yar | 12 +
yara-mikesxrs/cylance/SType_Backdoor.yar | 33 +
yara-mikesxrs/cylance/ShellCreator2.yar | 12 +
yara-mikesxrs/cylance/SmartCopy2.yar | 12 +
yara-mikesxrs/cylance/StreamEX.yar | 18 +
yara-mikesxrs/cylance/SynFlooder.yar | 13 +
yara-mikesxrs/cylance/TinyZBot.yar | 20 +
yara-mikesxrs/cylance/WannaCryptor.yar | 41 +
yara-mikesxrs/cylance/ZhoupinExploitCrew.yar | 11 +
yara-mikesxrs/cylance/Zlib_Backdoor.yar | 43 +
yara-mikesxrs/cylance/antivirusdetector.yar | 13 +
yara-mikesxrs/cylance/baijiu.yar | 57 +
yara-mikesxrs/cylance/csext.yar | 12 +
yara-mikesxrs/cylance/cylance_index.yara | 392 +
yara-mikesxrs/cylance/kagent.yar | 12 +
yara-mikesxrs/cylance/mimikatzWrapper.yar | 12 +
yara-mikesxrs/cylance/pvz_in.yar | 12 +
yara-mikesxrs/cylance/pvz_out.yar | 12 +
yara-mikesxrs/cylance/snakewine.yar | 24 +
yara-mikesxrs/cylance/wndTest.yar | 12 +
yara-mikesxrs/cylance/zhCat.yar | 11 +
yara-mikesxrs/cylance/zhLookUp.yar | 11 +
yara-mikesxrs/cylance/zhmimikatz.yar | 11 +
yara-mikesxrs/dragos/Crashoverride.yara | 126 +
.../dragos/crashoverride_configReader.yar | 14 +
.../dragos_crashoverride_moduleStrings.yar | 14 +
yara-mikesxrs/dragos/embedded_psexec.yar | 12 +
.../olympic_destroyer_service_manipulator.yar | 20 +
yara-mikesxrs/dragos/shutdown_scheduling.yar | 12 +
yara-mikesxrs/eset/Animal_Farm.yar | 96 +
yara-mikesxrs/eset/ESET_index.yara | 3788 +
yara-mikesxrs/eset/Gazer.yar | 41 +
yara-mikesxrs/eset/InvisiMole.yar | 297 +
yara-mikesxrs/eset/Linux_Moose.yar | 76 +
yara-mikesxrs/eset/Mumblehard_packer.yar | 47 +
yara-mikesxrs/eset/OSX_Keydnap_backdoor.yar | 50 +
yara-mikesxrs/eset/OSX_Keydnap_packer.yar | 51 +
yara-mikesxrs/eset/OSX_keydnap_downloader.yar | 49 +
yara-mikesxrs/eset/Operation Potao.yar | 108 +
yara-mikesxrs/eset/Operation Windigo.yar | 59 +
yara-mikesxrs/eset/PotaoNew.yara | 108 +
yara-mikesxrs/eset/Prikormka.yar | 165 +
yara-mikesxrs/eset/SparklingGoblin.yar | 489 +
yara-mikesxrs/eset/Turla_Carbon.yar | 28 +
yara-mikesxrs/eset/badiis.yar | 552 +
yara-mikesxrs/eset/kobalos.yar | 57 +
.../eset/kobalos_ssh_credential_stealer.yar | 50 +
yara-mikesxrs/eset/linux_rakos.yar | 53 +
yara-mikesxrs/eset/skip20_sqllang_hook.yar | 69 +
yara-mikesxrs/eset/sshdoor.yar | 572 +
yara-mikesxrs/eset/stantinko.yar | 255 +
yara-mikesxrs/eset/ta410.yar | 741 +
yara-mikesxrs/eset/turla-outlook.yar | 169 +
.../evild3ad/contains_ah_encoded_pe_file.yara | 20 +
.../contains_ascii_hex_encoded_pe_file.yara | 20 +
..._pe_file_inside_a_sequence_of_numbers.yara | 18 +
.../evild3ad/contains_userform_object_1.yara | 20 +
.../evild3ad/contains_userform_object_2.yara | 19 +
.../evild3ad/contains_userform_object_3.yara | 20 +
.../evild3ad/contains_vba_macro_code.yara | 22 +
yara-mikesxrs/evild3ad/evild3ad_index.yara | 160 +
.../evild3ad/mime_mso_activemime_base64.yara | 17 +
yara-mikesxrs/forcepoint/CVE_2014_6352.yar | 19 +
yara-mikesxrs/forcepoint/Zbot.yar | 19 +
yara-mikesxrs/forcepoint/f0xy.yar | 15 +
.../fox-it/rule Ponmocup_plugins.yar | 52 +
yara-mikesxrs/fox-it/shimrat.yar | 26 +
yara-mikesxrs/fox-it/shimratreporter.yar | 25 +
yara-mikesxrs/g00dv1n/Adware.AdGazelle.yar | 20 +
yara-mikesxrs/g00dv1n/Adware.Adpeak.yar | 14 +
yara-mikesxrs/g00dv1n/Adware.Agent.yar | 24 +
yara-mikesxrs/g00dv1n/Adware.BetterSurf.yar | 16 +
yara-mikesxrs/g00dv1n/Adware.BrowseFox.yar | 31 +
yara-mikesxrs/g00dv1n/Adware.Conduit.yar | 37 +
yara-mikesxrs/g00dv1n/Adware.ConvertAd.yar | 15 +
yara-mikesxrs/g00dv1n/Adware.Crossrider.yar | 54 +
yara-mikesxrs/g00dv1n/Adware.DealPly.yar | 13 +
yara-mikesxrs/g00dv1n/Adware.Dlhelper.yar | 27 +
yara-mikesxrs/g00dv1n/Adware.Downloader.yar | 18 +
yara-mikesxrs/g00dv1n/Adware.ELEX.yar | 65 +
yara-mikesxrs/g00dv1n/Adware.Gen.yar | 16 +
yara-mikesxrs/g00dv1n/Adware.Genieo.yar | 27 +
yara-mikesxrs/g00dv1n/Adware.Imali.yar | 13 +
yara-mikesxrs/g00dv1n/Adware.InstallCore.yar | 18 +
yara-mikesxrs/g00dv1n/Adware.Linkury.yar | 41 +
yara-mikesxrs/g00dv1n/Adware.MyWebSearch.yar | 17 +
yara-mikesxrs/g00dv1n/Adware.NextLive.yar | 15 +
yara-mikesxrs/g00dv1n/Adware.ObronaAds.yar | 35 +
yara-mikesxrs/g00dv1n/Adware.OpenCandy.yar | 13 +
yara-mikesxrs/g00dv1n/Adware.OutBrowse.yar | 17 +
yara-mikesxrs/g00dv1n/Adware.PullUpdate.yar | 73 +
yara-mikesxrs/g00dv1n/Adware.SProtect.yar | 38 +
yara-mikesxrs/g00dv1n/Adware.SearchSuite.yar | 26 +
yara-mikesxrs/g00dv1n/Adware.Sendori.yar | 34 +
yara-mikesxrs/g00dv1n/Adware.SimplyTech.yar | 16 +
yara-mikesxrs/g00dv1n/Adware.SmartApps.yar | 23 +
yara-mikesxrs/g00dv1n/Adware.Solimbda.yar | 13 +
yara-mikesxrs/g00dv1n/Adware.Trioris.yar | 17 +
yara-mikesxrs/g00dv1n/Adware.Vitruvian.yar | 18 +
yara-mikesxrs/g00dv1n/Adware.Wajam.yar | 27 +
yara-mikesxrs/g00dv1n/Adware.WebTools.yar | 40 +
yara-mikesxrs/g00dv1n/Adware.WebWatcher.yar | 16 +
yara-mikesxrs/g00dv1n/Adware.iBryte.yar | 14 +
yara-mikesxrs/g00dv1n/Adware.uKor.yar | 25 +
yara-mikesxrs/g00dv1n/Backdoor.Bladabindi.yar | 26 +
yara-mikesxrs/g00dv1n/Backdoor.Dedipros.yar | 16 +
yara-mikesxrs/g00dv1n/Backdoor.Fynloski.yar | 33 +
yara-mikesxrs/g00dv1n/Backdoor.Gen.yar | 16 +
yara-mikesxrs/g00dv1n/Backdoor.Liudoor.yar | 27 +
yara-mikesxrs/g00dv1n/Backdoor.Mirage.yar | 14 +
yara-mikesxrs/g00dv1n/Backdoor.Vawtrak.yar | 49 +
yara-mikesxrs/g00dv1n/Backdoor.Zegost.yar | 17 +
.../g00dv1n/Malware.BitCoinMiner.yar | 16 +
yara-mikesxrs/g00dv1n/Malware.Downloader.yar | 13 +
yara-mikesxrs/g00dv1n/Malware.PWS.yar | 15 +
yara-mikesxrs/g00dv1n/PUP.SystemOptimizer.yar | 14 +
yara-mikesxrs/g00dv1n/PUP.Systweak.yar | 14 +
yara-mikesxrs/g00dv1n/Ransom.Crypters.yar | 230 +
yara-mikesxrs/g00dv1n/Risk.DetectAnalysis.yar | 343 +
yara-mikesxrs/g00dv1n/Risk.NetFilter.yar | 26 +
yara-mikesxrs/g00dv1n/Rogue.AVSoft.yar | 40 +
yara-mikesxrs/g00dv1n/Rogue.Braviax.yar | 39 +
yara-mikesxrs/g00dv1n/Rogue.FakePAV.yar | 31 +
yara-mikesxrs/g00dv1n/Rogue.FakeRean.yar | 128 +
yara-mikesxrs/g00dv1n/Rogue.FakeSysDef.yar | 38 +
yara-mikesxrs/g00dv1n/Rogue.LiveSP.yar | 59 +
yara-mikesxrs/g00dv1n/Rogue.SDef.yar | 20 +
yara-mikesxrs/g00dv1n/Rogue.SysDoc.yar | 49 +
yara-mikesxrs/g00dv1n/Rogue.Winwebsec.yar | 25 +
yara-mikesxrs/g00dv1n/Trojan.Antivar.yar | 11 +
yara-mikesxrs/g00dv1n/Trojan.Cbeplay.yar | 58 +
yara-mikesxrs/g00dv1n/Trojan.ChStartPage.yar | 24 +
yara-mikesxrs/g00dv1n/Trojan.Citadel.yar | 15 +
yara-mikesxrs/g00dv1n/Trojan.Comfoo.yar | 38 +
yara-mikesxrs/g00dv1n/Trojan.Cutwail.yar | 18 +
yara-mikesxrs/g00dv1n/Trojan.Dllpatcher.yar | 15 +
yara-mikesxrs/g00dv1n/Trojan.Downloader.yar | 49 +
yara-mikesxrs/g00dv1n/Trojan.Dropper.yar | 12 +
yara-mikesxrs/g00dv1n/Trojan.Frethog.yar | 30 +
yara-mikesxrs/g00dv1n/Trojan.GBot.yar | 15 +
.../g00dv1n/Trojan.Gamarue.Andromeda.yar | 21 +
yara-mikesxrs/g00dv1n/Trojan.Injector.yar | 14 +
yara-mikesxrs/g00dv1n/Trojan.Kovter.yar | 29 +
yara-mikesxrs/g00dv1n/Trojan.Kuluoz.yar | 16 +
yara-mikesxrs/g00dv1n/Trojan.Lethic.yar | 13 +
yara-mikesxrs/g00dv1n/Trojan.Necurs.yar | 61 +
yara-mikesxrs/g00dv1n/Trojan.Nedsym.yar | 15 +
yara-mikesxrs/g00dv1n/Trojan.Neurevt.yar | 117 +
yara-mikesxrs/g00dv1n/Trojan.PowerLoader.yar | 22 +
yara-mikesxrs/g00dv1n/Trojan.Ransom.yar | 56 +
yara-mikesxrs/g00dv1n/Trojan.Regin.yar | 101 +
yara-mikesxrs/g00dv1n/Trojan.Rovnix.yar | 36 +
yara-mikesxrs/g00dv1n/Trojan.Simda.yar | 19 +
yara-mikesxrs/g00dv1n/Trojan.Sirefef.yar | 180 +
yara-mikesxrs/g00dv1n/Trojan.Upatre.yar | 12 +
.../g00dv1n/Trojan.Virtool.Obfuscator.yar | 12 +
yara-mikesxrs/g00dv1n/TrojanPSW.Tepfer.yar | 68 +
yara-mikesxrs/g00dv1n/TrojanPSW.ZBot.yar | 21 +
yara-mikesxrs/g00dv1n/TrojanSpy.Ursnif.yar | 33 +
yara-mikesxrs/g00dv1n/Virus.Chir.yar | 14 +
yara-mikesxrs/g00dv1n/Virus.Madang.yar | 12 +
yara-mikesxrs/g00dv1n/Worm.Cridex.yar | 21 +
yara-mikesxrs/g00dv1n/Worm.Dorkbot.yar | 97 +
yara-mikesxrs/g00dv1n/Worm.Phorpiex.yar | 99 +
yara-mikesxrs/g00dv1n/Worm.SillyP2P.yar | 19 +
yara-mikesxrs/g00dv1n/Worm.SkypeSpamer.yar | 13 +
yara-mikesxrs/g00dv1n/g00dvin_index.yara | 3548 +
yara-mikesxrs/group-ib/CorkowDLL.yar | 15 +
.../group-ib/albaniiutas_dropper_exe.yar | 37 +
.../group-ib/albaniiutas_rat_dll.yar | 33 +
yara-mikesxrs/group-ib/webdavo_rat.yar | 30 +
yara-mikesxrs/h3x2b/cab.yara | 25 +
yara-mikesxrs/h3x2b/compiler.yara | 67 +
yara-mikesxrs/h3x2b/exe.yara | 57 +
yara-mikesxrs/h3x2b/injection.yara | 78 +
yara-mikesxrs/h3x2b/java_adwind.yara | 50 +
yara-mikesxrs/h3x2b/lin_coolmemes.yara | 29 +
yara-mikesxrs/h3x2b/lin_darlloz.yara | 26 +
yara-mikesxrs/h3x2b/lin_elfiot.yara | 33 +
yara-mikesxrs/h3x2b/lin_irctelnet.yara | 107 +
yara-mikesxrs/h3x2b/lin_jellyfish.yara | 34 +
yara-mikesxrs/h3x2b/lin_kaiten.yara | 24 +
yara-mikesxrs/h3x2b/lin_ladylinux.yara | 51 +
yara-mikesxrs/h3x2b/lin_mirai.yara | 22 +
yara-mikesxrs/h3x2b/lin_stdbot.yara | 65 +
yara-mikesxrs/h3x2b/lin_torlus.yara | 181 +
yara-mikesxrs/h3x2b/lin_venom.yara | 21 +
yara-mikesxrs/h3x2b/maldoc.yara | 36 +
yara-mikesxrs/h3x2b/malrtf.yara | 111 +
yara-mikesxrs/h3x2b/math.yara | 57 +
yara-mikesxrs/h3x2b/nccgroup_stdolelink.yara | 36 +
yara-mikesxrs/h3x2b/networking.yara | 20 +
yara-mikesxrs/h3x2b/obfuscation.yara | 15 +
yara-mikesxrs/h3x2b/win_asprox.vt_yara | 20 +
yara-mikesxrs/h3x2b/win_bookworm.yara | 69 +
yara-mikesxrs/h3x2b/win_geodo.yara | 35 +
yara-mikesxrs/h3x2b/win_hancitor.yara | 20 +
yara-mikesxrs/h3x2b/win_locky.yara | 84 +
yara-mikesxrs/h3x2b/win_pax.yara | 26 +
yara-mikesxrs/h3x2b/win_plugx.yara | 337 +
yara-mikesxrs/h3x2b/win_plugx_av.vt_yara | 49 +
yara-mikesxrs/h3x2b/win_spora.yara | 17 +
.../hidd3ncod3s/trojan_win_dridex.yar | 47 +
yara-mikesxrs/iDefense/WannaCrypt0r.yara | 35 +
yara-mikesxrs/iSightPartners/SDBFile.yar | 20 +
.../iocbucket/APT_NGO_wuaclt_PDF.yar | 13 +
yara-mikesxrs/iocbucket/apt_ngo_wuaclt.yar | 20 +
yara-mikesxrs/iocbucket/iocbucket_index.yara | 34 +
yara-mikesxrs/jackcr/gh0st.yar | 12 +
yara-mikesxrs/jackcr/pivy.yar | 11 +
yara-mikesxrs/jackcr/shylock.yar | 17 +
.../apt_RU_Turla_Kazuar_DebugView.yara | 82 +
.../juanandresgs/apt_ZZ_Sig37_NAZAR.yara | 122 +
.../sta_Voltron_0xFancyFilter.yara | 109 +
yara-mikesxrs/kaspersky/Adwind.yar | 27 +
yara-mikesxrs/kaspersky/Crime_eyepyramid.yar | 58 +
yara-mikesxrs/kaspersky/LazarusWannaCry.yar | 39 +
.../apt_ProjectSauron_encrypted_LSA.yar | 33 +
.../apt_ProjectSauron_encrypted_SSPI.yar | 19 +
.../apt_ProjectSauron_encrypted_container.yar | 22 +
.../apt_ProjectSauron_encryption.yar | 22 +
...pt_ProjectSauron_generic_pipe_backdoor.yar | 23 +
.../apt_ProjectSauron_pipe_backdoor.yar | 24 +
yara-mikesxrs/kaspersky/apt_duqu2_drivers.yar | 26 +
yara-mikesxrs/kaspersky/apt_duqu2_loaders.yar | 36 +
.../kaspersky/apt_equation_cryptotable.yar | 12 +
...equation_doublefantasy_genericresource.yar | 15 +
..._equation_equationlaser_runtimeclasses.yar | 17 +
.../apt_equation_exploitlib_mutexes.yar | 28 +
.../kaspersky/apt_hellsing_implantstrings.yar | 31 +
.../kaspersky/apt_hellsing_installer.yar | 28 +
.../kaspersky/apt_hellsing_irene.yar | 22 +
.../kaspersky/apt_hellsing_msgertype2.yar | 22 +
.../kaspersky/apt_hellsing_proxytool.yar | 22 +
yara-mikesxrs/kaspersky/apt_hellsing_xkat.yar | 28 +
.../kaspersky/apt_regin_2013_64bit_stage1.yar | 24 +
.../apt_regin_dispatcher_disp_dll.yar | 22 +
yara-mikesxrs/kaspersky/apt_regin_vfs.yar | 21 +
yara-mikesxrs/kaspersky/backdoored_ssh.yar | 12 +
...xploit_Silverlight_Toropov_Generic_XAP.yar | 21 +
yara-mikesxrs/kaspersky/kaspersky_index.yara | 578 +
.../kaspersky/ransomware_PetrWrap.yar | 19 +
yara-mikesxrs/kaspersky/stonedrill.yar | 45 +
.../kaspersky/xDedic_SysScan_unpacked.yar | 26 +
.../kaspersky/xdedic_packed_syscan.yar | 13 +
yara-mikesxrs/kevthehermit/AAR.yar | 21 +
yara-mikesxrs/kevthehermit/Adzok.yar | 24 +
yara-mikesxrs/kevthehermit/AlienSpy.yar | 46 +
yara-mikesxrs/kevthehermit/Ap0calypse.yar | 20 +
yara-mikesxrs/kevthehermit/Arcom.yar | 20 +
yara-mikesxrs/kevthehermit/Bandook.yar | 27 +
yara-mikesxrs/kevthehermit/BlackNix.yar | 20 +
yara-mikesxrs/kevthehermit/BlackShades.yar | 16 +
yara-mikesxrs/kevthehermit/BlueBanana.yar | 21 +
yara-mikesxrs/kevthehermit/Bozok.yar | 19 +
yara-mikesxrs/kevthehermit/ClientMesh.yar | 20 +
yara-mikesxrs/kevthehermit/Crimson.yar | 20 +
yara-mikesxrs/kevthehermit/CyberGate.yar | 23 +
yara-mikesxrs/kevthehermit/DarkComet.yar | 27 +
yara-mikesxrs/kevthehermit/DarkRAT.yar | 21 +
yara-mikesxrs/kevthehermit/Greame.yar | 24 +
.../kevthehermit/Hangover_ron_babylon.yar | 307 +
yara-mikesxrs/kevthehermit/HawkEye.yar | 23 +
yara-mikesxrs/kevthehermit/Imminent3.yar | 28 +
yara-mikesxrs/kevthehermit/Infinity.yar | 22 +
yara-mikesxrs/kevthehermit/JavaDropper.yar | 25 +
yara-mikesxrs/kevthehermit/LostDoor.yar | 24 +
yara-mikesxrs/kevthehermit/LuminosityLink.yar | 25 +
yara-mikesxrs/kevthehermit/LuxNet.yar | 20 +
yara-mikesxrs/kevthehermit/NanoCore.yar | 26 +
yara-mikesxrs/kevthehermit/NetWire.yar | 19 +
yara-mikesxrs/kevthehermit/Pandora.yar | 27 +
yara-mikesxrs/kevthehermit/Paradox.yar | 21 +
yara-mikesxrs/kevthehermit/PoisonIvy.yar | 19 +
yara-mikesxrs/kevthehermit/Punisher.yar | 21 +
yara-mikesxrs/kevthehermit/PythoRAT.yar | 22 +
yara-mikesxrs/kevthehermit/ShadowTech.yar | 21 +
yara-mikesxrs/kevthehermit/SmallNet.yar | 19 +
yara-mikesxrs/kevthehermit/SpyGate.yar | 26 +
yara-mikesxrs/kevthehermit/Sub7Nation.yar | 28 +
yara-mikesxrs/kevthehermit/Vertex.yar | 23 +
yara-mikesxrs/kevthehermit/VirusRat.yar | 26 +
yara-mikesxrs/kevthehermit/Xena.yar | 22 +
yara-mikesxrs/kevthehermit/Xtreme.yar | 20 +
yara-mikesxrs/kevthehermit/adWind.yar | 18 +
yara-mikesxrs/kevthehermit/jRat.yar | 23 +
.../kevthehermit/kevthehermit_index.yara | 1335 +
yara-mikesxrs/kevthehermit/njRat.yar | 24 +
yara-mikesxrs/kevthehermit/unrecom.yar | 19 +
yara-mikesxrs/kevthehermit/xRAT.yar | 28 +
yara-mikesxrs/malc0de/auriga_apt1.yar | 11 +
yara-mikesxrs/malc0de/bouncer2_exe_apt1.yar | 9 +
yara-mikesxrs/malc0de/bouncer_dll_apt1.yar | 11 +
yara-mikesxrs/malc0de/bouncer_exe_apt1.yar | 9 +
yara-mikesxrs/malc0de/calendar_apt1.yar | 11 +
yara-mikesxrs/malc0de/combos_apt1.yar | 11 +
yara-mikesxrs/malc0de/cookiebag_apt1.yar | 11 +
yara-mikesxrs/malc0de/dairy_apt1.yar | 11 +
yara-mikesxrs/malc0de/gdocupload_apt1.yar | 11 +
yara-mikesxrs/malc0de/getmail_apt1.yar | 11 +
yara-mikesxrs/malc0de/glooxmail_apt1.yar | 9 +
yara-mikesxrs/malc0de/goggles_apt1.yar | 8 +
yara-mikesxrs/malc0de/greencat_apt1.yar | 11 +
yara-mikesxrs/malc0de/hacksfase_apt1.yar | 9 +
yara-mikesxrs/malc0de/helauto_apt.yar | 9 +
yara-mikesxrs/malc0de/kurton_apt1.yar | 11 +
yara-mikesxrs/malc0de/lightbolt_apt1.yar | 11 +
yara-mikesxrs/malc0de/lightdart_apt1.yar | 11 +
yara-mikesxrs/malc0de/longrun_apt1.yar | 8 +
yara-mikesxrs/malc0de/macromail_apt1.yar | 11 +
yara-mikesxrs/malc0de/malc0de_index.yara | 503 +
yara-mikesxrs/malc0de/manitsme_apt1.yar | 9 +
yara-mikesxrs/malc0de/mapiget_apt1.yar | 11 +
yara-mikesxrs/malc0de/miniasp_apt1.yar | 10 +
yara-mikesxrs/malc0de/newsreels_apt1.yar | 8 +
yara-mikesxrs/malc0de/seasalt_apt1.yar | 10 +
yara-mikesxrs/malc0de/starsypound_apt1.yar | 10 +
yara-mikesxrs/malc0de/sword_apt1.yar | 10 +
yara-mikesxrs/malc0de/tabmsgsql_apt1.yar | 10 +
yara-mikesxrs/malc0de/tarsip_apt1.yar | 10 +
yara-mikesxrs/malc0de/tarsip_eclipse_apt1.yar | 11 +
yara-mikesxrs/malc0de/warp_apt1.yar | 11 +
yara-mikesxrs/malc0de/webc2_adspace_apt1.yar | 8 +
yara-mikesxrs/malc0de/webc2_ausov_apt1.yar | 8 +
yara-mikesxrs/malc0de/webc2_bolid_apt1.yar | 10 +
yara-mikesxrs/malc0de/webc2_clover_apt1.yar | 10 +
yara-mikesxrs/malc0de/webc2_cson_apt.yar | 10 +
yara-mikesxrs/malc0de/webc2_div_apt1.yar | 9 +
yara-mikesxrs/malc0de/webc2_greencat_apt1.yar | 10 +
yara-mikesxrs/malc0de/webc2_head_apt1.yar | 11 +
yara-mikesxrs/malc0de/webc2_kt3_apt1.yar | 9 +
yara-mikesxrs/malc0de/webc2_qbp_apt1.yar | 9 +
yara-mikesxrs/malc0de/webc2_rave_apt1.yar | 9 +
yara-mikesxrs/malc0de/webc2_table_apt1.yar | 9 +
yara-mikesxrs/malc0de/webc2_ugx_apt1.yar | 9 +
yara-mikesxrs/malc0de/webc2_y21k_apt1.yar | 9 +
yara-mikesxrs/malc0de/webc2_yahoo_apt1.yar | 9 +
yara-mikesxrs/malwarebytes/MonkerTrojan.yar | 12 +
yara-mikesxrs/malwarebytes/zeroaccess.yar | 12 +
yara-mikesxrs/malwarecookbook/packer.yara | 16487 ++++
.../apt_actor_tran_duy_linh.yar | 11 +
.../malwaretracker/doc_zws_flash.yar | 14 +
yara-mikesxrs/malwaretracker/mime_mso.yar | 125 +
yara-mikesxrs/mimikatz/kiwi_passwords.yar | 104 +
yara-mikesxrs/n3sfox/Tinba2.yar | 31 +
yara-mikesxrs/naxonez/DebuggerCheck.yar | 262 +
yara-mikesxrs/netlab360/elknot_billgates.yar | 40 +
yara-mikesxrs/nex/embedded_macho.yar | 15 +
yara-mikesxrs/nex/embedded_pe.yar | 15 +
yara-mikesxrs/nex/embedded_win_api.yar | 29 +
yara-mikesxrs/nex/nex_index.yara | 164 +
yara-mikesxrs/nex/shellcode.yar | 20 +
yara-mikesxrs/nex/vm_detect.yar | 80 +
yara-mikesxrs/nshadov/RANSOMWARE_RAA.yar | 22 +
yara-mikesxrs/one offs/9002Rat.yar | 16 +
yara-mikesxrs/one offs/AdwindRat.yar | 14 +
yara-mikesxrs/one offs/CVE-2013-3660.yar | 22 +
yara-mikesxrs/one offs/ComputraceAgent.yar | 21 +
yara-mikesxrs/one offs/CoreFlood_ldr.yar | 31 +
yara-mikesxrs/one offs/Cridex.yar | 13 +
yara-mikesxrs/one offs/Hancidoc_Dropper.yar | 14 +
yara-mikesxrs/one offs/Mebroot_Torpig.yar | 17 +
yara-mikesxrs/one offs/OSX_Malware.yar | 112 +
yara-mikesxrs/one offs/Pegasus.yar | 24 +
yara-mikesxrs/one offs/Qadars_DGA.yar | 10 +
yara-mikesxrs/one offs/Shellphish.yar | 12 +
yara-mikesxrs/one offs/W32ChirB.yar | 90 +
yara-mikesxrs/one offs/XorDDoS.yar | 17 +
yara-mikesxrs/one offs/ammyy_cerber3.yar | 21 +
.../crime_ole_loadswf_cve_2018_4878.yar | 35 +
.../crime_win32_gratefulpos_trojan.yar | 30 +
yara-mikesxrs/one offs/dridex.yar | 17 +
yara-mikesxrs/one offs/fastposloader.yar | 33 +
yara-mikesxrs/one offs/marcher.yar | 18 +
yara-mikesxrs/one offs/mwi_document.yar | 14 +
yara-mikesxrs/one offs/nettraveler.yar | 26 +
.../one offs/packager_cve2017_11882.yar | 16 +
yara-mikesxrs/one offs/snake_uroburos.yar | 30 +
yara-mikesxrs/openanalysis/andromeda.yara | 18 +
.../optiv/autoit_scripting_pos_malware.yar | 65 +
yara-mikesxrs/paloalto/Palo_Alto_index.yara | 207 +
.../paloalto/ce_enfal_cmstar_debug_msg.yar | 37 +
.../paloalto/cobalt_gang_builder.yar | 41 +
yara-mikesxrs/paloalto/findpos.yar | 28 +
.../paloalto/general_win_dll_golang_socks.yar | 15 +
.../general_win_faked_dlls_export_popo.yar | 22 +
.../paloalto/general_win_golang_socks.yar | 30 +
yara-mikesxrs/paloalto/hancitor_dropper.yar | 80 +
yara-mikesxrs/paloalto/hancitor_payload.yar | 70 +
yara-mikesxrs/paloalto/hancitor_stage1.yar | 16 +
yara-mikesxrs/paloalto/powerstager.yar | 40 +
.../paloalto/webshell_chinachopper_oab.yar | 70 +
.../patrickrolsen/Armadillo_v1xx__v2xx.yar | 11 +
.../patrickrolsen/Backdoor_APT_Mongall.yar | 18 +
yara-mikesxrs/patrickrolsen/CVE_2013_1347.yar | 19 +
yara-mikesxrs/patrickrolsen/GIF_exploit.yar | 22 +
yara-mikesxrs/patrickrolsen/LNK_files.yar | 20 +
yara-mikesxrs/patrickrolsen/PCAPs.yar | 15 +
yara-mikesxrs/patrickrolsen/UPX_290_LZMA.yar | 12 +
.../patrickrolsen/UPX_Protector_v10x_2.yar | 9 +
yara-mikesxrs/patrickrolsen/UPX_V200V290.yar | 9 +
yara-mikesxrs/patrickrolsen/UPX_v0896.yar | 11 +
.../patrickrolsen/acunetix_web_scanner.yar | 14 +
yara-mikesxrs/patrickrolsen/bcp_sql_tool.yar | 18 +
.../patrickrolsen/beep_remote_shell.yar | 22 +
.../patrickrolsen/blat_email_301.yar | 10 +
yara-mikesxrs/patrickrolsen/blazingtools.yar | 12 +
yara-mikesxrs/patrickrolsen/cmd_shell.yar | 14 +
yara-mikesxrs/patrickrolsen/dark_edition.yar | 12 +
yara-mikesxrs/patrickrolsen/dump_tool.yar | 15 +
yara-mikesxrs/patrickrolsen/gsec_generic.yar | 18 +
.../patrickrolsen/html_exploit_GIF.yar | 15 +
yara-mikesxrs/patrickrolsen/jpg_web_shell.yar | 17 +
.../patrickrolsen/keyfinder_tool.yar | 13 +
yara-mikesxrs/patrickrolsen/luxnet.yar | 14 +
yara-mikesxrs/patrickrolsen/misc_iocs.yar | 14 +
.../patrickrolsen/misc_php_exploits.yar | 32 +
yara-mikesxrs/patrickrolsen/misc_shells.yar | 78 +
.../patrickrolsen/monitor_tool_pos.yar | 17 +
.../mpress_2_xx_net _ Packer.yar | 11 +
.../mpress_2_xx_x64 _ Packer.yar | 15 +
.../mpress_2_xx_x86 _ Packer.yar | 14 +
yara-mikesxrs/patrickrolsen/nbtscan.yar | 16 +
yara-mikesxrs/patrickrolsen/osql_tool.yar | 16 +
.../patrickrolsen/patrickrolsen_index.yara | 1460 +
.../patrickrolsen/port_forward_tool.yar | 17 +
yara-mikesxrs/patrickrolsen/pos_malware.yar | 365 +
yara-mikesxrs/patrickrolsen/pos_memory.yar | 20 +
.../patrickrolsen/pos_memory_scrapper.yar | 20 +
yara-mikesxrs/patrickrolsen/procdump.yar | 15 +
.../patrickrolsen/psexec_generic.yar | 16 +
yara-mikesxrs/patrickrolsen/pstgdump.yar | 12 +
yara-mikesxrs/patrickrolsen/rtf_Kaba_jDoe.yar | 20 +
yara-mikesxrs/patrickrolsen/rtf_multiple.yar | 17 +
yara-mikesxrs/patrickrolsen/rtf_yahoo_ken.yar | 18 +
.../patrickrolsen/rule _Armadillo_v171 | 11 +
.../patrickrolsen/scanline_mcafee.yar | 17 +
.../patrickrolsen/seven_zip_cmdversion.yar | 15 +
.../patrickrolsen/shell_functions.yar | 20 +
yara-mikesxrs/patrickrolsen/shell_names.yar | 32 +
.../patrickrolsen/sneakernet_trojan.yar | 15 +
yara-mikesxrs/patrickrolsen/tran_duy_linh.yar | 15 +
.../patrickrolsen/unknown_creds_dump.yar | 16 +
.../patrickrolsen/web_log_review.yar | 52 +
.../patrickrolsen/web_shell_crews.yar | 129 +
.../windows_credentials_editor.yar | 16 +
yara-mikesxrs/patrickrolsen/winrar_4xx.yar | 14 +
yara-mikesxrs/patrickrolsen/wp_shell.yar | 20 +
.../patrickrolsen/zend_framework.yar | 13 +
yara-mikesxrs/phbiohazard/APT20140414_1NT.yar | 13 +
yara-mikesxrs/phbiohazard/APT20140414_1PE.yar | 20 +
.../phbiohazard/ID2015032010000026.yar | 15 +
.../phbiohazard/phbiohazard_index.yara | 50 +
.../phish me/Cryptowall_docx_macro.yar | 18 +
...e_Delivery _ dyre cryptowall crimeware.yar | 23 +
..._Delivery _ dyre cryptowall crimeware2.yar | 36 +
.../phish me/PM_Dyre_Voice_Message.yar | 16 +
yara-mikesxrs/phish me/PM_Zip_With_Exe.yar | 17 +
.../phish me/PM_docx_with_vba_bin.yar | 14 +
.../phish me/PM_outlook_setting_pdf_exe.yar | 16 +
yara-mikesxrs/phish me/PPS_With_OLEObject.yar | 16 +
yara-mikesxrs/phish me/PhishMe_index.yara | 320 +
.../phish me/PowerPoint_Embedded_OLE.yar | 12 +
yara-mikesxrs/phish me/Zip_with_JS.yar | 19 +
yara-mikesxrs/phish me/criakl_metadata.yar | 16 +
yara-mikesxrs/phish me/cryptowall_phish.yar | 28 +
yara-mikesxrs/phish me/mailers.yar | 19 +
yara-mikesxrs/phish me/rar_with_JS.yar | 18 +
yara-mikesxrs/phish me/rockloader.yar | 14 +
yara-mikesxrs/phish me/viotto_keylogger.yar | 18 +
yara-mikesxrs/phoul/BLOWFISH_Constants.yar | 22 +
yara-mikesxrs/phoul/MD5_Constants.yar | 22 +
yara-mikesxrs/phoul/RC6_Constants.yar | 16 +
yara-mikesxrs/phoul/RIPEMD160_Constants.yar | 20 +
yara-mikesxrs/phoul/SHA1_Constants.yar | 20 +
yara-mikesxrs/phoul/SHA256_Constants.yar | 21 +
yara-mikesxrs/phoul/SHA512_Constants.yar | 20 +
yara-mikesxrs/phoul/WHIRLPOOL_Constants.yar | 16 +
yara-mikesxrs/phoul/phoul_index.yara | 171 +
yara-mikesxrs/plxsertr/ntserverdll.yar | 22 +
yara-mikesxrs/plxsertr/ntserverexe.yar | 20 +
yara-mikesxrs/plxsertr/plxsertr_index.yara | 46 +
.../pombredanne/Android_AVITOMMS_Variant.yar | 33 +
.../pombredanne/Android_AndroRat.yar | 15 +
.../pombredanne/Android_BadMirror.yar | 14 +
.../pombredanne/Android_Banker_Sberbank.yar | 15 +
.../pombredanne/Android_Clicker_G.yar | 14 +
yara-mikesxrs/pombredanne/Android_Copy9.yar | 14 +
.../pombredanne/Android_DeathRing.yar | 14 +
.../pombredanne/Android_Dendroid.yar | 15 +
.../pombredanne/Android_Dogspectus.yar | 16 +
.../pombredanne/Android_FakeBank_Fanta.yar | 17 +
yara-mikesxrs/pombredanne/Android_Godless.yar | 37 +
yara-mikesxrs/pombredanne/Android_Marcher.yar | 14 +
.../pombredanne/Android_MazarBot.yar | 16 +
yara-mikesxrs/pombredanne/Android_OmniRat.yar | 17 +
yara-mikesxrs/pombredanne/Android_RuMMS.yar | 19 +
.../pombredanne/PDF_Embedded_Exe.yar | 8 +
yara-mikesxrs/pombredanne/SandroRat.yar | 13 +
yara-mikesxrs/pombredanne/Spartan_SWF.yar | 14 +
.../proofpoint/AVIDVIPER_APT_BACKDOOR.yar | 26 +
yara-mikesxrs/proofpoint/AdGholas_mem.yar | 20 +
.../proofpoint/AdGholas_mem_MIME.yar | 18 +
.../proofpoint/AdGholas_mem_MIME_M2.yar | 20 +
.../proofpoint/AdGholas_mem_antisec.yar | 41 +
.../proofpoint/AdGholas_mem_antisec_M2.yar | 19 +
yara-mikesxrs/proofpoint/abaddon.yara | 15 +
yara-mikesxrs/proofpoint/blackmoon_banker.yar | 26 +
yara-mikesxrs/pveutin/magic_numbers.yar | 135 +
.../secureworks/Mirage_APT_Backdoor.yar | 18 +
.../secureworks/Secureworks_index.yara | 70 +
.../skeleton_key_injected_code.yar | 30 +
.../secureworks/skeleton_key_patcher.yar | 20 +
.../securityartwork/Erebus_Ransomware.yar | 17 +
.../securityartwork/HardcodeHunter.yar | 13 +
yara-mikesxrs/securityartwork/IoT_Reaper.yar | 17 +
yara-mikesxrs/securityartwork/Linux_Bew.yar | 17 +
.../securityartwork/Linux_Helios.yar | 17 +
.../securityartwork/Meterpreter_rev_tcp.yar | 16 +
.../OfficeMacrosWinintelDLL.yar | 18 +
yara-mikesxrs/securityartwork/linux_Okiru.yar | 17 +
yara-mikesxrs/securityartwork/multibanker.yar | 81 +
.../shellcode_cve_2013_2729.yar | 23 +
yara-mikesxrs/securityartwork/trickbot.yar | 66 +
yara-mikesxrs/sentinelone/IDAnt_wanna.yara | 14 +
yara-mikesxrs/sentinelone/iOS.GuiInject.yara | 75 +
yara-mikesxrs/srozb/isfb.yar | 153 +
yara-mikesxrs/srozb/kronos.yar | Bin 0 -> 5524 bytes
yara-mikesxrs/srozb/nymaim.yar | 75 +
yara-mikesxrs/swood/browser_pass.yar | 29 +
yara-mikesxrs/symantec/Bannerjack.yar | 17 +
yara-mikesxrs/symantec/Cadelle_1.yar | 13 +
yara-mikesxrs/symantec/Cadelle_2.yar | 30 +
yara-mikesxrs/symantec/Cadelle_3.yar | 22 +
yara-mikesxrs/symantec/Cadelle_4.yar | 13 +
yara-mikesxrs/symantec/Eventlog.yar | 17 +
yara-mikesxrs/symantec/Hacktool.yar | 18 +
yara-mikesxrs/symantec/Kwampirs.yar | 74 +
yara-mikesxrs/symantec/Multipurpose.yar | 15 +
yara-mikesxrs/symantec/Proxy.yar | 17 +
yara-mikesxrs/symantec/Securetunnel.yar | 17 +
yara-mikesxrs/symantec/comrat.yar | 18 +
yara-mikesxrs/symantec/fa.yar | 19 +
yara-mikesxrs/symantec/isPE.yar | 9 +
.../jiripbot _ ascii _ str _ decrypt.yar | 12 +
.../jiripbot _ unicode _ str _ decrypt.yar | 13 +
.../symantec/remsec_encrypted_api.yar | 15 +
.../symantec/remsec_executable_blob_32.yar | 26 +
.../symantec/remsec_executable_blob_64.yar | 27 +
.../remsec_executable_blob_parser.yar | 30 +
yara-mikesxrs/symantec/remsec_packer_A.yar | 26 +
yara-mikesxrs/symantec/remsec_packer_B.yar | 63 +
yara-mikesxrs/symantec/sav _ dropper.yar | 14 +
yara-mikesxrs/symantec/sav.yar | 137 +
yara-mikesxrs/symantec/symantec_index.yara | 746 +
yara-mikesxrs/symantec/turla _ dll.yar | 14 +
yara-mikesxrs/symantec/turla _ dropper.yar | 14 +
.../symantec/wipbot _ 2013 _ core _ PDF.yar | 14 +
.../symantec/wipbot _ 2013 _ core.yar | 45 +
.../symantec/wipbot _ 2013 _ dll.yar | 18 +
yara-mikesxrs/tekdefense/DarkComet.yara | 105 +
yara-mikesxrs/unknown/AutoIt_Script.yar | 15 +
yara-mikesxrs/unknown/SANSDFIR.yara | 88 +
yara-mikesxrs/unknown/UserDB.yara | 15128 +++
.../unknown/Windows_0day_Exploit.yara | 22 +
yara-mikesxrs/unknown/epcompilersigs.yara | 535 +
yara-mikesxrs/unknown/eppackersigs.yara | 3205 +
yara-mikesxrs/unknown/packers.yara | 119 +
.../unknown/undocumentedFPUAtEntryPoint.yar | 11 +
yara-mikesxrs/unknown/userdb_exeinfope.yara | 38753 ++++++++
yara-mikesxrs/unknown/userdb_jclausing.yara | 22520 +++++
yara-mikesxrs/unknown/userdb_panda.yara | 15524 +++
yara-mikesxrs/venom23/Neurevt.yar | 28 +
yara-mikesxrs/vitorafonso/banker.yar | 68 +
yara-mikesxrs/vitorafonso/crisis.yar | 19 +
yara-mikesxrs/vitorafonso/dropper.yar | 19 +
yara-mikesxrs/vitorafonso/exploit.yar | 17 +
yara-mikesxrs/vitorafonso/shedun.yar | 16 +
yara-mikesxrs/vitorafonso/zitmo.yar | 23 +
yara-mikesxrs/vred/W32HavexNetscan.yar | 23 +
yara-mikesxrs/xanda/MS12_052.yar | 19 +
.../xanda/counterPHPredirectBHEK.yar | 16 +
yara-mikesxrs/xanda/iframeRedKit.yar | 23 +
yara-mikesxrs/xanda/jjEncode.yar | 16 +
yara-mikesxrs/xme/Worm_VBS_Uaper_B.yar | 17 +
yara-mikesxrs/xme/office_macro.yar | 14 +
2919 files changed, 597734 insertions(+), 5 deletions(-)
create mode 100644 .gitignore
create mode 100644 LICENSE-YARA-RULES-NEO23X0
create mode 100644 LICENSE-YARA-RULES-REVERSINGLABS
create mode 100644 yara-Neo23x0/apt_aa19_024a.yar
create mode 100644 yara-Neo23x0/apt_agent_btz.yar
create mode 100644 yara-Neo23x0/apt_alienspy_rat.yar
create mode 100644 yara-Neo23x0/apt_apt10.yar
create mode 100644 yara-Neo23x0/apt_apt10_redleaves.yar
create mode 100644 yara-Neo23x0/apt_apt12_malware.yar
create mode 100644 yara-Neo23x0/apt_apt15.yar
create mode 100644 yara-Neo23x0/apt_apt17_mal_sep17.yar
create mode 100644 yara-Neo23x0/apt_apt17_malware.yar
create mode 100644 yara-Neo23x0/apt_apt19.yar
create mode 100644 yara-Neo23x0/apt_apt27_hyperbro.yar
create mode 100644 yara-Neo23x0/apt_apt27_rshell.yar
create mode 100644 yara-Neo23x0/apt_apt28.yar
create mode 100644 yara-Neo23x0/apt_apt28_drovorub.yar
create mode 100644 yara-Neo23x0/apt_apt29_grizzly_steppe.yar
create mode 100644 yara-Neo23x0/apt_apt29_nobelium_apr22.yar
create mode 100644 yara-Neo23x0/apt_apt29_nobelium_may21.yar
create mode 100644 yara-Neo23x0/apt_apt30_backspace.yar
create mode 100644 yara-Neo23x0/apt_apt32.yar
create mode 100644 yara-Neo23x0/apt_apt34.yar
create mode 100644 yara-Neo23x0/apt_apt37.yar
create mode 100644 yara-Neo23x0/apt_apt37_bluelight.yar
create mode 100644 yara-Neo23x0/apt_apt3_bemstour.yar
create mode 100644 yara-Neo23x0/apt_apt41.yar
create mode 100644 yara-Neo23x0/apt_apt6_malware.yar
create mode 100644 yara-Neo23x0/apt_ar18_165a.yar
create mode 100644 yara-Neo23x0/apt_area1_phishing_diplomacy.yar
create mode 100644 yara-Neo23x0/apt_aus_parl_compromise.yar
create mode 100644 yara-Neo23x0/apt_babyshark.yar
create mode 100644 yara-Neo23x0/apt_backdoor_ssh_python.yar
create mode 100644 yara-Neo23x0/apt_backdoor_sunburst_fnv1a_experimental.yar
create mode 100644 yara-Neo23x0/apt_backspace.yar
create mode 100644 yara-Neo23x0/apt_barracuda_esg_unc4841_jun23.yar
create mode 100644 yara-Neo23x0/apt_beepservice.yar
create mode 100644 yara-Neo23x0/apt_between-hk-and-burma.yar
create mode 100644 yara-Neo23x0/apt_bigbang.yar
create mode 100644 yara-Neo23x0/apt_bitter.yar
create mode 100644 yara-Neo23x0/apt_blackenergy.yar
create mode 100644 yara-Neo23x0/apt_blackenergy_installer.yar
create mode 100644 yara-Neo23x0/apt_bluetermite_emdivi.yar
create mode 100644 yara-Neo23x0/apt_bronze_butler.yar
create mode 100644 yara-Neo23x0/apt_buckeye.yar
create mode 100644 yara-Neo23x0/apt_camaro_dragon_oct23.yar
create mode 100644 yara-Neo23x0/apt_candiru.yar
create mode 100644 yara-Neo23x0/apt_carbon_paper_turla.yar
create mode 100644 yara-Neo23x0/apt_casper.yar
create mode 100644 yara-Neo23x0/apt_cheshirecat.yar
create mode 100644 yara-Neo23x0/apt_cisco_asa_line_dancer_apr24.yar
create mode 100644 yara-Neo23x0/apt_cloudatlas.yar
create mode 100644 yara-Neo23x0/apt_cloudduke.yar
create mode 100644 yara-Neo23x0/apt_cmstar.yar
create mode 100644 yara-Neo23x0/apt_cn_netfilter.yar
create mode 100644 yara-Neo23x0/apt_cn_pp_zerot.yar
create mode 100644 yara-Neo23x0/apt_cn_reddelta.yar
create mode 100644 yara-Neo23x0/apt_cn_twisted_panda.yar
create mode 100644 yara-Neo23x0/apt_cobaltstrike.yar
create mode 100644 yara-Neo23x0/apt_cobaltstrike_evasive.yar
create mode 100644 yara-Neo23x0/apt_codoso.yar
create mode 100644 yara-Neo23x0/apt_coreimpact_agent.yar
create mode 100644 yara-Neo23x0/apt_danti_svcmondr.yar
create mode 100644 yara-Neo23x0/apt_darkcaracal.yar
create mode 100644 yara-Neo23x0/apt_darkhydrus.yar
create mode 100644 yara-Neo23x0/apt_deeppanda.yar
create mode 100644 yara-Neo23x0/apt_derusbi.yar
create mode 100644 yara-Neo23x0/apt_dnspionage.yar
create mode 100644 yara-Neo23x0/apt_donotteam_ytyframework.yar
create mode 100644 yara-Neo23x0/apt_dragonfly.yar
create mode 100644 yara-Neo23x0/apt_dtrack.yar
create mode 100644 yara-Neo23x0/apt_dubnium.yar
create mode 100644 yara-Neo23x0/apt_duqu1_5_modules.yar
create mode 100644 yara-Neo23x0/apt_duqu2.yar
create mode 100644 yara-Neo23x0/apt_dustman.yar
create mode 100644 yara-Neo23x0/apt_emissary.yar
create mode 100644 yara-Neo23x0/apt_eqgrp.yar
create mode 100644 yara-Neo23x0/apt_eqgrp_apr17.yar
create mode 100644 yara-Neo23x0/apt_eqgrp_sparc_sbz_apr23.yar
create mode 100644 yara-Neo23x0/apt_eqgrp_triangulation_jun23.yar
create mode 100644 yara-Neo23x0/apt_eternalblue_non_wannacry.yar
create mode 100644 yara-Neo23x0/apt_exile_rat.yar
create mode 100644 yara-Neo23x0/apt_f5_bigip_expl_payloads.yar
create mode 100644 yara-Neo23x0/apt_fakem_backdoor.yar
create mode 100644 yara-Neo23x0/apt_fancybear_computrace_agent.yar
create mode 100644 yara-Neo23x0/apt_fancybear_dnc.yar
create mode 100644 yara-Neo23x0/apt_fancybear_osxagent.yar
create mode 100644 yara-Neo23x0/apt_fidelis_phishing_plain_sight.yar
create mode 100644 yara-Neo23x0/apt_fin7.yar
create mode 100644 yara-Neo23x0/apt_fin7_backdoor.yar
create mode 100644 yara-Neo23x0/apt_fin8.yar
create mode 100644 yara-Neo23x0/apt_flame2_orchestrator.yar
create mode 100644 yara-Neo23x0/apt_foudre.yar
create mode 100644 yara-Neo23x0/apt_four_element_sword.yar
create mode 100644 yara-Neo23x0/apt_freemilk.yar
create mode 100644 yara-Neo23x0/apt_fujinama_rat.yar
create mode 100644 yara-Neo23x0/apt_furtim.yar
create mode 100644 yara-Neo23x0/apt_fvey_shadowbroker_dec16.yar
create mode 100644 yara-Neo23x0/apt_fvey_shadowbroker_jan17.yar
create mode 100644 yara-Neo23x0/apt_ghostdragon_gh0st_rat.yar
create mode 100644 yara-Neo23x0/apt_glassRAT.yar
create mode 100644 yara-Neo23x0/apt_golddragon.yar
create mode 100644 yara-Neo23x0/apt_goldenspy.yar
create mode 100644 yara-Neo23x0/apt_greenbug.yar
create mode 100644 yara-Neo23x0/apt_greyenergy.yar
create mode 100644 yara-Neo23x0/apt_grizzlybear_uscert.yar
create mode 100644 yara-Neo23x0/apt_hackingteam_rules.yar
create mode 100644 yara-Neo23x0/apt_hafnium.yar
create mode 100644 yara-Neo23x0/apt_hafnium_log_sigs.yar
create mode 100644 yara-Neo23x0/apt_ham_tofu_chches.yar
create mode 100644 yara-Neo23x0/apt_hatman.yar
create mode 100644 yara-Neo23x0/apt_hellsing_kaspersky.yar
create mode 100644 yara-Neo23x0/apt_hidden_cobra.yar
create mode 100644 yara-Neo23x0/apt_hiddencobra_bankshot.yar
create mode 100644 yara-Neo23x0/apt_hiddencobra_wiper.yar
create mode 100644 yara-Neo23x0/apt_hizor_rat.yar
create mode 100644 yara-Neo23x0/apt_hkdoor.yar
create mode 100644 yara-Neo23x0/apt_iamtheking.yar
create mode 100644 yara-Neo23x0/apt_icefog.yar
create mode 100644 yara-Neo23x0/apt_indetectables_rat.yar
create mode 100644 yara-Neo23x0/apt_industroyer.yar
create mode 100644 yara-Neo23x0/apt_inocnation.yar
create mode 100644 yara-Neo23x0/apt_irongate.yar
create mode 100644 yara-Neo23x0/apt_irontiger.yar
create mode 100644 yara-Neo23x0/apt_irontiger_trendmicro.yar
create mode 100644 yara-Neo23x0/apt_ism_rat.yar
create mode 100644 yara-Neo23x0/apt_kaspersky_duqu2.yar
create mode 100644 yara-Neo23x0/apt_ke3chang.yar
create mode 100644 yara-Neo23x0/apt_keyboys.yar
create mode 100644 yara-Neo23x0/apt_keylogger_cn.yar
create mode 100644 yara-Neo23x0/apt_khrat.yar
create mode 100644 yara-Neo23x0/apt_korplug_fast.yar
create mode 100644 yara-Neo23x0/apt_kwampirs.yar
create mode 100644 yara-Neo23x0/apt_laudanum_webshells.yar
create mode 100644 yara-Neo23x0/apt_lazarus_applejeus.yar
create mode 100644 yara-Neo23x0/apt_lazarus_aug20.yar
create mode 100644 yara-Neo23x0/apt_lazarus_dec17.yar
create mode 100644 yara-Neo23x0/apt_lazarus_dec20.yar
create mode 100644 yara-Neo23x0/apt_lazarus_gopuram.yar
create mode 100644 yara-Neo23x0/apt_lazarus_jan21.yar
create mode 100644 yara-Neo23x0/apt_lazarus_jun18.yar
create mode 100644 yara-Neo23x0/apt_lazarus_vhd_ransomware.yar
create mode 100644 yara-Neo23x0/apt_leviathan.yar
create mode 100644 yara-Neo23x0/apt_lnx_kobalos.yar
create mode 100644 yara-Neo23x0/apt_lnx_linadoor_rootkit.yar
create mode 100644 yara-Neo23x0/apt_lotusblossom_elise.yar
create mode 100644 yara-Neo23x0/apt_magichound.yar
create mode 100644 yara-Neo23x0/apt_mal_gopuram_apr23.yar
create mode 100644 yara-Neo23x0/apt_mal_ilo_board_elf.yar
create mode 100644 yara-Neo23x0/apt_mal_ru_snake_may23.yar
create mode 100644 yara-Neo23x0/apt_microcin.yar
create mode 100644 yara-Neo23x0/apt_middle_east_talosreport.yar
create mode 100644 yara-Neo23x0/apt_miniasp.yar
create mode 100644 yara-Neo23x0/apt_minidionis.yar
create mode 100644 yara-Neo23x0/apt_mofang.yar
create mode 100644 yara-Neo23x0/apt_molerats_jul17.yar
create mode 100644 yara-Neo23x0/apt_monsoon.yar
create mode 100644 yara-Neo23x0/apt_moonlightmaze.yar
create mode 100644 yara-Neo23x0/apt_ms_platinum.yara
create mode 100644 yara-Neo23x0/apt_muddywater.yar
create mode 100644 yara-Neo23x0/apt_naikon.yar
create mode 100644 yara-Neo23x0/apt_nanocore_rat.yar
create mode 100644 yara-Neo23x0/apt_nazar.yar
create mode 100644 yara-Neo23x0/apt_ncsc_report_04_2018.yar
create mode 100644 yara-Neo23x0/apt_netwire_rat.yar
create mode 100644 yara-Neo23x0/apt_nk_gen.yar
create mode 100644 yara-Neo23x0/apt_nk_goldbackdoor.yar
create mode 100644 yara-Neo23x0/apt_nk_inkysquid.yar
create mode 100644 yara-Neo23x0/apt_nk_tradingtech_apr23.yar
create mode 100644 yara-Neo23x0/apt_oilrig.yar
create mode 100644 yara-Neo23x0/apt_oilrig_chafer_mar18.yar
create mode 100644 yara-Neo23x0/apt_oilrig_oct17.yar
create mode 100644 yara-Neo23x0/apt_oilrig_rgdoor.yar
create mode 100644 yara-Neo23x0/apt_olympic_destroyer.yar
create mode 100644 yara-Neo23x0/apt_onhat_proxy.yar
create mode 100644 yara-Neo23x0/apt_op_cleaver.yar
create mode 100644 yara-Neo23x0/apt_op_cloudhopper.yar
create mode 100644 yara-Neo23x0/apt_op_honeybee.yar
create mode 100644 yara-Neo23x0/apt_op_shadowhammer.yar
create mode 100644 yara-Neo23x0/apt_op_wocao.yar
create mode 100644 yara-Neo23x0/apt_passcv.yar
create mode 100644 yara-Neo23x0/apt_passthehashtoolkit.yar
create mode 100644 yara-Neo23x0/apt_patchwork.yar
create mode 100644 yara-Neo23x0/apt_peach_sandstorm.yar
create mode 100644 yara-Neo23x0/apt_plead_downloader.yar
create mode 100644 yara-Neo23x0/apt_plugx.yar
create mode 100644 yara-Neo23x0/apt_poisonivy.yar
create mode 100644 yara-Neo23x0/apt_poisonivy_gen3.yar
create mode 100644 yara-Neo23x0/apt_poseidon_group.yar
create mode 100644 yara-Neo23x0/apt_poshspy.yar
create mode 100644 yara-Neo23x0/apt_prikormka.yar
create mode 100644 yara-Neo23x0/apt_project_m.yar
create mode 100644 yara-Neo23x0/apt_project_sauron.yara
create mode 100644 yara-Neo23x0/apt_project_sauron_extras.yar
create mode 100644 yara-Neo23x0/apt_promethium_neodymium.yar
create mode 100644 yara-Neo23x0/apt_pulsesecure.yar
create mode 100644 yara-Neo23x0/apt_putterpanda.yar
create mode 100644 yara-Neo23x0/apt_quarkspwdump.yar
create mode 100644 yara-Neo23x0/apt_quasar_rat.yar
create mode 100644 yara-Neo23x0/apt_quasar_vermin.yar
create mode 100644 yara-Neo23x0/apt_rancor.yar
create mode 100644 yara-Neo23x0/apt_ransom_darkbit_feb23.yar
create mode 100644 yara-Neo23x0/apt_ransom_lockbit_citrixbleed_nov23.yar
create mode 100644 yara-Neo23x0/apt_ransom_vicesociety_dec22.yar
create mode 100644 yara-Neo23x0/apt_reaver_sunorcal.yar
create mode 100644 yara-Neo23x0/apt_rehashed_rat.yar
create mode 100644 yara-Neo23x0/apt_report_ivanti_mandiant_jan24.yar
create mode 100644 yara-Neo23x0/apt_revenge_rat.yar
create mode 100644 yara-Neo23x0/apt_rocketkitten_keylogger.yar
create mode 100644 yara-Neo23x0/apt_rokrat.yar
create mode 100644 yara-Neo23x0/apt_royalroad.yar
create mode 100644 yara-Neo23x0/apt_ru_crywiper.yar
create mode 100644 yara-Neo23x0/apt_ruag.yar
create mode 100644 yara-Neo23x0/apt_rwmc_powershell_creddump.yar
create mode 100644 yara-Neo23x0/apt_sakula.yar
create mode 100644 yara-Neo23x0/apt_sandworm_centreon.yar
create mode 100644 yara-Neo23x0/apt_sandworm_cyclops_blink.yar
create mode 100644 yara-Neo23x0/apt_sandworm_exim_expl.yar
create mode 100644 yara-Neo23x0/apt_saudi_aramco_phish.yar
create mode 100644 yara-Neo23x0/apt_scanbox_deeppanda.yar
create mode 100644 yara-Neo23x0/apt_scarcruft.yar
create mode 100644 yara-Neo23x0/apt_seaduke_unit42.yar
create mode 100644 yara-Neo23x0/apt_sednit_delphidownloader.yar
create mode 100644 yara-Neo23x0/apt_servantshell.yar
create mode 100644 yara-Neo23x0/apt_shadowpad.yar
create mode 100644 yara-Neo23x0/apt_shamoon.yar
create mode 100644 yara-Neo23x0/apt_shamoon2.yar
create mode 100644 yara-Neo23x0/apt_sharptongue.yar
create mode 100644 yara-Neo23x0/apt_shellcrew_streamex.yar
create mode 100644 yara-Neo23x0/apt_sidewinder.yar
create mode 100644 yara-Neo23x0/apt_silence.yar
create mode 100644 yara-Neo23x0/apt_skeletonkey.yar
create mode 100644 yara-Neo23x0/apt_slingshot.yar
create mode 100644 yara-Neo23x0/apt_snaketurla_osx.yar
create mode 100644 yara-Neo23x0/apt_snowglobe_babar.yar
create mode 100644 yara-Neo23x0/apt_sofacy.yar
create mode 100644 yara-Neo23x0/apt_sofacy_cannon.yar
create mode 100644 yara-Neo23x0/apt_sofacy_dec15.yar
create mode 100644 yara-Neo23x0/apt_sofacy_fysbis.yar
create mode 100644 yara-Neo23x0/apt_sofacy_hospitality.yar
create mode 100644 yara-Neo23x0/apt_sofacy_jun16.yar
create mode 100644 yara-Neo23x0/apt_sofacy_oct17_camp.yar
create mode 100644 yara-Neo23x0/apt_sofacy_xtunnel_bundestag.yar
create mode 100644 yara-Neo23x0/apt_sofacy_zebrocy.yar
create mode 100644 yara-Neo23x0/apt_solarwinds_sunburst.yar
create mode 100644 yara-Neo23x0/apt_solarwinds_susp_sunburst.yar
create mode 100644 yara-Neo23x0/apt_sphinx_moth.yar
create mode 100644 yara-Neo23x0/apt_stealer_cisa_ar22_277a.yar
create mode 100644 yara-Neo23x0/apt_stonedrill.yar
create mode 100644 yara-Neo23x0/apt_strider.yara
create mode 100644 yara-Neo23x0/apt_stuxnet.yar
create mode 100644 yara-Neo23x0/apt_stuxshop.yar
create mode 100644 yara-Neo23x0/apt_suckfly.yar
create mode 100644 yara-Neo23x0/apt_sunspot.yar
create mode 100644 yara-Neo23x0/apt_sysscan.yar
create mode 100644 yara-Neo23x0/apt_ta17_293A.yar
create mode 100644 yara-Neo23x0/apt_ta17_318A.yar
create mode 100644 yara-Neo23x0/apt_ta17_318B.yar
create mode 100644 yara-Neo23x0/apt_ta18_074A.yar
create mode 100644 yara-Neo23x0/apt_ta18_149A.yar
create mode 100644 yara-Neo23x0/apt_ta459.yar
create mode 100644 yara-Neo23x0/apt_telebots.yar
create mode 100644 yara-Neo23x0/apt_terracotta.yar
create mode 100644 yara-Neo23x0/apt_terracotta_liudoor.yar
create mode 100644 yara-Neo23x0/apt_tetris.yar
create mode 100644 yara-Neo23x0/apt_threatgroup_3390.yar
create mode 100644 yara-Neo23x0/apt_thrip.yar
create mode 100644 yara-Neo23x0/apt_tick_datper.yar
create mode 100644 yara-Neo23x0/apt_tick_weaponized_usb.yar
create mode 100644 yara-Neo23x0/apt_tidepool.yar
create mode 100644 yara-Neo23x0/apt_tophat.yar
create mode 100644 yara-Neo23x0/apt_triton.yar
create mode 100644 yara-Neo23x0/apt_triton_mal_sshdoor.yar
create mode 100644 yara-Neo23x0/apt_turbo_campaign.yar
create mode 100644 yara-Neo23x0/apt_turla.yar
create mode 100644 yara-Neo23x0/apt_turla_gazer.yar
create mode 100644 yara-Neo23x0/apt_turla_kazuar.yar
create mode 100644 yara-Neo23x0/apt_turla_mosquito.yar
create mode 100644 yara-Neo23x0/apt_turla_neuron.yar
create mode 100644 yara-Neo23x0/apt_turla_penquin.yar
create mode 100644 yara-Neo23x0/apt_turla_png_dropper_nov18.yar
create mode 100644 yara-Neo23x0/apt_ua_caddywiper.yar
create mode 100644 yara-Neo23x0/apt_ua_hermetic_wiper.yar
create mode 100644 yara-Neo23x0/apt_ua_isaacwiper.yar
create mode 100644 yara-Neo23x0/apt_ua_wiper_whispergate.yar
create mode 100644 yara-Neo23x0/apt_uboat_rat.yar
create mode 100644 yara-Neo23x0/apt_unc1151_ua.yar
create mode 100644 yara-Neo23x0/apt_unc2447_sombrat.yar
create mode 100644 yara-Neo23x0/apt_unc2546_dewmode.yar
create mode 100644 yara-Neo23x0/apt_unc2891_mal_jan23.yar
create mode 100644 yara-Neo23x0/apt_unc3886_virtualpita.yar
create mode 100644 yara-Neo23x0/apt_unit78020_malware.yar
create mode 100644 yara-Neo23x0/apt_uscert_ta17-1117a.yar
create mode 100644 yara-Neo23x0/apt_venom_linux_rootkit.yar
create mode 100644 yara-Neo23x0/apt_volatile_cedar.yar
create mode 100644 yara-Neo23x0/apt_vpnfilter.yar
create mode 100644 yara-Neo23x0/apt_waterbear.yar
create mode 100644 yara-Neo23x0/apt_waterbug.yar
create mode 100644 yara-Neo23x0/apt_webmonitor_rat.yar
create mode 100644 yara-Neo23x0/apt_webshell_chinachopper.yar
create mode 100644 yara-Neo23x0/apt_wildneutron.yar
create mode 100644 yara-Neo23x0/apt_wilted_tulip.yar
create mode 100644 yara-Neo23x0/apt_win_plugx.yar
create mode 100644 yara-Neo23x0/apt_winnti.yar
create mode 100644 yara-Neo23x0/apt_winnti_br.yar
create mode 100644 yara-Neo23x0/apt_winnti_burning_umbrella.yar
create mode 100644 yara-Neo23x0/apt_winnti_hdroot.yar
create mode 100644 yara-Neo23x0/apt_winnti_linux.yar
create mode 100644 yara-Neo23x0/apt_winnti_ms_report_201701.yar
create mode 100644 yara-Neo23x0/apt_woolengoldfish.yar
create mode 100644 yara-Neo23x0/apt_xrat.yar
create mode 100644 yara-Neo23x0/apt_zxshell.yar
create mode 100644 yara-Neo23x0/bkdr_xz_util_cve_2024_3094.yar
create mode 100644 yara-Neo23x0/cn_pentestset_scripts.yar
create mode 100644 yara-Neo23x0/cn_pentestset_tools.yar
create mode 100644 yara-Neo23x0/cn_pentestset_webshells.yar
create mode 100644 yara-Neo23x0/configured_vulns_ext_vars.yar
create mode 100644 yara-Neo23x0/crime_academic_data_centers_camp_may20.yar
create mode 100644 yara-Neo23x0/crime_andromeda_jun17.yar
create mode 100644 yara-Neo23x0/crime_antifw_installrex.yar
create mode 100644 yara-Neo23x0/crime_atm_dispenserxfs.yar
create mode 100644 yara-Neo23x0/crime_atm_javadipcash.yar
create mode 100644 yara-Neo23x0/crime_atm_loup.yar
create mode 100644 yara-Neo23x0/crime_atm_xfsadm.yar
create mode 100644 yara-Neo23x0/crime_atm_xfscashncr.yar
create mode 100644 yara-Neo23x0/crime_bad_patch.yar
create mode 100644 yara-Neo23x0/crime_badrabbit.yar
create mode 100644 yara-Neo23x0/crime_bazarbackdoor.yar
create mode 100644 yara-Neo23x0/crime_bernhard_pos.yar
create mode 100644 yara-Neo23x0/crime_bluenoroff_pos.yar
create mode 100644 yara-Neo23x0/crime_buzus_softpulse.yar
create mode 100644 yara-Neo23x0/crime_cmstar.yar
create mode 100644 yara-Neo23x0/crime_cn_campaign_njrat.yar
create mode 100644 yara-Neo23x0/crime_cn_group_btc.yar
create mode 100644 yara-Neo23x0/crime_cobalt_gang_pdf.yar
create mode 100644 yara-Neo23x0/crime_cobaltgang.yar
create mode 100644 yara-Neo23x0/crime_corkow_dll.yar
create mode 100644 yara-Neo23x0/crime_covid_ransom.yar
create mode 100644 yara-Neo23x0/crime_credstealer_generic.yar
create mode 100644 yara-Neo23x0/crime_crypto_miner.yar
create mode 100644 yara-Neo23x0/crime_cryptowall_svg.yar
create mode 100644 yara-Neo23x0/crime_dearcry_ransom.yar
create mode 100644 yara-Neo23x0/crime_dexter_trojan.yar
create mode 100644 yara-Neo23x0/crime_dridex_xml.yar
create mode 100644 yara-Neo23x0/crime_emotet.yar
create mode 100644 yara-Neo23x0/crime_enfal.yar
create mode 100644 yara-Neo23x0/crime_envrial.yar
create mode 100644 yara-Neo23x0/crime_eternalrocks.yar
create mode 100644 yara-Neo23x0/crime_evilcorp_dridex_banker.yar
create mode 100644 yara-Neo23x0/crime_fareit.yar
create mode 100644 yara-Neo23x0/crime_fireball.yar
create mode 100644 yara-Neo23x0/crime_floxif_flystudio.yar
create mode 100644 yara-Neo23x0/crime_gamaredon.yar
create mode 100644 yara-Neo23x0/crime_goldeneye.yar
create mode 100644 yara-Neo23x0/crime_gozi_crypter.yar
create mode 100644 yara-Neo23x0/crime_guloader.yar
create mode 100644 yara-Neo23x0/crime_h2miner_kinsing.yar
create mode 100644 yara-Neo23x0/crime_hermes_ransom.yar
create mode 100644 yara-Neo23x0/crime_icedid.yar
create mode 100644 yara-Neo23x0/crime_kasper_oct17.yar
create mode 100644 yara-Neo23x0/crime_kins_dropper.yar
create mode 100644 yara-Neo23x0/crime_kr_malware.yar
create mode 100644 yara-Neo23x0/crime_kraken_bot1.yar
create mode 100644 yara-Neo23x0/crime_kriskynote.yar
create mode 100644 yara-Neo23x0/crime_locky.yar
create mode 100644 yara-Neo23x0/crime_loki_bot.yar
create mode 100644 yara-Neo23x0/crime_mal_grandcrab.yar
create mode 100644 yara-Neo23x0/crime_mal_nitol.yar
create mode 100644 yara-Neo23x0/crime_mal_ransom_wadharma.yar
create mode 100644 yara-Neo23x0/crime_malumpos.yar
create mode 100644 yara-Neo23x0/crime_malware_generic.yar
create mode 100644 yara-Neo23x0/crime_malware_set_oct16.yar
create mode 100644 yara-Neo23x0/crime_maze_ransomware.yar
create mode 100644 yara-Neo23x0/crime_mikey_trojan.yar
create mode 100644 yara-Neo23x0/crime_mirai.yar
create mode 100644 yara-Neo23x0/crime_mywscript_dropper.yar
create mode 100644 yara-Neo23x0/crime_nansh0u.yar
create mode 100644 yara-Neo23x0/crime_nkminer.yar
create mode 100644 yara-Neo23x0/crime_nopetya_jun17.yar
create mode 100644 yara-Neo23x0/crime_ole_loadswf_cve_2018_4878.yar
create mode 100644 yara-Neo23x0/crime_parallax_rat.yar
create mode 100644 yara-Neo23x0/crime_phish_gina_dec15.yar
create mode 100644 yara-Neo23x0/crime_ransom_conti.yar
create mode 100644 yara-Neo23x0/crime_ransom_darkside.yar
create mode 100644 yara-Neo23x0/crime_ransom_generic.yar
create mode 100644 yara-Neo23x0/crime_ransom_germanwiper.yar
create mode 100644 yara-Neo23x0/crime_ransom_lockergoga.yar
create mode 100644 yara-Neo23x0/crime_ransom_prolock.yar
create mode 100644 yara-Neo23x0/crime_ransom_ragna_locker.yar
create mode 100644 yara-Neo23x0/crime_ransom_revil.yar
create mode 100644 yara-Neo23x0/crime_ransom_robinhood.yar
create mode 100644 yara-Neo23x0/crime_ransom_stealbit_lockbit.yar
create mode 100644 yara-Neo23x0/crime_ransom_venus.yar
create mode 100644 yara-Neo23x0/crime_rat_parallax.yar
create mode 100644 yara-Neo23x0/crime_revil_general.yar
create mode 100644 yara-Neo23x0/crime_rombertik_carbongrabber.yar
create mode 100644 yara-Neo23x0/crime_ryuk_ransomware.yar
create mode 100644 yara-Neo23x0/crime_shifu_trojan.yar
create mode 100644 yara-Neo23x0/crime_snarasite.yar
create mode 100644 yara-Neo23x0/crime_socgholish.yar
create mode 100644 yara-Neo23x0/crime_stealer_exfil_zip.yar
create mode 100644 yara-Neo23x0/crime_teledoor.yar
create mode 100644 yara-Neo23x0/crime_trickbot.yar
create mode 100644 yara-Neo23x0/crime_upatre_oct15.yar
create mode 100644 yara-Neo23x0/crime_wannacry.yar
create mode 100644 yara-Neo23x0/crime_wsh_rat.yar
create mode 100644 yara-Neo23x0/crime_xbash.yar
create mode 100644 yara-Neo23x0/crime_zeus_panda.yar
create mode 100644 yara-Neo23x0/crime_zloader_maldocs.yar
create mode 100644 yara-Neo23x0/expl_adselfservice_cve_2021_40539.yar
create mode 100644 yara-Neo23x0/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar
create mode 100644 yara-Neo23x0/expl_connectwise_screenconnect_vuln_feb24.yar
create mode 100644 yara-Neo23x0/expl_cve_2021_1647.yar
create mode 100644 yara-Neo23x0/expl_cve_2021_26084_confluence_log.yar
create mode 100644 yara-Neo23x0/expl_cve_2021_40444.yar
create mode 100644 yara-Neo23x0/expl_cve_2022_41040_proxynoshell.yar
create mode 100644 yara-Neo23x0/expl_cve_2022_46169_cacti.yar
create mode 100644 yara-Neo23x0/expl_ivanti_epmm_mobileiron_cve_2023_35078.yar
create mode 100644 yara-Neo23x0/expl_keepass_cve_2023_24055.yar
create mode 100644 yara-Neo23x0/expl_libcue_cve_2023_43641.yar
create mode 100644 yara-Neo23x0/expl_libssh_cve_2023_2283_jun23.yar
create mode 100644 yara-Neo23x0/expl_log4j_cve_2021_44228.yar
create mode 100644 yara-Neo23x0/expl_macos_switcharoo_dec22.yar
create mode 100644 yara-Neo23x0/expl_manageengine_jan23.yar
create mode 100644 yara-Neo23x0/expl_outlook_cve_2023_23397.yar
create mode 100644 yara-Neo23x0/expl_outlook_cve_2024_21413.yar
create mode 100644 yara-Neo23x0/expl_proxynotshell_owassrf_dec22.yar
create mode 100644 yara-Neo23x0/expl_proxyshell.yar
create mode 100644 yara-Neo23x0/expl_sharepoint_cve_2023_29357.yar
create mode 100644 yara-Neo23x0/expl_spring4shell.yar
create mode 100644 yara-Neo23x0/expl_sysaid_cve_2023_47246.yar
create mode 100644 yara-Neo23x0/expl_teamcity_2023_42793.yar
create mode 100644 yara-Neo23x0/exploit_cve_2014_4076.yar
create mode 100644 yara-Neo23x0/exploit_cve_2015_1674.yar
create mode 100644 yara-Neo23x0/exploit_cve_2015_1701.yar
create mode 100644 yara-Neo23x0/exploit_cve_2015_2426.yar
create mode 100644 yara-Neo23x0/exploit_cve_2015_2545.yar
create mode 100644 yara-Neo23x0/exploit_cve_2015_5119.yar
create mode 100644 yara-Neo23x0/exploit_cve_2017_11882.yar
create mode 100644 yara-Neo23x0/exploit_cve_2017_8759.yar
create mode 100644 yara-Neo23x0/exploit_cve_2017_9800.yar
create mode 100644 yara-Neo23x0/exploit_cve_2018_0802.yar
create mode 100644 yara-Neo23x0/exploit_cve_2018_16858.yar
create mode 100644 yara-Neo23x0/exploit_cve_2021_31166.yar
create mode 100644 yara-Neo23x0/exploit_cve_2021_33766_proxytoken.yar
create mode 100644 yara-Neo23x0/exploit_cve_2022_22954_vmware_workspace_one.yar
create mode 100644 yara-Neo23x0/exploit_cve_2023_38146.yar
create mode 100644 yara-Neo23x0/exploit_f5_bigip_cve_2021_22986_log.yar
create mode 100644 yara-Neo23x0/exploit_gitlab_cve_2021_22205.yar
create mode 100644 yara-Neo23x0/exploit_rtf_ole2link.yar
create mode 100644 yara-Neo23x0/exploit_shitrix.yar
create mode 100644 yara-Neo23x0/exploit_tlb_scripts.yar
create mode 100644 yara-Neo23x0/exploit_uac_elevators.yar
create mode 100644 yara-Neo23x0/gen_100days_of_yara_2023.yar
create mode 100644 yara-Neo23x0/gen_Excel4Macro_Sharpshooter.yar
create mode 100644 yara-Neo23x0/gen_ace_with_exe.yar
create mode 100644 yara-Neo23x0/gen_anomalies_keyword_combos.yar
create mode 100644 yara-Neo23x0/gen_anydesk_compromised_cert_feb23.yar
create mode 100644 yara-Neo23x0/gen_armitage.yar
create mode 100644 yara-Neo23x0/gen_autocad_lsp_malware.yar
create mode 100644 yara-Neo23x0/gen_b374k_extra.yar
create mode 100644 yara-Neo23x0/gen_bad_pdf.yar
create mode 100644 yara-Neo23x0/gen_case_anomalies.yar
create mode 100644 yara-Neo23x0/gen_cert_payloads.yar
create mode 100644 yara-Neo23x0/gen_chaos_payload.yar
create mode 100644 yara-Neo23x0/gen_cmd_script_obfuscated.yar
create mode 100644 yara-Neo23x0/gen_cn_hacktool_scripts.yar
create mode 100644 yara-Neo23x0/gen_cn_hacktools.yar
create mode 100644 yara-Neo23x0/gen_cn_webshells.yar
create mode 100644 yara-Neo23x0/gen_cobaltstrike.yar
create mode 100644 yara-Neo23x0/gen_cobaltstrike_by_avast.yar
create mode 100644 yara-Neo23x0/gen_crime_bitpaymer.yar
create mode 100644 yara-Neo23x0/gen_crimson_rat.yar
create mode 100644 yara-Neo23x0/gen_crunchrat.yar
create mode 100644 yara-Neo23x0/gen_dde_in_office_docs.yar
create mode 100644 yara-Neo23x0/gen_deviceguard_evasion.yar
create mode 100644 yara-Neo23x0/gen_doc_follina.yar
create mode 100644 yara-Neo23x0/gen_dropper_pdb.yar
create mode 100644 yara-Neo23x0/gen_elf_file_anomalies.yar
create mode 100644 yara-Neo23x0/gen_empire.yar
create mode 100644 yara-Neo23x0/gen_enigma_protector.yar
create mode 100644 yara-Neo23x0/gen_event_mute_hook.yar
create mode 100644 yara-Neo23x0/gen_excel_auto_open_evasion.yar
create mode 100644 yara-Neo23x0/gen_excel_xll_addin_suspicious.yar
create mode 100644 yara-Neo23x0/gen_excel_xor_obfuscation_velvetsweatshop.yar
create mode 100644 yara-Neo23x0/gen_exploit_cve_2017_10271_weblogic.yar
create mode 100644 yara-Neo23x0/gen_fake_amsi_dll.yar
create mode 100644 yara-Neo23x0/gen_faked_versions.yar
create mode 100644 yara-Neo23x0/gen_file_anomalies.yar
create mode 100644 yara-Neo23x0/gen_fireeye_redteam_tools.yar
create mode 100644 yara-Neo23x0/gen_floxif.yar
create mode 100644 yara-Neo23x0/gen_frp_proxy.yar
create mode 100644 yara-Neo23x0/gen_gcti_cobaltstrike.yar
create mode 100644 yara-Neo23x0/gen_gcti_sliver.yar
create mode 100644 yara-Neo23x0/gen_gen_cactustorch.yar
create mode 100644 yara-Neo23x0/gen_github_net_redteam_tools_guids.yar
create mode 100644 yara-Neo23x0/gen_github_net_redteam_tools_names.yar
create mode 100644 yara-Neo23x0/gen_github_repo_compromise_myjino_ru.yar
create mode 100644 yara-Neo23x0/gen_gobfuscate.yar
create mode 100644 yara-Neo23x0/gen_google_anomaly.yar
create mode 100644 yara-Neo23x0/gen_gpp_cpassword.yar
create mode 100644 yara-Neo23x0/gen_hawkeye.yar
create mode 100644 yara-Neo23x0/gen_hktl_koh_tokenstealer.yar
create mode 100644 yara-Neo23x0/gen_hktl_roothelper.yar
create mode 100644 yara-Neo23x0/gen_hktl_venom_lib.yar
create mode 100644 yara-Neo23x0/gen_hta_anomalies.yar
create mode 100644 yara-Neo23x0/gen_hunting_susp_rar.yar
create mode 100644 yara-Neo23x0/gen_icon_anomalies.yar
create mode 100644 yara-Neo23x0/gen_impacket_tools.yar
create mode 100644 yara-Neo23x0/gen_imphash_detection.yar
create mode 100644 yara-Neo23x0/gen_invoke_mimikatz.yar
create mode 100644 yara-Neo23x0/gen_invoke_psimage.yar
create mode 100644 yara-Neo23x0/gen_invoke_thehash.yar
create mode 100644 yara-Neo23x0/gen_javascript_powershell.yar
create mode 100644 yara-Neo23x0/gen_kerberoast.yar
create mode 100644 yara-Neo23x0/gen_khepri.yar
create mode 100644 yara-Neo23x0/gen_kirbi_mimkatz.yar
create mode 100644 yara-Neo23x0/gen_lnx_malware_indicators.yar
create mode 100644 yara-Neo23x0/gen_loaders.yar
create mode 100644 yara-Neo23x0/gen_macro_ShellExecute_action.yar
create mode 100644 yara-Neo23x0/gen_macro_builders.yar
create mode 100644 yara-Neo23x0/gen_macro_staroffice_suspicious.yar
create mode 100644 yara-Neo23x0/gen_mal_3cx_compromise_mar23.yar
create mode 100644 yara-Neo23x0/gen_mal_backnet.yar
create mode 100644 yara-Neo23x0/gen_mal_link.yar
create mode 100644 yara-Neo23x0/gen_mal_scripts.yar
create mode 100644 yara-Neo23x0/gen_maldoc.yar
create mode 100644 yara-Neo23x0/gen_malware_MacOS_plist_suspicious.yar
create mode 100644 yara-Neo23x0/gen_malware_set_qa.yar
create mode 100644 yara-Neo23x0/gen_merlin_agent.yar
create mode 100644 yara-Neo23x0/gen_metasploit_loader_rsmudge.yar
create mode 100644 yara-Neo23x0/gen_metasploit_payloads.yar
create mode 100644 yara-Neo23x0/gen_mimikatz.yar
create mode 100644 yara-Neo23x0/gen_mimikittenz.yar
create mode 100644 yara-Neo23x0/gen_mimipenguin.yar
create mode 100644 yara-Neo23x0/gen_net_xorstrings.yar
create mode 100644 yara-Neo23x0/gen_nighthawk_c2.yar
create mode 100644 yara-Neo23x0/gen_nimpackt.yar
create mode 100644 yara-Neo23x0/gen_nopowershell.yar
create mode 100644 yara-Neo23x0/gen_nvidia_leaked_cert.yar
create mode 100644 yara-Neo23x0/gen_onenote_phish.yar
create mode 100644 yara-Neo23x0/gen_osx_backdoor_bella.yar
create mode 100644 yara-Neo23x0/gen_osx_evilosx.yar
create mode 100644 yara-Neo23x0/gen_osx_pyagent_persistence.yar
create mode 100644 yara-Neo23x0/gen_p0wnshell.yar
create mode 100644 yara-Neo23x0/gen_phish_attachments.yar
create mode 100644 yara-Neo23x0/gen_pirpi.yar
create mode 100644 yara-Neo23x0/gen_powerkatz.yar
create mode 100644 yara-Neo23x0/gen_powershdll.yar
create mode 100644 yara-Neo23x0/gen_powershell_empire.yar
create mode 100644 yara-Neo23x0/gen_powershell_invocation.yar
create mode 100644 yara-Neo23x0/gen_powershell_obfuscation.yar
create mode 100644 yara-Neo23x0/gen_powershell_suite.yar
create mode 100644 yara-Neo23x0/gen_powershell_susp.yar
create mode 100644 yara-Neo23x0/gen_powershell_toolkit.yar
create mode 100644 yara-Neo23x0/gen_powersploit_dropper.yar
create mode 100644 yara-Neo23x0/gen_ps1_shellcode.yar
create mode 100644 yara-Neo23x0/gen_ps_empire_eval.yar
create mode 100644 yara-Neo23x0/gen_ps_osiris.yar
create mode 100644 yara-Neo23x0/gen_pua.yar
create mode 100644 yara-Neo23x0/gen_pupy_rat.yar
create mode 100644 yara-Neo23x0/gen_python_encoded_adware.yar
create mode 100644 yara-Neo23x0/gen_python_pty_shell.yar
create mode 100644 yara-Neo23x0/gen_python_pyminifier_encoded_payload.yar
create mode 100644 yara-Neo23x0/gen_python_reverse_shell.yara
create mode 100644 yara-Neo23x0/gen_qakbot_uninstaller.yar
create mode 100644 yara-Neo23x0/gen_rar_exfil.yar
create mode 100644 yara-Neo23x0/gen_rats_malwareconfig.yar
create mode 100644 yara-Neo23x0/gen_recon_indicators.yar
create mode 100644 yara-Neo23x0/gen_redmimicry.yar
create mode 100644 yara-Neo23x0/gen_redsails.yar
create mode 100644 yara-Neo23x0/gen_regsrv32_issue.yar
create mode 100644 yara-Neo23x0/gen_remote_potato0.yar
create mode 100644 yara-Neo23x0/gen_rottenpotato.yar
create mode 100644 yara-Neo23x0/gen_rtf_malver_objects.yar
create mode 100644 yara-Neo23x0/gen_sfx_with_microsoft_copyright.yar
create mode 100644 yara-Neo23x0/gen_sharpcat.yar
create mode 100644 yara-Neo23x0/gen_shikataganai.yar
create mode 100644 yara-Neo23x0/gen_sign_anomalies.yar
create mode 100644 yara-Neo23x0/gen_solarwinds_credential_stealer.yar
create mode 100644 yara-Neo23x0/gen_susp_bat2exe.yar
create mode 100644 yara-Neo23x0/gen_susp_bat_aux.yar
create mode 100644 yara-Neo23x0/gen_susp_cmd_var_expansion.yar
create mode 100644 yara-Neo23x0/gen_susp_hacktool.yar
create mode 100644 yara-Neo23x0/gen_susp_indicators.yar
create mode 100644 yara-Neo23x0/gen_susp_js_obfuscatorio.yar
create mode 100644 yara-Neo23x0/gen_susp_lnk.yar
create mode 100644 yara-Neo23x0/gen_susp_lnk_files.yar
create mode 100644 yara-Neo23x0/gen_susp_net_msil.yar
create mode 100644 yara-Neo23x0/gen_susp_obfuscation.yar
create mode 100644 yara-Neo23x0/gen_susp_office_dropper.yar
create mode 100644 yara-Neo23x0/gen_susp_ps_jab.yar
create mode 100644 yara-Neo23x0/gen_susp_sfx.yar
create mode 100644 yara-Neo23x0/gen_susp_strings_in_ole.yar
create mode 100644 yara-Neo23x0/gen_susp_wer_files.yar
create mode 100644 yara-Neo23x0/gen_susp_xor.yar
create mode 100644 yara-Neo23x0/gen_suspicious_InPage_dropper.yar
create mode 100644 yara-Neo23x0/gen_suspicious_strings.yar
create mode 100644 yara-Neo23x0/gen_sysinternals_anomaly.yar
create mode 100644 yara-Neo23x0/gen_tempracer.yar
create mode 100644 yara-Neo23x0/gen_thumbs_cloaking.yar
create mode 100644 yara-Neo23x0/gen_transformed_strings.yar
create mode 100644 yara-Neo23x0/gen_tscookie_rat.yar
create mode 100644 yara-Neo23x0/gen_unicorn_obfuscated_powershell.yar
create mode 100644 yara-Neo23x0/gen_unsigned_thor.yar
create mode 100644 yara-Neo23x0/gen_unspecified_malware.yar
create mode 100644 yara-Neo23x0/gen_url_persitence.yar
create mode 100644 yara-Neo23x0/gen_url_to_local_exe.yar
create mode 100644 yara-Neo23x0/gen_vcruntime140_dll_sideloading.yar
create mode 100644 yara-Neo23x0/gen_vhd_anomaly.yar
create mode 100644 yara-Neo23x0/gen_webshell_csharp.yar
create mode 100644 yara-Neo23x0/gen_webshells.yar
create mode 100644 yara-Neo23x0/gen_webshells_ext_vars.yar
create mode 100644 yara-Neo23x0/gen_win_privesc.yar
create mode 100644 yara-Neo23x0/gen_winpayloads.yar
create mode 100644 yara-Neo23x0/gen_winshells.yar
create mode 100644 yara-Neo23x0/gen_wmi_implant.yar
create mode 100644 yara-Neo23x0/gen_xor_hunting.yar
create mode 100644 yara-Neo23x0/gen_xored_pe.yar
create mode 100644 yara-Neo23x0/gen_xtreme_rat.yar
create mode 100644 yara-Neo23x0/gen_ysoserial_payloads.yar
create mode 100644 yara-Neo23x0/gen_zoho_rcef_logs.yar
create mode 100644 yara-Neo23x0/general_cloaking.yar
create mode 100644 yara-Neo23x0/general_officemacros.yar
create mode 100644 yara-Neo23x0/generic_anomalies.yar
create mode 100644 yara-Neo23x0/generic_cryptors.yar
create mode 100644 yara-Neo23x0/generic_dumps.yar
create mode 100644 yara-Neo23x0/generic_exe2hex_payload.yar
create mode 100644 yara-Neo23x0/hktl_bruteratel_c4.yar
create mode 100644 yara-Neo23x0/hktl_bruteratel_c4_badger.yar
create mode 100644 yara-Neo23x0/hktl_natbypass.yar
create mode 100644 yara-Neo23x0/log_teamviewer_keyboard_layouts.yar
create mode 100644 yara-Neo23x0/mal_avemaria_rat.yar
create mode 100644 yara-Neo23x0/mal_bibi_wiper_oct23.yar
create mode 100644 yara-Neo23x0/mal_codecov_hack.yar
create mode 100644 yara-Neo23x0/mal_crime_unknown.yar
create mode 100644 yara-Neo23x0/mal_cryp_rat.yar
create mode 100644 yara-Neo23x0/mal_ducktail_compromised_certs_jun23.yar
create mode 100644 yara-Neo23x0/mal_efile_apr23.yar
create mode 100644 yara-Neo23x0/mal_fake_document_software.yar
create mode 100644 yara-Neo23x0/mal_fortinet_coathanger_feb24.yar
create mode 100644 yara-Neo23x0/mal_go_modbus.yar
create mode 100644 yara-Neo23x0/mal_lnx_barracuda_cve_2023_2868.yar
create mode 100644 yara-Neo23x0/mal_lnx_implant_may22.yar
create mode 100644 yara-Neo23x0/mal_lockbit_lnx_macos_apr23.yar
create mode 100644 yara-Neo23x0/mal_netsha.yar
create mode 100644 yara-Neo23x0/mal_passwordstate_backdoor.yar
create mode 100644 yara-Neo23x0/mal_qbot_feb23.yar
create mode 100644 yara-Neo23x0/mal_qbot_payloads.yar
create mode 100644 yara-Neo23x0/mal_ransom_esxi_attacks_feb23.yar
create mode 100644 yara-Neo23x0/mal_ransom_lorenz.yar
create mode 100644 yara-Neo23x0/mal_ru_sparepart_dec22.yar
create mode 100644 yara-Neo23x0/pua_cryptocoin_miner.yar
create mode 100644 yara-Neo23x0/pua_xmrig_monero_miner.yar
create mode 100644 yara-Neo23x0/pup_lightftp.yar
create mode 100644 yara-Neo23x0/spy_equation_fiveeyes.yar
create mode 100644 yara-Neo23x0/spy_querty_fiveeyes.yar
create mode 100644 yara-Neo23x0/spy_regin_fiveeyes.yar
create mode 100644 yara-Neo23x0/susp_bat_obfusc_jul24.yar
create mode 100644 yara-Neo23x0/susp_vulndriver_hp_hardware_diagnostics_etdsupp_may23.yar
create mode 100644 yara-Neo23x0/thor-hacktools.yar
create mode 100644 yara-Neo23x0/thor-webshells.yar
create mode 100644 yara-Neo23x0/thor_inverse_matches.yar
create mode 100644 yara-Neo23x0/threat_lenovo_superfish.yar
create mode 100644 yara-Neo23x0/vul_backdoor_antitheftweb.yar
create mode 100644 yara-Neo23x0/vul_confluence_questions_plugin_cve_2022_26138.yar
create mode 100644 yara-Neo23x0/vul_cve_2020_0688.yar
create mode 100644 yara-Neo23x0/vul_cve_2020_1938.yar
create mode 100644 yara-Neo23x0/vul_cve_2021_3438_printdriver.yar
create mode 100644 yara-Neo23x0/vul_cve_2021_386471_omi.yar
create mode 100644 yara-Neo23x0/vul_dell_bios_upd_driver.yar
create mode 100644 yara-Neo23x0/vul_drivecrypt.yar
create mode 100644 yara-Neo23x0/vul_jquery_fileupload_cve_2018_9206.yar
create mode 100644 yara-Neo23x0/vul_php_zlib_backdoor.yar
create mode 100644 yara-Neo23x0/vuln_gigabyte_driver.yar
create mode 100644 yara-Neo23x0/vuln_keepass_brute_forcible.yar
create mode 100644 yara-Neo23x0/vuln_moveit_0day_jun23.yar
create mode 100644 yara-Neo23x0/vuln_paloalto_cve_2024_3400_apr24.yar
create mode 100644 yara-Neo23x0/vuln_proxynotshell_cve_2022_41040.yar
create mode 100644 yara-Neo23x0/webshell_regeorg.yar
create mode 100644 yara-Neo23x0/webshell_xsl_transform.yar
create mode 100644 yara-Neo23x0/yara-rules_mal_drivers.yar
create mode 100644 yara-Neo23x0/yara-rules_vuln_drivers_strict.yar
create mode 100644 yara-Neo23x0/yara-rules_vuln_drivers_strict_renamed.yar
create mode 100644 yara-Neo23x0/yara_mixed_ext_vars.yar
rename {yara => yara-ReversingLabs}/backdoor/ByteCode.MSIL.Backdoor.AgentRacoon.yara (100%)
rename {yara => yara-ReversingLabs}/backdoor/ByteCode.MSIL.Backdoor.AsyncRAT.yara (100%)
rename {yara => yara-ReversingLabs}/backdoor/ByteCode.MSIL.Backdoor.LimeRAT.yara (100%)
rename {yara => yara-ReversingLabs}/backdoor/ByteCode.MSIL.Backdoor.Menorah.yara (100%)
rename {yara => yara-ReversingLabs}/backdoor/Linux.Backdoor.Krasue.yara (100%)
rename {yara => yara-ReversingLabs}/backdoor/Linux.Backdoor.Linodas.yara (100%)
rename {yara => yara-ReversingLabs}/backdoor/Win32.Backdoor.Konni.yara (100%)
rename {yara => yara-ReversingLabs}/backdoor/Win64.Backdoor.Konni.yara (100%)
rename {yara => yara-ReversingLabs}/backdoor/Win64.Backdoor.Minodo.yara (100%)
rename {yara => yara-ReversingLabs}/backdoor/Win64.Backdoor.SideTwist.yara (100%)
rename {yara => yara-ReversingLabs}/certificate/blocklist.yara (100%)
rename {yara => yara-ReversingLabs}/downloader/Win32.Downloader.dlMarlboro.yara (100%)
rename {yara => yara-ReversingLabs}/exploit/Win32.Exploit.CVE20200601.yara (100%)
rename {yara => yara-ReversingLabs}/infostealer/Win32.Infostealer.LumarStealer.yara (100%)
rename {yara => yara-ReversingLabs}/infostealer/Win32.Infostealer.MultigrainPOS.yara (100%)
rename {yara => yara-ReversingLabs}/infostealer/Win32.Infostealer.ProjectHookPOS.yara (100%)
rename {yara => yara-ReversingLabs}/infostealer/Win32.Infostealer.StealC.yara (100%)
rename {yara => yara-ReversingLabs}/pua/Win32.PUA.Domaiq.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Apis.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.ChupaCabra.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Cring.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Dusk.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.EAF.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Eternity.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Fantom.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.GhosTEncryptor.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Ghostbin.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.GoodWill.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.HarpoonLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Hog.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Invert.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Janelle.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Khonsari.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.McBurglar.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Moisha.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Namaste.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Oct.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Pacman.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.PoliceRecords.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Povlsomware.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Retis.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.TaRRaK.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Thanos.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.TimeCrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.TimeTime.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.Venom.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.WildFire.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.WormLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/ByteCode.MSIL.Ransomware.ZeroLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Bytecode.MSIL.Ransomware.CobraLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Linux.Ransomware.GwisinLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Linux.Ransomware.KillDisk.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Linux.Ransomware.LuckyJoe.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Linux.Ransomware.RedAlert.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.5ss5c.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.ASN1Encoder.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Acepy.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Afrodita.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Ako.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Alcatraz.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.AnteFrigus.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Archiveus.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Armage.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Atlas.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Avaddon.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.AvosLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.BKRansomware.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Babuk.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.BadBlock.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Badbeeteam.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Balaclava.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Bam2021.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.BananaCrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.BandarChor.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.BitCrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.BlackBasta.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.BlackCat.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.BlackMoon.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Blitzkrieg.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.BlueLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.BrainCrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Buran.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.ChiChi.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Cincoo.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Clop.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Conti.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Cryakl.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Crypmic.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Crypren.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.CryptoBit.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.CryptoFortress.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.CryptoJoker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.CryptoLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.CryptoWall.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Crysis.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Cuba.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.DMALocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.DMR.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.DarkSide.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.DearCry.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Defray.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Delphimorix.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.DenizKizi.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.DesuCrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Dharma.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.DirtyDecrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.District.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.DogeCrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Dragon.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Dualshot.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Encoded01.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Erica.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.FCT.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.FLKR.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.FarAttack.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.FenixLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Ferrlock.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Flamingo.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.FuxSocy.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.GPGQwerty.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.GandCrab.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.GarrantyDecrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Gibon.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.GlobeImposter.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Gomer.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Good.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Gpcode.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.GusCrypter.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.HDDCryptor.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.HDMR.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.HakunaMatata.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Henry.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.HentaiOniichan.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Hermes.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Horsedeal.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.HowAreYou.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.HydraCrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.IFN643.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.InfoDot.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.JSWorm.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Jamper.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Jemd.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Jormungand.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.JuicyLemon.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Kangaroo.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.KawaiiLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.KillDisk.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Knot.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Kovter.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Koxic.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Kraken.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Ladon.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.LeChiffre.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.LockBit.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Lolkek.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.LooCipher.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Lorenz.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.MRAC.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.MZP.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Mafia.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Magniber.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Major.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Makop.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Maktub.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Marlboro.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.MarsJoke.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Matsnu.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.MedusaLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Meow.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Monalisa.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Montserrat.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Motocos.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.MountLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.NB65.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.NanoLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Nefilim.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Nemty.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Networm.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.NotPetya.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Oni.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.OphionLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Ouroboros.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Outsider.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.PXJ.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Paradise.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Pay2Key.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Petya.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Plague17.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.PrincessLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Prometey.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.RagnarLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Ragnarok.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Ransoc.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.RansomPlus.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Ransomexx.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Redeemer.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.RegretLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.RetMyData.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Reveton.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Revil.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Rokku.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Ryuk.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Sage.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Sanwai.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Sarbloh.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Satan.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Satana.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Saturn.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Sepsis.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Serpent.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.SevenSevenSeven.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.ShadowCryptor.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Sherminator.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Sifrelendi.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Sifreli.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Sigrun.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Skystars.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Spora.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.TBLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.TargetCompany.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.TechandStrat.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.TeleCrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Termite.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Teslacrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Teslarvng.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Thanatos.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.TorrentLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.VHDLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.VegaLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Velso.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.WannaCry.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.WaspLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Wastedlocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.WinWord64.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.WsIR.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Xorist.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Zeoticus.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Zeppelin.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.ZeroCrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Zhen.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win32.Ransomware.Zoldon.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Ako.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Albabat.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.AntiWar.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.AwesomeScott.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.BlackBasta.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Cactus.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Curator.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.DST.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.HermeticRansom.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.HotCoffee.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Nokoyawa.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Pandora.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.RedRoman.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Rook.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.SeedLocker.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Seth.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Solaso.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Vovalex.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.WhiteBlackCrypt.yara (100%)
rename {yara => yara-ReversingLabs}/ransomware/Win64.Ransomware.Wintenzz.yara (100%)
rename {yara => yara-ReversingLabs}/trojan/Linux.Trojan.AcidRain.yara (100%)
rename {yara => yara-ReversingLabs}/trojan/Linux.Trojan.BiBiWiper.yara (100%)
rename {yara => yara-ReversingLabs}/trojan/Win32.Trojan.BiBiWiper.yara (100%)
rename {yara => yara-ReversingLabs}/trojan/Win32.Trojan.CaddyWiper.yara (100%)
rename {yara => yara-ReversingLabs}/trojan/Win32.Trojan.Dridex.yara (100%)
rename {yara => yara-ReversingLabs}/trojan/Win32.Trojan.Emotet.yara (100%)
rename {yara => yara-ReversingLabs}/trojan/Win32.Trojan.HermeticWiper.yara (100%)
rename {yara => yara-ReversingLabs}/trojan/Win32.Trojan.IsaacWiper.yara (100%)
rename {yara => yara-ReversingLabs}/trojan/Win32.Trojan.TrickBot.yara (100%)
rename {yara => yara-ReversingLabs}/virus/Linux.Virus.Vit.yara (100%)
rename {yara => yara-ReversingLabs}/virus/Win32.Virus.Awfull.yara (100%)
rename {yara => yara-ReversingLabs}/virus/Win32.Virus.Cmay.yara (100%)
rename {yara => yara-ReversingLabs}/virus/Win32.Virus.DeadCode.yara (100%)
rename {yara => yara-ReversingLabs}/virus/Win32.Virus.Elerad.yara (100%)
rename {yara => yara-ReversingLabs}/virus/Win32.Virus.Greenp.yara (100%)
rename {yara => yara-ReversingLabs}/virus/Win32.Virus.Mocket.yara (100%)
rename {yara => yara-ReversingLabs}/virus/Win32.Virus.Negt.yara (100%)
create mode 100644 yara-mikesxrs/.gitignore
create mode 100644 yara-mikesxrs/1aN0rmus/1aN0rmus_index.yara
create mode 100644 yara-mikesxrs/1aN0rmus/PCAPs.yara
create mode 100644 yara-mikesxrs/1aN0rmus/exe_rules.yara
create mode 100644 yara-mikesxrs/1aN0rmus/memory.yara
create mode 100644 yara-mikesxrs/1aN0rmus/pos_malware.yara
create mode 100644 yara-mikesxrs/1aN0rmus/rtf_rules.yara
create mode 100644 yara-mikesxrs/1aN0rmus/web_log_review.yara
create mode 100644 yara-mikesxrs/1aN0rmus/web_rules.yara
create mode 100644 yara-mikesxrs/73mp74710n/73mp74710n_index.yara
create mode 100644 yara-mikesxrs/73mp74710n/android_metasploit.yar
create mode 100644 yara-mikesxrs/73mp74710n/njrat.yar
create mode 100644 yara-mikesxrs/AirBnB/MachO.yar
create mode 100644 yara-mikesxrs/AirBnB/eicar.yar
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_exploit_cve_2015_5889.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_exploit_tpwn.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_juuso_keychaindump.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_keylogger_b4rsby_swiftlog.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_keylogger_caseyscarborough.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_keylogger_dannvix.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_keylogger_eldeveloper_keystats.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_keylogger_giacomolaw.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_keylogger_logkext.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_keylogger_roxlu_ofxkeylogger.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_keylogger_skreweverything_swift.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_macpmem.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_manwhoami_icloudcontacts.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_manwhoami_mmetokendecrypt.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_manwhoami_osxchromedecrypt.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_n0fate_chainbreaker.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_macos_ptoomey3_keychain_dumper.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_multi_bloodhound_owned.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_multi_jtesta_ssh_mitm.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_multi_masscan.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_multi_ncc_ABPTTS.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_multi_ntlmrelayx.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_multi_pyrasite_py.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_multi_responder_py.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_windows_hot_potato.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_windows_mimikatz_copywrite.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_windows_mimikatz_errors.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_windows_mimikatz_files.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_windows_mimikatz_modules.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_windows_mimikatz_sekurlsa.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_windows_moyix_creddump.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_windows_ncc_wmicmd.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_windows_rdp_cmd_delivery.yara
create mode 100644 yara-mikesxrs/AirBnB/hacktool_windows_wmi_implant.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_macos_apt_sofacy_xagent.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_macos_bella.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_macos_macspy.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_macos_marten4n6_evilosx.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_macos_neoneggplant_eggshell.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_macos_proton_rat_generic.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_multi_pupy_rat.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_multi_vesche_basicrat.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_apt_red_leaves_generic.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_apt_whitebear_binary_loader_1.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_apt_whitebear_binary_loader_2.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_apt_whitebear_binary_loader_3.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_IRIX_exploit_GEN.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_cle_tool.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_custom_sniffer.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_de_tool.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_encrypted_keyloger.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_loki.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_loki2crypto.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_u_logcleaner.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_wipe.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_moonlightmaze_xk_keylogger.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_pony_stealer.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_remcos_rat.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_t3ntman_crunchrat.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_winnti_loadperf_dll_loader.yara
create mode 100644 yara-mikesxrs/AirBnB/malware_windows_xrat_quasarrat.yara
create mode 100644 yara-mikesxrs/Airbus/Airbus_index.yara
create mode 100644 yara-mikesxrs/Airbus/derusbi_kernel.yar
create mode 100644 yara-mikesxrs/Airbus/derusbi_linux.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_dropper_v3-1.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_packed_v2-0.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_packed_v2-1.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_packed_v2-2.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_packed_v3-1.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v1-0.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v1-1.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v1-2.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v1-3.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v1-4.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v2-0.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v2-1.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v2-2.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v3-0.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v3-1.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_v3-2.yar
create mode 100644 yara-mikesxrs/Airbus/sakula_vx_protector.yar
create mode 100644 yara-mikesxrs/Anomali Labs/Lazarus_wipe_file_routine.yar
create mode 100644 yara-mikesxrs/Anomali Labs/PyInstaller_Binary.yar
create mode 100644 yara-mikesxrs/ApoNie/HeapLib.yar
create mode 100644 yara-mikesxrs/Artemonsecurity/snake.yar
create mode 100644 yara-mikesxrs/Artemonsecurity/snake_packed.yar
create mode 100644 yara-mikesxrs/BAESystems/Hermes.yar
create mode 100644 yara-mikesxrs/Blackberry/BoratRAT.yar
create mode 100644 yara-mikesxrs/Blackberry/BoratRATInformation.yar
create mode 100644 yara-mikesxrs/Blackberry/BoratRATKeylogger.yar
create mode 100644 yara-mikesxrs/Blackberry/EternityClipper.yar
create mode 100644 yara-mikesxrs/Blackberry/EternityRansom.yar
create mode 100644 yara-mikesxrs/Blackberry/EternityStealer.yar
create mode 100644 yara-mikesxrs/Blackberry/EternityWorm.yar
create mode 100644 yara-mikesxrs/Blackberry/HeaderTip.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Backdoor_ChaChi_RAT.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Infostealer_EXE_Jupyter_Cert_36ff.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Infostealer_MSI_EXE_Jupyter_Certificate.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Infostealer_MSI_Jupyter_Embedded_PowerShell.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Infostealer_PowerShell_Jupyter_Updated_Samples.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Infostealer_Win32_BlackGuard.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Infostealer_Win32_Jupyter_Download_and_Execute_Module.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Infostealer_Win32_Jupyter_InfoStealer_Module.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Infostealer_Win32_Jupyter_Main_Module.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Win32_ChaosRansomware_2022.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Win32_Chaos_Builder_Ransomware_2022.yar
create mode 100644 yara-mikesxrs/Blackberry/Mal_Win32_Onyx_Strain_Chaos_Ransomware_2022.yar
create mode 100644 yara-mikesxrs/Blackberry/Snake.yar
create mode 100644 yara-mikesxrs/Blackberry/Windealer_Library.yar
create mode 100644 yara-mikesxrs/Blackberry/Windealer_executable.yar
create mode 100644 yara-mikesxrs/Booz Allen Hamilton/Double_Pulsar_Petya.yar
create mode 100644 yara-mikesxrs/Booz Allen Hamilton/PolishBankRAT.yar
create mode 100644 yara-mikesxrs/Brian Carter -carterb/archives_w_chinapic.yar
create mode 100644 yara-mikesxrs/Brian Carter -carterb/demuzacert.yar
create mode 100644 yara-mikesxrs/Brian Carter -carterb/injector_panel_sqlite.yar
create mode 100644 yara-mikesxrs/Brian Carter -carterb/mal_pdf.yar
create mode 100644 yara-mikesxrs/Brian Carter -carterb/panelzips.yar
create mode 100644 yara-mikesxrs/Brian Carter -carterb/pony_config.yar
create mode 100644 yara-mikesxrs/Brian Carter -carterb/tables_inject_panel.yar
create mode 100644 yara-mikesxrs/Brian Carter -carterb/vt_pony_post2gate.yar
create mode 100644 yara-mikesxrs/CISA/CADDYWIPER.yar
create mode 100644 yara-mikesxrs/CISA/HAFIUM_webshell_CVE_2021_27065.yar
create mode 100644 yara-mikesxrs/CISA/HAFNIUM_CVE_2021_27065_Exchange_OAB_VD_MOD.yar
create mode 100644 yara-mikesxrs/CISA/HERMETICWIZARD.yar
create mode 100644 yara-mikesxrs/CISA/HERMETICWIZARD_WORM.yar
create mode 100644 yara-mikesxrs/CISA/HERMETICWIZARD_WORM_CODE.yar
create mode 100644 yara-mikesxrs/CISA/ISAACWIPER.yar
create mode 100644 yara-mikesxrs/CISA/ISAACWIPER_BYTES.yar
create mode 100644 yara-mikesxrs/CSE/APT28_Hospitality.yar
create mode 100644 yara-mikesxrs/CSE/config_decoder_sigs.yar
create mode 100644 yara-mikesxrs/Cado Security/Lambda_Malware.yar
create mode 100644 yara-mikesxrs/Cado Security/Linux_Wiper_AWFULSHRED.yar
create mode 100644 yara-mikesxrs/Cado Security/Linux_Wiper_SOLOSHRED.yar
create mode 100644 yara-mikesxrs/Cado Security/Linux_Worm_ORCSHRED.yar
create mode 100644 yara-mikesxrs/Cado Security/Powershell_Downloader_POWERGAP.yar
create mode 100644 yara-mikesxrs/Cado Security/Whispergate_Stage_1.yar
create mode 100644 yara-mikesxrs/Cado Security/Whispergate_Stage_2.yar
create mode 100644 yara-mikesxrs/Cado Security/Wiper_Ukr_Feb_2022.yar
create mode 100644 yara-mikesxrs/Checkpoint/ElMachete_doc.yar
create mode 100644 yara-mikesxrs/Checkpoint/ElMachete_msi.yar
create mode 100644 yara-mikesxrs/Checkpoint/Gozi_JJ_struct.yar
create mode 100644 yara-mikesxrs/Checkpoint/Russia_Detector_rules.yar
create mode 100644 yara-mikesxrs/Checkpoint/TeamViwer_backdoor.yar
create mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_config.yar
create mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_meteor_batch_files.yar
create mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_stardust_vbs.yar
create mode 100644 yara-mikesxrs/Checkpoint/ZZ_breakwin_wiper.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt3_bemstour_implant_byte_patch.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt3_bemstour_implant_command_stack_variable.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt3_bemstour_strings.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_64bit_Loader.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_1.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_SPINNER_2.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_droppers.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt_CN_TwistedPanda_loader.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt_WebAssistant_TcahfUpdate.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt_nazar_component_guids.yar
create mode 100644 yara-mikesxrs/Checkpoint/apt_nazar_svchost_commands.yar
create mode 100644 yara-mikesxrs/Checkpoint/checkpoint_index.yara
create mode 100644 yara-mikesxrs/Checkpoint/explosive_dll.yar
create mode 100644 yara-mikesxrs/Checkpoint/explosive_exe.yar
create mode 100644 yara-mikesxrs/Checkpoint/goziv3_trojan.yar
create mode 100644 yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX.yar
create mode 100644 yara-mikesxrs/Checkpoint/injector_ZZ_dotRunpeX_oldnew.yar
create mode 100644 yara-mikesxrs/Checkpoint/lyceum_dotnet_dns_backdoor.yar
create mode 100644 yara-mikesxrs/Checkpoint/lyceum_dotnet_http_backdoor.yar
create mode 100644 yara-mikesxrs/Checkpoint/lyceum_golang_backdoor.yar
create mode 100644 yara-mikesxrs/Checkpoint/malware_bumblebee_packed.yar
create mode 100644 yara-mikesxrs/Checkpoint/nazar_component_guids.yar
create mode 100644 yara-mikesxrs/Checkpoint/qbot_vbs.yar
create mode 100644 yara-mikesxrs/Checkpoint/ransomware_ZZ_azov_wiper.yar
create mode 100644 yara-mikesxrs/Citizen Lab/3102.yara
create mode 100644 yara-mikesxrs/Citizen Lab/9002.yara
create mode 100644 yara-mikesxrs/Citizen Lab/Citizen_Lab_index.yara
create mode 100644 yara-mikesxrs/Citizen Lab/bangat.yara
create mode 100644 yara-mikesxrs/Citizen Lab/between-hk-and-burma.yara
create mode 100644 yara-mikesxrs/Citizen Lab/boouset.yara
create mode 100644 yara-mikesxrs/Citizen Lab/comfoo.yara
create mode 100644 yara-mikesxrs/Citizen Lab/cookies.yara
create mode 100644 yara-mikesxrs/Citizen Lab/cves.yara
create mode 100644 yara-mikesxrs/Citizen Lab/cxpid.yara
create mode 100644 yara-mikesxrs/Citizen Lab/enfal.yara
create mode 100644 yara-mikesxrs/Citizen Lab/ezcob.yara
create mode 100644 yara-mikesxrs/Citizen Lab/fakem.yara
create mode 100644 yara-mikesxrs/Citizen Lab/favorite.yara
create mode 100644 yara-mikesxrs/Citizen Lab/filetypes.yara
create mode 100644 yara-mikesxrs/Citizen Lab/glasses.yara
create mode 100644 yara-mikesxrs/Citizen Lab/iexpl0re.yara
create mode 100644 yara-mikesxrs/Citizen Lab/imuler.yara
create mode 100644 yara-mikesxrs/Citizen Lab/insta11.yara
create mode 100644 yara-mikesxrs/Citizen Lab/luckycat.yara
create mode 100644 yara-mikesxrs/Citizen Lab/lurk0+cctv0.yara
create mode 100644 yara-mikesxrs/Citizen Lab/maccontrol.yara
create mode 100644 yara-mikesxrs/Citizen Lab/malware-families.yara
create mode 100644 yara-mikesxrs/Citizen Lab/mirage.yara
create mode 100644 yara-mikesxrs/Citizen Lab/mongal.yara
create mode 100644 yara-mikesxrs/Citizen Lab/msattacker.yara
create mode 100644 yara-mikesxrs/Citizen Lab/naikon.yara
create mode 100644 yara-mikesxrs/Citizen Lab/naspyupdate.yara
create mode 100644 yara-mikesxrs/Citizen Lab/nettraveler.yara
create mode 100644 yara-mikesxrs/Citizen Lab/nsfree.yara
create mode 100644 yara-mikesxrs/Citizen Lab/oleidentifiers.yara
create mode 100644 yara-mikesxrs/Citizen Lab/olyx.yara
create mode 100644 yara-mikesxrs/Citizen Lab/payloads.yara
create mode 100644 yara-mikesxrs/Citizen Lab/plugx.yara
create mode 100644 yara-mikesxrs/Citizen Lab/pubsab.yara
create mode 100644 yara-mikesxrs/Citizen Lab/quarian.yara
create mode 100644 yara-mikesxrs/Citizen Lab/regsubdat.yara
create mode 100644 yara-mikesxrs/Citizen Lab/remote.yara
create mode 100644 yara-mikesxrs/Citizen Lab/rookie.yara
create mode 100644 yara-mikesxrs/Citizen Lab/rooter.yara
create mode 100644 yara-mikesxrs/Citizen Lab/safenet.yara
create mode 100644 yara-mikesxrs/Citizen Lab/scarhikn.yara
create mode 100644 yara-mikesxrs/Citizen Lab/surtr.yara
create mode 100644 yara-mikesxrs/Citizen Lab/t5000.yara
create mode 100644 yara-mikesxrs/Citizen Lab/vidgrab.yara
create mode 100644 yara-mikesxrs/Citizen Lab/warp.yara
create mode 100644 yara-mikesxrs/Citizen Lab/wimmie.yara
create mode 100644 yara-mikesxrs/Citizen Lab/xtreme.yara
create mode 100644 yara-mikesxrs/Citizen Lab/yayih.yara
create mode 100644 yara-mikesxrs/Cluster 25/APT28_SkinnyBoy_Dropper.yar
create mode 100644 yara-mikesxrs/Cluster 25/APT28_SkinnyBoy_Implanter.yar
create mode 100644 yara-mikesxrs/Cluster 25/APT28_SkinnyBoy_Launcher.yar
create mode 100644 yara-mikesxrs/Cluster 25/APT29_HTMLSmuggling_ZIP_82733_00001.yar
create mode 100644 yara-mikesxrs/Cluster 25/APT29_Loader_87221_00001.yar
create mode 100644 yara-mikesxrs/Cluster 25/GhostWriter_MicroBackdoor_72632_00001.yar
create mode 100644 yara-mikesxrs/Cluster 25/GhostWriter_MicroLoader_72632_00001.yar
create mode 100644 yara-mikesxrs/Cluster 25/UNC1222_HermeticWiper_23433_10001.yar
create mode 100644 yara-mikesxrs/Cluster 25/UNC1222_HermeticWiper_23433_10002.yar
create mode 100644 yara-mikesxrs/Cluster 25/sidewinder_apt_rtf_cve_2017_0199.yar
create mode 100644 yara-mikesxrs/CyberDefenses/installmonstr.yar
create mode 100644 yara-mikesxrs/CyberDefenses/u34.yar
create mode 100644 yara-mikesxrs/CyberDefenses/wirenet_dropper.yar
create mode 100644 yara-mikesxrs/DFIR_Report/CobaltStrike.yar
create mode 100644 yara-mikesxrs/DFIR_Report/Quantum_Case_12647.yar
create mode 100644 yara-mikesxrs/Damian Baran/rule LinuxDDOS_Agent.yar
create mode 100644 yara-mikesxrs/Didier Stevens/Didier_Stevens_index.yara
create mode 100644 yara-mikesxrs/Didier Stevens/JPEG_EXIF_Contains_eval.yara
create mode 100644 yara-mikesxrs/Didier Stevens/Nviso.yar
create mode 100644 yara-mikesxrs/Didier Stevens/PE_PyInstaller.yar
create mode 100644 yara-mikesxrs/Didier Stevens/contains_pe_file.yara
create mode 100644 yara-mikesxrs/Didier Stevens/contains_vbe_file.yara
create mode 100644 yara-mikesxrs/Didier Stevens/maldoc.yara
create mode 100644 yara-mikesxrs/Didier Stevens/peid-userdb-rules-with-pe-module.yara
create mode 100644 yara-mikesxrs/Didier Stevens/peid-userdb-rules-without-pe-module.yara
create mode 100644 yara-mikesxrs/Dragonthreatlabs/apt_c16_win32_dropper.yar
create mode 100644 yara-mikesxrs/Dragonthreatlabs/apt_c16_win64_dropper.yar
create mode 100644 yara-mikesxrs/Dragonthreatlabs/apt_c16_win_disk_pcclient.yar
create mode 100644 yara-mikesxrs/Dragonthreatlabs/apt_c16_win_memory_pcclient.yar
create mode 100644 yara-mikesxrs/Dragonthreatlabs/apt_c16_win_swisyn.yar
create mode 100644 yara-mikesxrs/Dragonthreatlabs/apt_c16_win_wateringhole.yar
create mode 100644 yara-mikesxrs/Dragonthreatlabs/apt_win_mocelpa.yar
create mode 100644 yara-mikesxrs/Dragonthreatlabs/dragonthreatlabs_index.yara
create mode 100644 yara-mikesxrs/Elastic/APT_APT40_Implant_June2020.yar
create mode 100644 yara-mikesxrs/Elastic/Linux_Trojan_BPFDoor_1.yar
create mode 100644 yara-mikesxrs/Elastic/Mozi_Obfuscation_Technique.yar
create mode 100644 yara-mikesxrs/Elastic/Windows_Ransomware_Cuba.yar
create mode 100644 yara-mikesxrs/Elastic/Windows_Trojan_BLISTER.yar
create mode 100644 yara-mikesxrs/Elastic/Windows_Trojan_Deimos_DLL.yar
create mode 100644 yara-mikesxrs/Elastic/Windows_Wiper_HERMETICWIPER.yar
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_cab.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_elf.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_exe.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_gzip.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_jar.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_java_class.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_office_open_xml.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_ole_cf.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_pdf.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_rar.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_rtf.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_swf.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_tar.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/ft_zip.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/misc_compressed_exe.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/misc_no_dosmode_header.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/misc_ooxml_core_properties.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/misc_pe_signature.yara
create mode 100644 yara-mikesxrs/EmersonElectricCo/misc_upx_packed_binary.yara
create mode 100644 yara-mikesxrs/Fidelis/AlienSpy.yar
create mode 100644 yara-mikesxrs/Fidelis/DarkComet.yar
create mode 100644 yara-mikesxrs/Fidelis/DarkCometDownloader.yar
create mode 100644 yara-mikesxrs/Fidelis/Scanbox.yar
create mode 100644 yara-mikesxrs/Fidelis/Ursnif_report_variant_memory.yar
create mode 100644 yara-mikesxrs/Fidelis/XenonCrypter.yar
create mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_SharedMemCreation.yar
create mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_Derusbi_Linux_Strings.yar
create mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_derusbi.yar
create mode 100644 yara-mikesxrs/Fidelis/apt_nix_elf_derusbi_kernelModule.yar
create mode 100644 yara-mikesxrs/Fidelis/apt_win32_dll_bergard_pgv_pvid_variant.yar
create mode 100644 yara-mikesxrs/Fidelis/apt_win32_dll_rat_hiZorRAT.yar
create mode 100644 yara-mikesxrs/Fidelis/apt_win_exe_trojan_derusbi.yar
create mode 100644 yara-mikesxrs/Fidelis/crime_win32_exe_rat_netwire.yar
create mode 100644 yara-mikesxrs/Fidelis/crime_win_PWS_Fareit.yar
create mode 100644 yara-mikesxrs/Fidelis/network_traffic_njRAT.yar
create mode 100644 yara-mikesxrs/Fidelis/win_exe_njRAT.yar
create mode 100644 yara-mikesxrs/Fidelis/win_vbs_rat_hworm.yara
create mode 100644 yara-mikesxrs/Fireeye/APT19_LEGALSTRIKE_DOCUMENT.yara
create mode 100644 yara-mikesxrs/Fireeye/APT32_ActiveMime_Lure.yar
create mode 100644 yara-mikesxrs/Fireeye/APT_DeputyDog_Strings.yar
create mode 100644 yara-mikesxrs/Fireeye/BadRabbit.yar
create mode 100644 yara-mikesxrs/Fireeye/FE_APT_9002_rat.yar
create mode 100644 yara-mikesxrs/Fireeye/FE_petya_ransomware,yar
create mode 100644 yara-mikesxrs/Fireeye/Fireeye_red_team_tool_countermeasures.yar
create mode 100644 yara-mikesxrs/Fireeye/Fireye_index.yara
create mode 100644 yara-mikesxrs/Fireeye/MACROCHECK.YAR
create mode 100644 yara-mikesxrs/Fireeye/Molerats_certs.yar
create mode 100644 yara-mikesxrs/Fireeye/TRITON_Framework.yar
create mode 100644 yara-mikesxrs/Fireeye/callTogether_certificate.yar
create mode 100644 yara-mikesxrs/Fireeye/hastati.yar
create mode 100644 yara-mikesxrs/Fireeye/qti_certificate.yar
create mode 100644 yara-mikesxrs/Florian Roth/Florian_Roth_index.yara
create mode 100644 yara-mikesxrs/Florian Roth/Havex_Trojan.yar
create mode 100644 yara-mikesxrs/Florian Roth/Havex_Trojan_PHP_Server.yar
create mode 100644 yara-mikesxrs/Florian Roth/POSCardStealer_SpyBot.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_alienspy_rat.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_apt17_malware.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_apt28.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_apt30_backspace.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_apt6_malware.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_backdoor_ssh_python.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_backspace.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_beepservice.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_between-hk-and-burma.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_blackenergy.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_blackenergy_installer.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_bluetermite_emdivi.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_buckeye.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_casper.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_cheshirecat.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_cloudduke.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_codoso.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_coreimpact_agent.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_cve2015_5119.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_danti_svcmondr.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_deeppanda.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_derusbi.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_dubnium.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_duqu2.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_emissary.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_eqgrp.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_fakem_backdoor.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_fancybear_dnc.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_fidelis_phishing_plain_sight.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_four_element_sword.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_furtim.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_ghostdragon_gh0st_rat.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_glassRAT.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_hackingteam_rules.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_hellsing_kaspersky.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_hizor_rat.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_indetectables_rat.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_inocnation.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_irongate.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_irontiger.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_irontiger_trendmicro.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_kaspersky_duqu2.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_keylogger_cn.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_korplug_fast.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_laudanum_webshells.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_miniasp.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_minidionis.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_mofang.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_ms_platinum.yara
create mode 100644 yara-mikesxrs/Florian Roth/apt_naikon.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_nanocore_rat.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_onhat_proxy.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_op_cleaver.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_passthehashtoolkit.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_plugx.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_poisonivy.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_poisonivy_gen3.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_poseidon_group.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_prikormka.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_project_m.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_project_sauron.yara
create mode 100644 yara-mikesxrs/Florian Roth/apt_project_sauron_extras.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_putterpanda.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_quarkspwdump.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_rocketkitten_keylogger.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_ruag.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_rwmc_powershell_creddump.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_sakula.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_scanbox_deeppanda.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_seaduke_unit42.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_shamoon.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_skeletonkey.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_snowglobe_babar.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_dec15.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_fysbis.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_jun16.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_sofacy_xtunnel_bundestag.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_sphinx_moth.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_strider.yara
create mode 100644 yara-mikesxrs/Florian Roth/apt_stuxnet.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_suckfly.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_sysscan.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_terracotta.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_terracotta_liudoor.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_threatgroup_3390.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_tidepool.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_turbo_campaign.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_turla.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_unit78020_malware.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_volatile_cedar.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_waterbug.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_webshell_chinachopper.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_wildneutron.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_win_plugx.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_winnti.yar
create mode 100644 yara-mikesxrs/Florian Roth/apt_woolengoldfish.yar
create mode 100644 yara-mikesxrs/Florian Roth/cn_pentestset_scripts.yar
create mode 100644 yara-mikesxrs/Florian Roth/cn_pentestset_tools.yar
create mode 100644 yara-mikesxrs/Florian Roth/cn_pentestset_webshells.yar
create mode 100644 yara-mikesxrs/Florian Roth/cridex.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_antifw_installrex.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_bernhard_pos.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_buzus_softpulse.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_cmstar.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_cryptowall_svg.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_dexter_trojan.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_dridex_xml.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_enfal.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_fareit.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_kins_dropper.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_kraken_bot1.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_locky.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_malumpos.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_malware_generic.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_mikey_trojan.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_petya_ransom.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_phish_gina_dec15.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_rombertik_carbongrabber.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_shifu_trojan.yar
create mode 100644 yara-mikesxrs/Florian Roth/crime_upatre_oct15.yar
create mode 100644 yara-mikesxrs/Florian Roth/exploit_cve_2015_1674.yar
create mode 100644 yara-mikesxrs/Florian Roth/exploit_cve_2015_1701.yar
create mode 100644 yara-mikesxrs/Florian Roth/exploit_cve_2015_2426.yar
create mode 100644 yara-mikesxrs/Florian Roth/exploit_uac_elevators.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_ace_with_exe.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_b374k_extra.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_cn_hacktool_scripts.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_cn_hacktools.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_cn_webshells.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_deviceguard_evasion.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_faked_versions.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_gpp_cpassword.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_invoke_mimikatz.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_kerberoast.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_kirbi_mimkatz.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_malware_set_qa.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_metasploit_loader_rsmudge.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_mimikittenz.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_nopowershell.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_pirpi.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_powerkatz.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_powershell_empire.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_powershell_toolkit.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_regsrv32_issue.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_sharpcat.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_tempracer.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_thumbs_cloaking.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_transformed_strings.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_win_privesc.yar
create mode 100644 yara-mikesxrs/Florian Roth/gen_winshells.yar
create mode 100644 yara-mikesxrs/Florian Roth/general_cloaking.yar
create mode 100644 yara-mikesxrs/Florian Roth/general_officemacros.yar
create mode 100644 yara-mikesxrs/Florian Roth/generic_anomalies.yar
create mode 100644 yara-mikesxrs/Florian Roth/generic_cryptors.yar
create mode 100644 yara-mikesxrs/Florian Roth/generic_dumps.yar
create mode 100644 yara-mikesxrs/Florian Roth/generic_exe2hex_payload.yar
create mode 100644 yara-mikesxrs/Florian Roth/pup_lightftp.yar
create mode 100644 yara-mikesxrs/Florian Roth/spy_equation_fiveeyes.yar
create mode 100644 yara-mikesxrs/Florian Roth/spy_querty_fiveeyes.yar
create mode 100644 yara-mikesxrs/Florian Roth/spy_regin_fiveeyes.yar
create mode 100644 yara-mikesxrs/Florian Roth/thor-hacktools.yar
create mode 100644 yara-mikesxrs/Florian Roth/thor-webshells.yar
create mode 100644 yara-mikesxrs/Florian Roth/thor_inverse_matches.yar
create mode 100644 yara-mikesxrs/Florian Roth/threat_lenovo_superfish.yar
create mode 100644 yara-mikesxrs/GoDaddy/IsElfFile.yara
create mode 100644 yara-mikesxrs/GoDaddy/IsPeFile.yara
create mode 100644 yara-mikesxrs/GoDaddy/IsZipFile.yara
create mode 100644 yara-mikesxrs/GoDaddy/alphacrypt.yara
create mode 100644 yara-mikesxrs/GoDaddy/appraisel.yara
create mode 100644 yara-mikesxrs/GoDaddy/aspack.yara
create mode 100644 yara-mikesxrs/GoDaddy/emotet.yara
create mode 100644 yara-mikesxrs/GoDaddy/granite_coroner.yara
create mode 100644 yara-mikesxrs/GoDaddy/l_exe.yara
create mode 100644 yara-mikesxrs/GoDaddy/mimikatz.yara
create mode 100644 yara-mikesxrs/GoDaddy/reign.yara
create mode 100644 yara-mikesxrs/GoDaddy/rlpack.yara
create mode 100644 yara-mikesxrs/GoDaddy/sogu_packer.yara
create mode 100644 yara-mikesxrs/GoDaddy/turla.yara
create mode 100644 yara-mikesxrs/GoDaddy/upx.yara
create mode 100644 yara-mikesxrs/GoDaddy/vmprotect.yara
create mode 100644 yara-mikesxrs/GoDaddy/wiper.yara
create mode 100644 yara-mikesxrs/HP_Security/doc_efax_buran.yar
create mode 100644 yara-mikesxrs/HP_Security/js_RATDispenser.yar
create mode 100644 yara-mikesxrs/HP_Security/js_downloader_gootloader.yar
create mode 100644 yara-mikesxrs/HP_Security/trickbot_maldoc_embedded_dll_september_2020.yar
create mode 100644 yara-mikesxrs/HP_Security/win_l0rdix.yar
create mode 100644 yara-mikesxrs/HP_Security/win_ostap_jse.yar
create mode 100644 yara-mikesxrs/HP_Security/xll_custom_builder.yar
create mode 100644 yara-mikesxrs/HorribleCanoe/HorribleCanoe_index.yara
create mode 100644 yara-mikesxrs/HorribleCanoe/compiled_autoit.yara
create mode 100644 yara-mikesxrs/HorribleCanoe/connection_manager_phonebook.yara
create mode 100644 yara-mikesxrs/HorribleCanoe/delphi-wlan.yara
create mode 100644 yara-mikesxrs/HorribleCanoe/ejects_cdrom.yara
create mode 100644 yara-mikesxrs/HorribleCanoe/lowers_security.yara
create mode 100644 yara-mikesxrs/HorribleCanoe/pcre.yara
create mode 100644 yara-mikesxrs/HorribleCanoe/reads_clipboard.yara
create mode 100644 yara-mikesxrs/InQuest/Adobe_Flash_DRM_Use_After_Free.yar
create mode 100644 yara-mikesxrs/InQuest/AgentTesla.yar
create mode 100644 yara-mikesxrs/InQuest/CVE_2018_4878_0day_ITW.yar
create mode 100644 yara-mikesxrs/InQuest/Embedded_PE_File.yar
create mode 100644 yara-mikesxrs/InQuest/Excel_IQY_File.yar
create mode 100644 yara-mikesxrs/InQuest/Excel_IQY_File_Suspicious_Request.yar
create mode 100644 yara-mikesxrs/InQuest/Excel_IQY_File_With_file_extension.yar
create mode 100644 yara-mikesxrs/InQuest/Hiddenbee.yar
create mode 100644 yara-mikesxrs/InQuest/MC_Office_DDE.yar
create mode 100644 yara-mikesxrs/InQuest/Microsoft_Office_Document_with_Embedded_Flash_File.yar
create mode 100644 yara-mikesxrs/InQuest/NTLM_Credential_Theft_via_PDF.yar
create mode 100644 yara-mikesxrs/InQuest/RTF_Byte_Nibble_Obfuscation_method.yar
create mode 100644 yara-mikesxrs/Intezer/1
create mode 100644 yara-mikesxrs/Intezer/APT15.yar
create mode 100644 yara-mikesxrs/Intezer/AgeLocker.yar
create mode 100644 yara-mikesxrs/Intezer/ChinaZ_Managers.yar
create mode 100644 yara-mikesxrs/Intezer/DarkComet.yar
create mode 100644 yara-mikesxrs/Intezer/Doki_Attack.yar
create mode 100644 yara-mikesxrs/Intezer/ElectroRAT
create mode 100644 yara-mikesxrs/Intezer/EvilGnome.yar
create mode 100644 yara-mikesxrs/Intezer/Gh0stRAT.yar
create mode 100644 yara-mikesxrs/Intezer/GreedyAntd.yar
create mode 100644 yara-mikesxrs/Intezer/HiddenWasp.yar
create mode 100644 yara-mikesxrs/Intezer/IPStorm.yar
create mode 100644 yara-mikesxrs/Intezer/Iranian_Wipers.yar
create mode 100644 yara-mikesxrs/Intezer/Lazarus_2020.yar
create mode 100644 yara-mikesxrs/Intezer/NexePirateSteal.yar
create mode 100644 yara-mikesxrs/Intezer/QNAPCrypt.yar
create mode 100644 yara-mikesxrs/Intezer/RedDelta.yar
create mode 100644 yara-mikesxrs/Intezer/Rekoobe.yar
create mode 100644 yara-mikesxrs/Intezer/RussianAPT.yar
create mode 100644 yara-mikesxrs/Intezer/Trickbot.yar
create mode 100644 yara-mikesxrs/Intezer/WatchBog.yar
create mode 100644 yara-mikesxrs/Ironnet/nspps_RC4_Key.yar
create mode 100644 yara-mikesxrs/Ironnet/nspss_executable_strings.yar
create mode 100644 yara-mikesxrs/JSCU-NL/COATHANGER_beacon.yar
create mode 100644 yara-mikesxrs/JSCU-NL/COATHANGER_files.yar
create mode 100644 yara-mikesxrs/Jipe_/AutoIT.yar
create mode 100644 yara-mikesxrs/Jipe_/BlackShades.yar
create mode 100644 yara-mikesxrs/Jipe_/Bolonyokte.yar
create mode 100644 yara-mikesxrs/Jipe_/Cerberus.yar
create mode 100644 yara-mikesxrs/Jipe_/Citadel.yar
create mode 100644 yara-mikesxrs/Jipe_/DarkComet.yar
create mode 100644 yara-mikesxrs/Jipe_/Dotfuscator.yar
create mode 100644 yara-mikesxrs/Jipe_/Ice-IX.yar
create mode 100644 yara-mikesxrs/Jipe_/Jipe__index.yara
create mode 100644 yara-mikesxrs/Jipe_/NetWiredRC_B.yar
create mode 100644 yara-mikesxrs/Jipe_/PlugX.yar
create mode 100644 yara-mikesxrs/Jipe_/Poisonivy.yar
create mode 100644 yara-mikesxrs/Jipe_/Qadars.yar
create mode 100644 yara-mikesxrs/Jipe_/Shylock.yar
create mode 100644 yara-mikesxrs/Jipe_/Spyeye.yar
create mode 100644 yara-mikesxrs/Jipe_/Swrort.yar
create mode 100644 yara-mikesxrs/Jipe_/Terminator.yar
create mode 100644 yara-mikesxrs/Jipe_/XTremRat.yar
create mode 100644 yara-mikesxrs/Jipe_/jRAT_conf.yar
create mode 100644 yara-mikesxrs/Jipe_/office_document_vba.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/BlackShades_Trojan.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/Bublik_Downloader.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/Grozlex_Stealer.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/Kevin_Falcoz_index.yara
create mode 100644 yara-mikesxrs/Kevin Falcoz/Packers.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/Wabot_Worm.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/YahLover_Worm.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/Zegost_Trojan.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/compilers.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/lost_door_Trojan.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/universal_1337_stealer_serveur.yar
create mode 100644 yara-mikesxrs/Kevin Falcoz/xtreme_rat.yar
create mode 100644 yara-mikesxrs/Koodous/ASSDdeveloper.yar
create mode 100644 yara-mikesxrs/Koodous/Android.yar
create mode 100644 yara-mikesxrs/Koodous/Android_VirusPolicia.yar
create mode 100644 yara-mikesxrs/Koodous/Android_adware.yar
create mode 100644 yara-mikesxrs/Koodous/Android_mapin.yar
create mode 100644 yara-mikesxrs/Koodous/BatteryBot_ClickFraud.yar
create mode 100644 yara-mikesxrs/Koodous/ChinesePorn.yar
create mode 100644 yara-mikesxrs/Koodous/Drendoid_RAT.yar
create mode 100644 yara-mikesxrs/Koodous/FakeApps.yar
create mode 100644 yara-mikesxrs/Koodous/Fake_MosKow.yar
create mode 100644 yara-mikesxrs/Koodous/HackingTeam.yar
create mode 100644 yara-mikesxrs/Koodous/Koodous_index.yara
create mode 100644 yara-mikesxrs/Koodous/MalwareCertificates.yar
create mode 100644 yara-mikesxrs/Koodous/Ramsonware.yar
create mode 100644 yara-mikesxrs/Koodous/SMSsender.yar
create mode 100644 yara-mikesxrs/Koodous/Tinhvan.yar
create mode 100644 yara-mikesxrs/Koodous/generic_adware.yar
create mode 100644 yara-mikesxrs/Koodous/generic_smsfraud.yar
create mode 100644 yara-mikesxrs/Koodous/koler_ransomware.yar
create mode 100644 yara-mikesxrs/Koodous/malware_Advertising.yar
create mode 100644 yara-mikesxrs/Koodous/malware_Dropper.yar
create mode 100644 yara-mikesxrs/Koodous/mobidash.yar
create mode 100644 yara-mikesxrs/Koodous/realshell.yar
create mode 100644 yara-mikesxrs/Koodous/xbot007.yar
create mode 100644 yara-mikesxrs/LastLine/AgentTesla.yar
create mode 100644 yara-mikesxrs/M4r14ch1/Havex_NetScan.yar
create mode 100644 yara-mikesxrs/Mandiant/Backdoor_Win_C3_1.yar
create mode 100644 yara-mikesxrs/Mandiant/Dropper_Win_Darkside_1.yar
create mode 100644 yara-mikesxrs/Mandiant/LOCKBIT_Note_PE_v1.yar
create mode 100644 yara-mikesxrs/Mandiant/LOCKBIT_Note_PE_v2.yar
create mode 100644 yara-mikesxrs/Mandiant/MTI_Hunting_AsRockDriver_Exploit_Generic.yar
create mode 100644 yara-mikesxrs/Mandiant/MTI_Hunting_AsRockDriver_Exploit_PDB.yar
create mode 100644 yara-mikesxrs/Mandiant/MTI_Hunting_INDUSTROYERv2_Bytes.yar
create mode 100644 yara-mikesxrs/Mandiant/MTI_Hunting_INDUSTROYERv2_Strings.yar
create mode 100644 yara-mikesxrs/Mandiant/M_APT_Downloader_BEATDROP.yar
create mode 100644 yara-mikesxrs/Mandiant/M_APT_Downloader_BOOMMIC.yar
create mode 100644 yara-mikesxrs/Mandiant/QUIETEXIT_strings.yar
create mode 100644 yara-mikesxrs/Mandiant/REGEORG_Tuneller_generic.yar
create mode 100644 yara-mikesxrs/Mandiant/Ransomware_Win_DARKSIDE_v1__1.yar
create mode 100644 yara-mikesxrs/Mandiant/UNC3524_sha1.yar
create mode 100644 yara-mikesxrs/Mandiant/atrium.yar
create mode 100644 yara-mikesxrs/Mandiant/atrium2.yar
create mode 100644 yara-mikesxrs/Mandiant/bloodbank.yar
create mode 100644 yara-mikesxrs/Mandiant/bloodbank2.yar
create mode 100644 yara-mikesxrs/Mandiant/bloodmine.yar
create mode 100644 yara-mikesxrs/Mandiant/bloodmine2.yar
create mode 100644 yara-mikesxrs/Mandiant/cleanpulse.yar
create mode 100644 yara-mikesxrs/Mandiant/cleanpulse2.yar
create mode 100644 yara-mikesxrs/Mandiant/hardpulse.yar
create mode 100644 yara-mikesxrs/Mandiant/lockpick.yar
create mode 100644 yara-mikesxrs/Mandiant/pacemaker_linux32.yar
create mode 100644 yara-mikesxrs/Mandiant/pacemaker_linux64.yar
create mode 100644 yara-mikesxrs/Mandiant/pulsecheck.yar
create mode 100644 yara-mikesxrs/Mandiant/pulsejump.yar
create mode 100644 yara-mikesxrs/Mandiant/quietpulse.yar
create mode 100644 yara-mikesxrs/Mandiant/radialpulse.yar
create mode 100644 yara-mikesxrs/Mandiant/radialpulse2.yar
create mode 100644 yara-mikesxrs/Mandiant/radialpulse3.yar
create mode 100644 yara-mikesxrs/Mandiant/rapidpulse.yar
create mode 100644 yara-mikesxrs/Mandiant/slightpulse.yar
create mode 100644 yara-mikesxrs/Mandiant/slowpulse.yar
create mode 100644 yara-mikesxrs/Mandiant/slowpulse2.yar
create mode 100644 yara-mikesxrs/Mandiant/steadypulse.yar
create mode 100644 yara-mikesxrs/Mandiant/thinblood.yar
create mode 100644 yara-mikesxrs/Mandiant/thinblood2.yar
create mode 100644 yara-mikesxrs/Mandiant/thinblood3.yar
create mode 100644 yara-mikesxrs/McAfee/APT_KimSuky_dllbckdr.yar
create mode 100644 yara-mikesxrs/McAfee/BadRabbit_Ransomware.yar
create mode 100644 yara-mikesxrs/McAfee/CTB_Locker_Ransomware.yar
create mode 100644 yara-mikesxrs/McAfee/CredStealer.yar
create mode 100644 yara-mikesxrs/McAfee/CryptoLocker_rule2.yar
create mode 100644 yara-mikesxrs/McAfee/CryptoLocker_set1.yar
create mode 100644 yara-mikesxrs/McAfee/GPGQwerty_ransomware.yar
create mode 100644 yara-mikesxrs/McAfee/McAfee_index.yara
create mode 100644 yara-mikesxrs/McAfee/NionSpy.yar
create mode 100644 yara-mikesxrs/McAfee/OLE_JSRAT.yar
create mode 100644 yara-mikesxrs/McAfee/SAmSAmRansom2016,yar
create mode 100644 yara-mikesxrs/McAfee/SamSam_Ransomware_Latest.yar
create mode 100644 yara-mikesxrs/McAfee/Spygate_2.9_RAT.yar
create mode 100644 yara-mikesxrs/McAfee/W97M_Vawtrak_dropper.yar
create mode 100644 yara-mikesxrs/McAfee/WannaCry.yar
create mode 100644 yara-mikesxrs/McAfee/kraken_ransomware.yar
create mode 100644 yara-mikesxrs/McAfee/rovnix_downloader.yar
create mode 100644 yara-mikesxrs/McAfee/shifu.yar
create mode 100644 yara-mikesxrs/Microsoft/DevilsTongue_HijackDll.yar
create mode 100644 yara-mikesxrs/Microsoft/Platinum.yara
create mode 100644 yara-mikesxrs/Mike Schladt/Mike_Schladt_index.yara
create mode 100644 yara-mikesxrs/Mike Schladt/apt_win_blackenergy3_core.yar
create mode 100644 yara-mikesxrs/Mike Schladt/apt_win_blackenergy3_installer.yar
create mode 100644 yara-mikesxrs/Mikesxrs/ALFA_TEaM_Shell_V1.yar
create mode 100644 yara-mikesxrs/Mikesxrs/ALFA_TEaM_Shell_V2.yar
create mode 100644 yara-mikesxrs/Mikesxrs/APT3_PDB_Paths.yar
create mode 100644 yara-mikesxrs/Mikesxrs/AppleJeus_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Aurora_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/BADPATCH_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/CN_group_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Cleaver_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/FREEMILK_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Final1stspy_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/GravityRAT_G1-GX.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Greenbug_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/HTTPBrowser_PDB_Path.yar
create mode 100644 yara-mikesxrs/Mikesxrs/HermeticWiperCert.yar
create mode 100644 yara-mikesxrs/Mikesxrs/IRONGATE_SCADA.yar
create mode 100644 yara-mikesxrs/Mikesxrs/JRAT.yar
create mode 100644 yara-mikesxrs/Mikesxrs/KASPERAGENT_MICROPSIA_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/KONNI_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Luckymouse_cert.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Nitlove_PoS.yar
create mode 100644 yara-mikesxrs/Mikesxrs/OSX_XSL.yar
create mode 100644 yara-mikesxrs/Mikesxrs/PDB_Arachnophobia.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Pirates.yar
create mode 100644 yara-mikesxrs/Mikesxrs/PlugX_PDB_Paths.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Poisioned_Hurricane_Certs.yar
create mode 100644 yara-mikesxrs/Mikesxrs/REHASHED_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Ratty.yar
create mode 100644 yara-mikesxrs/Mikesxrs/SAFFRON_ROSE_PDB_PATH.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Sengoku_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/SyberSpace_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/Syrian_Malware_Team_Blackworm.yar
create mode 100644 yara-mikesxrs/Mikesxrs/TropicTrooper_keyboy_PDB.yar
create mode 100644 yara-mikesxrs/Mikesxrs/android_tempting_cedar_spyware.yar
create mode 100644 yara-mikesxrs/NCCGroup/APT15.yar
create mode 100644 yara-mikesxrs/NCCGroup/ISMRAT.yar
create mode 100644 yara-mikesxrs/NCCGroup/Sakula.yar
create mode 100644 yara-mikesxrs/NCCGroup/authenticode_anomalies.yara
create mode 100644 yara-mikesxrs/NCCGroup/badwinmail.yara
create mode 100644 yara-mikesxrs/NCCGroup/heartbleed.yar
create mode 100644 yara-mikesxrs/NCCGroup/metaStealer_memory.yar
create mode 100644 yara-mikesxrs/NCCGroup/package_manager.yara
create mode 100644 yara-mikesxrs/NCCGroup/redleaves.yar
create mode 100644 yara-mikesxrs/NCCGroup/turla_neuron_nautilus.yar
create mode 100644 yara-mikesxrs/NCSC/SparrowDoor_apipatch.yar
create mode 100644 yara-mikesxrs/NCSC/SparrowDoor_clipshot.yar
create mode 100644 yara-mikesxrs/NCSC/SparrowDoor_config.yar
create mode 100644 yara-mikesxrs/NCSC/SparrowDoor_loader.yar
create mode 100644 yara-mikesxrs/NCSC/SparrowDoor_shellcode.yar
create mode 100644 yara-mikesxrs/NCSC/SparrowDoor_sleep_routine.yar
create mode 100644 yara-mikesxrs/NCSC/SparrowDoor_strings.yar
create mode 100644 yara-mikesxrs/NCSC/SparrowDoor_xor.yar
create mode 100644 yara-mikesxrs/NCSC/turla_neuron_nautilus.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_Debugger.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_Dlls.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_DriveSize.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_FilePaths.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_Qemu_Description.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_Qemu_DeviceMap.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_UserNames.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_VBox_Description.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_VBox_DeviceMap.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_VBox_GuestAdditions.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_VBox_VideoDrivers.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_VMWare.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_VmTools.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Check_Wine.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Dropper_Hancitor.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/N3utrino.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/Nick_Hoffman_index.yara
create mode 100644 yara-mikesxrs/Nick Hoffman/bernhardpos.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/korlia.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/logpos.yar
create mode 100644 yara-mikesxrs/Nick Hoffman/mozart.yar
create mode 100644 yara-mikesxrs/Niels Warnars/encoded_vbs.yar
create mode 100644 yara-mikesxrs/Niels Warnars/office_filetype.yar
create mode 100644 yara-mikesxrs/Novetta/DeltaCharlie.yara
create mode 100644 yara-mikesxrs/Novetta/Derusbi_Server.yar
create mode 100644 yara-mikesxrs/Novetta/HotelAlfa.yara
create mode 100644 yara-mikesxrs/Novetta/IndiaAlfa.yara
create mode 100644 yara-mikesxrs/Novetta/IndiaBravo.yara
create mode 100644 yara-mikesxrs/Novetta/IndiaCharlie.yara
create mode 100644 yara-mikesxrs/Novetta/IndiaDelta.yara
create mode 100644 yara-mikesxrs/Novetta/IndiaEcho.yara
create mode 100644 yara-mikesxrs/Novetta/IndiaGolf.yara
create mode 100644 yara-mikesxrs/Novetta/IndiaHotel.yara
create mode 100644 yara-mikesxrs/Novetta/IndiaJuliett.yara
create mode 100644 yara-mikesxrs/Novetta/IndiaWhiskey.yara
create mode 100644 yara-mikesxrs/Novetta/KiloAlfa.yara
create mode 100644 yara-mikesxrs/Novetta/LimaAlfa.yara
create mode 100644 yara-mikesxrs/Novetta/LimaBravo.yara
create mode 100644 yara-mikesxrs/Novetta/LimaCharlie.yara
create mode 100644 yara-mikesxrs/Novetta/LimaDelta.yara
create mode 100644 yara-mikesxrs/Novetta/Novetta_index.yara
create mode 100644 yara-mikesxrs/Novetta/PapaAlfa.yara
create mode 100644 yara-mikesxrs/Novetta/RomeoAlfa.yara
create mode 100644 yara-mikesxrs/Novetta/RomeoBravo.yara
create mode 100644 yara-mikesxrs/Novetta/RomeoCharlie.yara
create mode 100644 yara-mikesxrs/Novetta/RomeoDelta.yara
create mode 100644 yara-mikesxrs/Novetta/RomeoEcho.yara
create mode 100644 yara-mikesxrs/Novetta/RomeoFoxtrot.yara
create mode 100644 yara-mikesxrs/Novetta/RomeoGolf.yara
create mode 100644 yara-mikesxrs/Novetta/RomeoHotel.yara
create mode 100644 yara-mikesxrs/Novetta/RomeoWhiskey.yara
create mode 100644 yara-mikesxrs/Novetta/SierraAlfa.yara
create mode 100644 yara-mikesxrs/Novetta/SierraBravo.yara
create mode 100644 yara-mikesxrs/Novetta/SierraCharlie.yara
create mode 100644 yara-mikesxrs/Novetta/SierraJuliettMikeOne.yara
create mode 100644 yara-mikesxrs/Novetta/SierraJuliettMikeTwo.yara
create mode 100644 yara-mikesxrs/Novetta/TangoAlfa.yara
create mode 100644 yara-mikesxrs/Novetta/TangoBravo.yara
create mode 100644 yara-mikesxrs/Novetta/UniformAlfa.yara
create mode 100644 yara-mikesxrs/Novetta/UniformJuliett.yara
create mode 100644 yara-mikesxrs/Novetta/WhiskeyAlfa.yara
create mode 100644 yara-mikesxrs/Novetta/WhiskeyBravo.yara
create mode 100644 yara-mikesxrs/Novetta/WhiskeyCharlie.yara
create mode 100644 yara-mikesxrs/Novetta/WhiskeyDelta.yara
create mode 100644 yara-mikesxrs/Novetta/cert_wiper.yara
create mode 100644 yara-mikesxrs/Novetta/general.yara
create mode 100644 yara-mikesxrs/Novetta/hidkit.yar
create mode 100644 yara-mikesxrs/Novetta/hikit.yar
create mode 100644 yara-mikesxrs/Novetta/hikit2.yar
create mode 100644 yara-mikesxrs/Novetta/mastersig.yara
create mode 100644 yara-mikesxrs/Novetta/sharedcode.yara
create mode 100644 yara-mikesxrs/Novetta/suicidescripts.yara
create mode 100644 yara-mikesxrs/Novetta/zox.yar
create mode 100644 yara-mikesxrs/Nvisio/CCleaner.yar
create mode 100644 yara-mikesxrs/Nvisio/Office_DDE.yar
create mode 100644 yara-mikesxrs/PL CERT/Madprotect_packer.yar
create mode 100644 yara-mikesxrs/PL CERT/Polish_Bankbot_mobile.yar
create mode 100644 yara-mikesxrs/PL CERT/cryptomix_packer.yar
create mode 100644 yara-mikesxrs/PL CERT/cryptomix_payload.yar
create mode 100644 yara-mikesxrs/PL CERT/kbot.yar
create mode 100644 yara-mikesxrs/PL CERT/necurs.yar
create mode 100644 yara-mikesxrs/PL CERT/nymaim.yar
create mode 100644 yara-mikesxrs/PL CERT/ramnit.yar
create mode 100644 yara-mikesxrs/PL CERT/sage.yar
create mode 100644 yara-mikesxrs/PL CERT/tofsee.yar
create mode 100644 yara-mikesxrs/PWC/Elise_lstudio.yar
create mode 100644 yara-mikesxrs/PWC/Lightserver_variant_B.yar
create mode 100644 yara-mikesxrs/PWC/MSSUP.yar
create mode 100644 yara-mikesxrs/PWC/OrcaRAT.yar
create mode 100644 yara-mikesxrs/PWC/Tendrit_2014.yar
create mode 100644 yara-mikesxrs/PWC/smbWormTool.yar
create mode 100644 yara-mikesxrs/Pasquale Stirparo/beef_hooked.yar
create mode 100644 yara-mikesxrs/QuoIntelligence/UNC5221_WIREFIRE_Webshell.yar
create mode 100644 yara-mikesxrs/RSA/Artifact_ORION_aPlib.yar
create mode 100644 yara-mikesxrs/RSA/Kingslayer_codekey.yar
create mode 100644 yara-mikesxrs/RSA/PNGRat.yar
create mode 100644 yara-mikesxrs/RSA/RSA_index.yar
create mode 100644 yara-mikesxrs/RSA/RTF_Shellcode.yar
create mode 100644 yara-mikesxrs/RSA/Squiblydoo.yar
create mode 100644 yara-mikesxrs/RSA/TROJAN_Notepad.yar
create mode 100644 yara-mikesxrs/RSA/Trojan_Derusbi.yar
create mode 100644 yara-mikesxrs/RSA/Trojan_Derusbi_AP32_Orion.yar
create mode 100644 yara-mikesxrs/RSA/Trojan_HIKIT.yar
create mode 100644 yara-mikesxrs/RSA/Trojan_Lurker2_ORION.yar
create mode 100644 yara-mikesxrs/RSA/liudoor.yar
create mode 100644 yara-mikesxrs/Rapid7/KeyBoy_Backdoor.yar
create mode 100644 yara-mikesxrs/Rapid7/KeyBoy_Dropper.yar
create mode 100644 yara-mikesxrs/Rapid7/Rapid7_index.yara
create mode 100644 yara-mikesxrs/Recorded Future/TEMP.Periscope_Spearphish.yar
create mode 100644 yara-mikesxrs/Recorded Future/ext4_linuxlistener.yar
create mode 100644 yara-mikesxrs/ReversingLabs/BadRabbitRansomware.yar
create mode 100644 yara-mikesxrs/ReversingLabs/CVE_2017_11882.yar
create mode 100644 yara-mikesxrs/ReversingLabs/Rana_Android_resources.yar
create mode 100644 yara-mikesxrs/ReversingLabs/Unpacker_Stub.yar
create mode 100644 yara-mikesxrs/ReversingLabs/image_eval_hunt.yar
create mode 100644 yara-mikesxrs/ReversingLabs/obfuscated_dde.yar
create mode 100644 yara-mikesxrs/Root 9B/PoSLURP
create mode 100644 yara-mikesxrs/SadFud/DMALocker-All-Versions.yara
create mode 100644 yara-mikesxrs/SadFud/Remcos_RAT.yara
create mode 100644 yara-mikesxrs/SadFud/Ripper_ATM.yara
create mode 100644 yara-mikesxrs/SadFud/SadFud_index.yara
create mode 100644 yara-mikesxrs/Secuinfra/APT_Bitter_Almond_Rat.yar
create mode 100644 yara-mikesxrs/Secuinfra/APT_Bitter_Maldoc_Verify.yar
create mode 100644 yara-mikesxrs/Secuinfra/APT_Bitter_PDB_Paths.yar
create mode 100644 yara-mikesxrs/Secuinfra/APT_Bitter_ZxxZ_Downloader.yar
create mode 100644 yara-mikesxrs/SenseCy/ORXLocker.yar
create mode 100644 yara-mikesxrs/SenseCy/njrat_08d.yar
create mode 100644 yara-mikesxrs/Seth Hardy/3102.yar
create mode 100644 yara-mikesxrs/Seth Hardy/9002.yar
create mode 100644 yara-mikesxrs/Seth Hardy/APT_NGO_wuaclt.yar
create mode 100644 yara-mikesxrs/Seth Hardy/Babar.yar
create mode 100644 yara-mikesxrs/Seth Hardy/GeorBot.yar
create mode 100644 yara-mikesxrs/Seth Hardy/Scieron.yar
create mode 100644 yara-mikesxrs/Seth Hardy/Seth_Hardy_index.yara
create mode 100644 yara-mikesxrs/Seth Hardy/Swisyn.yar
create mode 100644 yara-mikesxrs/Seth Hardy/Waterbug.yar
create mode 100644 yara-mikesxrs/Seth Hardy/apt1.yar
create mode 100644 yara-mikesxrs/Seth Hardy/bangat.yar
create mode 100644 yara-mikesxrs/Seth Hardy/boouset.yar
create mode 100644 yara-mikesxrs/Seth Hardy/comfoo.yar
create mode 100644 yara-mikesxrs/Seth Hardy/cookies.yar
create mode 100644 yara-mikesxrs/Seth Hardy/cxpid.yar
create mode 100644 yara-mikesxrs/Seth Hardy/enfal.yar
create mode 100644 yara-mikesxrs/Seth Hardy/ezcob.yar
create mode 100644 yara-mikesxrs/Seth Hardy/f0xy.yar
create mode 100644 yara-mikesxrs/Seth Hardy/fakem.yar
create mode 100644 yara-mikesxrs/Seth Hardy/favorite.yar
create mode 100644 yara-mikesxrs/Seth Hardy/glasses.yar
create mode 100644 yara-mikesxrs/Seth Hardy/hangover.yar
create mode 100644 yara-mikesxrs/Seth Hardy/iexpl0re.yar
create mode 100644 yara-mikesxrs/Seth Hardy/imuler.yar
create mode 100644 yara-mikesxrs/Seth Hardy/insta11.yar
create mode 100644 yara-mikesxrs/Seth Hardy/kins.yar
create mode 100644 yara-mikesxrs/Seth Hardy/leverage.yar
create mode 100644 yara-mikesxrs/Seth Hardy/luckycat.yar
create mode 100644 yara-mikesxrs/Seth Hardy/lurk0+cctv0.yar
create mode 100644 yara-mikesxrs/Seth Hardy/maccontrol.yar
create mode 100644 yara-mikesxrs/Seth Hardy/mask.yar
create mode 100644 yara-mikesxrs/Seth Hardy/mirage.yar
create mode 100644 yara-mikesxrs/Seth Hardy/mongal.yar
create mode 100644 yara-mikesxrs/Seth Hardy/naikon.yar
create mode 100644 yara-mikesxrs/Seth Hardy/naspyupdate.yar
create mode 100644 yara-mikesxrs/Seth Hardy/nettraveler.yar
create mode 100644 yara-mikesxrs/Seth Hardy/nsfree.yar
create mode 100644 yara-mikesxrs/Seth Hardy/olyx.yar
create mode 100644 yara-mikesxrs/Seth Hardy/plugx.yar
create mode 100644 yara-mikesxrs/Seth Hardy/pubsab.yar
create mode 100644 yara-mikesxrs/Seth Hardy/quarian.yar
create mode 100644 yara-mikesxrs/Seth Hardy/regsubdat.yar
create mode 100644 yara-mikesxrs/Seth Hardy/remote.yar
create mode 100644 yara-mikesxrs/Seth Hardy/rookie.yar
create mode 100644 yara-mikesxrs/Seth Hardy/rooter.yar
create mode 100644 yara-mikesxrs/Seth Hardy/safenet.yar
create mode 100644 yara-mikesxrs/Seth Hardy/scarhikn.yar
create mode 100644 yara-mikesxrs/Seth Hardy/shell_crew.yar
create mode 100644 yara-mikesxrs/Seth Hardy/surtr.yar
create mode 100644 yara-mikesxrs/Seth Hardy/t5000.yar
create mode 100644 yara-mikesxrs/Seth Hardy/urausy_skypedat.yar
create mode 100644 yara-mikesxrs/Seth Hardy/vidgrab.yar
create mode 100644 yara-mikesxrs/Seth Hardy/warp.yar
create mode 100644 yara-mikesxrs/Seth Hardy/wimmie.yar
create mode 100644 yara-mikesxrs/Seth Hardy/xtreme.yar
create mode 100644 yara-mikesxrs/Seth Hardy/yayih.yar
create mode 100644 yara-mikesxrs/Spider-labs/Spiderlabs_index.yara
create mode 100644 yara-mikesxrs/Spider-labs/apacheInjection.yara
create mode 100644 yara-mikesxrs/Spider-labs/cherryPicker.yar
create mode 100644 yara-mikesxrs/Spider-labs/punkey.yar
create mode 100644 yara-mikesxrs/Stairwell/MauiRansomware.yar
create mode 100644 yara-mikesxrs/Stairwell/NK_GOLDBACKDOOR_LNK.yar
create mode 100644 yara-mikesxrs/Stairwell/NK_GOLDBACKDOOR_LNK_payload.yar
create mode 100644 yara-mikesxrs/Stairwell/NK_GOLDBACKDOOR_Main.yar
create mode 100644 yara-mikesxrs/Stairwell/NK_GOLDBACKDOOR_generic_shellcode.yar
create mode 100644 yara-mikesxrs/Stairwell/NK_GOLDBACKDOOR_inital_shellcode.yar
create mode 100644 yara-mikesxrs/Stairwell/NK_GOLDBACKDOOR_injected_shellcode.yar
create mode 100644 yara-mikesxrs/Stairwell/NK_GOLDBACKDOOR_obf_payload.yar
create mode 100644 yara-mikesxrs/Stairwell/TTP_Mutation_StackPush_Windows_DLLs.yar
create mode 100644 yara-mikesxrs/Storm Shield/AcidRain.yar
create mode 100644 yara-mikesxrs/Storm Shield/AgentTesla.yar
create mode 100644 yara-mikesxrs/Tenable/Generic_JSP_Webshell.yar
create mode 100644 yara-mikesxrs/Tenable/Tenablebot.yar
create mode 100644 yara-mikesxrs/Tenable/UPX_PACKED.yar
create mode 100644 yara-mikesxrs/Tenable/cerber3.yar
create mode 100644 yara-mikesxrs/Tenable/elf_format.yar
create mode 100644 yara-mikesxrs/Tenable/fopo_webshell.yar
create mode 100644 yara-mikesxrs/Tenable/kaiten.yar
create mode 100644 yara-mikesxrs/Tenable/obfuscated_php.yar
create mode 100644 yara-mikesxrs/Tenable/pbot.yar
create mode 100644 yara-mikesxrs/Tenable/venom.yar
create mode 100644 yara-mikesxrs/ThreatStreamLabs/PyInstaller_Binary.yar
create mode 100644 yara-mikesxrs/Trend Micro/FighterPOS.yar
create mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_MalumPOS.yar
create mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_NewPOSThings2015.yar
create mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_RawPOS2015_dumper.yar
create mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_RawPOS2015_dumper_old.yar
create mode 100644 yara-mikesxrs/Trend Micro/PoS_Malware_RawPOS2015_service.yar
create mode 100644 yara-mikesxrs/Trend Micro/VBS.yar
create mode 100644 yara-mikesxrs/Trend Micro/cracked_loki.yar
create mode 100644 yara-mikesxrs/Trend Micro/crime_linux_umbreon _ rootkit.yar
create mode 100644 yara-mikesxrs/US CERT/APT10 Dropper.yar
create mode 100644 yara-mikesxrs/US CERT/APT10 Redleaves Plugx.yar
create mode 100644 yara-mikesxrs/US CERT/APT10 Redleaves loader.yar
create mode 100644 yara-mikesxrs/US CERT/APT10 Redleaves.yar
create mode 100644 yara-mikesxrs/US CERT/APT10 redleaves handkerchief.yar
create mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_1.yara
create mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_2.yara
create mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_3.yara
create mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_5.yara
create mode 100644 yara-mikesxrs/US CERT/APT28_IMPLANT_6.yara
create mode 100644 yara-mikesxrs/US CERT/APT28_implant_4.yara
create mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_10.yara
create mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_11.yara
create mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_12.yara
create mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_7.yara
create mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_8.yara
create mode 100644 yara-mikesxrs/US CERT/APT29_IMPLANT_9.yara
create mode 100644 yara-mikesxrs/US CERT/APT29_unidentified.yara
create mode 100644 yara-mikesxrs/US CERT/Destructive_Hard_Drive_Tool.yar
create mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool.yar
create mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_2.yar
create mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_3.yar
create mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_5.yar
create mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_6.yar
create mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_7.yar
create mode 100644 yara-mikesxrs/US CERT/Destructive_Target_Cleaning_Tool_8.yar
create mode 100644 yara-mikesxrs/US CERT/Dragonfly.yar
create mode 100644 yara-mikesxrs/US CERT/Dragonfly2.0.yar
create mode 100644 yara-mikesxrs/US CERT/HIDDENCOBRA_RSA_MODULUS.yar
create mode 100644 yara-mikesxrs/US CERT/HIDDEN_COBRA.yar
create mode 100644 yara-mikesxrs/US CERT/Hidden Cobra Enfal.yar
create mode 100644 yara-mikesxrs/US CERT/Hidden_Cobra_DPRK_DDoS_Tool.yara
create mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor.yar
create mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_2.yar
create mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_3.yar
create mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_4.yar
create mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_5.yar
create mode 100644 yara-mikesxrs/US CERT/Lightweight_Backdoor_6.yar
create mode 100644 yara-mikesxrs/US CERT/Malware_used_by_cyber_threat_actor_1.yar
create mode 100644 yara-mikesxrs/US CERT/Malware_used_by_cyber_threat_actor_2.yar
create mode 100644 yara-mikesxrs/US CERT/Malware_used_by_cyber_threat_actor_3.yar
create mode 100644 yara-mikesxrs/US CERT/PAS_TOOL_PHP_WEB_KIT.yar
create mode 100644 yara-mikesxrs/US CERT/Proxy Tool.yar
create mode 100644 yara-mikesxrs/US CERT/Proxy_Tool_2.yar
create mode 100644 yara-mikesxrs/US CERT/Proxy_Tool_3.yar
create mode 100644 yara-mikesxrs/US CERT/SMB_Worm_Tool.yar
create mode 100644 yara-mikesxrs/US CERT/US_CERT_index.yara
create mode 100644 yara-mikesxrs/US CERT/WannaCry.yara
create mode 100644 yara-mikesxrs/US CERT/fallchill.yar
create mode 100644 yara-mikesxrs/US CERT/hatman.yar
create mode 100644 yara-mikesxrs/VectraThreatLab/re.yar
create mode 100644 yara-mikesxrs/Vinsula/Vinsula_Sayad_Binder_infostealer.yar
create mode 100644 yara-mikesxrs/Vinsula/Vinsula_Sayad_Client_infostealer.yar
create mode 100644 yara-mikesxrs/Vinsula/Vinsula_index.yara
create mode 100644 yara-mikesxrs/Volexity/apt_macOS_gimmick.yar
create mode 100644 yara-mikesxrs/Volexity/apt_py_bluelight_ldr.yar
create mode 100644 yara-mikesxrs/Volexity/apt_rb_rokrat_loader.yar
create mode 100644 yara-mikesxrs/Volexity/apt_win_bluelight.yar
create mode 100644 yara-mikesxrs/Volexity/apt_win_bluelight_b.yar
create mode 100644 yara-mikesxrs/Volexity/apt_win_decrok.yar
create mode 100644 yara-mikesxrs/Volexity/apt_win_flipflop_ldr.yar
create mode 100644 yara-mikesxrs/Volexity/apt_win_freshfire.yar
create mode 100644 yara-mikesxrs/Volexity/apt_win_gimmick_dotnet_base.yar
create mode 100644 yara-mikesxrs/Volexity/apt_win_rokload.yar
create mode 100644 yara-mikesxrs/Volexity/ebshell_jsp_converge.yar
create mode 100644 yara-mikesxrs/Volexity/general_java_encoding_and_classloader.yar
create mode 100644 yara-mikesxrs/Volexity/general_jsp_possible_tiny_fileuploader.yar
create mode 100644 yara-mikesxrs/Volexity/general_php_call_user_func.yar
create mode 100644 yara-mikesxrs/Volexity/general_php_fileinput_eval.yar
create mode 100644 yara-mikesxrs/Volexity/trojan_any_pupyrat_b.yar
create mode 100644 yara-mikesxrs/Volexity/trojan_backwash_iis_scout.yar
create mode 100644 yara-mikesxrs/Volexity/trojan_golang_pantegana.yar
create mode 100644 yara-mikesxrs/Volexity/trojan_win_backwash_cpp.yar
create mode 100644 yara-mikesxrs/Volexity/trojan_win_backwash_iis.yar
create mode 100644 yara-mikesxrs/Volexity/trojan_win_cobaltstrike.yar
create mode 100644 yara-mikesxrs/Volexity/trojan_win_iis_shellsave.yar
create mode 100644 yara-mikesxrs/Volexity/trojan_win_pngexe.yar
create mode 100644 yara-mikesxrs/Volexity/trojan_win_xe_backwash.yar
create mode 100644 yara-mikesxrs/Volexity/web_js_xeskimmer.yar
create mode 100644 yara-mikesxrs/Volexity/webshell_aspx_reGeorgTunnel.yar
create mode 100644 yara-mikesxrs/Volexity/webshell_aspx_simpleseesharp.yar
create mode 100644 yara-mikesxrs/Volexity/webshell_aspx_sportsball.yar
create mode 100644 yara-mikesxrs/Volexity/webshell_java_behinder_shellservice.yar
create mode 100644 yara-mikesxrs/Volexity/webshell_java_realcmd.yar
create mode 100644 yara-mikesxrs/Volexity/webshell_php_icescorpion.yar
create mode 100644 yara-mikesxrs/Volexity/webshell_php_str_replace_create_func.yar
create mode 100644 yara-mikesxrs/WalmartGlobalTech/cs_hexlified_stager_sc.yar
create mode 100644 yara-mikesxrs/WithSecure/SILKLOADER.yar
create mode 100644 yara-mikesxrs/WithSecure/ducktail_artifacts.yar
create mode 100644 yara-mikesxrs/WithSecure/ducktail_dotnet_core_infostealer.yar
create mode 100644 yara-mikesxrs/WithSecure/ducktail_exceldna_packed.yar
create mode 100644 yara-mikesxrs/WithSecure/ducktail_nativeaot.yar
create mode 100644 yara-mikesxrs/Xecscan/Yarochkin.yar
create mode 100644 yara-mikesxrs/Xylitol/Malware.yar
create mode 100644 yara-mikesxrs/Xylitol/Zeus_1134.yar
create mode 100644 yara-mikesxrs/Xylitol/ibanking.yar
create mode 100644 yara-mikesxrs/Xylitol/malware_banker.yar
create mode 100644 yara-mikesxrs/Yoroi/CobianRAT.yar
create mode 100644 yara-mikesxrs/Zerk Labs/CVE_2012_0158_1.yar
create mode 100644 yara-mikesxrs/Zerk Labs/Intel_Virtualization_Wizard.yar
create mode 100644 yara-mikesxrs/Zerk Labs/Zerk_Labs_index.yara
create mode 100644 yara-mikesxrs/abhinavbom/APT.yara
create mode 100644 yara-mikesxrs/abhinavbom/Banbra-banker.yara
create mode 100644 yara-mikesxrs/abhinavbom/Duqu2-0.yara
create mode 100644 yara-mikesxrs/abhinavbom/XMLshell.yara
create mode 100644 yara-mikesxrs/abhinavbom/abhinavbom_index.yara
create mode 100644 yara-mikesxrs/abhinavbom/ghostRAT.yara
create mode 100644 yara-mikesxrs/abhinavbom/pos_malwares.yara
create mode 100644 yara-mikesxrs/abhinavbom/virustotal-rules.yara
create mode 100644 yara-mikesxrs/abhinavbom/vm-detect.yara
create mode 100644 yara-mikesxrs/adamburt/adamburt_index.yara
create mode 100644 yara-mikesxrs/adamburt/win_BackoffPOS.yara
create mode 100644 yara-mikesxrs/adamburt/win_Dexter.yara
create mode 100644 yara-mikesxrs/adamburt/win_metasploit_related.yara
create mode 100644 yara-mikesxrs/adamburt/win_trojan-poweliks-dropper.yara
create mode 100644 yara-mikesxrs/alienvault/APT1_GDOCUPLOAD.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_GETMAIL.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_HACKSFASE1.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_HACKSFASE2.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_LIGHTBOLT.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_MAPIGET.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_RARSilent_EXE_PDF.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_Revird_svc.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_TARSIP_ECLIPSE.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_TARSIP_MOON.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WARP.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_ADSPACE.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_AUSOV.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_BOLID.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_CLOVER.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_CSON.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_DIV.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_GREENCAT.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_HEAD.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_KT3.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_QBP.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_RAVE.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_TABLE.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_TOCK.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_UGX.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_Y21K.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_WEBC2_YAHOO.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_dbg_mess.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_known_malicious_RARSilent.yar
create mode 100644 yara-mikesxrs/alienvault/APT1_letusgo.yar
create mode 100644 yara-mikesxrs/alienvault/AURIGA_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/AURIGA_driver_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/BANGAT_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/BISCUIT_GREENCAT_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/BOUNCER_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/BOUNCER_DLL_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/CALENDAR_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/CCREWBACK1.yar
create mode 100644 yara-mikesxrs/alienvault/COMBOS_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/CVE2012XXXX.yar
create mode 100644 yara-mikesxrs/alienvault/CaptainWord.yar
create mode 100644 yara-mikesxrs/alienvault/Careto generic malware signature.yar
create mode 100644 yara-mikesxrs/alienvault/Careto_CnC.yar
create mode 100644 yara-mikesxrs/alienvault/Careto_CnC_domains.yar
create mode 100644 yara-mikesxrs/alienvault/Careto_OSX_SBD.yar
create mode 100644 yara-mikesxrs/alienvault/Careto_SGH.yar
create mode 100644 yara-mikesxrs/alienvault/DAIRY_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/DownloaderPossibleCCrew.yar
create mode 100644 yara-mikesxrs/alienvault/EclipseSunCloudRAT.yar
create mode 100644 yara-mikesxrs/alienvault/Elise.yar
create mode 100644 yara-mikesxrs/alienvault/EzuriLoader.yar
create mode 100644 yara-mikesxrs/alienvault/EzuriLoaderOSX.yar
create mode 100644 yara-mikesxrs/alienvault/FatalRAT_unpacked.yar
create mode 100644 yara-mikesxrs/alienvault/GEN_CCREW1.yar
create mode 100644 yara-mikesxrs/alienvault/GLOOXMAIL_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/GOGGLES_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/GeorBotBinary.yar
create mode 100644 yara-mikesxrs/alienvault/GeorBotMemory.yar
create mode 100644 yara-mikesxrs/alienvault/HACKSFASE1_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/HACKSFASE2_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover2_Downloader.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover2_Keylogger.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover2_backdoor_shell.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover2_stealer.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Appinbot.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Auspo.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Deksila.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Foler.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Fuddol.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Gimwlog.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Gimwup.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Iconfall.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Linog.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Slidewin.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Smackdown_Downloader.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Smackdown_various.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Tymtin_Degrab.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_UpdateEx.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_Vacrhan_Downloader.yar
create mode 100644 yara-mikesxrs/alienvault/Hangover_ron_babylon.yar
create mode 100644 yara-mikesxrs/alienvault/Java0daycve2012xxxx_generic.yar
create mode 100644 yara-mikesxrs/alienvault/KINS_DLL_zeus.yar
create mode 100644 yara-mikesxrs/alienvault/KINS_dropper.yar
create mode 100644 yara-mikesxrs/alienvault/KURTON_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/Keyboy_document_ppsx_sct.yar
create mode 100644 yara-mikesxrs/alienvault/Keyboy_mobile_titan.yar
create mode 100644 yara-mikesxrs/alienvault/LIGHTDART_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/LONGRUN_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/MACROMAIL_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/MANITSME_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/MINIASP_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/MiniASP.yar
create mode 100644 yara-mikesxrs/alienvault/MoonProject.yar
create mode 100644 yara-mikesxrs/alienvault/NEWSREELS_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/NKRivts.yar
create mode 100644 yara-mikesxrs/alienvault/OSX_Dok.yar
create mode 100644 yara-mikesxrs/alienvault/OSX_MacSpy.yar
create mode 100644 yara-mikesxrs/alienvault/OSX_Proton.B.yar
create mode 100644 yara-mikesxrs/alienvault/OSX_Proton_B_systemd.1.yar
create mode 100644 yara-mikesxrs/alienvault/PRISM.yar
create mode 100644 yara-mikesxrs/alienvault/PrismaticSuccessor.yar
create mode 100644 yara-mikesxrs/alienvault/SEASALT_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/STARSYPOUND_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/SWORD_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/TABMSGSQL_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/TrojanCookies_CCREW.yar
create mode 100644 yara-mikesxrs/alienvault/alienvault_index.yara
create mode 100644 yara-mikesxrs/alienvault/avdetect_procs.yar
create mode 100644 yara-mikesxrs/alienvault/ccrewDownloader1.yar
create mode 100644 yara-mikesxrs/alienvault/ccrewDownloader2.yar
create mode 100644 yara-mikesxrs/alienvault/ccrewDownloader3.yar
create mode 100644 yara-mikesxrs/alienvault/ccrewMiniasp.yar
create mode 100644 yara-mikesxrs/alienvault/ccrewQAZ.yar
create mode 100644 yara-mikesxrs/alienvault/ccrewSSLBack1.yar
create mode 100644 yara-mikesxrs/alienvault/ccrewSSLBack2.yar
create mode 100644 yara-mikesxrs/alienvault/ccrewSSLBack3.yar
create mode 100644 yara-mikesxrs/alienvault/dbgdetect_files.yar
create mode 100644 yara-mikesxrs/alienvault/dbgdetect_funcs.yar
create mode 100644 yara-mikesxrs/alienvault/dbgdetect_procs.yar
create mode 100644 yara-mikesxrs/alienvault/leverage_a.yar
create mode 100644 yara-mikesxrs/alienvault/metaxcd.yar
create mode 100644 yara-mikesxrs/alienvault/nkminer_monero.yar
create mode 100644 yara-mikesxrs/alienvault/oceanlotus_constants.yar
create mode 100644 yara-mikesxrs/alienvault/oceanlotus_xor_decode.yar
create mode 100644 yara-mikesxrs/alienvault/sandboxdetect_misc.yar
create mode 100644 yara-mikesxrs/alienvault/thequickbrow_APT1.yar
create mode 100644 yara-mikesxrs/alienvault/urasay skype.yar
create mode 100644 yara-mikesxrs/alienvault/vmdetect_misc.yar
create mode 100644 yara-mikesxrs/arbor/Athena.yar
create mode 100644 yara-mikesxrs/arbor/Black_Revolution_DDoS.yar
create mode 100644 yara-mikesxrs/arbor/Computrace.yar
create mode 100644 yara-mikesxrs/arbor/buhtrapknock.yar
create mode 100644 yara-mikesxrs/arbor/chicken.yar
create mode 100644 yara-mikesxrs/arbor/dirtjumper_drive.yar
create mode 100644 yara-mikesxrs/arbor/dirtjumper_drive2.yar
create mode 100644 yara-mikesxrs/arbor/dirtjumper_drive3.yar
create mode 100644 yara-mikesxrs/arbor/flusihoc.yar
create mode 100644 yara-mikesxrs/ballastsecurity/alina.yara
create mode 100644 yara-mikesxrs/ballastsecurity/andromeda.yara
create mode 100644 yara-mikesxrs/ballastsecurity/athenahttp.yara
create mode 100644 yara-mikesxrs/ballastsecurity/backoff.yara
create mode 100644 yara-mikesxrs/ballastsecurity/blackshades.yara
create mode 100644 yara-mikesxrs/ballastsecurity/blackworm.yara
create mode 100644 yara-mikesxrs/ballastsecurity/cybergate.yara
create mode 100644 yara-mikesxrs/ballastsecurity/cythosia.yara
create mode 100644 yara-mikesxrs/ballastsecurity/darkcomet.yara
create mode 100644 yara-mikesxrs/ballastsecurity/dendroid.yara
create mode 100644 yara-mikesxrs/ballastsecurity/dexter.yara
create mode 100644 yara-mikesxrs/ballastsecurity/diamondfox.yara
create mode 100644 yara-mikesxrs/ballastsecurity/easterjackpos.yara
create mode 100644 yara-mikesxrs/ballastsecurity/elise.yara
create mode 100644 yara-mikesxrs/ballastsecurity/evora.yara
create mode 100644 yara-mikesxrs/ballastsecurity/genome.yara
create mode 100644 yara-mikesxrs/ballastsecurity/glassrat.yara
create mode 100644 yara-mikesxrs/ballastsecurity/herpes.yara
create mode 100644 yara-mikesxrs/ballastsecurity/jackpos.yara
create mode 100644 yara-mikesxrs/ballastsecurity/maazben.yara
create mode 100644 yara-mikesxrs/ballastsecurity/madnesspro.yar
create mode 100644 yara-mikesxrs/ballastsecurity/madnesspro.yara
create mode 100644 yara-mikesxrs/ballastsecurity/nanocore.yara
create mode 100644 yara-mikesxrs/ballastsecurity/njrat.yara
create mode 100644 yara-mikesxrs/ballastsecurity/pbot.yara
create mode 100644 yara-mikesxrs/ballastsecurity/poisonivy.yara
create mode 100644 yara-mikesxrs/ballastsecurity/pony.yara
create mode 100644 yara-mikesxrs/ballastsecurity/projecthook.yara
create mode 100644 yara-mikesxrs/ballastsecurity/solarbot.yara
create mode 100644 yara-mikesxrs/ballastsecurity/vertexnet.yara
create mode 100644 yara-mikesxrs/ballastsecurity/vskimmer.yara
create mode 100644 yara-mikesxrs/ballastsecurity/xtreme.yara
create mode 100644 yara-mikesxrs/bluecoat/Bluecoat_index.yara
create mode 100644 yara-mikesxrs/bluecoat/InceptionAndroid.yar
create mode 100644 yara-mikesxrs/bluecoat/InceptionBlackberry.yar
create mode 100644 yara-mikesxrs/bluecoat/InceptionDLL.yar
create mode 100644 yara-mikesxrs/bluecoat/InceptionIOS.yar
create mode 100644 yara-mikesxrs/bluecoat/InceptionMips.yar
create mode 100644 yara-mikesxrs/bluecoat/InceptionRTF.yar
create mode 100644 yara-mikesxrs/bluecoat/InceptionVBS.yar
create mode 100644 yara-mikesxrs/blueliv/WannaCryptor.yar
create mode 100644 yara-mikesxrs/blueliv/banswift.yar
create mode 100644 yara-mikesxrs/blueliv/banswift_wiper.yar
create mode 100644 yara-mikesxrs/blueliv/petya_eternalblue.yar
create mode 100644 yara-mikesxrs/carbon black/DPRK_ROKRAT.yar
create mode 100644 yara-mikesxrs/carbon black/PNG_dropper.yar
create mode 100644 yara-mikesxrs/carbon black/Plugx.yar
create mode 100644 yara-mikesxrs/carbon black/emotet.yar
create mode 100644 yara-mikesxrs/chuongdong/BabukRansomware.yar
create mode 100644 yara-mikesxrs/chuongdong/BabukRansomwareV3.yar
create mode 100644 yara-mikesxrs/chuongdong/ContiV2.yar
create mode 100644 yara-mikesxrs/chuongdong/DarksideRansomware1_8_6_2.yar
create mode 100644 yara-mikesxrs/chuongdong/MountLocker5_0.yar
create mode 100644 yara-mikesxrs/chuongdong/Regretlocker.yar
create mode 100644 yara-mikesxrs/clamsrch signatures/signsrch.yar
create mode 100644 yara-mikesxrs/clearskysec/comlook.yar
create mode 100644 yara-mikesxrs/clearskysec/gholee.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_ek_checkpoint.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_ek_redirector.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_flash.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_flash2.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_flash4.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_flash5.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_flash_uncompressed.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_html.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_html2.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_jar.yar
create mode 100644 yara-mikesxrs/codewatchorg/angler_js.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole1_jar.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_css.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm10.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm11.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm12.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm3.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm5.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm6.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_htm8.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_jar.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_jar2.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_jar3.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole2_pdf.yar
create mode 100644 yara-mikesxrs/codewatchorg/blackhole_basic.yar
create mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_adobe_2010_1297_exploit.yar
create mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_adobe_2010_2884_exploit.yar
create mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_jar2.yar
create mode 100644 yara-mikesxrs/codewatchorg/bleedinglife2_java_2010_0842_exploit.yar
create mode 100644 yara-mikesxrs/codewatchorg/codewatchorg_index.yar
create mode 100644 yara-mikesxrs/codewatchorg/crimepack_jar.yar
create mode 100644 yara-mikesxrs/codewatchorg/crimepack_jar3.yar
create mode 100644 yara-mikesxrs/codewatchorg/cve_2013_0074.yar
create mode 100644 yara-mikesxrs/codewatchorg/cve_2013_0422.yar
create mode 100644 yara-mikesxrs/codewatchorg/eleonore_jar.yar
create mode 100644 yara-mikesxrs/codewatchorg/eleonore_jar2.yar
create mode 100644 yara-mikesxrs/codewatchorg/eleonore_jar3.yar
create mode 100644 yara-mikesxrs/codewatchorg/eleonore_js.yar
create mode 100644 yara-mikesxrs/codewatchorg/eleonore_js2.yar
create mode 100644 yara-mikesxrs/codewatchorg/eleonore_js3.yar
create mode 100644 yara-mikesxrs/codewatchorg/fragus_htm.yar
create mode 100644 yara-mikesxrs/codewatchorg/fragus_js.yar
create mode 100644 yara-mikesxrs/codewatchorg/fragus_js2.yar
create mode 100644 yara-mikesxrs/codewatchorg/fragus_js_flash.yar
create mode 100644 yara-mikesxrs/codewatchorg/fragus_js_java.yar
create mode 100644 yara-mikesxrs/codewatchorg/fragus_js_quicktime.yar
create mode 100644 yara-mikesxrs/codewatchorg/fragus_js_vml.yar
create mode 100644 yara-mikesxrs/codewatchorg/malicious_office.yar
create mode 100644 yara-mikesxrs/codewatchorg/malicious_pdf.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html10.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html11.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html2.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html3.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html4.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html5.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html6.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html7.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html8.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_html9.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_jar.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_jar2.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_jar3.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_pdf.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_pdf2.yar
create mode 100644 yara-mikesxrs/codewatchorg/phoenix_pdf3.yar
create mode 100644 yara-mikesxrs/codewatchorg/redkit_bin_basic.yar
create mode 100644 yara-mikesxrs/codewatchorg/sakura_jar.yar
create mode 100644 yara-mikesxrs/codewatchorg/sakura_jar2.yar
create mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_css.yar
create mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_css2.yar
create mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_htm.yar
create mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js.yar
create mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js2.yar
create mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js3.yar
create mode 100644 yara-mikesxrs/codewatchorg/zeroaccess_js4.yar
create mode 100644 yara-mikesxrs/codewatchorg/zerox88_js2.yar
create mode 100644 yara-mikesxrs/codewatchorg/zerox88_js3.yar
create mode 100644 yara-mikesxrs/codewatchorg/zeus_js.yar
create mode 100644 yara-mikesxrs/contextis/Trojan_W32_Gh0stMiancha_1_0_0.yar
create mode 100644 yara-mikesxrs/crowdstrike/CVE_2014_4113.yar
create mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _02 - rc4_dropper putterpanda.yar
create mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _03 - threepara_para_implant putterpanda.yar
create mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _05 _ httpclient putterpanda.yar
create mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_ PutterPanda _06 _ xor_dropper putterpanda.yar
create mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_CSIT_14003_03.yar
create mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_CSIT_14004_02.yar
create mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_FlyingKitten.yar
create mode 100644 yara-mikesxrs/crowdstrike/CrowdStrike_PutterPanda_01 - fourh_stack_strings putterpanda.yar
create mode 100644 yara-mikesxrs/crowdstrike/Crowdstrike_index.yara
create mode 100644 yara-mikesxrs/crowdstrike/Crowdstrike_target_breach.yar
create mode 100644 yara-mikesxrs/crowdstrike/gameover zeus.yar
create mode 100644 yara-mikesxrs/crowdstrike/rule CrowdStrike_PutterPanda_04_ pngdowner putterpanda.yar
create mode 100644 yara-mikesxrs/crysys/duqu2.yar
create mode 100644 yara-mikesxrs/cylance/BackDoorLogger.yar
create mode 100644 yara-mikesxrs/cylance/Hkdoor_DLL.yar
create mode 100644 yara-mikesxrs/cylance/Hkdoor_backdoor.yar
create mode 100644 yara-mikesxrs/cylance/Hkdoor_driver.yar
create mode 100644 yara-mikesxrs/cylance/Hkdoor_dropper.yar
create mode 100644 yara-mikesxrs/cylance/Jasus.yar
create mode 100644 yara-mikesxrs/cylance/LoggerModule.yar
create mode 100644 yara-mikesxrs/cylance/MiSType_Backdoor_Packed.yar
create mode 100644 yara-mikesxrs/cylance/Misdat_Backdoor.yar
create mode 100644 yara-mikesxrs/cylance/Misdat_Backdoor_Packed.yar
create mode 100644 yara-mikesxrs/cylance/NetC.yar
create mode 100644 yara-mikesxrs/cylance/SType_Backdoor.yar
create mode 100644 yara-mikesxrs/cylance/ShellCreator2.yar
create mode 100644 yara-mikesxrs/cylance/SmartCopy2.yar
create mode 100644 yara-mikesxrs/cylance/StreamEX.yar
create mode 100644 yara-mikesxrs/cylance/SynFlooder.yar
create mode 100644 yara-mikesxrs/cylance/TinyZBot.yar
create mode 100644 yara-mikesxrs/cylance/WannaCryptor.yar
create mode 100644 yara-mikesxrs/cylance/ZhoupinExploitCrew.yar
create mode 100644 yara-mikesxrs/cylance/Zlib_Backdoor.yar
create mode 100644 yara-mikesxrs/cylance/antivirusdetector.yar
create mode 100644 yara-mikesxrs/cylance/baijiu.yar
create mode 100644 yara-mikesxrs/cylance/csext.yar
create mode 100644 yara-mikesxrs/cylance/cylance_index.yara
create mode 100644 yara-mikesxrs/cylance/kagent.yar
create mode 100644 yara-mikesxrs/cylance/mimikatzWrapper.yar
create mode 100644 yara-mikesxrs/cylance/pvz_in.yar
create mode 100644 yara-mikesxrs/cylance/pvz_out.yar
create mode 100644 yara-mikesxrs/cylance/snakewine.yar
create mode 100644 yara-mikesxrs/cylance/wndTest.yar
create mode 100644 yara-mikesxrs/cylance/zhCat.yar
create mode 100644 yara-mikesxrs/cylance/zhLookUp.yar
create mode 100644 yara-mikesxrs/cylance/zhmimikatz.yar
create mode 100644 yara-mikesxrs/dragos/Crashoverride.yara
create mode 100644 yara-mikesxrs/dragos/crashoverride_configReader.yar
create mode 100644 yara-mikesxrs/dragos/dragos_crashoverride_moduleStrings.yar
create mode 100644 yara-mikesxrs/dragos/embedded_psexec.yar
create mode 100644 yara-mikesxrs/dragos/olympic_destroyer_service_manipulator.yar
create mode 100644 yara-mikesxrs/dragos/shutdown_scheduling.yar
create mode 100644 yara-mikesxrs/eset/Animal_Farm.yar
create mode 100644 yara-mikesxrs/eset/ESET_index.yara
create mode 100644 yara-mikesxrs/eset/Gazer.yar
create mode 100644 yara-mikesxrs/eset/InvisiMole.yar
create mode 100644 yara-mikesxrs/eset/Linux_Moose.yar
create mode 100644 yara-mikesxrs/eset/Mumblehard_packer.yar
create mode 100644 yara-mikesxrs/eset/OSX_Keydnap_backdoor.yar
create mode 100644 yara-mikesxrs/eset/OSX_Keydnap_packer.yar
create mode 100644 yara-mikesxrs/eset/OSX_keydnap_downloader.yar
create mode 100644 yara-mikesxrs/eset/Operation Potao.yar
create mode 100644 yara-mikesxrs/eset/Operation Windigo.yar
create mode 100644 yara-mikesxrs/eset/PotaoNew.yara
create mode 100644 yara-mikesxrs/eset/Prikormka.yar
create mode 100644 yara-mikesxrs/eset/SparklingGoblin.yar
create mode 100644 yara-mikesxrs/eset/Turla_Carbon.yar
create mode 100644 yara-mikesxrs/eset/badiis.yar
create mode 100644 yara-mikesxrs/eset/kobalos.yar
create mode 100644 yara-mikesxrs/eset/kobalos_ssh_credential_stealer.yar
create mode 100644 yara-mikesxrs/eset/linux_rakos.yar
create mode 100644 yara-mikesxrs/eset/skip20_sqllang_hook.yar
create mode 100644 yara-mikesxrs/eset/sshdoor.yar
create mode 100644 yara-mikesxrs/eset/stantinko.yar
create mode 100644 yara-mikesxrs/eset/ta410.yar
create mode 100644 yara-mikesxrs/eset/turla-outlook.yar
create mode 100644 yara-mikesxrs/evild3ad/contains_ah_encoded_pe_file.yara
create mode 100644 yara-mikesxrs/evild3ad/contains_ascii_hex_encoded_pe_file.yara
create mode 100644 yara-mikesxrs/evild3ad/contains_hidden_pe_file_inside_a_sequence_of_numbers.yara
create mode 100644 yara-mikesxrs/evild3ad/contains_userform_object_1.yara
create mode 100644 yara-mikesxrs/evild3ad/contains_userform_object_2.yara
create mode 100644 yara-mikesxrs/evild3ad/contains_userform_object_3.yara
create mode 100644 yara-mikesxrs/evild3ad/contains_vba_macro_code.yara
create mode 100644 yara-mikesxrs/evild3ad/evild3ad_index.yara
create mode 100644 yara-mikesxrs/evild3ad/mime_mso_activemime_base64.yara
create mode 100644 yara-mikesxrs/forcepoint/CVE_2014_6352.yar
create mode 100644 yara-mikesxrs/forcepoint/Zbot.yar
create mode 100644 yara-mikesxrs/forcepoint/f0xy.yar
create mode 100644 yara-mikesxrs/fox-it/rule Ponmocup_plugins.yar
create mode 100644 yara-mikesxrs/fox-it/shimrat.yar
create mode 100644 yara-mikesxrs/fox-it/shimratreporter.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.AdGazelle.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Adpeak.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Agent.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.BetterSurf.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.BrowseFox.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Conduit.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.ConvertAd.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Crossrider.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.DealPly.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Dlhelper.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Downloader.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.ELEX.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Gen.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Genieo.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Imali.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.InstallCore.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Linkury.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.MyWebSearch.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.NextLive.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.ObronaAds.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.OpenCandy.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.OutBrowse.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.PullUpdate.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.SProtect.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.SearchSuite.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Sendori.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.SimplyTech.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.SmartApps.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Solimbda.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Trioris.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Vitruvian.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.Wajam.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.WebTools.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.WebWatcher.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.iBryte.yar
create mode 100644 yara-mikesxrs/g00dv1n/Adware.uKor.yar
create mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Bladabindi.yar
create mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Dedipros.yar
create mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Fynloski.yar
create mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Gen.yar
create mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Liudoor.yar
create mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Mirage.yar
create mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Vawtrak.yar
create mode 100644 yara-mikesxrs/g00dv1n/Backdoor.Zegost.yar
create mode 100644 yara-mikesxrs/g00dv1n/Malware.BitCoinMiner.yar
create mode 100644 yara-mikesxrs/g00dv1n/Malware.Downloader.yar
create mode 100644 yara-mikesxrs/g00dv1n/Malware.PWS.yar
create mode 100644 yara-mikesxrs/g00dv1n/PUP.SystemOptimizer.yar
create mode 100644 yara-mikesxrs/g00dv1n/PUP.Systweak.yar
create mode 100644 yara-mikesxrs/g00dv1n/Ransom.Crypters.yar
create mode 100644 yara-mikesxrs/g00dv1n/Risk.DetectAnalysis.yar
create mode 100644 yara-mikesxrs/g00dv1n/Risk.NetFilter.yar
create mode 100644 yara-mikesxrs/g00dv1n/Rogue.AVSoft.yar
create mode 100644 yara-mikesxrs/g00dv1n/Rogue.Braviax.yar
create mode 100644 yara-mikesxrs/g00dv1n/Rogue.FakePAV.yar
create mode 100644 yara-mikesxrs/g00dv1n/Rogue.FakeRean.yar
create mode 100644 yara-mikesxrs/g00dv1n/Rogue.FakeSysDef.yar
create mode 100644 yara-mikesxrs/g00dv1n/Rogue.LiveSP.yar
create mode 100644 yara-mikesxrs/g00dv1n/Rogue.SDef.yar
create mode 100644 yara-mikesxrs/g00dv1n/Rogue.SysDoc.yar
create mode 100644 yara-mikesxrs/g00dv1n/Rogue.Winwebsec.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Antivar.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Cbeplay.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.ChStartPage.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Citadel.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Comfoo.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Cutwail.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Dllpatcher.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Downloader.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Dropper.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Frethog.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.GBot.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Gamarue.Andromeda.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Injector.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Kovter.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Kuluoz.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Lethic.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Necurs.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Nedsym.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Neurevt.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.PowerLoader.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Ransom.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Regin.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Rovnix.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Simda.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Sirefef.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Upatre.yar
create mode 100644 yara-mikesxrs/g00dv1n/Trojan.Virtool.Obfuscator.yar
create mode 100644 yara-mikesxrs/g00dv1n/TrojanPSW.Tepfer.yar
create mode 100644 yara-mikesxrs/g00dv1n/TrojanPSW.ZBot.yar
create mode 100644 yara-mikesxrs/g00dv1n/TrojanSpy.Ursnif.yar
create mode 100644 yara-mikesxrs/g00dv1n/Virus.Chir.yar
create mode 100644 yara-mikesxrs/g00dv1n/Virus.Madang.yar
create mode 100644 yara-mikesxrs/g00dv1n/Worm.Cridex.yar
create mode 100644 yara-mikesxrs/g00dv1n/Worm.Dorkbot.yar
create mode 100644 yara-mikesxrs/g00dv1n/Worm.Phorpiex.yar
create mode 100644 yara-mikesxrs/g00dv1n/Worm.SillyP2P.yar
create mode 100644 yara-mikesxrs/g00dv1n/Worm.SkypeSpamer.yar
create mode 100644 yara-mikesxrs/g00dv1n/g00dvin_index.yara
create mode 100644 yara-mikesxrs/group-ib/CorkowDLL.yar
create mode 100644 yara-mikesxrs/group-ib/albaniiutas_dropper_exe.yar
create mode 100644 yara-mikesxrs/group-ib/albaniiutas_rat_dll.yar
create mode 100644 yara-mikesxrs/group-ib/webdavo_rat.yar
create mode 100644 yara-mikesxrs/h3x2b/cab.yara
create mode 100644 yara-mikesxrs/h3x2b/compiler.yara
create mode 100644 yara-mikesxrs/h3x2b/exe.yara
create mode 100644 yara-mikesxrs/h3x2b/injection.yara
create mode 100644 yara-mikesxrs/h3x2b/java_adwind.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_coolmemes.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_darlloz.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_elfiot.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_irctelnet.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_jellyfish.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_kaiten.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_ladylinux.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_mirai.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_stdbot.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_torlus.yara
create mode 100644 yara-mikesxrs/h3x2b/lin_venom.yara
create mode 100644 yara-mikesxrs/h3x2b/maldoc.yara
create mode 100644 yara-mikesxrs/h3x2b/malrtf.yara
create mode 100644 yara-mikesxrs/h3x2b/math.yara
create mode 100644 yara-mikesxrs/h3x2b/nccgroup_stdolelink.yara
create mode 100644 yara-mikesxrs/h3x2b/networking.yara
create mode 100644 yara-mikesxrs/h3x2b/obfuscation.yara
create mode 100644 yara-mikesxrs/h3x2b/win_asprox.vt_yara
create mode 100644 yara-mikesxrs/h3x2b/win_bookworm.yara
create mode 100644 yara-mikesxrs/h3x2b/win_geodo.yara
create mode 100644 yara-mikesxrs/h3x2b/win_hancitor.yara
create mode 100644 yara-mikesxrs/h3x2b/win_locky.yara
create mode 100644 yara-mikesxrs/h3x2b/win_pax.yara
create mode 100644 yara-mikesxrs/h3x2b/win_plugx.yara
create mode 100644 yara-mikesxrs/h3x2b/win_plugx_av.vt_yara
create mode 100644 yara-mikesxrs/h3x2b/win_spora.yara
create mode 100644 yara-mikesxrs/hidd3ncod3s/trojan_win_dridex.yar
create mode 100644 yara-mikesxrs/iDefense/WannaCrypt0r.yara
create mode 100644 yara-mikesxrs/iSightPartners/SDBFile.yar
create mode 100644 yara-mikesxrs/iocbucket/APT_NGO_wuaclt_PDF.yar
create mode 100644 yara-mikesxrs/iocbucket/apt_ngo_wuaclt.yar
create mode 100644 yara-mikesxrs/iocbucket/iocbucket_index.yara
create mode 100644 yara-mikesxrs/jackcr/gh0st.yar
create mode 100644 yara-mikesxrs/jackcr/pivy.yar
create mode 100644 yara-mikesxrs/jackcr/shylock.yar
create mode 100644 yara-mikesxrs/juanandresgs/apt_RU_Turla_Kazuar_DebugView.yara
create mode 100644 yara-mikesxrs/juanandresgs/apt_ZZ_Sig37_NAZAR.yara
create mode 100644 yara-mikesxrs/juanandresgs/sta_Voltron_0xFancyFilter.yara
create mode 100644 yara-mikesxrs/kaspersky/Adwind.yar
create mode 100644 yara-mikesxrs/kaspersky/Crime_eyepyramid.yar
create mode 100644 yara-mikesxrs/kaspersky/LazarusWannaCry.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_LSA.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_SSPI.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encrypted_container.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_encryption.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_generic_pipe_backdoor.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_ProjectSauron_pipe_backdoor.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_duqu2_drivers.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_duqu2_loaders.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_equation_cryptotable.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_equation_doublefantasy_genericresource.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_equation_equationlaser_runtimeclasses.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_equation_exploitlib_mutexes.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_implantstrings.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_installer.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_irene.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_msgertype2.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_proxytool.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_hellsing_xkat.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_regin_2013_64bit_stage1.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_regin_dispatcher_disp_dll.yar
create mode 100644 yara-mikesxrs/kaspersky/apt_regin_vfs.yar
create mode 100644 yara-mikesxrs/kaspersky/backdoored_ssh.yar
create mode 100644 yara-mikesxrs/kaspersky/exploit_Silverlight_Toropov_Generic_XAP.yar
create mode 100644 yara-mikesxrs/kaspersky/kaspersky_index.yara
create mode 100644 yara-mikesxrs/kaspersky/ransomware_PetrWrap.yar
create mode 100644 yara-mikesxrs/kaspersky/stonedrill.yar
create mode 100644 yara-mikesxrs/kaspersky/xDedic_SysScan_unpacked.yar
create mode 100644 yara-mikesxrs/kaspersky/xdedic_packed_syscan.yar
create mode 100644 yara-mikesxrs/kevthehermit/AAR.yar
create mode 100644 yara-mikesxrs/kevthehermit/Adzok.yar
create mode 100644 yara-mikesxrs/kevthehermit/AlienSpy.yar
create mode 100644 yara-mikesxrs/kevthehermit/Ap0calypse.yar
create mode 100644 yara-mikesxrs/kevthehermit/Arcom.yar
create mode 100644 yara-mikesxrs/kevthehermit/Bandook.yar
create mode 100644 yara-mikesxrs/kevthehermit/BlackNix.yar
create mode 100644 yara-mikesxrs/kevthehermit/BlackShades.yar
create mode 100644 yara-mikesxrs/kevthehermit/BlueBanana.yar
create mode 100644 yara-mikesxrs/kevthehermit/Bozok.yar
create mode 100644 yara-mikesxrs/kevthehermit/ClientMesh.yar
create mode 100644 yara-mikesxrs/kevthehermit/Crimson.yar
create mode 100644 yara-mikesxrs/kevthehermit/CyberGate.yar
create mode 100644 yara-mikesxrs/kevthehermit/DarkComet.yar
create mode 100644 yara-mikesxrs/kevthehermit/DarkRAT.yar
create mode 100644 yara-mikesxrs/kevthehermit/Greame.yar
create mode 100644 yara-mikesxrs/kevthehermit/Hangover_ron_babylon.yar
create mode 100644 yara-mikesxrs/kevthehermit/HawkEye.yar
create mode 100644 yara-mikesxrs/kevthehermit/Imminent3.yar
create mode 100644 yara-mikesxrs/kevthehermit/Infinity.yar
create mode 100644 yara-mikesxrs/kevthehermit/JavaDropper.yar
create mode 100644 yara-mikesxrs/kevthehermit/LostDoor.yar
create mode 100644 yara-mikesxrs/kevthehermit/LuminosityLink.yar
create mode 100644 yara-mikesxrs/kevthehermit/LuxNet.yar
create mode 100644 yara-mikesxrs/kevthehermit/NanoCore.yar
create mode 100644 yara-mikesxrs/kevthehermit/NetWire.yar
create mode 100644 yara-mikesxrs/kevthehermit/Pandora.yar
create mode 100644 yara-mikesxrs/kevthehermit/Paradox.yar
create mode 100644 yara-mikesxrs/kevthehermit/PoisonIvy.yar
create mode 100644 yara-mikesxrs/kevthehermit/Punisher.yar
create mode 100644 yara-mikesxrs/kevthehermit/PythoRAT.yar
create mode 100644 yara-mikesxrs/kevthehermit/ShadowTech.yar
create mode 100644 yara-mikesxrs/kevthehermit/SmallNet.yar
create mode 100644 yara-mikesxrs/kevthehermit/SpyGate.yar
create mode 100644 yara-mikesxrs/kevthehermit/Sub7Nation.yar
create mode 100644 yara-mikesxrs/kevthehermit/Vertex.yar
create mode 100644 yara-mikesxrs/kevthehermit/VirusRat.yar
create mode 100644 yara-mikesxrs/kevthehermit/Xena.yar
create mode 100644 yara-mikesxrs/kevthehermit/Xtreme.yar
create mode 100644 yara-mikesxrs/kevthehermit/adWind.yar
create mode 100644 yara-mikesxrs/kevthehermit/jRat.yar
create mode 100644 yara-mikesxrs/kevthehermit/kevthehermit_index.yara
create mode 100644 yara-mikesxrs/kevthehermit/njRat.yar
create mode 100644 yara-mikesxrs/kevthehermit/unrecom.yar
create mode 100644 yara-mikesxrs/kevthehermit/xRAT.yar
create mode 100644 yara-mikesxrs/malc0de/auriga_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/bouncer2_exe_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/bouncer_dll_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/bouncer_exe_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/calendar_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/combos_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/cookiebag_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/dairy_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/gdocupload_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/getmail_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/glooxmail_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/goggles_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/greencat_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/hacksfase_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/helauto_apt.yar
create mode 100644 yara-mikesxrs/malc0de/kurton_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/lightbolt_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/lightdart_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/longrun_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/macromail_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/malc0de_index.yara
create mode 100644 yara-mikesxrs/malc0de/manitsme_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/mapiget_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/miniasp_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/newsreels_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/seasalt_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/starsypound_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/sword_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/tabmsgsql_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/tarsip_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/tarsip_eclipse_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/warp_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_adspace_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_ausov_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_bolid_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_clover_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_cson_apt.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_div_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_greencat_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_head_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_kt3_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_qbp_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_rave_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_table_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_ugx_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_y21k_apt1.yar
create mode 100644 yara-mikesxrs/malc0de/webc2_yahoo_apt1.yar
create mode 100644 yara-mikesxrs/malwarebytes/MonkerTrojan.yar
create mode 100644 yara-mikesxrs/malwarebytes/zeroaccess.yar
create mode 100644 yara-mikesxrs/malwarecookbook/packer.yara
create mode 100644 yara-mikesxrs/malwaretracker/apt_actor_tran_duy_linh.yar
create mode 100644 yara-mikesxrs/malwaretracker/doc_zws_flash.yar
create mode 100644 yara-mikesxrs/malwaretracker/mime_mso.yar
create mode 100644 yara-mikesxrs/mimikatz/kiwi_passwords.yar
create mode 100644 yara-mikesxrs/n3sfox/Tinba2.yar
create mode 100644 yara-mikesxrs/naxonez/DebuggerCheck.yar
create mode 100644 yara-mikesxrs/netlab360/elknot_billgates.yar
create mode 100644 yara-mikesxrs/nex/embedded_macho.yar
create mode 100644 yara-mikesxrs/nex/embedded_pe.yar
create mode 100644 yara-mikesxrs/nex/embedded_win_api.yar
create mode 100644 yara-mikesxrs/nex/nex_index.yara
create mode 100644 yara-mikesxrs/nex/shellcode.yar
create mode 100644 yara-mikesxrs/nex/vm_detect.yar
create mode 100644 yara-mikesxrs/nshadov/RANSOMWARE_RAA.yar
create mode 100644 yara-mikesxrs/one offs/9002Rat.yar
create mode 100644 yara-mikesxrs/one offs/AdwindRat.yar
create mode 100644 yara-mikesxrs/one offs/CVE-2013-3660.yar
create mode 100644 yara-mikesxrs/one offs/ComputraceAgent.yar
create mode 100644 yara-mikesxrs/one offs/CoreFlood_ldr.yar
create mode 100644 yara-mikesxrs/one offs/Cridex.yar
create mode 100644 yara-mikesxrs/one offs/Hancidoc_Dropper.yar
create mode 100644 yara-mikesxrs/one offs/Mebroot_Torpig.yar
create mode 100644 yara-mikesxrs/one offs/OSX_Malware.yar
create mode 100644 yara-mikesxrs/one offs/Pegasus.yar
create mode 100644 yara-mikesxrs/one offs/Qadars_DGA.yar
create mode 100644 yara-mikesxrs/one offs/Shellphish.yar
create mode 100644 yara-mikesxrs/one offs/W32ChirB.yar
create mode 100644 yara-mikesxrs/one offs/XorDDoS.yar
create mode 100644 yara-mikesxrs/one offs/ammyy_cerber3.yar
create mode 100644 yara-mikesxrs/one offs/crime_ole_loadswf_cve_2018_4878.yar
create mode 100644 yara-mikesxrs/one offs/crime_win32_gratefulpos_trojan.yar
create mode 100644 yara-mikesxrs/one offs/dridex.yar
create mode 100644 yara-mikesxrs/one offs/fastposloader.yar
create mode 100644 yara-mikesxrs/one offs/marcher.yar
create mode 100644 yara-mikesxrs/one offs/mwi_document.yar
create mode 100644 yara-mikesxrs/one offs/nettraveler.yar
create mode 100644 yara-mikesxrs/one offs/packager_cve2017_11882.yar
create mode 100644 yara-mikesxrs/one offs/snake_uroburos.yar
create mode 100644 yara-mikesxrs/openanalysis/andromeda.yara
create mode 100644 yara-mikesxrs/optiv/autoit_scripting_pos_malware.yar
create mode 100644 yara-mikesxrs/paloalto/Palo_Alto_index.yara
create mode 100644 yara-mikesxrs/paloalto/ce_enfal_cmstar_debug_msg.yar
create mode 100644 yara-mikesxrs/paloalto/cobalt_gang_builder.yar
create mode 100644 yara-mikesxrs/paloalto/findpos.yar
create mode 100644 yara-mikesxrs/paloalto/general_win_dll_golang_socks.yar
create mode 100644 yara-mikesxrs/paloalto/general_win_faked_dlls_export_popo.yar
create mode 100644 yara-mikesxrs/paloalto/general_win_golang_socks.yar
create mode 100644 yara-mikesxrs/paloalto/hancitor_dropper.yar
create mode 100644 yara-mikesxrs/paloalto/hancitor_payload.yar
create mode 100644 yara-mikesxrs/paloalto/hancitor_stage1.yar
create mode 100644 yara-mikesxrs/paloalto/powerstager.yar
create mode 100644 yara-mikesxrs/paloalto/webshell_chinachopper_oab.yar
create mode 100644 yara-mikesxrs/patrickrolsen/Armadillo_v1xx__v2xx.yar
create mode 100644 yara-mikesxrs/patrickrolsen/Backdoor_APT_Mongall.yar
create mode 100644 yara-mikesxrs/patrickrolsen/CVE_2013_1347.yar
create mode 100644 yara-mikesxrs/patrickrolsen/GIF_exploit.yar
create mode 100644 yara-mikesxrs/patrickrolsen/LNK_files.yar
create mode 100644 yara-mikesxrs/patrickrolsen/PCAPs.yar
create mode 100644 yara-mikesxrs/patrickrolsen/UPX_290_LZMA.yar
create mode 100644 yara-mikesxrs/patrickrolsen/UPX_Protector_v10x_2.yar
create mode 100644 yara-mikesxrs/patrickrolsen/UPX_V200V290.yar
create mode 100644 yara-mikesxrs/patrickrolsen/UPX_v0896.yar
create mode 100644 yara-mikesxrs/patrickrolsen/acunetix_web_scanner.yar
create mode 100644 yara-mikesxrs/patrickrolsen/bcp_sql_tool.yar
create mode 100644 yara-mikesxrs/patrickrolsen/beep_remote_shell.yar
create mode 100644 yara-mikesxrs/patrickrolsen/blat_email_301.yar
create mode 100644 yara-mikesxrs/patrickrolsen/blazingtools.yar
create mode 100644 yara-mikesxrs/patrickrolsen/cmd_shell.yar
create mode 100644 yara-mikesxrs/patrickrolsen/dark_edition.yar
create mode 100644 yara-mikesxrs/patrickrolsen/dump_tool.yar
create mode 100644 yara-mikesxrs/patrickrolsen/gsec_generic.yar
create mode 100644 yara-mikesxrs/patrickrolsen/html_exploit_GIF.yar
create mode 100644 yara-mikesxrs/patrickrolsen/jpg_web_shell.yar
create mode 100644 yara-mikesxrs/patrickrolsen/keyfinder_tool.yar
create mode 100644 yara-mikesxrs/patrickrolsen/luxnet.yar
create mode 100644 yara-mikesxrs/patrickrolsen/misc_iocs.yar
create mode 100644 yara-mikesxrs/patrickrolsen/misc_php_exploits.yar
create mode 100644 yara-mikesxrs/patrickrolsen/misc_shells.yar
create mode 100644 yara-mikesxrs/patrickrolsen/monitor_tool_pos.yar
create mode 100644 yara-mikesxrs/patrickrolsen/mpress_2_xx_net _ Packer.yar
create mode 100644 yara-mikesxrs/patrickrolsen/mpress_2_xx_x64 _ Packer.yar
create mode 100644 yara-mikesxrs/patrickrolsen/mpress_2_xx_x86 _ Packer.yar
create mode 100644 yara-mikesxrs/patrickrolsen/nbtscan.yar
create mode 100644 yara-mikesxrs/patrickrolsen/osql_tool.yar
create mode 100644 yara-mikesxrs/patrickrolsen/patrickrolsen_index.yara
create mode 100644 yara-mikesxrs/patrickrolsen/port_forward_tool.yar
create mode 100644 yara-mikesxrs/patrickrolsen/pos_malware.yar
create mode 100644 yara-mikesxrs/patrickrolsen/pos_memory.yar
create mode 100644 yara-mikesxrs/patrickrolsen/pos_memory_scrapper.yar
create mode 100644 yara-mikesxrs/patrickrolsen/procdump.yar
create mode 100644 yara-mikesxrs/patrickrolsen/psexec_generic.yar
create mode 100644 yara-mikesxrs/patrickrolsen/pstgdump.yar
create mode 100644 yara-mikesxrs/patrickrolsen/rtf_Kaba_jDoe.yar
create mode 100644 yara-mikesxrs/patrickrolsen/rtf_multiple.yar
create mode 100644 yara-mikesxrs/patrickrolsen/rtf_yahoo_ken.yar
create mode 100644 yara-mikesxrs/patrickrolsen/rule _Armadillo_v171
create mode 100644 yara-mikesxrs/patrickrolsen/scanline_mcafee.yar
create mode 100644 yara-mikesxrs/patrickrolsen/seven_zip_cmdversion.yar
create mode 100644 yara-mikesxrs/patrickrolsen/shell_functions.yar
create mode 100644 yara-mikesxrs/patrickrolsen/shell_names.yar
create mode 100644 yara-mikesxrs/patrickrolsen/sneakernet_trojan.yar
create mode 100644 yara-mikesxrs/patrickrolsen/tran_duy_linh.yar
create mode 100644 yara-mikesxrs/patrickrolsen/unknown_creds_dump.yar
create mode 100644 yara-mikesxrs/patrickrolsen/web_log_review.yar
create mode 100644 yara-mikesxrs/patrickrolsen/web_shell_crews.yar
create mode 100644 yara-mikesxrs/patrickrolsen/windows_credentials_editor.yar
create mode 100644 yara-mikesxrs/patrickrolsen/winrar_4xx.yar
create mode 100644 yara-mikesxrs/patrickrolsen/wp_shell.yar
create mode 100644 yara-mikesxrs/patrickrolsen/zend_framework.yar
create mode 100644 yara-mikesxrs/phbiohazard/APT20140414_1NT.yar
create mode 100644 yara-mikesxrs/phbiohazard/APT20140414_1PE.yar
create mode 100644 yara-mikesxrs/phbiohazard/ID2015032010000026.yar
create mode 100644 yara-mikesxrs/phbiohazard/phbiohazard_index.yara
create mode 100644 yara-mikesxrs/phish me/Cryptowall_docx_macro.yar
create mode 100644 yara-mikesxrs/phish me/PM_Dyre_Delivery _ dyre cryptowall crimeware.yar
create mode 100644 yara-mikesxrs/phish me/PM_Dyre_Delivery _ dyre cryptowall crimeware2.yar
create mode 100644 yara-mikesxrs/phish me/PM_Dyre_Voice_Message.yar
create mode 100644 yara-mikesxrs/phish me/PM_Zip_With_Exe.yar
create mode 100644 yara-mikesxrs/phish me/PM_docx_with_vba_bin.yar
create mode 100644 yara-mikesxrs/phish me/PM_outlook_setting_pdf_exe.yar
create mode 100644 yara-mikesxrs/phish me/PPS_With_OLEObject.yar
create mode 100644 yara-mikesxrs/phish me/PhishMe_index.yara
create mode 100644 yara-mikesxrs/phish me/PowerPoint_Embedded_OLE.yar
create mode 100644 yara-mikesxrs/phish me/Zip_with_JS.yar
create mode 100644 yara-mikesxrs/phish me/criakl_metadata.yar
create mode 100644 yara-mikesxrs/phish me/cryptowall_phish.yar
create mode 100644 yara-mikesxrs/phish me/mailers.yar
create mode 100644 yara-mikesxrs/phish me/rar_with_JS.yar
create mode 100644 yara-mikesxrs/phish me/rockloader.yar
create mode 100644 yara-mikesxrs/phish me/viotto_keylogger.yar
create mode 100644 yara-mikesxrs/phoul/BLOWFISH_Constants.yar
create mode 100644 yara-mikesxrs/phoul/MD5_Constants.yar
create mode 100644 yara-mikesxrs/phoul/RC6_Constants.yar
create mode 100644 yara-mikesxrs/phoul/RIPEMD160_Constants.yar
create mode 100644 yara-mikesxrs/phoul/SHA1_Constants.yar
create mode 100644 yara-mikesxrs/phoul/SHA256_Constants.yar
create mode 100644 yara-mikesxrs/phoul/SHA512_Constants.yar
create mode 100644 yara-mikesxrs/phoul/WHIRLPOOL_Constants.yar
create mode 100644 yara-mikesxrs/phoul/phoul_index.yara
create mode 100644 yara-mikesxrs/plxsertr/ntserverdll.yar
create mode 100644 yara-mikesxrs/plxsertr/ntserverexe.yar
create mode 100644 yara-mikesxrs/plxsertr/plxsertr_index.yara
create mode 100644 yara-mikesxrs/pombredanne/Android_AVITOMMS_Variant.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_AndroRat.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_BadMirror.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_Banker_Sberbank.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_Clicker_G.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_Copy9.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_DeathRing.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_Dendroid.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_Dogspectus.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_FakeBank_Fanta.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_Godless.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_Marcher.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_MazarBot.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_OmniRat.yar
create mode 100644 yara-mikesxrs/pombredanne/Android_RuMMS.yar
create mode 100644 yara-mikesxrs/pombredanne/PDF_Embedded_Exe.yar
create mode 100644 yara-mikesxrs/pombredanne/SandroRat.yar
create mode 100644 yara-mikesxrs/pombredanne/Spartan_SWF.yar
create mode 100644 yara-mikesxrs/proofpoint/AVIDVIPER_APT_BACKDOOR.yar
create mode 100644 yara-mikesxrs/proofpoint/AdGholas_mem.yar
create mode 100644 yara-mikesxrs/proofpoint/AdGholas_mem_MIME.yar
create mode 100644 yara-mikesxrs/proofpoint/AdGholas_mem_MIME_M2.yar
create mode 100644 yara-mikesxrs/proofpoint/AdGholas_mem_antisec.yar
create mode 100644 yara-mikesxrs/proofpoint/AdGholas_mem_antisec_M2.yar
create mode 100644 yara-mikesxrs/proofpoint/abaddon.yara
create mode 100644 yara-mikesxrs/proofpoint/blackmoon_banker.yar
create mode 100644 yara-mikesxrs/pveutin/magic_numbers.yar
create mode 100644 yara-mikesxrs/secureworks/Mirage_APT_Backdoor.yar
create mode 100644 yara-mikesxrs/secureworks/Secureworks_index.yara
create mode 100644 yara-mikesxrs/secureworks/skeleton_key_injected_code.yar
create mode 100644 yara-mikesxrs/secureworks/skeleton_key_patcher.yar
create mode 100644 yara-mikesxrs/securityartwork/Erebus_Ransomware.yar
create mode 100644 yara-mikesxrs/securityartwork/HardcodeHunter.yar
create mode 100644 yara-mikesxrs/securityartwork/IoT_Reaper.yar
create mode 100644 yara-mikesxrs/securityartwork/Linux_Bew.yar
create mode 100644 yara-mikesxrs/securityartwork/Linux_Helios.yar
create mode 100644 yara-mikesxrs/securityartwork/Meterpreter_rev_tcp.yar
create mode 100644 yara-mikesxrs/securityartwork/OfficeMacrosWinintelDLL.yar
create mode 100644 yara-mikesxrs/securityartwork/linux_Okiru.yar
create mode 100644 yara-mikesxrs/securityartwork/multibanker.yar
create mode 100644 yara-mikesxrs/securityartwork/shellcode_cve_2013_2729.yar
create mode 100644 yara-mikesxrs/securityartwork/trickbot.yar
create mode 100644 yara-mikesxrs/sentinelone/IDAnt_wanna.yara
create mode 100644 yara-mikesxrs/sentinelone/iOS.GuiInject.yara
create mode 100644 yara-mikesxrs/srozb/isfb.yar
create mode 100644 yara-mikesxrs/srozb/kronos.yar
create mode 100644 yara-mikesxrs/srozb/nymaim.yar
create mode 100644 yara-mikesxrs/swood/browser_pass.yar
create mode 100644 yara-mikesxrs/symantec/Bannerjack.yar
create mode 100644 yara-mikesxrs/symantec/Cadelle_1.yar
create mode 100644 yara-mikesxrs/symantec/Cadelle_2.yar
create mode 100644 yara-mikesxrs/symantec/Cadelle_3.yar
create mode 100644 yara-mikesxrs/symantec/Cadelle_4.yar
create mode 100644 yara-mikesxrs/symantec/Eventlog.yar
create mode 100644 yara-mikesxrs/symantec/Hacktool.yar
create mode 100644 yara-mikesxrs/symantec/Kwampirs.yar
create mode 100644 yara-mikesxrs/symantec/Multipurpose.yar
create mode 100644 yara-mikesxrs/symantec/Proxy.yar
create mode 100644 yara-mikesxrs/symantec/Securetunnel.yar
create mode 100644 yara-mikesxrs/symantec/comrat.yar
create mode 100644 yara-mikesxrs/symantec/fa.yar
create mode 100644 yara-mikesxrs/symantec/isPE.yar
create mode 100644 yara-mikesxrs/symantec/jiripbot _ ascii _ str _ decrypt.yar
create mode 100644 yara-mikesxrs/symantec/jiripbot _ unicode _ str _ decrypt.yar
create mode 100644 yara-mikesxrs/symantec/remsec_encrypted_api.yar
create mode 100644 yara-mikesxrs/symantec/remsec_executable_blob_32.yar
create mode 100644 yara-mikesxrs/symantec/remsec_executable_blob_64.yar
create mode 100644 yara-mikesxrs/symantec/remsec_executable_blob_parser.yar
create mode 100644 yara-mikesxrs/symantec/remsec_packer_A.yar
create mode 100644 yara-mikesxrs/symantec/remsec_packer_B.yar
create mode 100644 yara-mikesxrs/symantec/sav _ dropper.yar
create mode 100644 yara-mikesxrs/symantec/sav.yar
create mode 100644 yara-mikesxrs/symantec/symantec_index.yara
create mode 100644 yara-mikesxrs/symantec/turla _ dll.yar
create mode 100644 yara-mikesxrs/symantec/turla _ dropper.yar
create mode 100644 yara-mikesxrs/symantec/wipbot _ 2013 _ core _ PDF.yar
create mode 100644 yara-mikesxrs/symantec/wipbot _ 2013 _ core.yar
create mode 100644 yara-mikesxrs/symantec/wipbot _ 2013 _ dll.yar
create mode 100644 yara-mikesxrs/tekdefense/DarkComet.yara
create mode 100644 yara-mikesxrs/unknown/AutoIt_Script.yar
create mode 100644 yara-mikesxrs/unknown/SANSDFIR.yara
create mode 100644 yara-mikesxrs/unknown/UserDB.yara
create mode 100644 yara-mikesxrs/unknown/Windows_0day_Exploit.yara
create mode 100644 yara-mikesxrs/unknown/epcompilersigs.yara
create mode 100644 yara-mikesxrs/unknown/eppackersigs.yara
create mode 100644 yara-mikesxrs/unknown/packers.yara
create mode 100644 yara-mikesxrs/unknown/undocumentedFPUAtEntryPoint.yar
create mode 100644 yara-mikesxrs/unknown/userdb_exeinfope.yara
create mode 100644 yara-mikesxrs/unknown/userdb_jclausing.yara
create mode 100644 yara-mikesxrs/unknown/userdb_panda.yara
create mode 100644 yara-mikesxrs/venom23/Neurevt.yar
create mode 100644 yara-mikesxrs/vitorafonso/banker.yar
create mode 100644 yara-mikesxrs/vitorafonso/crisis.yar
create mode 100644 yara-mikesxrs/vitorafonso/dropper.yar
create mode 100644 yara-mikesxrs/vitorafonso/exploit.yar
create mode 100644 yara-mikesxrs/vitorafonso/shedun.yar
create mode 100644 yara-mikesxrs/vitorafonso/zitmo.yar
create mode 100644 yara-mikesxrs/vred/W32HavexNetscan.yar
create mode 100644 yara-mikesxrs/xanda/MS12_052.yar
create mode 100644 yara-mikesxrs/xanda/counterPHPredirectBHEK.yar
create mode 100644 yara-mikesxrs/xanda/iframeRedKit.yar
create mode 100644 yara-mikesxrs/xanda/jjEncode.yar
create mode 100644 yara-mikesxrs/xme/Worm_VBS_Uaper_B.yar
create mode 100644 yara-mikesxrs/xme/office_macro.yar
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..18eba14
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+
+/yara-hydradragon
diff --git a/LICENSE-YARA-RULES-NEO23X0 b/LICENSE-YARA-RULES-NEO23X0
new file mode 100644
index 0000000..37c5f90
--- /dev/null
+++ b/LICENSE-YARA-RULES-NEO23X0
@@ -0,0 +1,38 @@
+# Detection Rule License (DRL) 1.1
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this rule set and associated documentation files (the "Rules"), to deal
+in the Rules without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Rules, and to permit persons to whom the Rules are furnished to do so,
+subject to the following conditions:
+
+If you share the Rules (including in modified form), you must retain the
+following if it is supplied within the Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any
+ others designated to receive attribution, in any reasonable manner
+ requested by the Rule author (including by pseudonym if designated).
+
+2. a URI or hyperlink to the Rule set or explicit Rule to the extent
+ reasonably practicable
+
+3. indicate the Rules are licensed under this Detection Rule License, and
+ include the text of, or the URI or hyperlink to, this Detection Rule
+ License to the extent reasonably practicable
+
+If you use the Rules (including in modified form) on data, messages based on
+matches with the Rules must retain the following if it is supplied within the
+Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any
+ others designated to receive attribution, in any reasonable manner
+ requested by the Rule author (including by pseudonym if designated).
+
+THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE
+RULES.
\ No newline at end of file
diff --git a/LICENSE-YARA-RULES-REVERSINGLABS b/LICENSE-YARA-RULES-REVERSINGLABS
new file mode 100644
index 0000000..a43f946
--- /dev/null
+++ b/LICENSE-YARA-RULES-REVERSINGLABS
@@ -0,0 +1,19 @@
+Copyright (c) 2020 ReversingLabs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index 5a5715b..56befc7 100644
--- a/README.md
+++ b/README.md
@@ -5,11 +5,15 @@ Cross-Platform Open Reactive AntiMalware
## Credits
* VirusTotal - Creating Yara
-* [ReversingLabs - Creating Yara Rules](https://github.com/reversinglabs/reversinglabs-yara-rules)
+* [ReversingLabs - Creating Some Yara Rules](https://github.com/reversinglabs/reversinglabs-yara-rules)
+* [Yara23x0 - Creating more Yara Rules](https://github.com/Neo23x0/signature-base)
+* [mikesxrc - Creating a compilation of even MORE yara rules (had to delete some due to errors)](https://github.com/mikesxrs/Open-Source-YARA-rules)
* Sneed Group - Creating the idea/code
* ChatGPT/Gemini - Helping code this amazing project
## Licensing Details
-* LICENSE-YARA-RULES - ReversingLab's Yara Rules (everything under the yara subdirectory)
-* LICENSE - Our code. (Pretty much anything else.)
+* LICENSE-YARA-RULES-REVERSINGLABS - ReversingLab's Yara Rules (under the yara-ReversingLabs subdirectory)
+* LICENSE-YARA-RULES-NEO23X0 - NEO23X0's Yara Rules (under the yara-Neo23x0 subdirectory)
+* LICENSE - Our code. (Pretty much any .py file in the main directory as well as requirements.txt)
+* mikesxrs sadly had no license in his Yara Rules repo, so I guess take that for what you will.
\ No newline at end of file
diff --git a/main.py b/main.py
index 6bca5e8..19cdb22 100644
--- a/main.py
+++ b/main.py
@@ -23,7 +23,28 @@ import yara # YARA for malware scanning
# YARA Rules
def load_yara_rules():
yara_rules = []
- yara_dir = Path('yara')
+ yara_dir = Path('yara-ReversingLabs')
+ if yara_dir.exists() and yara_dir.is_dir():
+ for yara_file in yara_dir.rglob('*.yar'):
+ try:
+ rule = yara.compile(filepath=str(yara_file))
+ yara_rules.append(rule)
+ except Exception as e:
+ print(f"Error compiling YARA rule {yara_file}: {e}")
+ else:
+ print(f"YARA rules directory not found: {yara_dir}")
+ time.sleep(1)
+ yara_dir = Path('yara-mikesxrs')
+ if yara_dir.exists() and yara_dir.is_dir():
+ for yara_file in yara_dir.rglob('*.yar'):
+ try:
+ rule = yara.compile(filepath=str(yara_file))
+ yara_rules.append(rule)
+ except Exception as e:
+ print(f"Error compiling YARA rule {yara_file}: {e}")
+ else:
+ print(f"YARA rules directory not found: {yara_dir}")
+ yara_dir = Path('yara-Neo23x0')
if yara_dir.exists() and yara_dir.is_dir():
for yara_file in yara_dir.rglob('*.yar'):
try:
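Review bot: The `rglob('*.yar')` pattern used for each of the three directories skips every rule file ending in `.yara`, and this commit adds many of those under `yara-mikesxrs` (for example `yara-mikesxrs/tekdefense/DarkComet.yara` and `yara-mikesxrs/unknown/packers.yara`). Those rules are never compiled, so the scanner loses that detection coverage without any message. The three copy-pasted directory blocks could be folded into one loop over the directory names that matches both extensions, as sketched below. Since compile errors are only printed and skipped, printing a final count of loaded versus failed files would also make coverage loss visible. The body of load_yara_rules continues past the end of this hunk, so its tail is not reviewed here.

```python
def load_yara_rules():
    yara_rules = []
    # One loop over all vendored rule sets; both extensions used in the repo are matched.
    for dir_name in ('yara-ReversingLabs', 'yara-mikesxrs', 'yara-Neo23x0'):
        yara_dir = Path(dir_name)
        if not yara_dir.is_dir():
            print(f"YARA rules directory not found: {yara_dir}")
            continue
        for pattern in ('*.yar', '*.yara'):
            for yara_file in yara_dir.rglob(pattern):
                try:
                    yara_rules.append(yara.compile(filepath=str(yara_file)))
                except Exception as e:
                    print(f"Error compiling YARA rule {yara_file}: {e}")
    # … unchanged: remainder of load_yara_rules (outside the hunk) …
```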
diff --git a/requirements.txt b/requirements.txt
index 80af7d1..d923c03 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,4 +5,4 @@ requests
certifi
tensorflow
webdriver_manager
-pywin32; platform_system == "Windows"
+pywin32; platform_system == "Windows"
\ No newline at end of file
diff --git a/yara-Neo23x0/apt_aa19_024a.yar b/yara-Neo23x0/apt_aa19_024a.yar
new file mode 100644
index 0000000..cd794b1
--- /dev/null
+++ b/yara-Neo23x0/apt_aa19_024a.yar
@@ -0,0 +1,19 @@
+
+rule APT_MAL_DNS_Hijacking_Campaign_AA19_024A {
+ meta:
+ description = "Detects malware used in DNS Hijackign campaign"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.us-cert.gov/ncas/alerts/AA19-024A"
+ date = "2019-01-25"
+ hash1 = "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
+ hash2 = "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
+ id = "6a476052-ba4e-5049-9c7a-f8949d26e7b5"
+ strings:
+ $s2 = "/Client/Login?id=" fullword ascii
+ $s3 = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" fullword ascii
+ $s4 = ".\\Configure.txt" fullword ascii
+ $s5 = "Content-Disposition: form-data; name=\"files\"; filename=\"" fullword ascii
+ $s6 = "Content-Disposition: form-data; name=\"txts\"" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them
+}
diff --git a/yara-Neo23x0/apt_agent_btz.yar b/yara-Neo23x0/apt_agent_btz.yar
new file mode 100644
index 0000000..1972150
--- /dev/null
+++ b/yara-Neo23x0/apt_agent_btz.yar
@@ -0,0 +1,106 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2017-08-07
+ Identifier: Agent BTZ
+ Reference: http://www.intezer.com/new-variants-of-agent-btz-comrat-found/
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule Agent_BTZ_Proxy_DLL_1 {
+ meta:
+ description = "Detects Agent-BTZ Proxy DLL - activeds.dll"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
+ date = "2017-08-07"
+ hash1 = "9c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426"
+ hash2 = "628d316a983383ed716e3f827720915683a8876b54677878a7d2db376d117a24"
+ id = "f8032616-2a54-5107-b330-65fcc84b866e"
+ strings:
+ $s1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Modules" fullword wide
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 300KB and all of them and pe.exports("Entry") )
+}
+
+rule Agent_BTZ_Proxy_DLL_2 {
+ meta:
+ description = "Detects Agent-BTZ Proxy DLL - activeds.dll"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
+ date = "2017-08-07"
+ hash1 = "73db4295c5b29958c5d93c20be9482c1efffc89fc4e5c8ba59ac9425a4657a88"
+ hash2 = "380b0353ba8cd33da8c5e5b95e3e032e83193019e73c71875b58ec1ed389bdac"
+ hash3 = "f27e9bba6a2635731845b4334b807c0e4f57d3b790cecdc77d8fef50629f51a2"
+ id = "2777443d-6f63-5948-855a-e064a6e0310f"
+ strings:
+ $s1 = { 38 21 38 2C 38 37 38 42 38 4D 38 58 38 63 38 6E
+ 38 79 38 84 38 8F 38 9A 38 A5 38 B0 38 BB 38 C6
+ 38 D1 38 DC 38 E7 38 F2 38 FD 38 08 39 13 39 1E
+ 39 29 39 34 39 3F 39 4A 39 55 39 60 39 6B 39 76
+ 39 81 39 8C 39 97 39 A2 39 AD 39 B8 39 C3 39 CE
+ 39 D9 39 E4 39 EF 39 FA 39 05 3A 10 3A 1B 3A 26
+ 3A 31 3A 3C 3A 47 3A 52 3A 5D 3A 68 3A 73 3A 7E
+ 3A 89 3A 94 3A 9F 3A AA 3A B5 3A C0 3A CB 3A D6
+ 3A E1 3A EC 3A F7 3A }
+ $s2 = "activeds.dll" ascii fullword
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and all of them and pe.imphash() == "09b7c73fbe5529e6de7137e3e8268b7b"
+}
+
+rule Agent_BTZ_Aug17 {
+ meta:
+ description = "Detects Agent.BTZ"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
+ date = "2017-08-07"
+ hash1 = "6ad78f069c3619d0d18eef8281219679f538cfe0c1b6d40b244beb359762cf96"
+ hash2 = "49c5c798689d4a54e5b7099b647b0596fb96b996a437bb8241b5dd76e974c24e"
+ hash3 = "e88970fa4892150441c1616028982fe63c875f149cd490c3c910a1c091d3ad49"
+ id = "31804208-3edb-554b-8820-e682db647435"
+ strings:
+ $s1 = "stdole2.tlb" fullword ascii
+ $s2 = "UnInstallW" fullword ascii
+ condition:
+ (
+ uint16(0) == 0x5a4d and filesize < 900KB and
+ all of them and
+ pe.exports("Entry") and pe.exports("InstallW") and pe.exports("UnInstallW")
+ )
+}
+
+rule APT_Turla_Agent_BTZ_Gen_1 {
+ meta:
+ description = "Detects Turla Agent.BTZ"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "Internal Research"
+ date = "2018-06-16"
+ score = 80
+ hash1 = "c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615"
+ id = "d5e1dd3d-4f03-5f79-898b-e612d2758b60"
+ strings:
+ $x1 = "1dM3uu4j7Fw4sjnbcwlDqet4F7JyuUi4m5Imnxl1pzxI6as80cbLnmz54cs5Ldn4ri3do5L6gs923HL34x2f5cvd0fk6c1a0s" fullword ascii
+
+ $s1 = "release mutex - %u (%u)(%u)" fullword ascii
+ $s2 = "\\system32\\win.com" ascii
+ $s3 = "Command Id:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)" fullword ascii
+ $s4 = "MakeFile Error(%d) copy file to temp file %s" fullword ascii
+ $s5 = "%s%%s08x.tmp" fullword ascii
+ $s6 = "Run instruction: %d ID:%u%010u(%02d:%02d:%02d %02d/%02d/%04d)" fullword ascii
+ $s7 = "Mutex_Log" fullword ascii
+ $s8 = "%s\\system32\\winview.ocx" fullword ascii
+ $s9 = "Microsoft(R) Windows (R) Operating System" fullword wide
+ $s10 = "Error: pos(%d) > CmdSize(%d)" fullword ascii
+ $s11 = "\\win.com" ascii
+ $s12 = "Error(%d) run %s " fullword ascii
+ $s13 = "%02d.%02d.%04d Log begin:" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 500KB and (
+ pe.imphash() == "9d0d6daa47d6e6f2d80eb05405944f87" or
+ ( pe.exports("Entry") and pe.exports("InstallM") and pe.exports("InstallS") ) or
+ $x1 or 3 of them
+ ) or ( 5 of them )
+}
diff --git a/yara-Neo23x0/apt_alienspy_rat.yar b/yara-Neo23x0/apt_alienspy_rat.yar
new file mode 100644
index 0000000..c0bc7ee
--- /dev/null
+++ b/yara-Neo23x0/apt_alienspy_rat.yar
@@ -0,0 +1,50 @@
+
+rule crime_win_rat_AlienSpy
+{
+meta:
+ description = "Alien Spy Remote Access Trojan"
+ author = "General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team"
+ reference_1 = "www.fidelissecurity.com/sites/default/files/FTA_1015_Alienspy_FINAL.pdf"
+ reference_2 = "www.fidelissecurity.com/sites/default/files/AlienSpy-Configs2_1_2.csv"
+ date = "04-Apr-15"
+ filetype = "Java"
+ hash_1 = "075fa0567d3415fbab3514b8aa64cfcb"
+ hash_2 = "818afea3040a887f191ee9d0579ac6ed"
+ hash_3 = "973de705f2f01e82c00db92eaa27912c"
+ hash_4 = "7f838907f9cc8305544bd0ad4cfd278e"
+ hash_5 = "071e12454731161d47a12a8c4b3adfea"
+ hash_6 = "a7d50760d49faff3656903c1130fd20b"
+ hash_7 = "f399afb901fcdf436a1b2a135da3ee39"
+ hash_8 = "3698a3630f80a632c0c7c12e929184fb"
+ hash_9 = "fdb674cadfa038ff9d931e376f89f1b6"
+
+ id = "a79789cd-9b16-58f5-ab51-48bb900583d1"
+ strings:
+
+ $sa_1 = "META-INF/MANIFEST.MF"
+ $sa_2 = "Main.classPK"
+ $sa_3 = "plugins/Server.classPK"
+ $sa_4 = "IDPK"
+
+ $sb_1 = "config.iniPK"
+ $sb_2 = "password.iniPK"
+ $sb_3 = "plugins/Server.classPK"
+ $sb_4 = "LoadStub.classPK"
+ $sb_5 = "LoadStubDecrypted.classPK"
+ $sb_7 = "LoadPassword.classPK"
+ $sb_8 = "DecryptStub.classPK"
+ $sb_9 = "ClassLoaders.classPK"
+
+ $sc_1 = "config.xml"
+ $sc_2 = "options"
+ $sc_3 = "plugins"
+ /* $sc_4 = "util" */
+ $sc_5 = "util/OSHelper"
+ $sc_6 = "Start.class"
+ $sc_7 = "AlienSpy"
+ /* $sc_8 = "PK" */ /* too short atom - disabled for performance reasons */
+
+ condition:
+
+ uint16(0) == 0x4B50 and filesize < 800KB and ( (all of ($sa_*)) or (all of ($sb_*)) or (all of ($sc_*)) )
+}
diff --git a/yara-Neo23x0/apt_apt10.yar b/yara-Neo23x0/apt_apt10.yar
new file mode 100644
index 0000000..720e28e
--- /dev/null
+++ b/yara-Neo23x0/apt_apt10.yar
@@ -0,0 +1,1406 @@
+/*
+ Yara Rule Set
+ Author: Jonas Lejon
+ Date: 2017-04-06
+ Identifier: APT 10 Malware
+*/
+
+import "pe"
+
+/* outdated and prone to FPs */
+/* disabled on 18.07.23 */
+/* see : https://www.linkedin.com/feed/update/urn:li:activity:7087021383276236800/ */
+
+/*
+rule APT10_Malware_Sample_Gen : FILE {
+ meta:
+ description = "APT 10 / Cloud Hopper malware campaign"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html"
+ date = "2017-04-06"
+ score = 80
+ strings:
+ $c2_1 = "002562066559681.r3u8.com" ascii
+ $c2_2 = "031168053846049.r3u8.com" ascii
+ $c2_3 = "0625.have8000.com" ascii
+ $c2_4 = "1.gadskysun.com" ascii
+ $c2_5 = "100fanwen.com" ascii
+ $c2_6 = "11.usyahooapis.com" ascii
+ $c2_7 = "19518473326.r3u8.com" ascii
+ $c2_8 = "1960445709311199.r3u8.com" ascii
+ $c2_9 = "1j.www1.biz" ascii
+ $c2_10 = "1z.itsaol.com" ascii
+ $c2_11 = "2012yearleft.com" ascii
+ $c2_12 = "2014.zzux.com" ascii
+ $c2_13 = "202017845.r3u8.com" ascii
+ $c2_14 = "2139465544784.r3u8.com" ascii
+ $c2_15 = "2789203959848958.r3u8.com" ascii
+ $c2_16 = "5590428449750026.r3u8.com" ascii
+ $c2_17 = "5q.niushenghuo.info" ascii
+ $c2_18 = "6r.suibian2010.info" ascii
+ $c2_19 = "9gowg.tech" ascii
+ $c2_20 = "Hamiltion.catholicmmb.com" ascii
+ $c2_21 = "a.wubangtu.info" ascii
+ $c2_22 = "a1.suibian2010.info" ascii
+ $c2_24 = "abc.wikaba.com" ascii
+ $c2_25 = "abcd120719.6600.org" ascii
+ $c2_26 = "abcd120807.3322.org" ascii
+ $c2_27 = "acc.emailfound.info" ascii
+ $c2_28 = "acc.lehigtapp.com" ascii
+ $c2_29 = "acsocietyy.com" ascii
+ $c2_31 = "ad.webbooting.com" ascii
+ $c2_32 = "additional.sexidude.com" ascii
+ $c2_33 = "af.zyns.com" ascii
+ $c2_34 = "afc.https443.org" ascii
+ $c2_35 = "ako.ddns.us" ascii
+ $c2_36 = "androidmusicapp.onmypc.us" ascii
+ $c2_37 = "announcements.toythieves.com" ascii
+ $c2_38 = "anvprn.com" ascii
+ $c2_39 = "aotuo.9966.org" ascii
+ $c2_40 = "apec.qtsofta.com" ascii
+ $c2_41 = "app.lehigtapp.com" ascii
+ $c2_42 = "apple.cmdnetview.com" ascii
+ $c2_43 = "apple.defensewar.org" ascii
+ $c2_44 = "apple.ikwb.com" ascii
+ $c2_45 = "appledownload.ourhobby.com" ascii
+ $c2_46 = "appleimages.itemdb.com" ascii
+ $c2_47 = "appleimages.longmusic.com" ascii
+ $c2_48 = "applelib120102.9966.org" ascii
+ $c2_49 = "applemirror.organiccrap.com" ascii
+ $c2_50 = "applemirror.squirly.info" ascii
+ $c2_51 = "applemusic.isasecret.com" ascii
+ $c2_52 = "applemusic.itemdb.com" ascii
+ $c2_53 = "applemusic.wikaba.com" ascii
+ $c2_54 = "applemusic.xxuz.com" ascii
+ $c2_55 = "applemusic.zzux.com" ascii
+ $c2_56 = "apples.sytes.net" ascii
+ $c2_57 = "appleupdate.itemdb.com" ascii
+ $c2_58 = "architectisusa.com" ascii
+ $c2_59 = "area.wthelpdesk.com" ascii
+ $c2_60 = "army.xxuz.com" ascii
+ $c2_61 = "art.p6p6.net" ascii
+ $c2_62 = "asfzx.x24hr.com" ascii
+ $c2_64 = "availab.wikaba.com" ascii
+ $c2_65 = "availability.justdied.com" ascii
+ $c2_66 = "ba.my03.com" ascii
+ $c2_67 = "baby.macforlinux.net" ascii
+ $c2_68 = "baby.myie12.com" ascii
+ $c2_69 = "baby.usmirocomney.net" ascii
+ $c2_70 = "back.jungleheart.com" ascii
+ $c2_71 = "back.mofa.dynamic-dns.net" ascii
+ $c2_72 = "bak.have8000.com" ascii
+ $c2_73 = "bak.ignorelist.com" ascii
+ $c2_74 = "bak.un.dnsrd.com" ascii
+ $c2_75 = "balance1.wikaba.com" ascii
+ $c2_76 = "balk.n7go.com" ascii
+ $c2_77 = "banana.cmdnetview.com" ascii
+ $c2_78 = "barrybaker.6600.org" ascii
+ $c2_79 = "bbs.jungleheart.com" ascii
+ $c2_80 = "bdoncloud.com" ascii
+ $c2_81 = "be.mrslove.com" ascii
+ $c2_82 = "be.yourtrap.com" ascii
+ $c2_83 = "belowto.com" ascii
+ $c2_84 = "bethel.webhop.net" ascii
+ $c2_85 = "bexm.cleansite.biz" ascii
+ $c2_86 = "bezu.itemdb.com" ascii
+ $c2_87 = "bk56.twilightparadox.com" ascii
+ $c2_88 = "blaaaaaaaaaaaa.windowsupdate.3-a.net" ascii
+ $c2_89 = "blog.defensewar.org" ascii
+ $c2_90 = "brand.fartit.com" ascii
+ $c2_91 = "bridgeluxlightmadness.com" ascii
+ $c2_92 = "bulletproof.squirly.info" ascii
+ $c2_93 = "cao.p6p6.net" ascii
+ $c2_94 = "cata.qtsofta.com" ascii
+ $c2_95 = "catholicmmb.com" ascii
+ $c2_96 = "cc.dynamicdns.co.uk" ascii
+ $c2_97 = "ccfchrist.com" ascii
+ $c2_98 = "ccupdatedata.authorizeddns.net" ascii
+ $c2_99 = "cd.usyahooapis.com" ascii
+ $c2_100 = "cdn.incloud-go.com" ascii
+ $c2_101 = "center.shenajou.com" ascii
+ $c2_102 = "cgei493860.r3u8.com" ascii
+ $c2_103 = "chaindungeons.com" ascii
+ $c2_104 = "chibashiri.com" ascii
+ $c2_105 = "childrenstow.com" ascii
+ $c2_106 = "cia.ezua.com" ascii
+ $c2_107 = "cia.toh.info" ascii
+ $c2_108 = "ciaoci.chickenkiller.com" ascii
+ $c2_109 = "civilwar123.authorizeddns.org" ascii
+ $c2_110 = "civilwar520.onmypc.org" ascii
+ $c2_111 = "ckusshani.com" ascii
+ $c2_112 = "cloud-kingl.com" ascii
+ $c2_113 = "cloud-maste.com" ascii
+ $c2_114 = "cloudns.8800.org" ascii
+ $c2_115 = "cmdnetview.com" ascii
+ $c2_116 = "cms.sindeali.com" ascii
+ $c2_117 = "cnnews.mylftv.com" ascii
+ $c2_118 = "commissioner.shenajou.com" ascii
+ $c2_119 = "commons.onedumb.com" ascii
+ $c2_120 = "contactus.myddns.com" ascii
+ $c2_121 = "contactus.onmypc.us" ascii
+ $c2_122 = "contract.4mydomain.com" ascii
+ $c2_123 = "contractus.qpoe.com" ascii
+ $c2_124 = "contractus.zzux.com" ascii
+ $c2_125 = "coreck.suayay.com" ascii
+ $c2_128 = "ctdl.windowsupdate.itsaol.com" ascii
+ $c2_129 = "ctdl.windowsupdate.nsatcdns.com" ascii
+ $c2_130 = "ctldl.appledownload.ourhobby.com" ascii
+ $c2_131 = "ctldl.applemusic.itemdb.com" ascii
+ $c2_132 = "ctldl.itunesmusic.jkub.com" ascii
+ $c2_133 = "ctldl.microsoftmusic.onedumb.com" ascii
+ $c2_134 = "ctldl.microsoftupdate.qhigh.com" ascii
+ $c2_135 = "ctldl.windowsupdate.authorizeddns.org" ascii
+ $c2_136 = "ctldl.windowsupdate.authorizeddns.us" ascii
+ $c2_137 = "ctldl.windowsupdate.dnset.com" ascii
+ $c2_138 = "ctldl.windowsupdate.esmtp.biz" ascii
+ $c2_139 = "ctldl.windowsupdate.ezua.com" ascii
+ $c2_140 = "ctldl.windowsupdate.gettrials.com" ascii
+ $c2_141 = "ctldl.windowsupdate.itsaol.com" ascii
+ $c2_142 = "ctldl.windowsupdate.lflinkup.com" ascii
+ $c2_143 = "ctldl.windowsupdate.mrface.com" ascii
+ $c2_144 = "ctldl.windowsupdate.nsatcdns.com" ascii
+ $c2_145 = "ctldl.windowsupdate.organiccrap.com" ascii
+ $c2_146 = "ctldl.windowsupdate.x24hr.com" ascii
+ $c2_147 = "cvnx.zyns.com" ascii
+ $c2_148 = "cwiinatonal.com" ascii
+ $c2_149 = "daddy.gostudyantivirus.com" ascii
+ $c2_150 = "dcc.jimingroup.com" ascii
+ $c2_151 = "dd.ddns.us" ascii
+ $c2_152 = "de.onmypc.info" ascii
+ $c2_153 = "dear.loveddos.com" ascii
+ $c2_154 = "dec.seyesb.acmetoy.com" ascii
+ $c2_155 = "dedgesuite.net" ascii
+ $c2_156 = "dedydns.ns01.us" ascii
+ $c2_157 = "defensewar.org" ascii
+ $c2_158 = "demoones.com" ascii
+ $c2_159 = "department.shenajou.com" ascii
+ $c2_160 = "details.squirly.info" ascii
+ $c2_161 = "development.shenajou.com" ascii
+ $c2_162 = "devilcase.acmetoy.com" ascii
+ $c2_163 = "dfgwerzc.3322.org" ascii
+ $c2_164 = "dick.ccfchrist.com" ascii
+ $c2_165 = "digsby.ourhobby.com" ascii
+ $c2_166 = "disruptive.https443.net" ascii
+ $c2_167 = "dlmix.ourdvs.com" ascii
+ $c2_168 = "dnspoddwg.authorizeddns.org" ascii
+ $c2_170 = "document.methoder.com" ascii
+ $c2_171 = "document.shenajou.com" ascii
+ $c2_172 = "domainnow.yourtrap.com" ascii
+ $c2_173 = "download.applemusic.itemdb.com" ascii
+ $c2_174 = "download.microsoftmusic.onedumb.com" ascii
+ $c2_175 = "download.windowsupdate.authorizeddns.org" ascii
+ $c2_176 = "download.windowsupdate.dedgesuite.net" ascii
+ $c2_177 = "download.windowsupdate.dnset.com" ascii
+ $c2_178 = "download.windowsupdate.itsaol.com" ascii
+ $c2_179 = "download.windowsupdate.lflinkup.com" ascii
+ $c2_180 = "download.windowsupdate.nsatcdns.com" ascii
+ $c2_181 = "download.windowsupdate.x24hr.com" ascii
+ $c2_182 = "downloadlink.mypicture.info" ascii
+ $c2_183 = "drives.methoder.com" ascii
+ $c2_184 = "dst.1dumb.com" ascii
+ $c2_185 = "duosay.com" ascii
+ $c2_186 = "dyncojinf.6600.org" ascii
+ $c2_187 = "dynsbluecheck.7766.org" ascii
+ $c2_188 = "ea.onmypc.info" ascii
+ $c2_189 = "ea.rebatesrule.net" ascii
+ $c2_190 = "edgar.ccfchrist.com" ascii
+ $c2_191 = "ehshiroshima.mylftv.com" ascii
+ $c2_192 = "emailfound.info" ascii
+ $c2_193 = "eric-averyanov.wha.la" ascii
+ $c2_194 = "essashi.com" ascii
+ $c2_195 = "eu.acmetoy.com" ascii
+ $c2_196 = "eu.wha.la" ascii
+ $c2_197 = "eu.zzux.com" ascii
+ $c2_198 = "everydayfilmlink.com" ascii
+ $c2_199 = "ewe.toshste.com" ascii
+ $c2_200 = "eweek.2waky.com" ascii
+ $c2_201 = "exprenum.com" ascii
+ $c2_202 = "express.lflinkup.com" ascii
+ $c2_203 = "extraordinary.dynamic-dns.net" ascii
+ $c2_204 = "f068v.site" ascii
+ $c2_205 = "fabian.ccfchrist.com" ascii
+ $c2_206 = "fastemail.dnsrd.com" ascii
+ $c2_207 = "fastmail2.com" ascii
+ $c2_208 = "fbi.sexxxy.biz" ascii
+ $c2_209 = "fbi.zyns.com" ascii
+ $c2_210 = "fcztqbg.zj.r3u8.com" ascii
+ $c2_211 = "feed.jungleheart.com" ascii
+ $c2_212 = "fftpoor.com" ascii
+ $c2_213 = "fg.v4.download.windowsupdates.dnsrd.com" ascii
+ $c2_214 = "fgipv6.download.windowsupdate.com.mwcname.com" ascii
+ $c2_215 = "file.zzux.com" ascii
+ $c2_216 = "files.architectisusa.com" ascii
+ $c2_217 = "film.everydayfilmlink.com" ascii
+ $c2_218 = "filmlist.everydayfilmlink.com" ascii
+ $c2_219 = "findme.epac.to" ascii
+ $c2_220 = "fire.mrface.com" ascii
+ $c2_221 = "fish.toh.info" ascii
+ $c2_222 = "fiveavmersi.websegoo.net" ascii
+ $c2_223 = "fjs.wikaba.com" ascii
+ $c2_224 = "flea.poulsenv.com" ascii
+ $c2_225 = "flynews.edns.biz" ascii
+ $c2_226 = "fo.mysecondarydns.com" ascii
+ $c2_227 = "foal.wchildress.com" ascii
+ $c2_228 = "follow.wha.la" ascii
+ $c2_229 = "foo.shenajou.com" ascii
+ $c2_230 = "for.ddns.mobi" ascii
+ $c2_231 = "fr.wikaba.com" ascii
+ $c2_232 = "franck.demoones.com" ascii
+ $c2_233 = "ftp.2014.zzux.com" ascii
+ $c2_234 = "ftp.additional.sexidude.com" ascii
+ $c2_235 = "ftp.afc.https443.org" ascii
+ $c2_236 = "ftp.announcements.toythieves.com" ascii
+ $c2_237 = "ftp.apple.ikwb.com" ascii
+ $c2_238 = "ftp.appledownload.ourhobby.com" ascii
+ $c2_239 = "ftp.appleimages.itemdb.com" ascii
+ $c2_240 = "ftp.appleimages.longmusic.com" ascii
+ $c2_241 = "ftp.appleimages.organiccrap.com" ascii
+ $c2_242 = "ftp.applemirror.organiccrap.com" ascii
+ $c2_243 = "ftp.applemirror.squirly.info" ascii
+ $c2_244 = "ftp.applemusic.isasecret.com" ascii
+ $c2_245 = "ftp.applemusic.itemdb.com" ascii
+ $c2_246 = "ftp.applemusic.wikaba.com" ascii
+ $c2_247 = "ftp.applemusic.xxuz.com" ascii
+ $c2_248 = "ftp.applemusic.zzux.com" ascii
+ $c2_249 = "ftp.appleupdate.itemdb.com" ascii
+ $c2_250 = "ftp.architectisusa.com" ascii
+ $c2_251 = "ftp.asfzx.x24hr.com" ascii
+ $c2_252 = "ftp.availab.wikaba.com" ascii
+ $c2_253 = "ftp.availability.justdied.com" ascii
+ $c2_254 = "ftp.back.jungleheart.com" ascii
+ $c2_255 = "ftp.balance1.wikaba.com" ascii
+ $c2_256 = "ftp.be.mrslove.com" ascii
+ $c2_257 = "ftp.brand.fartit.com" ascii
+ $c2_258 = "ftp.bulletproof.squirly.info" ascii
+ $c2_259 = "ftp.cia.ezua.com" ascii
+ $c2_260 = "ftp.cia.toh.info" ascii
+ $c2_261 = "ftp.civilwar123.authorizeddns.org" ascii
+ $c2_262 = "ftp.civilwar520.onmypc.org" ascii
+ $c2_263 = "ftp.cloudfileserverbs.dynamicdns.co.uk" ascii
+ $c2_264 = "ftp.cnnews.mylftv.com" ascii
+ $c2_265 = "ftp.commons.onedumb.com" ascii
+ $c2_266 = "ftp.contractus.qpoe.com" ascii
+ $c2_267 = "ftp.cvnx.zyns.com" ascii
+ $c2_268 = "ftp.de.onmypc.info" ascii
+ $c2_269 = "ftp.details.squirly.info" ascii
+ $c2_270 = "ftp.devilcase.acmetoy.com" ascii
+ $c2_271 = "ftp.disruptive.https443.net" ascii
+ $c2_272 = "ftp.domainnow.yourtrap.com" ascii
+ $c2_273 = "ftp.ea.onmypc.info" ascii
+ $c2_274 = "ftp.ehshiroshima.mylftv.com" ascii
+ $c2_275 = "ftp.eric-averyanov.wha.la" ascii
+ $c2_276 = "ftp.eu.acmetoy.com" ascii
+ $c2_277 = "ftp.eu.wha.la" ascii
+ $c2_278 = "ftp.eu.zzux.com" ascii
+ $c2_279 = "ftp.fbi.sexxxy.biz" ascii
+ $c2_280 = "ftp.file.zzux.com" ascii
+ $c2_281 = "ftp.findme.epac.to" ascii
+ $c2_282 = "ftp.fire.mrface.com" ascii
+ $c2_283 = "ftp.fjs.wikaba.com" ascii
+ $c2_284 = "ftp.fr.wikaba.com" ascii
+ $c2_285 = "ftp.fuck.ikwb.com" ascii
+ $c2_286 = "ftp.fuckmm.dns-dns.com" ascii
+ $c2_287 = "ftp.generat.almostmy.com" ascii
+ $c2_288 = "ftp.goldtoyota.com" ascii
+ $c2_289 = "ftp.goodmusic.justdied.com" ascii
+ $c2_290 = "ftp.helpus.ddns.info" ascii
+ $c2_291 = "ftp.hii.qhigh.com" ascii
+ $c2_292 = "ftp.innocent-isayev.sexidude.com" ascii
+ $c2_293 = "ftp.invoices.sexxxy.biz" ascii
+ $c2_294 = "ftp.iphone.vizvaz.com" ascii
+ $c2_295 = "ftp.itlans.isasecret.com" ascii
+ $c2_296 = "ftp.itunesdownload.jkub.com" ascii
+ $c2_297 = "ftp.itunesdownload.wikaba.com" ascii
+ $c2_298 = "ftp.itunesimages.itemdb.com" ascii
+ $c2_299 = "ftp.itunesimages.itsaol.com" ascii
+ $c2_300 = "ftp.itunesimages.qpoe.com" ascii
+ $c2_301 = "ftp.itunesmirror.fartit.com" ascii
+ $c2_302 = "ftp.itunesmirror.itsaol.com" ascii
+ $c2_303 = "ftp.itunesmusic.ikwb.com" ascii
+ $c2_304 = "ftp.itunesmusic.jetos.com" ascii
+ $c2_305 = "ftp.itunesmusic.jkub.com" ascii
+ $c2_306 = "ftp.itunesmusic.zzux.com" ascii
+ $c2_307 = "ftp.itunesupdate.itsaol.com" ascii
+ $c2_308 = "ftp.itunesupdates.organiccrap.com" ascii
+ $c2_309 = "ftp.japanfilmsite.ikwb.com" ascii
+ $c2_310 = "ftp.jimin.mymom.info" ascii
+ $c2_311 = "ftp.jp.serveuser.com" ascii
+ $c2_312 = "ftp.key.zzux.com" ascii
+ $c2_313 = "ftp.knowledge.sellclassics.com" ascii
+ $c2_314 = "ftp.lan.dynssl.com" ascii
+ $c2_315 = "ftp.latestnews.epac.to" ascii
+ $c2_316 = "ftp.latestnews.organiccrap.com" ascii
+ $c2_317 = "ftp.leedong.longmusic.com" ascii
+ $c2_318 = "ftp.macfee.mrface.com" ascii
+ $c2_319 = "ftp.maffc.mrface.com" ascii
+ $c2_320 = "ftp.malware.dsmtp.com" ascii
+ $c2_321 = "ftp.manager.jetos.com" ascii
+ $c2_322 = "ftp.martin.sellclassics.com" ascii
+ $c2_323 = "ftp.mason.vizvaz.com" ascii
+ $c2_324 = "ftp.mediapath.organiccrap.com" ascii
+ $c2_325 = "ftp.microsoft.got-game.org" ascii
+ $c2_326 = "ftp.microsoft.mrface.com" ascii
+ $c2_327 = "ftp.microsoftimages.organiccrap.com" ascii
+ $c2_328 = "ftp.microsoftmusic.mrbasic.com" ascii
+ $c2_329 = "ftp.microsoftqckmanager.pcanywhere.net" ascii
+ $c2_330 = "ftp.microsoftupdate.mrbasic.com" ascii
+ $c2_331 = "ftp.microsoftupdate.qhigh.com" ascii
+ $c2_332 = "ftp.micrsoftware.dsmtp.com" ascii
+ $c2_333 = "ftp.mircsoft.compress.to" ascii
+ $c2_334 = "ftp.mmy.ddns.us" ascii
+ $c2_335 = "ftp.mod.jetos.com" ascii
+ $c2_336 = "ftp.mofa.dynamic-dns.net" ascii
+ $c2_337 = "ftp.mofa.ns01.info" ascii
+ $c2_338 = "ftp.moscowdic.trickip.org" ascii
+ $c2_339 = "ftp.msg.ezua.com" ascii
+ $c2_340 = "ftp.musicfile.ikwb.com" ascii
+ $c2_341 = "ftp.musicjj.zzux.com" ascii
+ $c2_342 = "ftp.mymusicbox.vizvaz.com" ascii
+ $c2_343 = "ftp.myphpwebsite.itsaol.com" ascii
+ $c2_344 = "ftp.myrestroomimage.isasecret.com" ascii
+ $c2_345 = "ftp.na.americanunfinished.com" ascii
+ $c2_346 = "ftp.na.onmypc.org" ascii
+ $c2_347 = "ftp.newsdata.jkub.com" ascii
+ $c2_348 = "ftp.newsroom.cleansite.info" ascii
+ $c2_349 = "ftp.no.authorizeddns.org" ascii
+ $c2_350 = "ftp.nsa.mefound.com" ascii
+ $c2_351 = "ftp.nt.mynumber.org" ascii
+ $c2_352 = "ftp.nttdata.otzo.com" ascii
+ $c2_353 = "ftp.nz.compress.to" ascii
+ $c2_354 = "ftp.ol.almostmy.com" ascii
+ $c2_355 = "ftp.oracleupdate.dns04.com" ascii
+ $c2_356 = "ftp.portal.mrface.com" ascii
+ $c2_357 = "ftp.portal.sendsmtp.com" ascii
+ $c2_358 = "ftp.portalser.dynamic-dns.net" ascii
+ $c2_359 = "ftp.praskovya-matveyeva.mefound.com" ascii
+ $c2_360 = "ftp.praskovya-ulyanova.dumb1.com" ascii
+ $c2_361 = "ftp.products.almostmy.com" ascii
+ $c2_362 = "ftp.products.cleansite.us" ascii
+ $c2_363 = "ftp.products.serveuser.com" ascii
+ $c2_364 = "ftp.purchase.lflinkup.org" ascii
+ $c2_365 = "ftp.recent.dns-stuff.com" ascii
+ $c2_366 = "ftp.recent.fartit.com" ascii
+ $c2_367 = "ftp.referred.gr8domain.biz" ascii
+ $c2_368 = "ftp.referred.yourtrap.com" ascii
+ $c2_369 = "ftp.register.ourhobby.com" ascii
+ $c2_370 = "ftp.registration2.instanthq.com" ascii
+ $c2_371 = "ftp.registrations.4pu.com" ascii
+ $c2_372 = "ftp.registrations.organiccrap.com" ascii
+ $c2_373 = "ftp.remeberdata.iownyour.org" ascii
+ $c2_374 = "ftp.reserveds.onedumb.com" ascii
+ $c2_375 = "ftp.rethem.almostmy.com" ascii
+ $c2_376 = "ftp.sdmsg.onmypc.org" ascii
+ $c2_377 = "ftp.se.toythieves.com" ascii
+ $c2_378 = "ftp.secertnews.mrbasic.com" ascii
+ $c2_379 = "ftp.senseye.ikwb.com" ascii
+ $c2_380 = "ftp.senseye.mrbonus.com" ascii
+ $c2_381 = "ftp.septdlluckysystem.jungleheart.com" ascii
+ $c2_382 = "ftp.seraphim-yurieva.justdied.com" ascii
+ $c2_383 = "ftp.serv.justdied.com" ascii
+ $c2_384 = "ftp.server1.proxydns.com" ascii
+ $c2_385 = "ftp.seyesb.acmetoy.com" ascii
+ $c2_386 = "ftp.shugiin.jkub.com" ascii
+ $c2_387 = "ftp.singed.otzo.com" ascii
+ $c2_388 = "ftp.sstday.jkub.com" ascii
+ $c2_389 = "ftp.support1.mrface.com" ascii
+ $c2_390 = "ftp.supportus.mefound.com" ascii
+ $c2_391 = "ftp.svc.dynssl.com" ascii
+ $c2_392 = "ftp.synssl.dnset.com" ascii
+ $c2_393 = "ftp.tamraj.fartit.com" ascii
+ $c2_394 = "ftp.tfa.longmusic.com" ascii
+ $c2_395 = "ftp.thunder.wikaba.com" ascii
+ $c2_396 = "ftp.ticket.instanthq.com" ascii
+ $c2_397 = "ftp.ticket.serveuser.com" ascii
+ $c2_398 = "ftp.tokyofile.2waky.com" ascii
+ $c2_399 = "ftp.tophost.dynamicdns.co.uk" ascii
+ $c2_400 = "ftp.transfer.lflinkup.org" ascii
+ $c2_401 = "ftp.transfer.mrbasic.com" ascii
+ $c2_402 = "ftp.transfer.vizvaz.com" ascii
+ $c2_403 = "ftp.ugreen.itemdb.com" ascii
+ $c2_404 = "ftp.uk.dynamicdns.org.uk" ascii
+ $c2_405 = "ftp.un.ddns.info" ascii
+ $c2_406 = "ftp.un.dnsrd.com" ascii
+ $c2_407 = "ftp.usa.itsaol.com" ascii
+ $c2_408 = "ftp.well.itsaol.com" ascii
+ $c2_409 = "ftp.well.mrbasic.com" ascii
+ $c2_410 = "ftp.wike.wikaba.com" ascii
+ $c2_411 = "ftp.windowfile.itemdb.com" ascii
+ $c2_412 = "ftp.windowsimages.itemdb.com" ascii
+ $c2_413 = "ftp.windowsimages.qhigh.com" ascii
+ $c2_414 = "ftp.windowsmirrors.vizvaz.com" ascii
+ $c2_415 = "ftp.windowsupdate.2waky.com" ascii
+ $c2_416 = "ftp.windowsupdate.3-a.net" ascii
+ $c2_417 = "ftp.windowsupdate.authorizeddns.us" ascii
+ $c2_418 = "ftp.windowsupdate.dns05.com" ascii
+ $c2_419 = "ftp.windowsupdate.esmtp.biz" ascii
+ $c2_420 = "ftp.windowsupdate.ezua.com" ascii
+ $c2_421 = "ftp.windowsupdate.fartit.com" ascii
+ $c2_422 = "ftp.windowsupdate.gettrials.com" ascii
+ $c2_423 = "ftp.windowsupdate.instanthq.com" ascii
+ $c2_424 = "ftp.windowsupdate.jungleheart.com" ascii
+ $c2_425 = "ftp.windowsupdate.lflink.com" ascii
+ $c2_426 = "ftp.windowsupdate.mrface.com" ascii
+ $c2_427 = "ftp.windowsupdate.mylftv.com" ascii
+ $c2_428 = "ftp.windowsupdate.rebatesrule.net" ascii
+ $c2_429 = "ftp.windowsupdate.sellclassics.com" ascii
+ $c2_430 = "ftp.windowsupdate.serveusers.com" ascii
+ $c2_431 = "ftp.yandexr.sellclassics.com" ascii
+ $c2_432 = "fu.epac.to" ascii
+ $c2_433 = "fuck.ikwb.com" ascii
+ $c2_434 = "fuckanti.com" ascii
+ $c2_435 = "fuckdd.8800.org" ascii
+ $c2_436 = "fuckmm.8800.org" ascii
+ $c2_437 = "fuckmm.dns-dns.com" ascii
+ $c2_438 = "fukuoka.cloud-maste.com" ascii
+ $c2_439 = "g3ypf.online" ascii
+ $c2_440 = "gadskysun.com" ascii
+ $c2_441 = "gavin.ccfchrist.com" ascii
+ $c2_442 = "generat.almostmy.com" ascii
+ $c2_443 = "generousd.hopto.org" ascii
+ $c2_444 = "gensuzuki.6600.org" ascii
+ $c2_446 = "gh.mysecondarydns.com" ascii
+ $c2_447 = "gifuonlineshopping.mynumber.org" ascii
+ $c2_448 = "glicense.shenajou.com" ascii
+ $c2_449 = "globalnews.wikaba.com" ascii
+ $c2_450 = "gmail.com.mailsserver.com" ascii
+ $c2_451 = "gmpcw.com" ascii
+ $c2_452 = "gold.polopurple.com" ascii
+ $c2_453 = "goldtoyota.com" ascii
+ $c2_454 = "goodmusic.justdied.com" ascii
+ $c2_455 = "goodsampjp.com" ascii
+ $c2_456 = "gooesdataios.instanthq.com" ascii
+ $c2_457 = "google.macforlinux.net" ascii
+ $c2_458 = "google.usrobothome.com" ascii
+ $c2_459 = "googlemeail.com" ascii
+ $c2_460 = "gostudyantivirus.com" ascii
+ $c2_461 = "gostudymbaa.com" ascii
+ $c2_462 = "gotourisma.com" ascii
+ $c2_463 = "gt4study.com" ascii
+ $c2_464 = "gtsofta.com" ascii
+ $c2_465 = "haoyujd.info" ascii
+ $c2_466 = "happy.workerisgood.com" ascii
+ $c2_467 = "have8000.com" ascii
+ $c2_468 = "helpus.ddns.info" ascii
+ $c2_469 = "helshellfucde.8866.org" ascii
+ $c2_470 = "hg8fmv.racing" ascii
+ $c2_471 = "hii.qhigh.com" ascii
+ $c2_472 = "hk.2012yearleft.com" ascii
+ $c2_473 = "hk.cmdnetview.com" ascii
+ $c2_474 = "hk.have8000.com" ascii
+ $c2_475 = "hk.loveddos.com" ascii
+ $c2_476 = "home.trickip.org" ascii
+ $c2_477 = "hostport9.net" ascii
+ $c2_478 = "hotmai.info" ascii
+ $c2_479 = "hotmail.com.mailsserver.com" ascii
+ $c2_480 = "hukuoka.cloud-maste.com" ascii
+ $c2_481 = "iamges.itunesmusic.jkub.com" ascii
+ $c2_482 = "ibmmsg.strangled.net" ascii
+ $c2_483 = "icfeds.cf" ascii
+ $c2_484 = "idpmus.hostport9.net" ascii
+ $c2_486 = "im.suibian2010.info" ascii
+ $c2_487 = "image.websago.info" ascii
+ $c2_488 = "images.itunesmusic.jkub.com" ascii
+ $c2_489 = "images.thedomais.info" ascii
+ $c2_490 = "images.tyoto-go-jp.com" ascii
+ $c2_491 = "images.windowsupdate.organiccrap.com" ascii
+ $c2_492 = "imap.architectisusa.com" ascii
+ $c2_493 = "imap.dnset.com" ascii
+ $c2_494 = "imap.lflink.com" ascii
+ $c2_495 = "imap.onmypc.net" ascii
+ $c2_496 = "imap.ygto.com" ascii
+ $c2_497 = "img.station155.com" ascii
+ $c2_498 = "improvejpese.com" ascii
+ $c2_499 = "incloud-go.com" ascii
+ $c2_500 = "incloud-obert.com" ascii
+ $c2_501 = "ingemar.catholicmmb.com" ascii
+ $c2_502 = "innocent-isayev.sexidude.com" ascii
+ $c2_503 = "innov-tec.com.ua" ascii
+ $c2_504 = "inspgon.re26.com" ascii
+ $c2_505 = "interpreter.shenajou.com" ascii
+ $c2_506 = "invoices.sexxxy.biz" ascii
+ $c2_508 = "iphone.vizvaz.com" ascii
+ $c2_509 = "ipv4.applemusic.itemdb.com" ascii
+ $c2_510 = "ipv4.itunesmusic.jkub.com" ascii
+ $c2_511 = "ipv4.japanenvnews.qpoe.com" ascii
+ $c2_512 = "ipv4.microsoftmusic.onedumb.com" ascii
+ $c2_513 = "ipv4.microsoftupdate.mrbasic.com" ascii
+ $c2_514 = "ipv4.microsoftupdate.qhigh.com" ascii
+ $c2_515 = "ipv4.windowsupdate.3-a.net" ascii
+ $c2_516 = "ipv4.windowsupdate.authorizeddns.org" ascii
+ $c2_517 = "ipv4.windowsupdate.authorizeddns.us" ascii
+ $c2_518 = "ipv4.windowsupdate.dnset.com" ascii
+ $c2_519 = "ipv4.windowsupdate.esmtp.biz" ascii
+ $c2_520 = "ipv4.windowsupdate.ezua.com" ascii
+ $c2_521 = "ipv4.windowsupdate.fartit.com" ascii
+ $c2_522 = "ipv4.windowsupdate.gettrials.com" ascii
+ $c2_523 = "ipv4.windowsupdate.itsaol.com" ascii
+ $c2_524 = "ipv4.windowsupdate.lflink.com" ascii
+ $c2_525 = "ipv4.windowsupdate.lflinkup.com" ascii
+ $c2_526 = "ipv4.windowsupdate.mrface.com" ascii
+ $c2_527 = "ipv4.windowsupdate.mylftv.com" ascii
+ $c2_528 = "ipv4.windowsupdate.nsatcdns.com" ascii
+ $c2_529 = "ipv4.windowsupdate.x24hr.com" ascii
+ $c2_530 = "ipv6microsoft.dlmix.ourdvs.com" ascii
+ $c2_531 = "itlans.isasecret.com" ascii
+ $c2_532 = "itunesdownload.jkub.com" ascii
+ $c2_533 = "itunesdownload.vizvaz.com" ascii
+ $c2_534 = "itunesdownload.wikaba.com" ascii
+ $c2_535 = "itunesimages.itemdb.com" ascii
+ $c2_536 = "itunesimages.itsaol.com" ascii
+ $c2_537 = "itunesimages.qpoe.com" ascii
+ $c2_538 = "itunesmirror.fartit.com" ascii
+ $c2_539 = "itunesmirror.itsaol.com" ascii
+ $c2_540 = "itunesmusic.ikwb.com" ascii
+ $c2_541 = "itunesmusic.jetos.com" ascii
+ $c2_542 = "itunesmusic.jkub.com" ascii
+ $c2_543 = "itunesmusic.zzux.com" ascii
+ $c2_544 = "itunesupdate.itsaol.com" ascii
+ $c2_545 = "itunesupdates.organiccrap.com" ascii
+ $c2_546 = "iw.mrslove.com" ascii
+ $c2_547 = "ixrayeye.com" ascii
+ $c2_548 = "james.tffghelth.com" ascii
+ $c2_549 = "janpan.bigmoney.biz" ascii
+ $c2_550 = "janpun.americanunfinished.com" ascii
+ $c2_551 = "jap.japanmusicinfo.com" ascii
+ $c2_552 = "japan.fuckanti.com" ascii
+ $c2_553 = "japan.linuxforover.com" ascii
+ $c2_554 = "japan.loveddos.com" ascii
+ $c2_555 = "japanenvnews.qpoe.com" ascii
+ $c2_556 = "japanfilmsite.ikwb.com" ascii
+ $c2_557 = "japanfst.japanteam.org" ascii
+ $c2_558 = "japanmusicinfo.com" ascii
+ $c2_559 = "japanteam.org" ascii
+ $c2_560 = "jcie.mofa.ns01.info" ascii
+ $c2_561 = "jepsen.r3u8.com" ascii
+ $c2_562 = "jica-go-jp.bike" ascii
+ $c2_563 = "jica-go-jp.biz" ascii
+ $c2_564 = "jimin-jp.biz" ascii
+ $c2_565 = "jimin.jimindaddy.com" ascii
+ $c2_566 = "jimin.mymom.info" ascii
+ $c2_567 = "jimindaddy.com" ascii
+ $c2_568 = "jimingroup.com" ascii
+ $c2_569 = "jimintokoy.com" ascii
+ $c2_570 = "jj.mysecondarydns.com" ascii
+ $c2_571 = "jmuroran.com" ascii
+ $c2_572 = "jp.rakutenmusic.com" ascii
+ $c2_573 = "jp.serveuser.com" ascii
+ $c2_574 = "jpcert.org" ascii
+ $c2_575 = "jpn.longmusic.com" ascii
+ $c2_576 = "jpnxzshopdata.authorizeddns.org" ascii
+ $c2_577 = "jpstarmarket.serveusers.com" ascii
+ $c2_578 = "kaka.lehigtapp.com" ascii
+ $c2_579 = "kawasaki.cloud-maste.com" ascii
+ $c2_580 = "kawasaki.unhamj.com" ascii
+ $c2_581 = "kennedy.tffghelth.com" ascii
+ $c2_582 = "key.zzux.com" ascii
+ $c2_583 = "kikimusic.sellclassics.com" ascii
+ $c2_584 = "kmd.crabdance.com" ascii
+ $c2_585 = "knowledge.sellclassics.com" ascii
+ $c2_586 = "ktgmktanxgvn.r3u8.com" ascii
+ $c2_587 = "kxsbwappupdate.dhcp.biz" ascii
+ $c2_588 = "kztmusiclnk.dnsrd.com" ascii
+ $c2_589 = "lan.dynssl.com" ascii
+ $c2_590 = "last.p6p6.net" ascii
+ $c2_591 = "latestnews.epac.to" ascii
+ $c2_592 = "latestnews.organiccrap.com" ascii
+ $c2_593 = "leedong.longmusic.com" ascii
+ $c2_594 = "lehigtapp.com" ascii
+ $c2_595 = "lennon.fftpoor.com" ascii
+ $c2_596 = "license.shenajou.com" ascii
+ $c2_597 = "lie.jetos.com" ascii
+ $c2_598 = "linuxforover.com" ascii
+ $c2_599 = "linuxsofta.com" ascii
+ $c2_600 = "lion.wchildress.com" ascii
+ $c2_601 = "lizard.poulsenv.com" ascii
+ $c2_602 = "logon-live.com" ascii
+ $c2_603 = "lottedfstravel.webbooting.com" ascii
+ $c2_604 = "loveddos.com" ascii
+ $c2_605 = "lzf550.r3u8.com" ascii
+ $c2_606 = "ma.vizvaz.com" ascii
+ $c2_607 = "mac.goldtoyota.com" ascii
+ $c2_608 = "mac.methoder.com" ascii
+ $c2_609 = "macfee.mrface.com" ascii
+ $c2_610 = "macforlinux.net" ascii
+ $c2_611 = "maffc.mrface.com" ascii
+ $c2_612 = "mail.architectisusa.com" ascii
+ $c2_613 = "mail.macforlinux.net" ascii
+ $c2_614 = "mailcarriage.co.uk" ascii
+ $c2_615 = "mailj.hostport9.net" ascii
+ $c2_616 = "mailserever.com" ascii
+ $c2_617 = "mailsserver.com" ascii
+ $c2_618 = "mailvserver.com" ascii
+ $c2_619 = "malcolm.fftpoor.com" ascii
+ $c2_620 = "malware.dsmtp.com" ascii
+ $c2_621 = "manager.architectisusa.com" ascii
+ $c2_622 = "manager.jetos.com" ascii
+ $c2_623 = "markabcinfo.dynamicdns.me.uk" ascii
+ $c2_624 = "martin.sellclassics.com" ascii
+ $c2_625 = "mason.vizvaz.com" ascii
+ $c2_626 = "mbaby.macforlinux.net" ascii
+ $c2_627 = "medexplor.thedomais.info" ascii
+ $c2_628 = "mediapath.organiccrap.com" ascii
+ $c2_629 = "meiji-ac-jp.com" ascii
+ $c2_630 = "mesjm.emailfound.info" ascii
+ $c2_631 = "message.emailfound.info" ascii
+ $c2_632 = "message.p6p6.net" ascii
+ $c2_633 = "messagea.emailfound.info" ascii
+ $c2_634 = "methoder.com" ascii
+ $c2_635 = "mf.ddns.info" ascii
+ $c2_636 = "microcnmlgb.3322.org" ascii
+ $c2_637 = "microdef.2288.org" ascii
+ $c2_638 = "microhome.wikaba.com" ascii
+ $c2_639 = "microsoft.got-game.org" ascii
+ $c2_640 = "microsoft.mrface.com" ascii
+ $c2_641 = "microsoftdownload.zzux.com" ascii
+ $c2_642 = "microsoftempowering.sendsmtp.com" ascii
+ $c2_643 = "microsoften.com" ascii
+ $c2_644 = "microsoftgame.mrface.com" ascii
+ $c2_645 = "microsoftgetstarted.sexidude.com" ascii
+ $c2_646 = "microsoftimages.organiccrap.com" ascii
+ $c2_647 = "microsoftmirror.mrbasic.com" ascii
+ $c2_648 = "microsoftmusic.itemdb.com" ascii
+ $c2_649 = "microsoftmusic.mrbasic.com" ascii
+ $c2_650 = "microsoftmusic.onedumb.com" ascii
+ $c2_651 = "microsoftqckmanager.pcanywhere.net" ascii
+ $c2_652 = "microsoftstore.jetos.com" ascii
+ $c2_653 = "microsoftstores.itemdb.com" ascii
+ $c2_654 = "microsoftupdate.mrbasic.com" ascii
+ $c2_655 = "microsoftupdate.qhigh.com" ascii
+ $c2_656 = "microsoftupdates.vizvaz.com" ascii
+ $c2_657 = "micrsoftware.dsmtp.com" ascii
+ $c2_658 = "mircsoft.compress.to" ascii
+ $c2_659 = "mivsee.website0012.net" ascii
+ $c2_660 = "mmofoojap.2288.org" ascii
+ $c2_661 = "mmy.ddns.us" ascii
+ $c2_662 = "mobile.2waky.com" ascii
+ $c2_663 = "mocha.100fanwen.com" ascii
+ $c2_664 = "mod.jetos.com" ascii
+ $c2_665 = "mofa-go-jp.com" ascii
+ $c2_666 = "mofa.dynamic-dns.net" ascii
+ $c2_667 = "mofa.ns01.info" ascii
+ $c2_668 = "mofa.strangled.net" ascii
+ $c2_669 = "mofaess.com" ascii
+ $c2_670 = "mongoles.3322.org" ascii
+ $c2_671 = "monkey.2012yearleft.com" ascii
+ $c2_672 = "moscowstdsupdate.toythieves.com" ascii
+ $c2_673 = "mrsloveaqx.mrslove.com" ascii
+ $c2_674 = "ms.ecc.u-tokyo-ac-jp.com" ascii
+ $c2_675 = "mseupdate.ourhobby.com" ascii
+ $c2_676 = "msg.ezua.com" ascii
+ $c2_677 = "msn.incloud-go.com" ascii
+ $c2_678 = "muller.exprenum.com" ascii
+ $c2_679 = "music.applemusic.itemdb.com" ascii
+ $c2_680 = "music.cleansite.us" ascii
+ $c2_681 = "music.websegoo.net" ascii
+ $c2_682 = "musicfile.ikwb.com" ascii
+ $c2_683 = "musicinfo.everydayfilmlink.com" ascii
+ $c2_684 = "musiclinker.jkub.com" ascii
+ $c2_685 = "musicsecph.squirly.info" ascii
+ $c2_686 = "mx.yetrula.eu" ascii
+ $c2_687 = "myie12.com" ascii
+ $c2_688 = "mymusicbox.lflinkup.org" ascii
+ $c2_689 = "mymusicbox.vizvaz.com" ascii
+ $c2_690 = "myphpwebsite.itsaol.com" ascii
+ $c2_691 = "myrestroomimage.isasecret.com" ascii
+ $c2_692 = "mytwhomeinst.sendsmtp.com" ascii
+ $c2_693 = "myurinikoreaaps.ninth.biz" ascii
+ $c2_694 = "na.americanunfinished.com" ascii
+ $c2_695 = "na.onmypc.org" ascii
+ $c2_696 = "nasa.xxuz.com" ascii
+ $c2_697 = "nec.website0012.net" ascii
+ $c2_698 = "news.100fanwen.com" ascii
+ $c2_699 = "newsdata.jkub.com" ascii
+ $c2_700 = "newsfile.toythieves.com" ascii
+ $c2_701 = "newsreport.justdied.com" ascii
+ $c2_702 = "newsroom.cleansite.info" ascii
+ $c2_703 = "nezwq.ezua.com" ascii
+ $c2_704 = "ngcc.8800.org" ascii
+ $c2_705 = "niushenghuo.info" ascii
+ $c2_706 = "nk10.belowto.com" ascii
+ $c2_707 = "nk20.belowto.com" ascii
+ $c2_708 = "nlddnsinfo.https443.org" ascii
+ $c2_709 = "nmrx.mrbonus.com" ascii
+ $c2_710 = "nn.dynssl.com" ascii
+ $c2_711 = "no.authorizeddns.org" ascii
+ $c2_712 = "node.mofaess.com" ascii
+ $c2_713 = "nodns2.qipian.org" ascii
+ $c2_714 = "nposnewsinfo.qhigh.com" ascii
+ $c2_715 = "ns1.belowto.com" ascii
+ $c2_716 = "ns1.tlchs2.ml" ascii
+ $c2_717 = "ns2.belowto.com" ascii
+ $c2_718 = "ns21.belowto.com" ascii
+ $c2_719 = "ns22.belowto.com" ascii
+ $c2_720 = "ns4.belowto.com" ascii
+ $c2_721 = "ns5.belowto.com" ascii
+ $c2_722 = "nsa.mefound.com" ascii
+ $c2_723 = "nsatcdns.com" ascii
+ $c2_724 = "nt.mynumber.org" ascii
+ $c2_725 = "nttdata.otzo.com" ascii
+ $c2_726 = "nunluck.re26.com" ascii
+ $c2_727 = "nz.compress.to" ascii
+ $c2_728 = "oipbl.com" ascii
+ $c2_729 = "ol.almostmy.com" ascii
+ $c2_730 = "oldbmwy.com" ascii
+ $c2_731 = "oms.sindeali.com" ascii
+ $c2_732 = "openmofa.8866.org" ascii
+ $c2_733 = "oracleupdate.dns04.com" ascii
+ $c2_734 = "osaka-jpgo.com" ascii
+ $c2_735 = "outlook.otzo.com" ascii
+ $c2_736 = "owlmedia.mefound.com" ascii
+ $c2_737 = "p6p6.net" ascii
+ $c2_738 = "peopleinfodata.3-a.net" ascii
+ $c2_739 = "phptecinfohelp.itemdb.com" ascii
+ $c2_740 = "pictures.everydayfilmlink.com" ascii
+ $c2_741 = "pj.qpoe.com" ascii
+ $c2_742 = "points.mofaess.com" ascii
+ $c2_743 = "polopurple.com" ascii
+ $c2_744 = "pop.architectisusa.com" ascii
+ $c2_745 = "pop.loveddos.com" ascii
+ $c2_746 = "portal.mrface.com" ascii
+ $c2_747 = "portal.sendsmtp.com" ascii
+ $c2_748 = "portalser.dynamic-dns.net" ascii
+ $c2_749 = "poulsenv.com" ascii
+ $c2_750 = "praskovya-matveyeva.mefound.com" ascii
+ $c2_751 = "praskovya-ulyanova.dumb1.com" ascii
+ $c2_752 = "premium.redforlinux.com" ascii
+ $c2_753 = "products.almostmy.com" ascii
+ $c2_754 = "products.cleansite.us" ascii
+ $c2_755 = "products.serveuser.com" ascii
+ $c2_756 = "program.acmetoy.com" ascii
+ $c2_757 = "prrmes4019.r3u8.com" ascii
+ $c2_758 = "purchase.lflinkup.org" ascii
+ $c2_759 = "q6.niushenghuo.info" ascii
+ $c2_760 = "qtsofta.com" ascii
+ $c2_761 = "quick.oldbmwy.com" ascii
+ $c2_762 = "r3u8.com" ascii
+ $c2_763 = "radiorig.com" ascii
+ $c2_764 = "rain.orctldl.windowsupdate.authorizeddns.us" ascii
+ $c2_765 = "rakutenmusic.com" ascii
+ $c2_766 = "rdns-4.infoproduto1.tk" ascii
+ $c2_767 = "re26.com" ascii
+ $c2_768 = "read.xxuz.com" ascii
+ $c2_769 = "recent.dns-stuff.com" ascii
+ $c2_770 = "recent.fartit.com" ascii
+ $c2_771 = "record.hostport9.net" ascii
+ $c2_772 = "record.webssl9.info" ascii
+ $c2_773 = "record.wschandler.com" ascii
+ $c2_774 = "redforlinux.com" ascii
+ $c2_775 = "referred.gr8domain.biz" ascii
+ $c2_776 = "referred.yourtrap.com" ascii
+ $c2_777 = "register.ourhobby.com" ascii
+ $c2_778 = "registration2.instanthq.com" ascii
+ $c2_779 = "registrations.4pu.com" ascii
+ $c2_780 = "registrations.organiccrap.com" ascii
+ $c2_781 = "reports.tomorrowforgood.com" ascii
+ $c2_782 = "reserveds.onedumb.com" ascii
+ $c2_783 = "resources.applemusic.itemdb.com" ascii
+ $c2_784 = "rethem.almostmy.com" ascii
+ $c2_785 = "rg197.win" ascii
+ $c2_786 = "rlbeiydn.hi.r3u8.com" ascii
+ $c2_787 = "saiyo.exprenum.com" ascii
+ $c2_788 = "sakai.unhamj.com" ascii
+ $c2_789 = "salvaiona.com" ascii
+ $c2_790 = "sappore.cloud-maste.com" ascii
+ $c2_791 = "sapporo.cloud-maste.com" ascii
+ $c2_792 = "sapporot.com" ascii
+ $c2_793 = "sat.suayay.com" ascii
+ $c2_794 = "saverd.re26.com" ascii
+ $c2_795 = "sbuudd.webssl9.info" ascii
+ $c2_796 = "sc.weboot.info" ascii
+ $c2_797 = "scholz-versand.com" ascii
+ $c2_798 = "scorpion.poulsenv.com" ascii
+ $c2_799 = "scrlk.exprenum.com" ascii
+ $c2_800 = "sdmsg.onmypc.org" ascii
+ $c2_801 = "se.toythieves.com" ascii
+ $c2_802 = "sea.websegoo.net" ascii
+ $c2_803 = "secertnews.mrbasic.com" ascii
+ $c2_804 = "secmicrosooo.6600.org" ascii
+ $c2_805 = "secnetshit.com" ascii
+ $c2_806 = "secserverupdate.toh.info" ascii
+ $c2_807 = "sell.mofaess.com" ascii
+ $c2_808 = "sema.linuxsofta.com" ascii
+ $c2_809 = "send.have8000.com" ascii
+ $c2_810 = "send.mofa.ns01.info" ascii
+ $c2_811 = "sendmsg.jumpingcrab.com" ascii
+ $c2_812 = "senseye.ikwb.com" ascii
+ $c2_813 = "senseye.mrbonus.com" ascii
+ $c2_814 = "septdlluckysystem.jungleheart.com" ascii
+ $c2_815 = "seraphim-yurieva.justdied.com" ascii
+ $c2_816 = "serv.justdied.com" ascii
+ $c2_817 = "server1.proxydns.com" ascii
+ $c2_818 = "seyesb.acmetoy.com" ascii
+ $c2_819 = "sha.25u.com" ascii
+ $c2_820 = "sha.ikwb.com" ascii
+ $c2_821 = "shenajou.com" ascii
+ $c2_822 = "shoppingcentre.station155.com" ascii
+ $c2_823 = "shrimp.UsFfUnicef.com" ascii
+ $c2_824 = "shrimp.bdoncloud.com" ascii
+ $c2_825 = "shugiin.jkub.com" ascii
+ $c2_826 = "sindeali.com" ascii
+ $c2_827 = "singed.otzo.com" ascii
+ $c2_828 = "siteinit.info" ascii
+ $c2_829 = "sky.oldbmwy.com" ascii
+ $c2_830 = "sma.jimindaddy.com" ascii
+ $c2_831 = "smo.gadskysun.com" ascii
+ $c2_832 = "smtp.architectisusa.com" ascii
+ $c2_833 = "smtp.macforlinux.net" ascii
+ $c2_834 = "smtp230.toldweb.com" ascii
+ $c2_835 = "somthing.re26.com" ascii
+ $c2_836 = "sstday.jkub.com" ascii
+ $c2_837 = "start.usrobothome.com" ascii
+ $c2_838 = "station155.com" ascii
+ $c2_839 = "stevenlf.com" ascii
+ $c2_840 = "stone.jumpingcrab.com" ascii
+ $c2_841 = "style.u-tokyo-ac-jp.com" ascii
+ $c2_842 = "suayay.com" ascii
+ $c2_843 = "suibian2010.info" ascii
+ $c2_844 = "support1.mrface.com" ascii
+ $c2_845 = "supportus.mefound.com" ascii
+ $c2_846 = "suzukigooogle.8866.org" ascii
+ $c2_847 = "svc.dynssl.com" ascii
+ $c2_848 = "synssl.dnset.com" ascii
+ $c2_849 = "sz.thedomais.info" ascii
+ $c2_850 = "taipei.yourtrap.com" ascii
+ $c2_851 = "taipeifoodsite.ocry.com" ascii
+ $c2_852 = "tamraj.fartit.com" ascii
+ $c2_853 = "telegraph.mefound.com" ascii
+ $c2_854 = "test.usyahooapis.com" ascii
+ $c2_855 = "tfa.longmusic.com" ascii
+ $c2_856 = "tffghelth.com" ascii
+ $c2_857 = "thedomais.info" ascii
+ $c2_858 = "ticket.instanthq.com" ascii
+ $c2_859 = "ticket.jetos.com" ascii
+ $c2_860 = "ticket.serveuser.com" ascii
+ $c2_861 = "tidatacenter.shenajou.com" ascii
+ $c2_862 = "tisdatacenter.shenajou.com" ascii
+ $c2_863 = "tisupdateinfo.faqserv.com" ascii
+ $c2_864 = "tokyo-gojp.com" ascii
+ $c2_865 = "tokyofile.2waky.com" ascii
+ $c2_866 = "tomorrowforgood.com" ascii
+ $c2_867 = "tophost.dynamicdns.co.uk" ascii
+ $c2_868 = "toshste.com" ascii
+ $c2_869 = "toya.7766.org" ascii
+ $c2_870 = "transfer.lflinkup.org" ascii
+ $c2_871 = "transfer.mrbasic.com" ascii
+ $c2_872 = "transfer.vizvaz.com" ascii
+ $c2_873 = "trasul.mypicture.info" ascii
+ $c2_874 = "travelyokogawafz.fartit.com" ascii
+ $c2_875 = "trendmicroupdate.shenajou.com" ascii
+ $c2_876 = "trendsecurity.shenajou.com" ascii
+ $c2_877 = "trout.belowto.com" ascii
+ $c2_878 = "tv.goldtoyota.com" ascii
+ $c2_879 = "tw.2012yearleft.com" ascii
+ $c2_880 = "twmusic.proxydns.com" ascii
+ $c2_881 = "twpeoplemusicsite.my03.com" ascii
+ $c2_882 = "twtravelinfomation.toythieves.com" ascii
+ $c2_883 = "twx.mynumber.org" ascii
+ $c2_884 = "tyoto-go-jp.com" ascii
+ $c2_885 = "u-tokyo-ac-jp.com" ascii
+ $c2_886 = "u1.FartIT.com" ascii
+ $c2_887 = "u1.haoyujd.info" ascii
+ $c2_888 = "ubuntusofta.com" ascii
+ $c2_889 = "ugreen.itemdb.com" ascii
+ $c2_890 = "ui.hdcdui.com" ascii
+ $c2_891 = "uk.dynamicdns.org.uk" ascii
+ $c2_892 = "ukuoka.cloud-maste.com" ascii
+ $c2_893 = "ultimedia.vmmini.com" ascii
+ $c2_894 = "un.ddns.info" ascii
+ $c2_895 = "un.dnsrd.com" ascii
+ $c2_896 = "unhamj.com" ascii
+ $c2_897 = "update.yourtrap.com" ascii
+ $c2_898 = "updatemirrors.fartit.com" ascii
+ $c2_899 = "updates.itsaol.com" ascii
+ $c2_900 = "ups.improvejpese.com" ascii
+ $c2_901 = "urearapetsu.com" ascii
+ $c2_902 = "usa.got-game.org" ascii
+ $c2_903 = "usa.itsaol.com" ascii
+ $c2_904 = "usa.japanteam.org" ascii
+ $c2_905 = "usffunicef.com" ascii
+ $c2_906 = "usmirocomney.net" ascii
+ $c2_907 = "usrobothome.com" ascii
+ $c2_908 = "usyahooapis.com" ascii
+ $c2_909 = "uu.logon-live.com" ascii
+ $c2_910 = "uu.niushenghuo.info" ascii
+ $c2_911 = "ux.niushenghuo.info" ascii
+ $c2_912 = "v4.appledownload.ourhobby.com" ascii
+ $c2_913 = "v4.itunesmusic.jkub.com" ascii
+ $c2_914 = "v4.microsoftmusic.onedumb.com" ascii
+ $c2_915 = "v4.microsoftupdate.mrbasic.com" ascii
+ $c2_916 = "v4.windowsupdate.DEDGESUITE.NET" ascii
+ $c2_917 = "v4.windowsupdate.authorizeddns.org" ascii
+ $c2_918 = "v4.windowsupdate.dnset.com" ascii
+ $c2_919 = "v4.windowsupdate.itsaol.com" ascii
+ $c2_920 = "v4.windowsupdate.lflinkup.com" ascii
+ $c2_921 = "v4.windowsupdate.mrface.com" ascii
+ $c2_922 = "v4.windowsupdate.nsatcdns.com" ascii
+ $c2_923 = "v4.windowsupdate.x24hr.com" ascii
+ $c2_924 = "v4.windowsupdates.dnsrd.com" ascii
+ $c2_925 = "veryhuai.info" ascii
+ $c2_926 = "video.vmdnsup.org" ascii
+ $c2_927 = "vmdnsup.org" ascii
+ $c2_929 = "vmyiersend.WEBSAGO.INFO" ascii
+ $c2_930 = "vmyisan.website0012.net" ascii
+ $c2_932 = "wchildress.com" ascii
+ $c2_934 = "wcxh.mynetav.net" ascii
+ $c2_935 = "wdsupdates.com" ascii
+ $c2_936 = "webbooting.com" ascii
+ $c2_937 = "webdirectnews.dynamicdns.biz" ascii
+ $c2_938 = "webinfoseco.ygto.com" ascii
+ $c2_939 = "webmailentry.jetos.com" ascii
+ $c2_940 = "weboot.info" ascii
+ $c2_941 = "websago.info" ascii
+ $c2_942 = "websegoo.net" ascii
+ $c2_943 = "website0012.net" ascii
+ $c2_944 = "websiteboo.website0012.net" ascii
+ $c2_945 = "websqlnewsmanager.ninth.biz" ascii
+ $c2_946 = "webssl9.info" ascii
+ $c2_947 = "well.itsaol.com" ascii
+ $c2_948 = "well.mrbasic.com" ascii
+ $c2_949 = "whale.toshste.com" ascii
+ $c2_950 = "whellbuy.wschandler.com" ascii
+ $c2_951 = "whyis.haoyujd.info" ascii
+ $c2_952 = "wike.wikaba.com" ascii
+ $c2_953 = "windowfile.itemdb.com" ascii
+ $c2_954 = "windowsimages.itemdb.com" ascii
+ $c2_955 = "windowsimages.qhigh.com" ascii
+ $c2_956 = "windowsmirrors.vizvaz.com" ascii
+ $c2_957 = "windowsstores.gettrials.com" ascii
+ $c2_958 = "windowsstores.organiccrap.com" ascii
+ $c2_959 = "windowsupdate.2waky.com" ascii
+ $c2_960 = "windowsupdate.3-a.net" ascii
+ $c2_961 = "windowsupdate.acmetoy.com" ascii
+ $c2_962 = "windowsupdate.authorizeddns.net" ascii
+ $c2_963 = "windowsupdate.authorizeddns.org" ascii
+ $c2_964 = "windowsupdate.authorizeddns.us" ascii
+ $c2_965 = "windowsupdate.com.mwcname.com" ascii
+ $c2_966 = "windowsupdate.dedgesuite.net" ascii
+ $c2_967 = "windowsupdate.dns05.com" ascii
+ $c2_968 = "windowsupdate.dnset.com" ascii
+ $c2_969 = "windowsupdate.esmtp.biz" ascii
+ $c2_970 = "windowsupdate.ezua.com" ascii
+ $c2_971 = "windowsupdate.fartit.com" ascii
+ $c2_972 = "windowsupdate.gettrials.com" ascii
+ $c2_973 = "windowsupdate.instanthq.com" ascii
+ $c2_974 = "windowsupdate.itsaol.com" ascii
+ $c2_975 = "windowsupdate.jungleheart.com" ascii
+ $c2_976 = "windowsupdate.lflink.com" ascii
+ $c2_977 = "windowsupdate.mrface.com" ascii
+ $c2_978 = "windowsupdate.mylftv.com" ascii
+ $c2_979 = "windowsupdate.nsatcdns.com" ascii
+ $c2_980 = "windowsupdate.organiccrap.com" ascii
+ $c2_981 = "windowsupdate.rebatesrule.net" ascii
+ $c2_982 = "windowsupdate.sellclassics.com" ascii
+ $c2_983 = "windowsupdate.serveusers.com" ascii
+ $c2_984 = "windowsupdate.vizvaz.com" ascii
+ $c2_985 = "windowsupdate.wcwname.com" ascii
+ $c2_986 = "windowsupdate.x24hr.com" ascii
+ $c2_987 = "windowsupdate.ygto.com" ascii
+ $c2_988 = "windowsupdates.dnset.com" ascii
+ $c2_989 = "windowsupdates.ezua.com" ascii
+ $c2_990 = "windowsupdates.ikwb.com" ascii
+ $c2_991 = "windowsupdates.itemdb.com" ascii
+ $c2_992 = "windowsupdates.proxydns.com" ascii
+ $c2_993 = "workerisgood.com" ascii
+ $c2_994 = "woyaofanwen.com" ascii
+ $c2_995 = "wschandler.com" ascii
+ $c2_996 = "wthelpdesk.com" ascii
+ $c2_997 = "wubangtu.info" ascii
+ $c2_998 = "www-meti-go-jp.tyoto-go-jp.com" ascii
+ $c2_999 = "www.2014.zzux.com" ascii
+ $c2_1000 = "www.97sm.com" ascii
+ $c2_1001 = "www.9gowg.tech" ascii
+ $c2_1002 = "www.abdominal.faqserv.com" ascii
+ $c2_1003 = "www.additional.sexidude.com" ascii
+ $c2_1004 = "www.afc.https443.org" ascii
+ $c2_1005 = "www.androidmusicapp.onmypc.us" ascii
+ $c2_1006 = "www.announcements.toythieves.com" ascii
+ $c2_1007 = "www.anx-own-334.mrbasic.com" ascii
+ $c2_1008 = "www.apple.ikwb.com" ascii
+ $c2_1009 = "www.appledownload.ourhobby.com" ascii
+ $c2_1010 = "www.appleimages.itemdb.com" ascii
+ $c2_1011 = "www.appleimages.longmusic.com" ascii
+ $c2_1012 = "www.appleimages.organiccrap.com" ascii
+ $c2_1013 = "www.applejuice.itemdb.com" ascii
+ $c2_1014 = "www.applemirror.organiccrap.com" ascii
+ $c2_1015 = "www.applemirror.squirly.info" ascii
+ $c2_1016 = "www.applemusic.isasecret.com" ascii
+ $c2_1017 = "www.applemusic.itemdb.com" ascii
+ $c2_1018 = "www.applemusic.wikaba.com" ascii
+ $c2_1019 = "www.applemusic.xxuz.com" ascii
+ $c2_1020 = "www.applemusic.zzux.com" ascii
+ $c2_1021 = "www.appleupdate.itemdb.com" ascii
+ $c2_1022 = "www.appleupdateurl.2waky.com" ascii
+ $c2_1023 = "www.architectisusa.com" ascii
+ $c2_1024 = "www.army.xxuz.com" ascii
+ $c2_1025 = "www.art.p6p6.net" ascii
+ $c2_1026 = "www.asfzx.x24hr.com" ascii
+ $c2_1027 = "www.availab.wikaba.com" ascii
+ $c2_1028 = "www.availability.justdied.com" ascii
+ $c2_1029 = "www.babymusicsitetr.mymom.info" ascii
+ $c2_1030 = "www.back.jungleheart.com" ascii
+ $c2_1031 = "www.balance1.wikaba.com" ascii
+ $c2_1032 = "www.be.mrslove.com" ascii
+ $c2_1033 = "www.belowto.com" ascii
+ $c2_1034 = "www.billing.organiccrap.com" ascii
+ $c2_1035 = "www.blaaaaaaaaaaaa.windowsupdate.3-a.net" ascii
+ $c2_1036 = "www.brand.fartit.com" ascii
+ $c2_1037 = "www.bulletproof.squirly.info" ascii
+ $c2_1038 = "www.cabbage.iownyour.biz" ascii
+ $c2_1039 = "www.ccupdatedata.authorizeddns.net" ascii
+ $c2_1040 = "www.cdn.incloud-go.com" ascii
+ $c2_1041 = "www.center.shenajou.com" ascii
+ $c2_1042 = "www.chaindungeons.com" ascii
+ $c2_1043 = "www.cia.ezua.com" ascii
+ $c2_1044 = "www.cia.toh.info" ascii
+ $c2_1045 = "www.civilwar123.authorizeddns.org" ascii
+ $c2_1046 = "www.civilwar520.onmypc.org" ascii
+ $c2_1047 = "www.cloud-maste.com" ascii
+ $c2_1048 = "www.cnnews.mylftv.com" ascii
+ $c2_1049 = "www.commissioner.shenajou.com" ascii
+ $c2_1050 = "www.commons.onedumb.com" ascii
+ $c2_1051 = "www.contractus.qpoe.com" ascii
+ $c2_1052 = "www.corp-dnsonline.itsaol.com" ascii
+ $c2_1053 = "www.courier.jetos.com" ascii
+ $c2_1054 = "www.cress.mynetav.net" ascii
+ $c2_1055 = "www.ctdl.windowsupdate.nsatcdns.com" ascii
+ $c2_1056 = "www.ctldl.microsoftupdate.qhigh.com" ascii
+ $c2_1057 = "www.ctldl.windowsupdate.authorizeddns.us" ascii
+ $c2_1058 = "www.ctldl.windowsupdate.esmtp.biz" ascii
+ $c2_1059 = "www.ctldl.windowsupdate.mrface.com" ascii
+ $c2_1060 = "www.cwiinatonal.com" ascii
+ $c2_1061 = "www.dasoftactivemodule.toythieves.com" ascii
+ $c2_1062 = "www.dasonews.youdontcare.com" ascii
+ $c2_1063 = "www.daughter.vizvaz.com" ascii
+ $c2_1064 = "www.de.onmypc.info" ascii
+ $c2_1065 = "www.details.squirly.info" ascii
+ $c2_1066 = "www.development.shenajou.com" ascii
+ $c2_1067 = "www.devilcase.acmetoy.com" ascii
+ $c2_1068 = "www.disruptive.https443.net" ascii
+ $c2_1069 = "www.dns-hinettw.25u.com" ascii
+ $c2_1070 = "www.document.shenajou.com" ascii
+ $c2_1071 = "www.domainnow.yourtrap.com" ascii
+ $c2_1072 = "www.download.windowsupdate.nsatcdns.com" ascii
+ $c2_1073 = "www.ea.onmypc.info" ascii
+ $c2_1074 = "www.eddo.qpoe.com" ascii
+ $c2_1075 = "www.ehshiroshima.mylftv.com" ascii
+ $c2_1076 = "www.eric-averyanov.wha.la" ascii
+ $c2_1077 = "www.eu.acmetoy.com" ascii
+ $c2_1078 = "www.eu.wha.la" ascii
+ $c2_1079 = "www.express.lflinkup.com" ascii
+ $c2_1080 = "www.extraordinary.dynamic-dns.net" ascii
+ $c2_1081 = "www.f068v.site" ascii
+ $c2_1082 = "www.facefile.fartit.com" ascii
+ $c2_1083 = "www.fertile.authorizeddns.net" ascii
+ $c2_1084 = "www.file.zzux.com" ascii
+ $c2_1085 = "www.findme.epac.to" ascii
+ $c2_1086 = "www.fire.mrface.com" ascii
+ $c2_1087 = "www.firstnews.jkub.com" ascii
+ $c2_1088 = "www.fjs.wikaba.com" ascii
+ $c2_1089 = "www.foal.wchildress.com" ascii
+ $c2_1090 = "www.fr.wikaba.com" ascii
+ $c2_1091 = "www.freegamecenter.onedumb.com" ascii
+ $c2_1092 = "www.fruit.qhigh.com" ascii
+ $c2_1093 = "www.fuck.ikwb.com" ascii
+ $c2_1094 = "www.fuckmm.dns-dns.com" ascii
+ $c2_1095 = "www.fukuoka.cloud-maste.com" ascii
+ $c2_1096 = "www.g3ypf.online" ascii
+ $c2_1097 = "www.garlic.dyndns.pro" ascii
+ $c2_1098 = "www.generat.almostmy.com" ascii
+ $c2_1099 = "www.glicense.shenajou.com" ascii
+ $c2_1100 = "www.goldtoyota.com" ascii
+ $c2_1101 = "www.goodmusic.justdied.com" ascii
+ $c2_1102 = "www.gooesdataios.instanthq.com" ascii
+ $c2_1103 = "www.grammar.jkub.com" ascii
+ $c2_1104 = "www.helpus.ddns.info" ascii
+ $c2_1105 = "www.hii.qhigh.com" ascii
+ $c2_1106 = "www.hinetonlinedns.dns05.com" ascii
+ $c2_1107 = "www.incloud-go.com" ascii
+ $c2_1108 = "www.innocent-isayev.sexidude.com" ascii
+ $c2_1109 = "www.interpreter.shenajou.com" ascii
+ $c2_1110 = "www.invoices.sexxxy.biz" ascii
+ $c2_1111 = "www.iphone.vizvaz.com" ascii
+ $c2_1112 = "www.ipv4.microsoftupdate.mrbasic.com" ascii
+ $c2_1113 = "www.ipv4.windowsupdate.3-a.net" ascii
+ $c2_1114 = "www.ipv4.windowsupdate.esmtp.biz" ascii
+ $c2_1115 = "www.ipv4.windowsupdate.fartit.com" ascii
+ $c2_1116 = "www.ipv4.windowsupdate.lflink.com" ascii
+ $c2_1117 = "www.ipv4.windowsupdate.mrface.com" ascii
+ $c2_1118 = "www.ipv4.windowsupdate.mylftv.com" ascii
+ $c2_1119 = "www.ipv4.windowsupdate.nsatcdns.com" ascii
+ $c2_1120 = "www.itlans.isasecret.com" ascii
+ $c2_1121 = "www.itunesdownload.jkub.com" ascii
+ $c2_1122 = "www.itunesdownload.vizvaz.com" ascii
+ $c2_1123 = "www.itunesdownload.wikaba.com" ascii
+ $c2_1124 = "www.itunesimages.itemdb.com" ascii
+ $c2_1125 = "www.itunesimages.itsaol.com" ascii
+ $c2_1126 = "www.itunesimages.qpoe.com" ascii
+ $c2_1127 = "www.itunesmirror.fartit.com" ascii
+ $c2_1128 = "www.itunesmirror.itsaol.com" ascii
+ $c2_1129 = "www.itunesmusic.ikwb.com" ascii
+ $c2_1130 = "www.itunesmusic.jetos.com" ascii
+ $c2_1131 = "www.itunesmusic.jkub.com" ascii
+ $c2_1132 = "www.itunesmusic.zzux.com" ascii
+ $c2_1133 = "www.itunesupdate.itsaol.com" ascii
+ $c2_1134 = "www.itunesupdates.organiccrap.com" ascii
+ $c2_1135 = "www.japanenvnews.qpoe.com" ascii
+ $c2_1136 = "www.jd978.com" ascii
+ $c2_1137 = "www.jimin.jimindaddy.com" ascii
+ $c2_1138 = "www.jimin.mymom.info" ascii
+ $c2_1139 = "www.jp.serveuser.com" ascii
+ $c2_1140 = "www.jpnappstore.ourhobby.com" ascii
+ $c2_1141 = "www.jpnewslogs.sendsmtp.com" ascii
+ $c2_1142 = "www.jpnxzshopdata.authorizeddns.org" ascii
+ $c2_1143 = "www.kawasaki.cloud-maste.com" ascii
+ $c2_1144 = "www.kawasaki.unhamj.com" ascii
+ $c2_1145 = "www.key.zzux.com" ascii
+ $c2_1146 = "www.knowledge.sellclassics.com" ascii
+ $c2_1147 = "www.lan.dynssl.com" ascii
+ $c2_1148 = "www.last.p6p6.net" ascii
+ $c2_1149 = "www.latestnews.epac.to" ascii
+ $c2_1150 = "www.latestnews.organiccrap.com" ascii
+ $c2_1151 = "www.leedong.longmusic.com" ascii
+ $c2_1152 = "www.leeks.mrbonus.com" ascii
+ $c2_1153 = "www.liberty.acmetoy.com" ascii
+ $c2_1154 = "www.license.shenajou.com" ascii
+ $c2_1155 = "www.lion.wchildress.com" ascii
+ $c2_1156 = "www.loveddos.com" ascii
+ $c2_1157 = "www.macfee.mrface.com" ascii
+ $c2_1158 = "www.macforlinux.net" ascii
+ $c2_1159 = "www.maffc.mrface.com" ascii
+ $c2_1160 = "www.malware.dsmtp.com" ascii
+ $c2_1161 = "www.manager.jetos.com" ascii
+ $c2_1162 = "www.markabcinfo.dynamicdns.me.uk" ascii
+ $c2_1163 = "www.mason.vizvaz.com" ascii
+ $c2_1164 = "www.mediapath.organiccrap.com" ascii
+ $c2_1165 = "www.meiji-ac-jp.com" ascii
+ $c2_1166 = "www.messagea.emailfound.info" ascii
+ $c2_1167 = "www.microsoft.got-game.org" ascii
+ $c2_1168 = "www.microsoft.mrface.com" ascii
+ $c2_1169 = "www.microsoftempowering.sendsmtp.com" ascii
+ $c2_1170 = "www.microsoftgame.mrface.com" ascii
+ $c2_1171 = "www.microsoftgetstarted.sexidude.com" ascii
+ $c2_1172 = "www.microsoftimages.organiccrap.com" ascii
+ $c2_1173 = "www.microsoftmirror.mrbasic.com" ascii
+ $c2_1174 = "www.microsoftmusic.itemdb.com" ascii
+ $c2_1175 = "www.microsoftmusic.mrbasic.com" ascii
+ $c2_1176 = "www.microsoftqckmanager.pcanywhere.net" ascii
+ $c2_1177 = "www.microsoftupdate.mrbasic.com" ascii
+ $c2_1178 = "www.microsoftupdate.qhigh.com" ascii
+ $c2_1179 = "www.micrsoftware.dsmtp.com" ascii
+ $c2_1180 = "www.mircsoft.compress.to" ascii
+ $c2_1181 = "www.mmy.ddns.us" ascii
+ $c2_1182 = "www.mod.jetos.com" ascii
+ $c2_1183 = "www.mofa.dynamic-dns.net" ascii
+ $c2_1184 = "www.mofa.ns01.info" ascii
+ $c2_1185 = "www.moonnightthse.zyns.com" ascii
+ $c2_1186 = "www.moscowdic.trickip.org" ascii
+ $c2_1187 = "www.moscowstdsupdate.toythieves.com" ascii
+ $c2_1188 = "www.mseupdate.ourhobby.com" ascii
+ $c2_1189 = "www.msg.ezua.com" ascii
+ $c2_1190 = "www.msn.incloud-go.com" ascii
+ $c2_1191 = "www.musicfile.ikwb.com" ascii
+ $c2_1192 = "www.musicjj.zzux.com" ascii
+ $c2_1193 = "www.musicsecph.squirly.info" ascii
+ $c2_1194 = "www.mymusicbox.lflinkup.org" ascii
+ $c2_1195 = "www.mymusicbox.vizvaz.com" ascii
+ $c2_1196 = "www.myrestroomimage.isasecret.com" ascii
+ $c2_1197 = "www.mytwhomeinst.sendsmtp.com" ascii
+ $c2_1198 = "www.myurinikoreaaps.ninth.biz" ascii
+ $c2_1199 = "www.na.americanunfinished.com" ascii
+ $c2_1200 = "www.na.onmypc.org" ascii
+ $c2_1201 = "www.networkjpnzee.mynetav.org" ascii
+ $c2_1202 = "www.newcityoforward.rebatesrule.net" ascii
+ $c2_1203 = "www.newdnssec-info.4mydomain.com" ascii
+ $c2_1204 = "www.newsdata.jkub.com" ascii
+ $c2_1205 = "www.newsfile.toythieves.com" ascii
+ $c2_1206 = "www.newsroom.cleansite.info" ascii
+ $c2_1207 = "www.nlddnsinfo.https443.org" ascii
+ $c2_1208 = "www.no.authorizeddns.org" ascii
+ $c2_1209 = "www.nposnewsinfo.qhigh.com" ascii
+ $c2_1210 = "www.nsa.mefound.com" ascii
+ $c2_1211 = "www.nt.mynumber.org" ascii
+ $c2_1212 = "www.nttdata.otzo.com" ascii
+ $c2_1213 = "www.nuisance.serveusers.com" ascii
+ $c2_1214 = "www.nz.compress.to" ascii
+ $c2_1215 = "www.ol.almostmy.com" ascii
+ $c2_1216 = "www.oldbmwy.com" ascii
+ $c2_1217 = "www.onion.jkub.com" ascii
+ $c2_1218 = "www.onlinednsserver.sendsmtp.com" ascii
+ $c2_1219 = "www.oracleupdate.dns04.com" ascii
+ $c2_1220 = "www.oyster.jkub.com" ascii
+ $c2_1221 = "www.p6p6.net" ascii
+ $c2_1222 = "www.packetsdsquery.dns05.com" ascii
+ $c2_1223 = "www.pepper.sexxxy.biz" ascii
+ $c2_1224 = "www.phptecinfohelp.itemdb.com" ascii
+ $c2_1225 = "www.pickled.myddns.com" ascii
+ $c2_1226 = "www.polopurple.com" ascii
+ $c2_1227 = "www.portal.mrface.com" ascii
+ $c2_1228 = "www.portal.sendsmtp.com" ascii
+ $c2_1229 = "www.portalser.dynamic-dns.net" ascii
+ $c2_1230 = "www.praskovya-matveyeva.mefound.com" ascii
+ $c2_1231 = "www.praskovya-ulyanova.dumb1.com" ascii
+ $c2_1232 = "www.products.almostmy.com" ascii
+ $c2_1233 = "www.products.cleansite.us" ascii
+ $c2_1234 = "www.products.serveuser.com" ascii
+ $c2_1235 = "www.purchase.lflinkup.org" ascii
+ $c2_1236 = "www.rainbow.mypop3.org" ascii
+ $c2_1237 = "www.re26.com" ascii
+ $c2_1238 = "www.read.xxuz.com" ascii
+ $c2_1239 = "www.recent.dns-stuff.com" ascii
+ $c2_1240 = "www.recent.fartit.com" ascii
+ $c2_1241 = "www.redflower.isasecret.com" ascii
+ $c2_1242 = "www.referred.gr8domain.biz" ascii
+ $c2_1243 = "www.referred.yourtrap.com" ascii
+ $c2_1244 = "www.register.ourhobby.com" ascii
+ $c2_1245 = "www.registration2.instanthq.com" ascii
+ $c2_1246 = "www.registrations.4pu.com" ascii
+ $c2_1247 = "www.registrations.organiccrap.com" ascii
+ $c2_1248 = "www.remeberdata.iownyour.org" ascii
+ $c2_1249 = "www.reserveds.onedumb.com" ascii
+ $c2_1250 = "www.rethem.almostmy.com" ascii
+ $c2_1251 = "www.rg197.win" ascii
+ $c2_1252 = "www.sakai.unhamj.com" ascii
+ $c2_1253 = "www.sapporo.cloud-maste.com" ascii
+ $c2_1254 = "www.sauerkraut.sellclassics.com" ascii
+ $c2_1255 = "www.saverd.re26.com" ascii
+ $c2_1256 = "www.sbuudd.webssl9.info" ascii
+ $c2_1257 = "www.sdmsg.onmypc.org" ascii
+ $c2_1258 = "www.se.toythieves.com" ascii
+ $c2_1259 = "www.secertnews.mrbasic.com" ascii
+ $c2_1260 = "www.secnetshit.com" ascii
+ $c2_1261 = "www.secserverupdate.toh.info" ascii
+ $c2_1262 = "www.senseye.ikwb.com" ascii
+ $c2_1263 = "www.senseye.mrbonus.com" ascii
+ $c2_1264 = "www.septdlluckysystem.jungleheart.com" ascii
+ $c2_1265 = "www.seraphim-yurieva.justdied.com" ascii
+ $c2_1266 = "www.serv.justdied.com" ascii
+ $c2_1267 = "www.server1.proxydns.com" ascii
+ $c2_1268 = "www.seyesb.acmetoy.com" ascii
+ $c2_1269 = "www.showy.almostmy.com" ascii
+ $c2_1270 = "www.shugiin.jkub.com" ascii
+ $c2_1271 = "www.sindeali.com" ascii
+ $c2_1272 = "www.singed.otzo.com" ascii
+ $c2_1273 = "www.sojourner.mypicture.info" ascii
+ $c2_1274 = "www.sstday.jkub.com" ascii
+ $c2_1275 = "www.support1.mrface.com" ascii
+ $c2_1276 = "www.supportus.mefound.com" ascii
+ $c2_1277 = "www.svc.dynssl.com" ascii
+ $c2_1278 = "www.sweetheart.sexxxy.biz" ascii
+ $c2_1279 = "www.synssl.dnset.com" ascii
+ $c2_1280 = "www.tamraj.fartit.com" ascii
+ $c2_1281 = "www.telegraph.mefound.com" ascii
+ $c2_1282 = "www.tfa.longmusic.com" ascii
+ $c2_1283 = "www.thunder.wikaba.com" ascii
+ $c2_1284 = "www.ticket.instanthq.com" ascii
+ $c2_1285 = "www.ticket.serveuser.com" ascii
+ $c2_1286 = "www.tisupdateinfo.faqserv.com" ascii
+ $c2_1287 = "www.tokyofile.2waky.com" ascii
+ $c2_1288 = "www.tophost.dynamicdns.co.uk" ascii
+ $c2_1289 = "www.transfer.lflinkup.org" ascii
+ $c2_1290 = "www.transfer.mrbasic.com" ascii
+ $c2_1291 = "www.transfer.vizvaz.com" ascii
+ $c2_1292 = "www.twgovernmentinfo.acmetoy.com" ascii
+ $c2_1293 = "www.twsslpopservupro.dynssl.com" ascii
+ $c2_1294 = "www.ugreen.itemdb.com" ascii
+ $c2_1295 = "www.uk.dynamicdns.org.uk" ascii
+ $c2_1296 = "www.un.ddns.info" ascii
+ $c2_1297 = "www.un.dnsrd.com" ascii
+ $c2_1298 = "www.unhamj.com" ascii
+ $c2_1299 = "www.usa.itsaol.com" ascii
+ $c2_1300 = "www.usffunicef.com" ascii
+ $c2_1301 = "www.usliveupdateonline.ygto.com" ascii
+ $c2_1302 = "www.ut-portal-u-tokyo-ac-jp.tyoto-go-jp.com" ascii
+ $c2_1303 = "www.v4.windowsupdate.mrface.com" ascii
+ $c2_1304 = "www.v4.windowsupdate.nsatcdns.com" ascii
+ $c2_1305 = "www.vmmini.com" ascii
+ $c2_1306 = "www.wchildress.com" ascii
+ $c2_1307 = "www.webdirectnews.dynamicdns.biz" ascii
+ $c2_1308 = "www.webmailentry.jetos.com" ascii
+ $c2_1309 = "www.websqlnewsmanager.ninth.biz" ascii
+ $c2_1310 = "www.well.itsaol.com" ascii
+ $c2_1311 = "www.well.mrbasic.com" ascii
+ $c2_1312 = "www.windowfile.itemdb.com" ascii
+ $c2_1313 = "www.windowsimages.itemdb.com" ascii
+ $c2_1314 = "www.windowsimages.qhigh.com" ascii
+ $c2_1315 = "www.windowsmirrors.vizvaz.com" ascii
+ $c2_1316 = "www.windowsupdate.2waky.com" ascii
+ $c2_1317 = "www.windowsupdate.3-a.net" ascii
+ $c2_1318 = "www.windowsupdate.acmetoy.com" ascii
+ $c2_1319 = "www.windowsupdate.authorizeddns.net" ascii
+ $c2_1320 = "www.windowsupdate.authorizeddns.org" ascii
+ $c2_1321 = "www.windowsupdate.authorizeddns.us" ascii
+ $c2_1322 = "www.windowsupdate.dns05.com" ascii
+ $c2_1323 = "www.windowsupdate.dnset.com" ascii
+ $c2_1324 = "www.windowsupdate.esmtp.biz" ascii
+ $c2_1325 = "www.windowsupdate.ezua.com" ascii
+ $c2_1326 = "www.windowsupdate.fartit.com" ascii
+ $c2_1327 = "www.windowsupdate.gettrials.com" ascii
+ $c2_1328 = "www.windowsupdate.instanthq.com" ascii
+ $c2_1329 = "www.windowsupdate.itsaol.com" ascii
+ $c2_1330 = "www.windowsupdate.jungleheart.com" ascii
+ $c2_1331 = "www.windowsupdate.lflink.com" ascii
+ $c2_1332 = "www.windowsupdate.mrface.com" ascii
+ $c2_1333 = "www.windowsupdate.mylftv.com" ascii
+ $c2_1334 = "www.windowsupdate.nsatcdns.com" ascii
+ $c2_1335 = "www.windowsupdate.organiccrap.com" ascii
+ $c2_1336 = "www.windowsupdate.rebatesrule.net" ascii
+ $c2_1337 = "www.windowsupdate.sellclassics.com" ascii
+ $c2_1338 = "www.windowsupdate.serveusers.com" ascii
+ $c2_1339 = "www.windowsupdate.x24hr.com" ascii
+ $c2_1340 = "www.yahoo.incloud-go.com" ascii
+ $c2_1341 = "www.yandexr.sellclassics.com" ascii
+ $c2_1342 = "www.yeahyeahyeahs.3322.org" ascii
+ $c2_1343 = "www.yokohamajpinstaz.mrbonus.com" ascii
+ $c2_1344 = "www.zaigawebinfo.rebatesrule.net" ascii
+ $c2_1345 = "www.zebra.incloud-go.com" ascii
+ $c2_1346 = "www2.qpoe.com" ascii
+ $c2_1347 = "www2.zyns.com" ascii
+ $c2_1348 = "www2.zzux.com" ascii
+ $c2_1349 = "x7.usyahooapis.com" ascii
+ $c2_1350 = "xi.dyndns.pro" ascii
+ $c2_1351 = "xi.sexxxy.biz" ascii
+ $c2_1352 = "xread10821.9966.org" ascii
+ $c2_1353 = "xsince.tk" ascii
+ $c2_1354 = "xt.dnset.com" ascii
+ $c2_1355 = "xyrn998754.2288.org" ascii
+ $c2_1356 = "yahoo.incloud-go.com" ascii
+ $c2_1357 = "yallago.cu.cc" ascii
+ $c2_1358 = "yandexr.sellclassics.com" ascii
+ $c2_1359 = "yeahyeahyeahs.3322.org" ascii
+ $c2_1360 = "yeap1.jumpingcrab.com" ascii
+ $c2_1361 = "yfrfyhf.youdontcare.com" ascii
+ $c2_1362 = "yo.acmetoy.com" ascii
+ $c2_1363 = "za.myftp.info" ascii
+ $c2_1364 = "zabbix.servercontrols.pw" ascii
+ $c2_1365 = "zaigawebinfo.rebatesrule.net" ascii
+ $c2_1367 = "zebra.UsFfUnicef.com" ascii
+ $c2_1368 = "zebra.bdoncloud.com" ascii
+ $c2_1369 = "zebra.incloud-go.com" ascii
+ $c2_1370 = "zebra.unhamj.com" ascii
+ $c2_1371 = "zebra.wthelpdesk.com" ascii
+ $c2_1372 = "zero.pcanywhere.net" ascii
+ $c2_1373 = "zg.ns02.biz" ascii
+ $c2_1374 = "zone.demoones.com" ascii
+ condition:
+ 1 of ($c2_*)
+}
+*/
+
+rule APT_APT10_Malware_Imphash_Dec18_1 {
+ meta:
+ description = "Detects APT10 malware based on ImpHashes"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "AlienVault OTX IOCs - statistical sample analysis"
+ date = "2018-12-28"
+ id = "2de195a3-63a4-50ac-a83d-ab0db0f784bf"
+ condition:
+ uint16(0) == 0x5a4d and filesize < 6000KB and (
+ pe.imphash() == "0556ff5e5f8744bff47d4921494ba46d" or
+ pe.imphash() == "cb1194123f68a68eb14552c085b620ce" or
+ pe.imphash() == "efad9ff8c0d2a6419bf1dd970bcd806d" or
+ pe.imphash() == "7a861cd9c495e1d950a43cb708a22985" or
+ pe.imphash() == "a5d0545030be75a421529c2b0be6c4bd" or
+ pe.imphash() == "94491f4a812b0297419dc888aa4fd2a5"
+ )
+}
diff --git a/yara-Neo23x0/apt_apt10_redleaves.yar b/yara-Neo23x0/apt_apt10_redleaves.yar
new file mode 100644
index 0000000..3b163d3
--- /dev/null
+++ b/yara-Neo23x0/apt_apt10_redleaves.yar
@@ -0,0 +1,48 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2018-05-01
+ Identifier: APT10 / Hogfish Report
+ Reference: https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule MAL_Hogfish_Report_Related_Sample {
+ meta:
+ description = "Detects APT10 / Hogfish related samples"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
+ date = "2018-05-01"
+ hash1 = "f9acc706d7bec10f88f9cfbbdf80df0d85331bd4c3c0188e4d002d6929fe4eac"
+ hash2 = "7188f76ca5fbc6e57d23ba97655b293d5356933e2ab5261e423b3f205fe305ee"
+ hash3 = "4de5a22cd798950a69318fdcc1ec59e9a456b4e572c2d3ac4788ee96a4070262"
+ id = "7fc4fdda-b71f-5c9c-87a4-5d8290b99348"
+ strings:
+ $s1 = "R=user32.dll" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 1000KB and (
+ pe.imphash() == "efad9ff8c0d2a6419bf1dd970bcd806d" or
+ 1 of them
+ )
+}
+
+rule MAL_RedLeaves_Apr18_1 {
+ meta:
+ description = "Detects RedLeaves malware"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf"
+ date = "2018-05-01"
+ hash1 = "f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b"
+ hash2 = "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d"
+ hash3 = "d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1"
+ id = "578b40d7-6818-56d5-92ce-535141c0aa8e"
+ condition:
+ uint16(0) == 0x5a4d and filesize < 1000KB and (
+ pe.imphash() == "7a861cd9c495e1d950a43cb708a22985" or
+ pe.imphash() == "566a7a4ef613a797389b570f8b4f79df"
+ )
+}
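Review bot: `MAL_RedLeaves_Apr18_1` matches on `pe.imphash()` alone, and an import hash is shared by every binary with the same import table, so a hit is weaker evidence than the rule name suggests. Its first value and the one in `MAL_Hogfish_Report_Related_Sample` also appear in `APT_APT10_Malware_Imphash_Dec18_1` in apt_apt10.yar, so one sample will fire two rules. I would add a comment above the condition such as `// imphash-only match: confirm against hash1..hash3 before escalating`. The same applies to `APT12_Malware_Aug17` in apt_apt12_malware.yar, which also has no `filesize` bound. `MAL_RedLeaves_Apr18_1` is also missing the `license` meta line its sibling carries.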
diff --git a/yara-Neo23x0/apt_apt12_malware.yar b/yara-Neo23x0/apt_apt12_malware.yar
new file mode 100644
index 0000000..d8d7f79
--- /dev/null
+++ b/yara-Neo23x0/apt_apt12_malware.yar
@@ -0,0 +1,25 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2017-08-30
+ Identifier: APT 12 Japanese Incident
+ Reference: http://blog.macnica.net/blog/2017/08/post-fb81.html
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule APT12_Malware_Aug17 {
+ meta:
+ description = "Detects APT 12 Malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "http://blog.macnica.net/blog/2017/08/post-fb81.html"
+ date = "2017-08-30"
+ hash1 = "dc7521c00ec2534cf494c0263ddf67ea4ba9915eb17bdc0b3ebe9e840ec63643"
+ hash2 = "42da51b69bd6625244921a4eef9a2a10153e012a3213e8e9877cf831aea3eced"
+ id = "6c9cd68f-b839-5c99-a9f5-14c2d8a28bec"
+ condition:
+ ( uint16(0) == 0x5a4d and pe.imphash() == "9ba915fd04f248ad62e856c7238c0264" )
+}
diff --git a/yara-Neo23x0/apt_apt15.yar b/yara-Neo23x0/apt_apt15.yar
new file mode 100644
index 0000000..cd95357
--- /dev/null
+++ b/yara-Neo23x0/apt_apt15.yar
@@ -0,0 +1,307 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2018-03-10
+ Identifier: APT15 Report
+ Reference: https://goo.gl/HZ5XMN
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule APT15_Malware_Mar18_RoyalCli {
+ meta:
+ description = "Detects malware from APT 15 report by NCC Group"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/HZ5XMN"
+ date = "2018-03-10"
+ hash1 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
+ id = "165bfa6c-1a8d-5628-8c35-da4e4a2ae04f"
+ strings:
+ $s1 = "\\Release\\RoyalCli.pdb" ascii
+ $s2 = "%snewcmd.exe" fullword ascii
+ $s3 = "Run cmd error %d" fullword ascii
+ $s4 = "%s~clitemp%08x.ini" fullword ascii
+ $s5 = "run file failed" fullword ascii
+ $s6 = "Cmd timeout %d" fullword ascii
+ $s7 = "2 %s %d 0 %d" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and 2 of them
+}
+
+rule APT15_Malware_Mar18_RoyalDNS {
+ meta:
+ description = "Detects malware from APT 15 report by NCC Group"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/HZ5XMN"
+ date = "2018-03-10"
+ hash1 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
+ id = "c2f519db-2750-53ce-ae18-697ea041faaf"
+ strings:
+ $x1 = "del c:\\windows\\temp\\r.exe /f /q" fullword ascii
+ $x2 = "%s\\r.exe" fullword ascii
+
+ $s1 = "rights.dll" fullword ascii
+ $s2 = "\"%s\">>\"%s\"\\s.txt" fullword ascii
+ $s3 = "Nwsapagent" fullword ascii
+ $s4 = "%s\\r.bat" fullword ascii
+ $s5 = "%s\\s.txt" fullword ascii
+ $s6 = "runexe" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and (
+ ( pe.exports("RunInstallA") and pe.exports("RunUninstallA") ) or
+ 1 of ($x*) or
+ 2 of them
+ )
+}
+
+rule APT15_Malware_Mar18_BS2005 {
+ meta:
+ description = "Detects malware from APT 15 report by NCC Group"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/HZ5XMN"
+ date = "2018-03-10"
+ hash1 = "750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b"
+ id = "700bbe14-d79e-5a35-aab3-31eacd5bd950"
+ strings:
+ $x1 = "AAAAKQAASCMAABi+AABnhEBj8vep7VRoAEPRWLweGc0/eiDrXGajJXRxbXsTXAcZAABK4QAAPWwAACzWAAByrg==" fullword ascii
+ $x2 = "AAAAKQAASCMAABi+AABnhKv3kXJJousn5YzkjGF46eE3G8ZGse4B9uoqJo8Q2oF0AABK4QAAPWwAACzWAAByrg==" fullword ascii
+
+ $a1 = "http://%s/content.html?id=%s" fullword ascii
+ $a2 = "http://%s/main.php?ssid=%s" fullword ascii
+ $a3 = "http://%s/webmail.php?id=%s" fullword ascii
+ $a9 = "http://%s/error.html?tab=%s" fullword ascii
+
+ $s1 = "%s\\~tmp.txt" fullword ascii
+ $s2 = "%s /C %s >>\"%s\" 2>&1" fullword ascii
+ $s3 = "DisableFirstRunCustomize" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 200KB and (
+ 1 of ($x*) or
+ 2 of them
+ )
+}
+
+rule APT15_Malware_Mar18_MSExchangeTool {
+ meta:
+ description = "Detects malware from APT 15 report by NCC Group"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/HZ5XMN"
+ date = "2018-03-10"
+ hash1 = "16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce"
+ id = "81b826b6-8c2e-5a8a-a626-9515d40dbbb0"
+ strings:
+ $s1 = "\\Release\\EWSTEW.pdb" ascii
+ $s2 = "EWSTEW.exe" fullword wide
+ $s3 = "Microsoft.Exchange.WebServices.Data" fullword ascii
+ $s4 = "tmp.dat" fullword wide
+ $s6 = "/v or /t is null" fullword wide
+ condition:
+ uint16(0) == 0x5a4d and filesize < 40KB and all of them
+}
+
+/*
+ Identifier: APT15 = Mirage = Ke3chang
+ Author: NCCGroup
+ Revised by Florian Roth for performance reasons
+ see https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
+ > some rules were untightened
+ Date: 2018-03-09
+ Reference: https://github.com/nccgroup/Royal_APT/blob/master/signatures/apt15.yara
+*/
+
+rule clean_apt15_patchedcmd{
+ meta:
+ author = "Ahmed Zaki"
+ description = "This is a patched CMD. This is the CMD that RoyalCli uses."
+ sha256 = "90d1f65cfa51da07e040e066d4409dc8a48c1ab451542c894a623bc75c14bf8f"
+ id = "c6867ad4-f7f2-5d63-bffd-07599ede635d"
+ strings:
+ $ = "eisableCMD" wide
+ $ = "%WINDOWS_COPYRIGHT%" wide
+ $ = "Cmd.Exe" wide
+ $ = "Windows Command Processor" wide
+ condition:
+ uint16(0) == 0x5A4D and all of them
+}
+
+rule malware_apt15_royalcli_1{
+ meta:
+ description = "Generic strings found in the Royal CLI tool"
+ author = "David Cannings"
+ sha256 = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
+ id = "432c09bf-3c44-5a2c-ba69-7b4fe7eb43cc"
+ strings:
+ $ = "%s~clitemp%08x.tmp" fullword
+ $ = "%s /c %s>%s" fullword
+ $ = "%snewcmd.exe" fullword
+ $ = "%shkcmd.exe" fullword
+ $ = "%s~clitemp%08x.ini" fullword
+ $ = "myRObject" fullword
+ $ = "myWObject" fullword
+ $ = "2 %s %d 0 %d\x0D\x0A"
+ $ = "2 %s %d 1 %d\x0D\x0A"
+ $ = "%s file not exist" fullword
+ condition:
+ uint16(0) == 0x5A4D and 5 of them
+}
+
+rule malware_apt15_royalcli_2{
+ meta:
+ author = "Nikolaos Pantazopoulos"
+ description = "APT15 RoyalCli backdoor"
+ id = "d4acfd2d-385d-5063-898e-d339b50733eb"
+ strings:
+ $string1 = "%shkcmd.exe" fullword
+ $string2 = "myRObject" fullword
+ $string3 = "%snewcmd.exe" fullword
+ $string4 = "%s~clitemp%08x.tmp" fullword
+ $string6 = "myWObject" fullword
+ condition:
+ uint16(0) == 0x5A4D and 2 of them
+}
+
+/*
+rule malware_apt15_bs2005{
+ meta:
+ author = "Ahmed Zaki"
+ md5 = "ed21ce2beee56f0a0b1c5a62a80c128b"
+ description = "APT15 bs2005"
+ strings:
+ $ = "%s&%s&%s&%s" wide ascii
+ $ = "%s\\%s" wide ascii fullword
+ $ = "WarOnPostRedirect" wide ascii fullword
+ $ = "WarnonZoneCrossing" wide ascii fullword
+ $ = "^^^^^" wide ascii fullword
+ $ = /"?%s\s*"?\s*\/C\s*"?%s\s*>\s*\\?"?%s\\(\w+\.\w+)?"\s*2>&1\s*"?/
+ $ ="IEharden" wide ascii fullword
+ $ ="DEPOff" wide ascii fullword
+ $ ="ShownVerifyBalloon" wide ascii fullword
+ $ ="IEHardenIENoWarn" wide ascii fullword
+ condition:
+ ( uint16(0) == 0x5A4D and 5 of them ) or
+ ( uint16(0) == 0x5A4D and 3 of them and
+ ( pe.imports("advapi32.dll", "CryptDecrypt") and pe.imports("advapi32.dll", "CryptEncrypt") and
+ pe.imports("ole32.dll", "CoCreateInstance")
+ )
+ )
+}
+*/
+
+rule malware_apt15_royaldll {
+ meta:
+ author = "David Cannings"
+ description = "DLL implant, originally rights.dll and runs as a service"
+ sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
+ id = "26baef92-1055-56dc-b274-e2a6bc05d85b"
+ strings:
+ /*
+ 56 push esi
+ B8 A7 C6 67 4E mov eax, 4E67C6A7h
+ 83 C1 02 add ecx, 2
+ BA 04 00 00 00 mov edx, 4
+ 57 push edi
+ 90 nop
+ */
+ // JSHash implementation (Justin Sobel's hash algorithm)
+ $opcodes_jshash = { B8 A7 C6 67 4E 83 C1 02 BA 04 00 00 00 57 90 }
+
+ /*
+ 0F B6 1C 03 movzx ebx, byte ptr [ebx+eax]
+ 8B 55 08 mov edx, [ebp+arg_0]
+ 30 1C 17 xor [edi+edx], bl
+ 47 inc edi
+ 3B 7D 0C cmp edi, [ebp+arg_4]
+ 72 A4 jb short loc_10003F31
+ */
+ // Encode loop, used to "encrypt" data before DNS request
+ $opcodes_encode = { 0F B6 1C 03 8B 55 08 30 1C 17 47 3B 7D 0C }
+
+ /*
+ 68 88 13 00 00 push 5000 # Also seen 3000, included below
+ FF D6 call esi ; Sleep
+ 4F dec edi
+ 75 F6 jnz short loc_10001554
+ */
+ // Sleep loop
+ $opcodes_sleep_loop = { 68 (88|B8) (13|0B) 00 00 FF D6 4F 75 F6 }
+
+ // Generic strings
+ $ = "Nwsapagent" fullword
+ $ = "\"%s\">>\"%s\"\\s.txt"
+ $ = "myWObject" fullword
+ $ = "del c:\\windows\\temp\\r.exe /f /q"
+ $ = "del c:\\windows\\temp\\r.ini /f /q"
+
+ condition:
+ 3 of them
+}
+
+rule malware_apt15_royaldll_2 {
+ meta:
+ author = "Ahmed Zaki"
+ sha256 = "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
+ description = "DNS backdoor used by APT15"
+ id = "3bc546a5-38b9-5504-b09e-305ba7bbd6bc"
+ strings:
+ $= "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost" wide ascii
+ $= "netsvcs" wide ascii fullword
+ $= "%SystemRoot%\\System32\\svchost.exe -k netsvcs" wide ascii fullword
+ $= "SYSTEM\\CurrentControlSet\\Services\\" wide ascii
+ $= "myWObject" wide ascii
+ condition:
+ uint16(0) == 0x5A4D and all of them
+ and pe.exports("ServiceMain")
+ and filesize > 50KB and filesize < 600KB
+}
+
+rule malware_apt15_exchange_tool {
+ meta:
+ author = "Ahmed Zaki"
+ md5 = "d21a7e349e796064ce10f2f6ede31c71"
+ description = "This is a an exchange enumeration/hijacking tool used by an APT 15"
+ id = "f07b9537-0741-51c8-a9fa-836430fe4855"
+ strings:
+ $s1= "subjectname" fullword
+ $s2= "sendername" fullword
+ $s3= "WebCredentials" fullword
+ $s4= "ExchangeVersion" fullword
+ $s5= "ExchangeCredentials" fullword
+ $s6= "slfilename" fullword
+ $s7= "EnumMail" fullword
+ $s8= "EnumFolder" fullword
+ $s9= "set_Credentials" fullword
+ $s18 = "/v or /t is null" wide
+ $s24 = "2013sp1" wide
+ condition:
+ uint16(0) == 0x5A4D and all of them
+}
+
+rule malware_apt15_generic {
+ meta:
+ author = "David Cannings"
+ description = "Find generic data potentially relating to AP15 tools"
+ id = "4eb50731-22df-5f7a-bf5f-166ef84cf8b5"
+ strings:
+ // Appears to be from copy/paste code
+ $str01 = "myWObject" fullword
+ $str02 = "myRObject" fullword
+
+ /*
+ 6A 02 push 2 ; dwCreationDisposition
+ 6A 00 push 0 ; lpSecurityAttributes
+ 6A 00 push 0 ; dwShareMode
+ 68 00 00 00 C0 push 0C0000000h ; dwDesiredAccess
+ 50 push eax ; lpFileName
+ FF 15 44 F0 00 10 call ds:CreateFileA
+ */
+ // Arguments for CreateFileA
+ $opcodes01 = { 6A (02|03) 6A 00 6A 00 68 00 00 00 C0 50 FF 15 }
+ condition:
+ 2 of them
+}
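Review bot: `malware_apt15_generic` (`2 of them`) and `malware_apt15_royaldll` (`3 of them`) have no file-type or size gate, so they are evaluated against every scanned file and can match plain text. The strings `myWObject` and `myRObject` appear verbatim in this rule file, so scanning a tree that contains the uncompiled rules would flag apt_apt15.yar itself. If these rules are only meant for PE files on disk, the condition could read `uint16(0) == 0x5A4D and 2 of them`, as in `malware_apt15_royalcli_2`. If the missing gate is deliberate (for example for memory scanning), a comment saying so and a scanner exclusion for the rule directories would avoid the self-match. The description also has a typo, `AP15` for `APT15`.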
diff --git a/yara-Neo23x0/apt_apt17_mal_sep17.yar b/yara-Neo23x0/apt_apt17_mal_sep17.yar
new file mode 100644
index 0000000..8216068
--- /dev/null
+++ b/yara-Neo23x0/apt_apt17_mal_sep17.yar
@@ -0,0 +1,107 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2017-10-03
+ Identifier: APT17 Oct 10
+ Reference: https://goo.gl/puVc9q
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+import "pe"
+
+rule APT17_Malware_Oct17_1 {
+ meta:
+ description = "Detects APT17 malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/puVc9q"
+ date = "2017-10-03"
+ hash1 = "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83"
+ id = "457312d8-5bfe-5282-9ace-2f169278569c"
+ strings:
+ $s1 = "\\spool\\prtprocs\\w32x86\\localspl.dll" ascii
+ $s2 = "\\spool\\prtprocs\\x64\\localspl.dll" ascii
+ $s3 = "\\msvcrt.dll" ascii
+ $s4 = "\\TSMSISrv.dll" ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 500KB and all of them )
+}
+
+rule APT17_Malware_Oct17_2 {
+ meta:
+ description = "Detects APT17 malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/puVc9q"
+ date = "2017-10-03"
+ hash1 = "20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27"
+ id = "9f21514a-168b-5158-8322-60fa8499b11a"
+ strings:
+ $x1 = "Cookie: __xsptplus=%s" fullword ascii
+ $x2 = "http://services.fiveemotions.co.jp" fullword ascii
+ $x3 = "http://%s/ja-JP/2015/%d/%d/%d%d%d%d%d%d%d%d.gif" fullword ascii
+
+ $s1 = "FoxHTTPClient_EXE_x86.exe" fullword ascii
+ $s2 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.3072" ascii
+ $s3 = "hWritePipe2 Error:%d" fullword ascii
+ $s4 = "Not Support This Function!" fullword ascii
+ $s5 = "Global\\PnP_No_Management" fullword ascii
+ $s6 = "Content-Type: image/x-png" fullword ascii
+ $s7 = "Accept-Language: ja-JP" fullword ascii
+ $s8 = "IISCMD Error:%d" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and (
+ pe.exports("_foo@0") or
+ 1 of ($x*) or
+ 6 of them
+ )
+}
+
+rule APT17_Unsigned_Symantec_Binary_EFA {
+ meta:
+ description = "Detects APT17 malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/puVc9q"
+ date = "2017-10-03"
+ hash1 = "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f"
+ id = "56eec517-8b00-5cb5-9806-249e50f53b99"
+ strings:
+ $s1 = "Copyright (c) 2007 - 2011 Symantec Corporation" fullword wide
+ $s2 = "\\\\.\\SYMEFA" fullword wide
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 200KB and all of them and pe.number_of_signatures == 0 )
+}
+
+rule APT17_Malware_Oct17_Gen {
+ meta:
+ description = "Detects APT17 malware"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/puVc9q"
+ date = "2017-10-03"
+ hash1 = "0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2"
+ hash2 = "07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d"
+ hash3 = "ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550"
+ id = "c2156e68-d5b5-5bd7-858c-2d5e90199287"
+ strings:
+ $x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" fullword ascii
+ $x2 = "http://%s/imgres?q=A380&hl=en-US&sa=X&biw=1440&bih=809&tbm=isus&tbnid=aLW4-J8Q1lmYBM" ascii
+
+ $s1 = "hWritePipe2 Error:%d" fullword ascii
+ $s2 = "Not Support This Function!" fullword ascii
+ $s3 = "Cookie: SESSIONID=%s" fullword ascii
+ $s4 = "http://0.0.0.0/1" fullword ascii
+ $s5 = "Content-Type: image/x-png" fullword ascii
+ $s6 = "Accept-Language: en-US" fullword ascii
+ $s7 = "IISCMD Error:%d" fullword ascii
+ $s8 = "[IISEND=0x%08X][Recv:] 0x%08X %s" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 200KB and (
+ pe.imphash() == "414bbd566b700ea021cfae3ad8f4d9b9" or
+ 1 of ($x*) or
+ 6 of them
+ )
+ )
+}
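Review bot: In `APT17_Unsigned_Symantec_Binary_EFA`, `pe.number_of_signatures == 0` only checks that no Authenticode signature is embedded. As far as I know the pe module does not validate signatures at that point, so the rule says nothing about files carrying an invalid one. A comment above the condition would keep analysts from reading a non-match as "properly signed", e.g. `// counts embedded signatures only; signature validity is not checked here`. Separately, `pe.exports("_foo@0")` in `APT17_Malware_Oct17_2` is enough on its own for a match, which deserves a one-line comment on why that export name is considered distinctive.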
diff --git a/yara-Neo23x0/apt_apt17_malware.yar b/yara-Neo23x0/apt_apt17_malware.yar
new file mode 100644
index 0000000..bd40117
--- /dev/null
+++ b/yara-Neo23x0/apt_apt17_malware.yar
@@ -0,0 +1,36 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2015-05-14
+ Identifier: APT17
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule APT17_Sample_FXSST_DLL {
+ meta:
+ description = "Detects Samples related to APT17 activity - file FXSST.DLL"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/ZiJyQv"
+ date = "2015-05-14"
+ hash = "52f1add5ad28dc30f68afda5d41b354533d8bce3"
+ id = "e4b9b25e-8895-5ba5-b706-bfb6892c16ae"
+ strings:
+ $x1 = "Microsoft? Windows? Operating System" fullword wide
+ $x2 = "fxsst.dll" fullword ascii
+
+ $y1 = "DllRegisterServer" fullword ascii
+ $y2 = ".cSV" fullword ascii
+
+ $s1 = "GetLastActivePopup"
+ $s2 = "Sleep"
+ $s3 = "GetModuleFileName"
+ $s4 = "VirtualProtect"
+ $s5 = "HeapAlloc"
+ $s6 = "GetProcessHeap"
+ $s7 = "GetCommandLine"
+ condition:
+ uint16(0) == 0x5a4d and filesize < 800KB and
+ ( all of ($x*) or all of ($y*) ) and all of ($s*)
+}
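Review bot: `$x1 = "Microsoft? Windows? Operating System"` reads as if `?` were a wildcard, but in a YARA text string it is matched literally. The hunk does not show whether the sample really contains question marks or whether `®` characters were lost in an encoding conversion. A comment such as `// '?' is literal: text strings have no wildcards`, plus a note on which case applies, would document that. The `hash` value is 40 hex digits (SHA-1 length) while the other rule sets in this commit record SHA-256 under `hash1`, which matters if hashes are parsed from the meta section.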
diff --git a/yara-Neo23x0/apt_apt19.yar b/yara-Neo23x0/apt_apt19.yar
new file mode 100644
index 0000000..c527edd
--- /dev/null
+++ b/yara-Neo23x0/apt_apt19.yar
@@ -0,0 +1,69 @@
+
+/*
+ Yara Rule Set
+ Author: Ian.Ahl@fireeye.com @TekDefense, modified by Florian Roth
+ Date: 2017-06-05
+ Identifier: APT19
+ Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
+*/
+
+rule Beacon_K5om {
+ meta:
+ description = "Detects Meterpreter Beacon - file K5om.dll"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html"
+ date = "2017-06-07"
+ hash1 = "e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9"
+ id = "9354d20a-d798-55bf-a735-820f21d4a861"
+ strings:
+ $x1 = "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s" fullword ascii
+ $x2 = "powershell -nop -exec bypass -EncodedCommand \"%s\"" fullword ascii
+ $x3 = "%d is an x86 process (can't inject x64 content)" fullword ascii
+
+ $s1 = "Could not open process token: %d (%u)" fullword ascii
+ $s2 = "0fd00b.dll" fullword ascii
+ $s3 = "%s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s" fullword ascii
+ $s4 = "Could not connect to pipe (%s): %d" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 600KB and ( 1 of ($x*) or 3 of them ) )
+}
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule FE_LEGALSTRIKE_MACRO {
+ meta:
+ version=".1"
+ filetype="MACRO"
+ author="Ian.Ahl@fireeye.com @TekDefense - modified by Florian Roth"
+ date="2017-06-02"
+ description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
+ id = "eb15e5aa-16e5-5c07-a293-ad15c0c09d8e"
+ strings:
+ // OBSFUCATION
+ $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
+ // wscript
+ $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
+ $wsobj2 = "Obj.Run " ascii wide
+ condition:
+ all of them
+}
+
+rule FE_LEGALSTRIKE_RTF {
+ meta:
+ version=".1"
+ filetype="MACRO"
+ author="joshua.kim@FireEye. - modified by Florian Roth"
+ date="2017-06-02"
+ description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
+ id = "b62ceffa-445f-517e-b86b-56e47876c6c0"
+ strings:
+ $lnkinfo = "4c0069006e006b0049006e0066006f"
+ $encoded1 = "4f4c45324c696e6b"
+ $encoded2 = "52006f006f007400200045006e007400720079"
+ $encoded3 = "4f0062006a0049006e0066006f"
+ $encoded4 = "4f006c0065"
+ $datastore = "\\*\\datastore"
+ condition:
+ uint32be(0) == 0x7B5C7274 and all of them
+}
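Review bot: `FE_LEGALSTRIKE_RTF` declares `filetype="MACRO"` although its condition checks the RTF magic with `uint32be(0) == 0x7B5C7274`, so any triage or reporting that reads the `filetype` meta would mislabel hits. `filetype="RTF"` would match the condition. `FE_LEGALSTRIKE_MACRO` has no magic or `filesize` gate and is therefore evaluated on every scanned file. Both rules also lack the `license` and `reference` meta lines that `Beacon_K5om` carries in the same file.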
diff --git a/yara-Neo23x0/apt_apt27_hyperbro.yar b/yara-Neo23x0/apt_apt27_hyperbro.yar
new file mode 100644
index 0000000..9413f31
--- /dev/null
+++ b/yara-Neo23x0/apt_apt27_hyperbro.yar
@@ -0,0 +1,389 @@
+import "pe"
+
+rule APT_RU_APT27_HyperBro_Vftrace_Loader_Jan22_1 {
+ meta:
+ description = "Yara rule to detect first Hyperbro Loader Stage, often called vftrace.dll. Detects decoding function."
+ author = "Bundesamt fuer Verfassungsschutz (modified by Florian Roth)"
+ date = "2022-01-14"
+ sharing = "TLP:WHITE"
+ reference = "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf"
+ hash1 = "333B52C2CFAC56B86EE9D54AEF4F0FF4144528917BC1AA1FE1613EFC2318339A"
+ id = "b049e163-2694-5fb9-a3a3-98cc77bcd0ca"
+ strings:
+ $decoder_routine = { 8A ?? 41 10 00 00 8B ?? 28 ?? ?? 4? 3B ?? 72 ?? }
+ condition:
+ uint16(0) == 0x5a4d and
+ filesize < 5MB and
+ $decoder_routine and
+ pe.exports("D_C_Support_SetD_File")
+}
+
+rule APT_CN_APT27_Compromised_Certficate_Jan22_1 {
+ meta:
+ description = "Detects compromised certifcates used by APT27 malware"
+ author = "Florian Roth (Nextron Systems)"
+ date = "2022-01-29"
+ score = 80
+ reference = "https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2022-01-bfv-cyber-brief.pdf"
+ id = "f2f015af-219d-51ab-9529-01687a879ebb"
+ condition:
+ for any i in (0 .. pe.number_of_signatures) : (
+ pe.signatures[i].issuer contains "DigiCert SHA2 Assured ID Code Signing CA" and
+ pe.signatures[i].serial == "08:68:70:51:50:f1:cf:c1:fc:c3:fc:91:a4:49:49:a6"
+ )
+}
+rule HvS_APT27_HyperBro_Decrypted_Stage2 {
+ meta:
+ description = "HyperBro Stage 2 and compressed Stage 3 detection"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Moritz Oettle"
+ reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
+ date = "2022-02-07"
+ hash1 = "fc5a58bf0fce9cb96f35ee76842ff17816fe302e3164bc7c6a5ef46f6eff67ed"
+ id = "039e5d41-eadb-5c53-82cd-20ffd4105326"
+ strings:
+ $lznt1_compressed_pe_header_small = { FC B9 00 4D 5A 90 } // This is the lznt1 compressed PE header
+
+ $lznt1_compressed_pe_header_large_1 = { FC B9 00 4D 5A 90 00 03 00 00 00 82 04 00 30 FF FF 00 }
+ $lznt1_compressed_pe_header_large_2 = { 00 b8 00 38 0d 01 00 40 04 38 19 00 10 01 00 00 }
+ $lznt1_compressed_pe_header_large_3 = { 00 0e 1f ba 0e 00 b4 09 cd 00 21 b8 01 4c cd 21 }
+ $lznt1_compressed_pe_header_large_4 = { 54 68 00 69 73 20 70 72 6f 67 72 00 61 6d 20 63 }
+ $lznt1_compressed_pe_header_large_5 = { 61 6e 6e 6f 00 74 20 62 65 20 72 75 6e 00 20 69 }
+ $lznt1_compressed_pe_header_large_6 = { 6e 20 44 4f 53 20 00 6d 6f 64 65 2e 0d 0d 0a 02 }
+
+ condition:
+ filesize < 200KB and
+ ($lznt1_compressed_pe_header_small at 0x9ce) or (all of ($lznt1_compressed_pe_header_large_*))
+}
+
+rule HvS_APT27_HyperBro_Stage3 {
+ meta:
+ description = "HyperBro Stage 3 detection - also tested in memory"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Markus Poelloth"
+ reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
+ date = "2022-02-07"
+ modified = "2023-01-07"
+ hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
+ id = "b4002777-f129-5177-a8f1-690012a207fa"
+ strings:
+ $s1 = "\\cmd.exe /A" wide
+ $s2 = "vftrace.dll" fullword wide
+ $s3 = "msmpeng.exe" fullword wide
+ $s4 = "\\\\.\\pipe\\testpipe" fullword wide
+ $s5 = "thumb.dat" fullword wide
+
+ $g1 = "%s\\%d.exe" fullword wide
+ $g2 = "https://%s:%d/api/v2/ajax" fullword wide
+ $g3 = " -k networkservice" fullword wide
+ $g4 = " -k localservice" fullword wide
+
+ condition:
+ uint16(0) == 0x5a4d and filesize < 300KB and
+ (( 4 of ($s*) ) or (4 of ($g*)))
+}
+
+rule HvS_APT27_HyperBro_Stage3_C2 {
+ meta:
+ description = "HyperBro Stage 3 C2 path and user agent detection - also tested in memory"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Marc Stroebel"
+ reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
+ date = "2022-02-07"
+ hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
+ id = "d1fe03b9-440c-5127-9572-dddcd5c9966b"
+ strings:
+ $s1 = "api/v2/ajax" ascii wide nocase
+ $s2 = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36" ascii wide nocase
+ condition:
+ all of them
+}
+
+
+rule HvS_APT27_HyperBro_Stage3_Persistence {
+ meta:
+ description = "HyperBro Stage 3 registry keys for persistence"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Marko Dorfhuber"
+ reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
+ date = "2022-02-07"
+ hash1 = "624e85bd669b97bc55ed5c5ea5f6082a1d4900d235a5d2e2a5683a04e36213e8"
+ id = "2bb1d28b-5fc4-5f0b-b546-c8b8192b0d48"
+ strings:
+ $ = "SOFTWARE\\WOW6432Node\\Microsoft\\config_" ascii
+ $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\windefenders" ascii
+ condition:
+ 1 of them
+}
+
+
+rule HvS_APT27_HyperBro_Encrypted_Stage2 {
+ meta:
+ description = "HyperBro Encrypted Stage 2 detection. Looks for all possible one byte shifts of the lznt1 compressed PE header"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Moritz Oettle"
+ reference = "https://www.hvs-consulting.de/en/threat-intelligence-report-emissary-panda-apt27"
+ date = "2022-02-07"
+ hash1 = "fc5a58bf0fce9cb96f35ee76842ff17816fe302e3164bc7c6a5ef46f6eff67ed"
+ id = "fa4fe057-4c3f-5785-a8d3-588398360996"
+ strings:
+ $encrypted_pe_header_shift_0 = { fc b9 00 4d 5a 90 00 03 00 00 00 82 04 00 30 ff ff 00 }
+ $encrypted_pe_header_shift_1 = { fd ba 01 4e 5b 91 01 04 01 01 01 83 05 01 31 00 00 01 }
+ $encrypted_pe_header_shift_2 = { fe bb 02 4f 5c 92 02 05 02 02 02 84 06 02 32 01 01 02 }
+ $encrypted_pe_header_shift_3 = { ff bc 03 50 5d 93 03 06 03 03 03 85 07 03 33 02 02 03 }
+ $encrypted_pe_header_shift_4 = { 00 bd 04 51 5e 94 04 07 04 04 04 86 08 04 34 03 03 04 }
+ $encrypted_pe_header_shift_5 = { 01 be 05 52 5f 95 05 08 05 05 05 87 09 05 35 04 04 05 }
+ $encrypted_pe_header_shift_6 = { 02 bf 06 53 60 96 06 09 06 06 06 88 0a 06 36 05 05 06 }
+ $encrypted_pe_header_shift_7 = { 03 c0 07 54 61 97 07 0a 07 07 07 89 0b 07 37 06 06 07 }
+ $encrypted_pe_header_shift_8 = { 04 c1 08 55 62 98 08 0b 08 08 08 8a 0c 08 38 07 07 08 }
+ $encrypted_pe_header_shift_9 = { 05 c2 09 56 63 99 09 0c 09 09 09 8b 0d 09 39 08 08 09 }
+ $encrypted_pe_header_shift_10 = { 06 c3 0a 57 64 9a 0a 0d 0a 0a 0a 8c 0e 0a 3a 09 09 0a }
+ $encrypted_pe_header_shift_11 = { 07 c4 0b 58 65 9b 0b 0e 0b 0b 0b 8d 0f 0b 3b 0a 0a 0b }
+ $encrypted_pe_header_shift_12 = { 08 c5 0c 59 66 9c 0c 0f 0c 0c 0c 8e 10 0c 3c 0b 0b 0c }
+ $encrypted_pe_header_shift_13 = { 09 c6 0d 5a 67 9d 0d 10 0d 0d 0d 8f 11 0d 3d 0c 0c 0d }
+ $encrypted_pe_header_shift_14 = { 0a c7 0e 5b 68 9e 0e 11 0e 0e 0e 90 12 0e 3e 0d 0d 0e }
+ $encrypted_pe_header_shift_15 = { 0b c8 0f 5c 69 9f 0f 12 0f 0f 0f 91 13 0f 3f 0e 0e 0f }
+ $encrypted_pe_header_shift_16 = { 0c c9 10 5d 6a a0 10 13 10 10 10 92 14 10 40 0f 0f 10 }
+ $encrypted_pe_header_shift_17 = { 0d ca 11 5e 6b a1 11 14 11 11 11 93 15 11 41 10 10 11 }
+ $encrypted_pe_header_shift_18 = { 0e cb 12 5f 6c a2 12 15 12 12 12 94 16 12 42 11 11 12 }
+ $encrypted_pe_header_shift_19 = { 0f cc 13 60 6d a3 13 16 13 13 13 95 17 13 43 12 12 13 }
+ $encrypted_pe_header_shift_20 = { 10 cd 14 61 6e a4 14 17 14 14 14 96 18 14 44 13 13 14 }
+ $encrypted_pe_header_shift_21 = { 11 ce 15 62 6f a5 15 18 15 15 15 97 19 15 45 14 14 15 }
+ $encrypted_pe_header_shift_22 = { 12 cf 16 63 70 a6 16 19 16 16 16 98 1a 16 46 15 15 16 }
+ $encrypted_pe_header_shift_23 = { 13 d0 17 64 71 a7 17 1a 17 17 17 99 1b 17 47 16 16 17 }
+ $encrypted_pe_header_shift_24 = { 14 d1 18 65 72 a8 18 1b 18 18 18 9a 1c 18 48 17 17 18 }
+ $encrypted_pe_header_shift_25 = { 15 d2 19 66 73 a9 19 1c 19 19 19 9b 1d 19 49 18 18 19 }
+ $encrypted_pe_header_shift_26 = { 16 d3 1a 67 74 aa 1a 1d 1a 1a 1a 9c 1e 1a 4a 19 19 1a }
+ $encrypted_pe_header_shift_27 = { 17 d4 1b 68 75 ab 1b 1e 1b 1b 1b 9d 1f 1b 4b 1a 1a 1b }
+ $encrypted_pe_header_shift_28 = { 18 d5 1c 69 76 ac 1c 1f 1c 1c 1c 9e 20 1c 4c 1b 1b 1c }
+ $encrypted_pe_header_shift_29 = { 19 d6 1d 6a 77 ad 1d 20 1d 1d 1d 9f 21 1d 4d 1c 1c 1d }
+ $encrypted_pe_header_shift_30 = { 1a d7 1e 6b 78 ae 1e 21 1e 1e 1e a0 22 1e 4e 1d 1d 1e }
+ $encrypted_pe_header_shift_31 = { 1b d8 1f 6c 79 af 1f 22 1f 1f 1f a1 23 1f 4f 1e 1e 1f }
+ $encrypted_pe_header_shift_32 = { 1c d9 20 6d 7a b0 20 23 20 20 20 a2 24 20 50 1f 1f 20 }
+ $encrypted_pe_header_shift_33 = { 1d da 21 6e 7b b1 21 24 21 21 21 a3 25 21 51 20 20 21 }
+ $encrypted_pe_header_shift_34 = { 1e db 22 6f 7c b2 22 25 22 22 22 a4 26 22 52 21 21 22 }
+ $encrypted_pe_header_shift_35 = { 1f dc 23 70 7d b3 23 26 23 23 23 a5 27 23 53 22 22 23 }
+ $encrypted_pe_header_shift_36 = { 20 dd 24 71 7e b4 24 27 24 24 24 a6 28 24 54 23 23 24 }
+ $encrypted_pe_header_shift_37 = { 21 de 25 72 7f b5 25 28 25 25 25 a7 29 25 55 24 24 25 }
+ $encrypted_pe_header_shift_38 = { 22 df 26 73 80 b6 26 29 26 26 26 a8 2a 26 56 25 25 26 }
+ $encrypted_pe_header_shift_39 = { 23 e0 27 74 81 b7 27 2a 27 27 27 a9 2b 27 57 26 26 27 }
+ $encrypted_pe_header_shift_40 = { 24 e1 28 75 82 b8 28 2b 28 28 28 aa 2c 28 58 27 27 28 }
+ $encrypted_pe_header_shift_41 = { 25 e2 29 76 83 b9 29 2c 29 29 29 ab 2d 29 59 28 28 29 }
+ $encrypted_pe_header_shift_42 = { 26 e3 2a 77 84 ba 2a 2d 2a 2a 2a ac 2e 2a 5a 29 29 2a }
+ $encrypted_pe_header_shift_43 = { 27 e4 2b 78 85 bb 2b 2e 2b 2b 2b ad 2f 2b 5b 2a 2a 2b }
+ $encrypted_pe_header_shift_44 = { 28 e5 2c 79 86 bc 2c 2f 2c 2c 2c ae 30 2c 5c 2b 2b 2c }
+ $encrypted_pe_header_shift_45 = { 29 e6 2d 7a 87 bd 2d 30 2d 2d 2d af 31 2d 5d 2c 2c 2d }
+ $encrypted_pe_header_shift_46 = { 2a e7 2e 7b 88 be 2e 31 2e 2e 2e b0 32 2e 5e 2d 2d 2e }
+ $encrypted_pe_header_shift_47 = { 2b e8 2f 7c 89 bf 2f 32 2f 2f 2f b1 33 2f 5f 2e 2e 2f }
+ $encrypted_pe_header_shift_48 = { 2c e9 30 7d 8a c0 30 33 30 30 30 b2 34 30 60 2f 2f 30 }
+ $encrypted_pe_header_shift_49 = { 2d ea 31 7e 8b c1 31 34 31 31 31 b3 35 31 61 30 30 31 }
+ $encrypted_pe_header_shift_50 = { 2e eb 32 7f 8c c2 32 35 32 32 32 b4 36 32 62 31 31 32 }
+ $encrypted_pe_header_shift_51 = { 2f ec 33 80 8d c3 33 36 33 33 33 b5 37 33 63 32 32 33 }
+ $encrypted_pe_header_shift_52 = { 30 ed 34 81 8e c4 34 37 34 34 34 b6 38 34 64 33 33 34 }
+ $encrypted_pe_header_shift_53 = { 31 ee 35 82 8f c5 35 38 35 35 35 b7 39 35 65 34 34 35 }
+ $encrypted_pe_header_shift_54 = { 32 ef 36 83 90 c6 36 39 36 36 36 b8 3a 36 66 35 35 36 }
+ $encrypted_pe_header_shift_55 = { 33 f0 37 84 91 c7 37 3a 37 37 37 b9 3b 37 67 36 36 37 }
+ $encrypted_pe_header_shift_56 = { 34 f1 38 85 92 c8 38 3b 38 38 38 ba 3c 38 68 37 37 38 }
+ $encrypted_pe_header_shift_57 = { 35 f2 39 86 93 c9 39 3c 39 39 39 bb 3d 39 69 38 38 39 }
+ $encrypted_pe_header_shift_58 = { 36 f3 3a 87 94 ca 3a 3d 3a 3a 3a bc 3e 3a 6a 39 39 3a }
+ $encrypted_pe_header_shift_59 = { 37 f4 3b 88 95 cb 3b 3e 3b 3b 3b bd 3f 3b 6b 3a 3a 3b }
+ $encrypted_pe_header_shift_60 = { 38 f5 3c 89 96 cc 3c 3f 3c 3c 3c be 40 3c 6c 3b 3b 3c }
+ $encrypted_pe_header_shift_61 = { 39 f6 3d 8a 97 cd 3d 40 3d 3d 3d bf 41 3d 6d 3c 3c 3d }
+ $encrypted_pe_header_shift_62 = { 3a f7 3e 8b 98 ce 3e 41 3e 3e 3e c0 42 3e 6e 3d 3d 3e }
+ $encrypted_pe_header_shift_63 = { 3b f8 3f 8c 99 cf 3f 42 3f 3f 3f c1 43 3f 6f 3e 3e 3f }
+ $encrypted_pe_header_shift_64 = { 3c f9 40 8d 9a d0 40 43 40 40 40 c2 44 40 70 3f 3f 40 }
+ $encrypted_pe_header_shift_65 = { 3d fa 41 8e 9b d1 41 44 41 41 41 c3 45 41 71 40 40 41 }
+ $encrypted_pe_header_shift_66 = { 3e fb 42 8f 9c d2 42 45 42 42 42 c4 46 42 72 41 41 42 }
+ $encrypted_pe_header_shift_67 = { 3f fc 43 90 9d d3 43 46 43 43 43 c5 47 43 73 42 42 43 }
+ $encrypted_pe_header_shift_68 = { 40 fd 44 91 9e d4 44 47 44 44 44 c6 48 44 74 43 43 44 }
+ $encrypted_pe_header_shift_69 = { 41 fe 45 92 9f d5 45 48 45 45 45 c7 49 45 75 44 44 45 }
+ $encrypted_pe_header_shift_70 = { 42 ff 46 93 a0 d6 46 49 46 46 46 c8 4a 46 76 45 45 46 }
+ $encrypted_pe_header_shift_71 = { 43 00 47 94 a1 d7 47 4a 47 47 47 c9 4b 47 77 46 46 47 }
+ $encrypted_pe_header_shift_72 = { 44 01 48 95 a2 d8 48 4b 48 48 48 ca 4c 48 78 47 47 48 }
+ $encrypted_pe_header_shift_73 = { 45 02 49 96 a3 d9 49 4c 49 49 49 cb 4d 49 79 48 48 49 }
+ $encrypted_pe_header_shift_74 = { 46 03 4a 97 a4 da 4a 4d 4a 4a 4a cc 4e 4a 7a 49 49 4a }
+ $encrypted_pe_header_shift_75 = { 47 04 4b 98 a5 db 4b 4e 4b 4b 4b cd 4f 4b 7b 4a 4a 4b }
+ $encrypted_pe_header_shift_76 = { 48 05 4c 99 a6 dc 4c 4f 4c 4c 4c ce 50 4c 7c 4b 4b 4c }
+ $encrypted_pe_header_shift_77 = { 49 06 4d 9a a7 dd 4d 50 4d 4d 4d cf 51 4d 7d 4c 4c 4d }
+ $encrypted_pe_header_shift_78 = { 4a 07 4e 9b a8 de 4e 51 4e 4e 4e d0 52 4e 7e 4d 4d 4e }
+ $encrypted_pe_header_shift_79 = { 4b 08 4f 9c a9 df 4f 52 4f 4f 4f d1 53 4f 7f 4e 4e 4f }
+ $encrypted_pe_header_shift_80 = { 4c 09 50 9d aa e0 50 53 50 50 50 d2 54 50 80 4f 4f 50 }
+ $encrypted_pe_header_shift_81 = { 4d 0a 51 9e ab e1 51 54 51 51 51 d3 55 51 81 50 50 51 }
+ $encrypted_pe_header_shift_82 = { 4e 0b 52 9f ac e2 52 55 52 52 52 d4 56 52 82 51 51 52 }
+ $encrypted_pe_header_shift_83 = { 4f 0c 53 a0 ad e3 53 56 53 53 53 d5 57 53 83 52 52 53 }
+ $encrypted_pe_header_shift_84 = { 50 0d 54 a1 ae e4 54 57 54 54 54 d6 58 54 84 53 53 54 }
+ $encrypted_pe_header_shift_85 = { 51 0e 55 a2 af e5 55 58 55 55 55 d7 59 55 85 54 54 55 }
+ $encrypted_pe_header_shift_86 = { 52 0f 56 a3 b0 e6 56 59 56 56 56 d8 5a 56 86 55 55 56 }
+ $encrypted_pe_header_shift_87 = { 53 10 57 a4 b1 e7 57 5a 57 57 57 d9 5b 57 87 56 56 57 }
+ $encrypted_pe_header_shift_88 = { 54 11 58 a5 b2 e8 58 5b 58 58 58 da 5c 58 88 57 57 58 }
+ $encrypted_pe_header_shift_89 = { 55 12 59 a6 b3 e9 59 5c 59 59 59 db 5d 59 89 58 58 59 }
+ $encrypted_pe_header_shift_90 = { 56 13 5a a7 b4 ea 5a 5d 5a 5a 5a dc 5e 5a 8a 59 59 5a }
+ $encrypted_pe_header_shift_91 = { 57 14 5b a8 b5 eb 5b 5e 5b 5b 5b dd 5f 5b 8b 5a 5a 5b }
+ $encrypted_pe_header_shift_92 = { 58 15 5c a9 b6 ec 5c 5f 5c 5c 5c de 60 5c 8c 5b 5b 5c }
+ $encrypted_pe_header_shift_93 = { 59 16 5d aa b7 ed 5d 60 5d 5d 5d df 61 5d 8d 5c 5c 5d }
+ $encrypted_pe_header_shift_94 = { 5a 17 5e ab b8 ee 5e 61 5e 5e 5e e0 62 5e 8e 5d 5d 5e }
+ $encrypted_pe_header_shift_95 = { 5b 18 5f ac b9 ef 5f 62 5f 5f 5f e1 63 5f 8f 5e 5e 5f }
+ $encrypted_pe_header_shift_96 = { 5c 19 60 ad ba f0 60 63 60 60 60 e2 64 60 90 5f 5f 60 }
+ $encrypted_pe_header_shift_97 = { 5d 1a 61 ae bb f1 61 64 61 61 61 e3 65 61 91 60 60 61 }
+ $encrypted_pe_header_shift_98 = { 5e 1b 62 af bc f2 62 65 62 62 62 e4 66 62 92 61 61 62 }
+ $encrypted_pe_header_shift_99 = { 5f 1c 63 b0 bd f3 63 66 63 63 63 e5 67 63 93 62 62 63 }
+ $encrypted_pe_header_shift_100 = { 60 1d 64 b1 be f4 64 67 64 64 64 e6 68 64 94 63 63 64 }
+ $encrypted_pe_header_shift_101 = { 61 1e 65 b2 bf f5 65 68 65 65 65 e7 69 65 95 64 64 65 }
+ $encrypted_pe_header_shift_102 = { 62 1f 66 b3 c0 f6 66 69 66 66 66 e8 6a 66 96 65 65 66 }
+ $encrypted_pe_header_shift_103 = { 63 20 67 b4 c1 f7 67 6a 67 67 67 e9 6b 67 97 66 66 67 }
+ $encrypted_pe_header_shift_104 = { 64 21 68 b5 c2 f8 68 6b 68 68 68 ea 6c 68 98 67 67 68 }
+ $encrypted_pe_header_shift_105 = { 65 22 69 b6 c3 f9 69 6c 69 69 69 eb 6d 69 99 68 68 69 }
+ $encrypted_pe_header_shift_106 = { 66 23 6a b7 c4 fa 6a 6d 6a 6a 6a ec 6e 6a 9a 69 69 6a }
+ $encrypted_pe_header_shift_107 = { 67 24 6b b8 c5 fb 6b 6e 6b 6b 6b ed 6f 6b 9b 6a 6a 6b }
+ $encrypted_pe_header_shift_108 = { 68 25 6c b9 c6 fc 6c 6f 6c 6c 6c ee 70 6c 9c 6b 6b 6c }
+ $encrypted_pe_header_shift_109 = { 69 26 6d ba c7 fd 6d 70 6d 6d 6d ef 71 6d 9d 6c 6c 6d }
+ $encrypted_pe_header_shift_110 = { 6a 27 6e bb c8 fe 6e 71 6e 6e 6e f0 72 6e 9e 6d 6d 6e }
+ $encrypted_pe_header_shift_111 = { 6b 28 6f bc c9 ff 6f 72 6f 6f 6f f1 73 6f 9f 6e 6e 6f }
+ $encrypted_pe_header_shift_112 = { 6c 29 70 bd ca 00 70 73 70 70 70 f2 74 70 a0 6f 6f 70 }
+ $encrypted_pe_header_shift_113 = { 6d 2a 71 be cb 01 71 74 71 71 71 f3 75 71 a1 70 70 71 }
+ $encrypted_pe_header_shift_114 = { 6e 2b 72 bf cc 02 72 75 72 72 72 f4 76 72 a2 71 71 72 }
+ $encrypted_pe_header_shift_115 = { 6f 2c 73 c0 cd 03 73 76 73 73 73 f5 77 73 a3 72 72 73 }
+ $encrypted_pe_header_shift_116 = { 70 2d 74 c1 ce 04 74 77 74 74 74 f6 78 74 a4 73 73 74 }
+ $encrypted_pe_header_shift_117 = { 71 2e 75 c2 cf 05 75 78 75 75 75 f7 79 75 a5 74 74 75 }
+ $encrypted_pe_header_shift_118 = { 72 2f 76 c3 d0 06 76 79 76 76 76 f8 7a 76 a6 75 75 76 }
+ $encrypted_pe_header_shift_119 = { 73 30 77 c4 d1 07 77 7a 77 77 77 f9 7b 77 a7 76 76 77 }
+ $encrypted_pe_header_shift_120 = { 74 31 78 c5 d2 08 78 7b 78 78 78 fa 7c 78 a8 77 77 78 }
+ $encrypted_pe_header_shift_121 = { 75 32 79 c6 d3 09 79 7c 79 79 79 fb 7d 79 a9 78 78 79 }
+ $encrypted_pe_header_shift_122 = { 76 33 7a c7 d4 0a 7a 7d 7a 7a 7a fc 7e 7a aa 79 79 7a }
+ $encrypted_pe_header_shift_123 = { 77 34 7b c8 d5 0b 7b 7e 7b 7b 7b fd 7f 7b ab 7a 7a 7b }
+ $encrypted_pe_header_shift_124 = { 78 35 7c c9 d6 0c 7c 7f 7c 7c 7c fe 80 7c ac 7b 7b 7c }
+ $encrypted_pe_header_shift_125 = { 79 36 7d ca d7 0d 7d 80 7d 7d 7d ff 81 7d ad 7c 7c 7d }
+ $encrypted_pe_header_shift_126 = { 7a 37 7e cb d8 0e 7e 81 7e 7e 7e 00 82 7e ae 7d 7d 7e }
+ $encrypted_pe_header_shift_127 = { 7b 38 7f cc d9 0f 7f 82 7f 7f 7f 01 83 7f af 7e 7e 7f }
+ $encrypted_pe_header_shift_128 = { 7c 39 80 cd da 10 80 83 80 80 80 02 84 80 b0 7f 7f 80 }
+ $encrypted_pe_header_shift_129 = { 7d 3a 81 ce db 11 81 84 81 81 81 03 85 81 b1 80 80 81 }
+ $encrypted_pe_header_shift_130 = { 7e 3b 82 cf dc 12 82 85 82 82 82 04 86 82 b2 81 81 82 }
+ $encrypted_pe_header_shift_131 = { 7f 3c 83 d0 dd 13 83 86 83 83 83 05 87 83 b3 82 82 83 }
+ $encrypted_pe_header_shift_132 = { 80 3d 84 d1 de 14 84 87 84 84 84 06 88 84 b4 83 83 84 }
+ $encrypted_pe_header_shift_133 = { 81 3e 85 d2 df 15 85 88 85 85 85 07 89 85 b5 84 84 85 }
+ $encrypted_pe_header_shift_134 = { 82 3f 86 d3 e0 16 86 89 86 86 86 08 8a 86 b6 85 85 86 }
+ $encrypted_pe_header_shift_135 = { 83 40 87 d4 e1 17 87 8a 87 87 87 09 8b 87 b7 86 86 87 }
+ $encrypted_pe_header_shift_136 = { 84 41 88 d5 e2 18 88 8b 88 88 88 0a 8c 88 b8 87 87 88 }
+ $encrypted_pe_header_shift_137 = { 85 42 89 d6 e3 19 89 8c 89 89 89 0b 8d 89 b9 88 88 89 }
+ $encrypted_pe_header_shift_138 = { 86 43 8a d7 e4 1a 8a 8d 8a 8a 8a 0c 8e 8a ba 89 89 8a }
+ $encrypted_pe_header_shift_139 = { 87 44 8b d8 e5 1b 8b 8e 8b 8b 8b 0d 8f 8b bb 8a 8a 8b }
+ $encrypted_pe_header_shift_140 = { 88 45 8c d9 e6 1c 8c 8f 8c 8c 8c 0e 90 8c bc 8b 8b 8c }
+ $encrypted_pe_header_shift_141 = { 89 46 8d da e7 1d 8d 90 8d 8d 8d 0f 91 8d bd 8c 8c 8d }
+ $encrypted_pe_header_shift_142 = { 8a 47 8e db e8 1e 8e 91 8e 8e 8e 10 92 8e be 8d 8d 8e }
+ $encrypted_pe_header_shift_143 = { 8b 48 8f dc e9 1f 8f 92 8f 8f 8f 11 93 8f bf 8e 8e 8f }
+ $encrypted_pe_header_shift_144 = { 8c 49 90 dd ea 20 90 93 90 90 90 12 94 90 c0 8f 8f 90 }
+ $encrypted_pe_header_shift_145 = { 8d 4a 91 de eb 21 91 94 91 91 91 13 95 91 c1 90 90 91 }
+ $encrypted_pe_header_shift_146 = { 8e 4b 92 df ec 22 92 95 92 92 92 14 96 92 c2 91 91 92 }
+ $encrypted_pe_header_shift_147 = { 8f 4c 93 e0 ed 23 93 96 93 93 93 15 97 93 c3 92 92 93 }
+ $encrypted_pe_header_shift_148 = { 90 4d 94 e1 ee 24 94 97 94 94 94 16 98 94 c4 93 93 94 }
+ $encrypted_pe_header_shift_149 = { 91 4e 95 e2 ef 25 95 98 95 95 95 17 99 95 c5 94 94 95 }
+ $encrypted_pe_header_shift_150 = { 92 4f 96 e3 f0 26 96 99 96 96 96 18 9a 96 c6 95 95 96 }
+ $encrypted_pe_header_shift_151 = { 93 50 97 e4 f1 27 97 9a 97 97 97 19 9b 97 c7 96 96 97 }
+ $encrypted_pe_header_shift_152 = { 94 51 98 e5 f2 28 98 9b 98 98 98 1a 9c 98 c8 97 97 98 }
+ $encrypted_pe_header_shift_153 = { 95 52 99 e6 f3 29 99 9c 99 99 99 1b 9d 99 c9 98 98 99 }
+ $encrypted_pe_header_shift_154 = { 96 53 9a e7 f4 2a 9a 9d 9a 9a 9a 1c 9e 9a ca 99 99 9a }
+ $encrypted_pe_header_shift_155 = { 97 54 9b e8 f5 2b 9b 9e 9b 9b 9b 1d 9f 9b cb 9a 9a 9b }
+ $encrypted_pe_header_shift_156 = { 98 55 9c e9 f6 2c 9c 9f 9c 9c 9c 1e a0 9c cc 9b 9b 9c }
+ $encrypted_pe_header_shift_157 = { 99 56 9d ea f7 2d 9d a0 9d 9d 9d 1f a1 9d cd 9c 9c 9d }
+ $encrypted_pe_header_shift_158 = { 9a 57 9e eb f8 2e 9e a1 9e 9e 9e 20 a2 9e ce 9d 9d 9e }
+ $encrypted_pe_header_shift_159 = { 9b 58 9f ec f9 2f 9f a2 9f 9f 9f 21 a3 9f cf 9e 9e 9f }
+ $encrypted_pe_header_shift_160 = { 9c 59 a0 ed fa 30 a0 a3 a0 a0 a0 22 a4 a0 d0 9f 9f a0 }
+ $encrypted_pe_header_shift_161 = { 9d 5a a1 ee fb 31 a1 a4 a1 a1 a1 23 a5 a1 d1 a0 a0 a1 }
+ $encrypted_pe_header_shift_162 = { 9e 5b a2 ef fc 32 a2 a5 a2 a2 a2 24 a6 a2 d2 a1 a1 a2 }
+ $encrypted_pe_header_shift_163 = { 9f 5c a3 f0 fd 33 a3 a6 a3 a3 a3 25 a7 a3 d3 a2 a2 a3 }
+ $encrypted_pe_header_shift_164 = { a0 5d a4 f1 fe 34 a4 a7 a4 a4 a4 26 a8 a4 d4 a3 a3 a4 }
+ $encrypted_pe_header_shift_165 = { a1 5e a5 f2 ff 35 a5 a8 a5 a5 a5 27 a9 a5 d5 a4 a4 a5 }
+ $encrypted_pe_header_shift_166 = { a2 5f a6 f3 00 36 a6 a9 a6 a6 a6 28 aa a6 d6 a5 a5 a6 }
+ $encrypted_pe_header_shift_167 = { a3 60 a7 f4 01 37 a7 aa a7 a7 a7 29 ab a7 d7 a6 a6 a7 }
+ $encrypted_pe_header_shift_168 = { a4 61 a8 f5 02 38 a8 ab a8 a8 a8 2a ac a8 d8 a7 a7 a8 }
+ $encrypted_pe_header_shift_169 = { a5 62 a9 f6 03 39 a9 ac a9 a9 a9 2b ad a9 d9 a8 a8 a9 }
+ $encrypted_pe_header_shift_170 = { a6 63 aa f7 04 3a aa ad aa aa aa 2c ae aa da a9 a9 aa }
+ $encrypted_pe_header_shift_171 = { a7 64 ab f8 05 3b ab ae ab ab ab 2d af ab db aa aa ab }
+ $encrypted_pe_header_shift_172 = { a8 65 ac f9 06 3c ac af ac ac ac 2e b0 ac dc ab ab ac }
+ $encrypted_pe_header_shift_173 = { a9 66 ad fa 07 3d ad b0 ad ad ad 2f b1 ad dd ac ac ad }
+ $encrypted_pe_header_shift_174 = { aa 67 ae fb 08 3e ae b1 ae ae ae 30 b2 ae de ad ad ae }
+ $encrypted_pe_header_shift_175 = { ab 68 af fc 09 3f af b2 af af af 31 b3 af df ae ae af }
+ $encrypted_pe_header_shift_176 = { ac 69 b0 fd 0a 40 b0 b3 b0 b0 b0 32 b4 b0 e0 af af b0 }
+ $encrypted_pe_header_shift_177 = { ad 6a b1 fe 0b 41 b1 b4 b1 b1 b1 33 b5 b1 e1 b0 b0 b1 }
+ $encrypted_pe_header_shift_178 = { ae 6b b2 ff 0c 42 b2 b5 b2 b2 b2 34 b6 b2 e2 b1 b1 b2 }
+ $encrypted_pe_header_shift_179 = { af 6c b3 00 0d 43 b3 b6 b3 b3 b3 35 b7 b3 e3 b2 b2 b3 }
+ $encrypted_pe_header_shift_180 = { b0 6d b4 01 0e 44 b4 b7 b4 b4 b4 36 b8 b4 e4 b3 b3 b4 }
+ $encrypted_pe_header_shift_181 = { b1 6e b5 02 0f 45 b5 b8 b5 b5 b5 37 b9 b5 e5 b4 b4 b5 }
+ $encrypted_pe_header_shift_182 = { b2 6f b6 03 10 46 b6 b9 b6 b6 b6 38 ba b6 e6 b5 b5 b6 }
+ $encrypted_pe_header_shift_183 = { b3 70 b7 04 11 47 b7 ba b7 b7 b7 39 bb b7 e7 b6 b6 b7 }
+ $encrypted_pe_header_shift_184 = { b4 71 b8 05 12 48 b8 bb b8 b8 b8 3a bc b8 e8 b7 b7 b8 }
+ $encrypted_pe_header_shift_185 = { b5 72 b9 06 13 49 b9 bc b9 b9 b9 3b bd b9 e9 b8 b8 b9 }
+ $encrypted_pe_header_shift_186 = { b6 73 ba 07 14 4a ba bd ba ba ba 3c be ba ea b9 b9 ba }
+ $encrypted_pe_header_shift_187 = { b7 74 bb 08 15 4b bb be bb bb bb 3d bf bb eb ba ba bb }
+ $encrypted_pe_header_shift_188 = { b8 75 bc 09 16 4c bc bf bc bc bc 3e c0 bc ec bb bb bc }
+ $encrypted_pe_header_shift_189 = { b9 76 bd 0a 17 4d bd c0 bd bd bd 3f c1 bd ed bc bc bd }
+ $encrypted_pe_header_shift_190 = { ba 77 be 0b 18 4e be c1 be be be 40 c2 be ee bd bd be }
+ $encrypted_pe_header_shift_191 = { bb 78 bf 0c 19 4f bf c2 bf bf bf 41 c3 bf ef be be bf }
+ $encrypted_pe_header_shift_192 = { bc 79 c0 0d 1a 50 c0 c3 c0 c0 c0 42 c4 c0 f0 bf bf c0 }
+ $encrypted_pe_header_shift_193 = { bd 7a c1 0e 1b 51 c1 c4 c1 c1 c1 43 c5 c1 f1 c0 c0 c1 }
+ $encrypted_pe_header_shift_194 = { be 7b c2 0f 1c 52 c2 c5 c2 c2 c2 44 c6 c2 f2 c1 c1 c2 }
+ $encrypted_pe_header_shift_195 = { bf 7c c3 10 1d 53 c3 c6 c3 c3 c3 45 c7 c3 f3 c2 c2 c3 }
+ $encrypted_pe_header_shift_196 = { c0 7d c4 11 1e 54 c4 c7 c4 c4 c4 46 c8 c4 f4 c3 c3 c4 }
+ $encrypted_pe_header_shift_197 = { c1 7e c5 12 1f 55 c5 c8 c5 c5 c5 47 c9 c5 f5 c4 c4 c5 }
+ $encrypted_pe_header_shift_198 = { c2 7f c6 13 20 56 c6 c9 c6 c6 c6 48 ca c6 f6 c5 c5 c6 }
+ $encrypted_pe_header_shift_199 = { c3 80 c7 14 21 57 c7 ca c7 c7 c7 49 cb c7 f7 c6 c6 c7 }
+ $encrypted_pe_header_shift_200 = { c4 81 c8 15 22 58 c8 cb c8 c8 c8 4a cc c8 f8 c7 c7 c8 }
+ $encrypted_pe_header_shift_201 = { c5 82 c9 16 23 59 c9 cc c9 c9 c9 4b cd c9 f9 c8 c8 c9 }
+ $encrypted_pe_header_shift_202 = { c6 83 ca 17 24 5a ca cd ca ca ca 4c ce ca fa c9 c9 ca }
+ $encrypted_pe_header_shift_203 = { c7 84 cb 18 25 5b cb ce cb cb cb 4d cf cb fb ca ca cb }
+ $encrypted_pe_header_shift_204 = { c8 85 cc 19 26 5c cc cf cc cc cc 4e d0 cc fc cb cb cc }
+ $encrypted_pe_header_shift_205 = { c9 86 cd 1a 27 5d cd d0 cd cd cd 4f d1 cd fd cc cc cd }
+ $encrypted_pe_header_shift_206 = { ca 87 ce 1b 28 5e ce d1 ce ce ce 50 d2 ce fe cd cd ce }
+ $encrypted_pe_header_shift_207 = { cb 88 cf 1c 29 5f cf d2 cf cf cf 51 d3 cf ff ce ce cf }
+ $encrypted_pe_header_shift_208 = { cc 89 d0 1d 2a 60 d0 d3 d0 d0 d0 52 d4 d0 00 cf cf d0 }
+ $encrypted_pe_header_shift_209 = { cd 8a d1 1e 2b 61 d1 d4 d1 d1 d1 53 d5 d1 01 d0 d0 d1 }
+ $encrypted_pe_header_shift_210 = { ce 8b d2 1f 2c 62 d2 d5 d2 d2 d2 54 d6 d2 02 d1 d1 d2 }
+ $encrypted_pe_header_shift_211 = { cf 8c d3 20 2d 63 d3 d6 d3 d3 d3 55 d7 d3 03 d2 d2 d3 }
+ $encrypted_pe_header_shift_212 = { d0 8d d4 21 2e 64 d4 d7 d4 d4 d4 56 d8 d4 04 d3 d3 d4 }
+ $encrypted_pe_header_shift_213 = { d1 8e d5 22 2f 65 d5 d8 d5 d5 d5 57 d9 d5 05 d4 d4 d5 }
+ $encrypted_pe_header_shift_214 = { d2 8f d6 23 30 66 d6 d9 d6 d6 d6 58 da d6 06 d5 d5 d6 }
+ $encrypted_pe_header_shift_215 = { d3 90 d7 24 31 67 d7 da d7 d7 d7 59 db d7 07 d6 d6 d7 }
+ $encrypted_pe_header_shift_216 = { d4 91 d8 25 32 68 d8 db d8 d8 d8 5a dc d8 08 d7 d7 d8 }
+ $encrypted_pe_header_shift_217 = { d5 92 d9 26 33 69 d9 dc d9 d9 d9 5b dd d9 09 d8 d8 d9 }
+ $encrypted_pe_header_shift_218 = { d6 93 da 27 34 6a da dd da da da 5c de da 0a d9 d9 da }
+ $encrypted_pe_header_shift_219 = { d7 94 db 28 35 6b db de db db db 5d df db 0b da da db }
+ $encrypted_pe_header_shift_220 = { d8 95 dc 29 36 6c dc df dc dc dc 5e e0 dc 0c db db dc }
+ $encrypted_pe_header_shift_221 = { d9 96 dd 2a 37 6d dd e0 dd dd dd 5f e1 dd 0d dc dc dd }
+ $encrypted_pe_header_shift_222 = { da 97 de 2b 38 6e de e1 de de de 60 e2 de 0e dd dd de }
+ $encrypted_pe_header_shift_223 = { db 98 df 2c 39 6f df e2 df df df 61 e3 df 0f de de df }
+ $encrypted_pe_header_shift_224 = { dc 99 e0 2d 3a 70 e0 e3 e0 e0 e0 62 e4 e0 10 df df e0 }
+ $encrypted_pe_header_shift_225 = { dd 9a e1 2e 3b 71 e1 e4 e1 e1 e1 63 e5 e1 11 e0 e0 e1 }
+ $encrypted_pe_header_shift_226 = { de 9b e2 2f 3c 72 e2 e5 e2 e2 e2 64 e6 e2 12 e1 e1 e2 }
+ $encrypted_pe_header_shift_227 = { df 9c e3 30 3d 73 e3 e6 e3 e3 e3 65 e7 e3 13 e2 e2 e3 }
+ $encrypted_pe_header_shift_228 = { e0 9d e4 31 3e 74 e4 e7 e4 e4 e4 66 e8 e4 14 e3 e3 e4 }
+ $encrypted_pe_header_shift_229 = { e1 9e e5 32 3f 75 e5 e8 e5 e5 e5 67 e9 e5 15 e4 e4 e5 }
+ $encrypted_pe_header_shift_230 = { e2 9f e6 33 40 76 e6 e9 e6 e6 e6 68 ea e6 16 e5 e5 e6 }
+ $encrypted_pe_header_shift_231 = { e3 a0 e7 34 41 77 e7 ea e7 e7 e7 69 eb e7 17 e6 e6 e7 }
+ $encrypted_pe_header_shift_232 = { e4 a1 e8 35 42 78 e8 eb e8 e8 e8 6a ec e8 18 e7 e7 e8 }
+ $encrypted_pe_header_shift_233 = { e5 a2 e9 36 43 79 e9 ec e9 e9 e9 6b ed e9 19 e8 e8 e9 }
+ $encrypted_pe_header_shift_234 = { e6 a3 ea 37 44 7a ea ed ea ea ea 6c ee ea 1a e9 e9 ea }
+ $encrypted_pe_header_shift_235 = { e7 a4 eb 38 45 7b eb ee eb eb eb 6d ef eb 1b ea ea eb }
+ $encrypted_pe_header_shift_236 = { e8 a5 ec 39 46 7c ec ef ec ec ec 6e f0 ec 1c eb eb ec }
+ $encrypted_pe_header_shift_237 = { e9 a6 ed 3a 47 7d ed f0 ed ed ed 6f f1 ed 1d ec ec ed }
+ $encrypted_pe_header_shift_238 = { ea a7 ee 3b 48 7e ee f1 ee ee ee 70 f2 ee 1e ed ed ee }
+ $encrypted_pe_header_shift_239 = { eb a8 ef 3c 49 7f ef f2 ef ef ef 71 f3 ef 1f ee ee ef }
+ $encrypted_pe_header_shift_240 = { ec a9 f0 3d 4a 80 f0 f3 f0 f0 f0 72 f4 f0 20 ef ef f0 }
+ $encrypted_pe_header_shift_241 = { ed aa f1 3e 4b 81 f1 f4 f1 f1 f1 73 f5 f1 21 f0 f0 f1 }
+ $encrypted_pe_header_shift_242 = { ee ab f2 3f 4c 82 f2 f5 f2 f2 f2 74 f6 f2 22 f1 f1 f2 }
+ $encrypted_pe_header_shift_243 = { ef ac f3 40 4d 83 f3 f6 f3 f3 f3 75 f7 f3 23 f2 f2 f3 }
+ $encrypted_pe_header_shift_244 = { f0 ad f4 41 4e 84 f4 f7 f4 f4 f4 76 f8 f4 24 f3 f3 f4 }
+ $encrypted_pe_header_shift_245 = { f1 ae f5 42 4f 85 f5 f8 f5 f5 f5 77 f9 f5 25 f4 f4 f5 }
+ $encrypted_pe_header_shift_246 = { f2 af f6 43 50 86 f6 f9 f6 f6 f6 78 fa f6 26 f5 f5 f6 }
+ $encrypted_pe_header_shift_247 = { f3 b0 f7 44 51 87 f7 fa f7 f7 f7 79 fb f7 27 f6 f6 f7 }
+ $encrypted_pe_header_shift_248 = { f4 b1 f8 45 52 88 f8 fb f8 f8 f8 7a fc f8 28 f7 f7 f8 }
+ $encrypted_pe_header_shift_249 = { f5 b2 f9 46 53 89 f9 fc f9 f9 f9 7b fd f9 29 f8 f8 f9 }
+ $encrypted_pe_header_shift_250 = { f6 b3 fa 47 54 8a fa fd fa fa fa 7c fe fa 2a f9 f9 fa }
+ $encrypted_pe_header_shift_251 = { f7 b4 fb 48 55 8b fb fe fb fb fb 7d ff fb 2b fa fa fb }
+ $encrypted_pe_header_shift_252 = { f8 b5 fc 49 56 8c fc ff fc fc fc 7e 00 fc 2c fb fb fc }
+ $encrypted_pe_header_shift_253 = { f9 b6 fd 4a 57 8d fd 00 fd fd fd 7f 01 fd 2d fc fc fd }
+ $encrypted_pe_header_shift_254 = { fa b7 fe 4b 58 8e fe 01 fe fe fe 80 02 fe 2e fd fd fe }
+ $encrypted_pe_header_shift_255 = { fb b8 ff 4c 59 8f ff 02 ff ff ff 81 03 ff 2f fe fe ff }
+
+ condition:
+ filesize < 200KB and (1 of ($encrypted_pe_header_shift_*))
+}
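Review bot: In `HvS_APT27_HyperBro_Decrypted_Stage2` the `filesize < 200KB` bound only guards the `$lznt1_compressed_pe_header_small at 0x9ce` arm, because YARA's `and` binds tighter than `or`; a file of any size that contains all six `$lznt1_compressed_pe_header_large_*` patterns still matches. If the size limit is meant to cover both arms, the condition should read `filesize < 200KB and ( ($lznt1_compressed_pe_header_small at 0x9ce) or all of ($lznt1_compressed_pe_header_large_*) )`. If the unbounded arm is deliberate, a one-line comment such as `// second arm intentionally has no size limit` would keep a later reader from changing it by accident. The file looks like a vendored copy of upstream rules, so the change is better reported upstream or recorded as a local deviation than made silently here.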
diff --git a/yara-Neo23x0/apt_apt27_rshell.yar b/yara-Neo23x0/apt_apt27_rshell.yar
new file mode 100644
index 0000000..25fc84e
--- /dev/null
+++ b/yara-Neo23x0/apt_apt27_rshell.yar
@@ -0,0 +1,40 @@
+
+rule APT_MAL_APT27_Rshell_Jul24 {
+ meta:
+ sharing = "TLP:WHITE"
+ source = "BUNDESAMT FUER VERFASSUNGSSCHUTZ"
+ author = "Bundesamt fuer Verfassungsschutz, modified by Florian Roth"
+ description = "YARA rule to detect RSHELL of APT27"
+ category = "MALWARE"
+ malware = "RSHELL / SYSUPDATE"
+ reference = "https://x.com/bfv_bund/status/1811364839656185985?s=12&t=C0_T_re0wRP_NfKa27Xw9w"
+ date = "2024-07-11"
+ hash1 = "0433edfad648e1e29be54101abaded690302dc7e49ad916cfbbddf99b3ade12c"
+ hash2 = "10bb89fdf25c88d3c5623e8d68573124c9a42549750014e3675e2ca342aeba4a"
+ hash3 = "2603e1f61363451891c97b0c4ce8acfbfb680d3df4282f9d151ecce3a5679616"
+ hash4 = "70dac42491f8f19568a5d7b1d10b29f732a88d75e7f2bfa07b23202bacadf56f"
+ hash5 = "b988a6583ce40f07e5fc8e890ae2b1c84a93db8a2e3ca8769241b94bea332a7a"
+ hash6 = "c4fe1e56f601d411e2385352606524fb8bbf773bc2ba14889a8de605c2d14da0"
+ hash7 = "c787144d285fcca8a542f7a5525a37bcd089b39068b9a4db7fe3554ee6c08301"
+ hash8 = "ddaa4d23e4651a517fffbd29f0924607ba6b6253171144da5e49237afe91666b"
+ strings:
+ $a1 = "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%" ascii
+ $a2 = "/proc/self/exe" ascii
+
+ $s1 = "HISTFILE" ascii fullword
+ $s2 = "/tmp/guid" ascii fullword
+
+ $sop1 = { e8 ?? ?? ?? ?? c7 43 04 00 00 00 00 8b 3b 85 ff 7e 2? e8 ?? ?? 0? 00 85 c0 7e 0? }
+ $sop2 = { c7 43 04 00 00 00 00 8b 3b 85 ff 7e 2? e8 ?? ?? 0? 00 85 c0 7e 0? f7 d8 }
+ condition:
+ (
+ uint32be(0) == 0x7f454c46 // Linux
+ or ( uint32be(0) == 0xcafebabe and uint32be(4) < 0x20 ) // Universal mach-O App with dont-match-java-class-file hack
+ or uint32(0) == 0xfeedface // 32-bit mach-O
+ or uint32(0) == 0xfeedfacf // 64-bit mach-O
+ )
+ and filesize < 2MB
+ and all of ($a*)
+ and 2 of ($s*)
+ or 3 of ($s*)
+}
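Review bot: The trailing `or 3 of ($s*)` in `APT_MAL_APT27_Rshell_Jul24` is not covered by the magic-number group or by `filesize < 2MB`, because `and` binds tighter than `or`, so that arm can match a file of any type and size. The `$s*` wildcard also selects `$sop1` and `$sop2` in addition to `$s1` and `$s2`, so `2 of ($s*)` does not require both `HISTFILE` and `/tmp/guid`. If both arms are meant to sit behind the header and size checks, the tail should be grouped as `and ( ( all of ($a*) and 2 of ($s*) ) or 3 of ($s*) )`. Otherwise a comment stating that the last arm is intentionally ungated would make the intent reviewable. The rule appears to be vendored, so consider raising this upstream rather than diverging locally.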
diff --git a/yara-Neo23x0/apt_apt28.yar b/yara-Neo23x0/apt_apt28.yar
new file mode 100644
index 0000000..fa3169b
--- /dev/null
+++ b/yara-Neo23x0/apt_apt28.yar
@@ -0,0 +1,159 @@
+/*
+ Yara Rule Set
+ Author: YarGen Rule Generator
+ Date: 2015-06-02
+ Identifier: APT28
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule APT28_CHOPSTICK {
+ meta:
+ description = "Detects a malware that behaves like CHOPSTICK mentioned in APT28 report"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/v3ebal"
+ date = "2015-06-02"
+ hash = "f4db2e0881f83f6a2387ecf446fcb4a4c9f99808"
+ score = 60
+ id = "08bc4cc2-1844-5218-bb89-20a3ac70a951"
+ strings:
+ $s0 = "jhuhugit.tmp" fullword ascii /* score: '14.005' */
+ $s8 = "KERNEL32.dll" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 14405 times */
+ $s9 = "IsDebuggerPresent" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 3518 times */
+ $s10 = "IsProcessorFeaturePresent" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 1383 times */
+ $s11 = "TerminateProcess" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 13081 times */
+ $s13 = "DeleteFileA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 1384 times */
+ $s15 = "GetProcessHeap" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 5875 times */
+ $s16 = "!This program cannot be run in DOS mode." fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 20908 times */
+ $s17 = "LoadLibraryA" fullword ascii /* PEStudio Blacklist: strings */ /* score: '5' */ /* Goodware String - occured 5461 times */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 722KB and all of them
+}
+
+rule APT28_SourFace_Malware1 {
+ meta:
+ description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
+ date = "2015-06-01"
+ hash1 = "e2450dffa675c61aa43077b25b12851a910eeeb6"
+ hash2 = "d9c53adce8c35ec3b1e015ec8011078902e6800b"
+ score = 60
+ id = "d4275b8d-384f-58b7-bac5-05fb7db659e2"
+ strings:
+ $s0 = "coreshell.dll" fullword wide /* PEStudio Blacklist: strings */
+ $s1 = "Core Shell Runtime Service" fullword wide /* PEStudio Blacklist: strings */
+ $s2 = "\\chkdbg.log" wide
+ condition:
+ uint16(0) == 0x5a4d and filesize < 62KB and all of them
+}
+
+rule APT28_SourFace_Malware2 {
+ meta:
+ description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
+ date = "2015-06-01"
+ super_rule = 1
+ hash0 = "367d40465fd1633c435b966fa9b289188aa444bc"
+ hash1 = "cf3220c867b81949d1ce2b36446642de7894c6dc"
+ hash2 = "ed48ef531d96e8c7360701da1c57e2ff13f12405"
+ hash3 = "682e49efa6d2549147a21993d64291bfa40d815a"
+ hash4 = "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca"
+ hash5 = "f5b3e98c6b5d65807da66d50bd5730d35692174d"
+ score = 60
+ id = "8a9df742-82c1-56bb-ab70-6384403f70b5"
+ strings:
+ $s0 = "coreshell.dll" fullword ascii /* PEStudio Blacklist: strings */
+ $s1 = "Applicate" fullword ascii
+ condition:
+ uint16(0) == 0x5a4d and filesize < 550KB and all of them
+}
+
+rule APT28_SourFace_Malware3 {
+ meta:
+ description = "Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server."
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
+ date = "2015-06-01"
+ super_rule = 1
+ hash0 = "85522190958c82589fa290c0835805f3d9a2f8d6"
+ hash1 = "d9c53adce8c35ec3b1e015ec8011078902e6800b"
+ hash2 = "367d40465fd1633c435b966fa9b289188aa444bc"
+ hash3 = "d87b310aa81ae6254fff27b7d57f76035f544073"
+ hash4 = "cf3220c867b81949d1ce2b36446642de7894c6dc"
+ hash5 = "ed48ef531d96e8c7360701da1c57e2ff13f12405"
+ hash6 = "682e49efa6d2549147a21993d64291bfa40d815a"
+ hash7 = "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca"
+ hash8 = "f5b3e98c6b5d65807da66d50bd5730d35692174d"
+ hash9 = "e2450dffa675c61aa43077b25b12851a910eeeb6"
+ score = 60
+ id = "b49843b9-3a54-5525-958e-ac545cc00bde"
+ strings:
+ $s0 = "coreshell.dll" fullword wide /* PEStudio Blacklist: strings */
+ $s1 = "Core Shell Runtime Service" fullword wide /* PEStudio Blacklist: strings */
+ condition:
+ uint16(0) == 0x5a4d and filesize < 550KB and all of them
+}
+
+
+import "pe"
+
+rule APT28_SkinnyBoy_Dropper: RUSSIA {
+ meta:
+ description = "Detects APT28 SkinnyBoy droppers"
+ author = "Cluster25"
+ date = "2021-05-24"
+ reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf"
+ hash1 = "12331809c3e03d84498f428a37a28cf6cbb1dafe98c36463593ad12898c588c9"
+ id = "ed0b2d2b-f820-57b5-9654-c24734d81996"
+ strings:
+ $ = "cmd /c DEL " ascii
+ /* $ = " \"" ascii */ /* slowing down scanning */
+ $ = {8a 08 40 84 c9 75 f9}
+ $ = {0f b7 84 0d fc fe ff ff 66 31 84 0d fc fd ff ff}
+ condition:
+ (uint16(0) == 0x5A4D and all of them)
+}
+
+rule APT28_SkinnyBoy_Launcher: RUSSIA {
+ meta:
+ description = "Detects APT28 SkinnyBoy launchers"
+ author = "Cluster25"
+ date = "2021-05-24"
+ reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf"
+ hash1 ="2a652721243f29e82bdf57b565208c59937bbb6af4ab51e7b6ba7ed270ea6bce"
+ id = "eaf4e8e5-cbec-5000-a2ff-31d1dac4c30f"
+ strings:
+ $sha = {F4 EB 56 52 AF 4B 48 EE 08 FF 9D 44 89 4B D5 66 24 61 2A 15 1D 58 14 F9 6D 97
+ 13 2C 6D 07 6F 86}
+ $l1 = "CryptGetHashParam" ascii
+ $l2 = "CryptCreateHash" ascii
+ $l3 = "FindNextFile" ascii
+ $l4 = "PathAddBackslashW" ascii
+ $l5 = "PathRemoveFileSpecW" ascii
+ $h1 = {50 6A 00 6A 00 68 0C 80 00 00 FF ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 6A 00
+ 56 ?? ?? ?? ?? 50 FF ?? ?? ?? FF 15 ?? ?? ?? ?? FF 15 ?? ?? ?? ??}
+ $h2 = {8B 01 3B 02 75 10 83 C1 04 83 C2 04 83 EE 04 73 EF}
+ condition:
+ uint16(0) == 0x5a4d and filesize < 100KB and ($sha or (all of ($l*) and all of ($h*)))
+}
+
+rule APT28_SkinnyBoy_Implanter: RUSSIA {
+ meta:
+ description = "Detects APT28 SkinnyBoy implanter"
+ author = "Cluster25"
+ date = "2021-05-24"
+ reference = "https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf"
+ hash1 = "ae0bc3358fef0ca2a103e694aa556f55a3fed4e98ba57d16f5ae7ad4ad583698"
+ id = "c44faf95-a64c-58f4-97d4-2fe17aefc813"
+ strings:
+ $enc_string = {F3 0F 7E 05 ?? ?? ?? ?? 6? [5] 6A ?? 66 [6] 66 [7] F3 0F 7E 05 ?? ?? ?? ?? 8D
+ 85 [4] 6A ?? 50 66 [7] E8}
+ $heap_ops = {8B [1-5] 03 ?? 5? 5? 6A 08 FF [1-6] FF ?? ?? ?? ?? ?? [0-6] 8B ?? [0-6] 8?}
+ $xor_cycle = { 8A 8C ?? ?? ?? ?? ?? 30 8C ?? ?? ?? ?? ?? 42 3B D0 72 }
+ condition:
+ uint16(0) == 0x5a4d and pe.is_dll() and filesize < 100KB and $xor_cycle and $heap_ops and
+ $enc_string
+}
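Review bot: APT28_SkinnyBoy_Dropper has no `filesize` ceiling, unlike APT28_SkinnyBoy_Launcher and APT28_SkinnyBoy_Implanter in the same file, which both require `filesize < 100KB`. Two of its three patterns are short anonymous byte sequences, so the only gate besides the strings is the MZ check, and large unrelated PE files are more likely to match by chance. A bound derived from the sample in `hash1` would bring it in line with its siblings, e.g. `(uint16(0) == 0x5A4D and filesize < <SIZE_LIMIT> and all of them)`, where `<SIZE_LIMIT>` is a placeholder to be taken from the referenced report. The rule also carries no `score`, so a consumer that ranks hits by score would need a default for it.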
diff --git a/yara-Neo23x0/apt_apt28_drovorub.yar b/yara-Neo23x0/apt_apt28_drovorub.yar
new file mode 100644
index 0000000..f61c5dc
--- /dev/null
+++ b/yara-Neo23x0/apt_apt28_drovorub.yar
@@ -0,0 +1,115 @@
+ rule APT_APT28_generic_poco_openssl {
+ meta:
+ description = "Rule to detect statically linked POCO and OpenSSL libraries (COULD be Drovorub related and should be further investigated)"
+ author = "NSA / FBI"
+ reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
+ date = "2020-08-13"
+ score = 50
+ strings:
+ $mw1 = { 89 F1 48 89 FE 48 89 D7 48 F7 C6 FF FF FF FF 0F 84 6B 02 00 00 48 F7 C7
+ FF FF FF FF 0F 84 5E 02 00 00 48 8D 2D }
+
+ $mw2 = { 41 54 49 89 D4 55 53 F6 47 19 04 48 8B 2E 75 08 31 DB F6 45 00 03 75 }
+ $mw3 = { 85C0BA15000000750989D05BC30F1F44 0000BE }
+
+ $mw4 = { 53 8A 47 08 3C 06 74 21 84 C0 74 1D 3C 07 74 20 B9 ?? ?? ?? ?? BA FD 03
+ 00 00 BE ?? ?? ?? ?? BF ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 E8 06 3C 01 77 2B 48 8B 1F 48 8B 73
+ 10 48 89 DF E8 ?? ?? ?? ?? 48 8D 43 08 48 C7 43 10 00 00 00 00 48 C7 43 28 00 00 00 00 48
+ 89 43 18 48 89 43 20 5B C3 }
+ condition:
+ all of them
+}
+
+rule APT_APT28_drovorub_library_and_unique_strings {
+ meta:
+ description = "Rule to detect Drovorub-server, Drovorub-agent, and Drovorub-client"
+ author = "NSA / FBI"
+ reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
+ date = "2020-08-13"
+ score = 75
+ id = "8e010356-09c7-5897-9cbe-051cd0800502"
+ strings:
+ $s1 = "Poco" ascii wide
+ $s2 = "Json" ascii wide
+ $s3 = "OpenSSL" ascii wide
+
+ $a1 = "clientid" ascii wide
+ $a2 = "-----BEGIN" ascii wide
+ $a3 = "-----END" ascii wide
+ $a4 = "tunnel" ascii wide
+ condition:
+ (filesize > 1MB and filesize < 10MB and (uint32(0) == 0x464c457f)) and (#s1 > 20 and #s2 > 15 and #s3 > 15 and all of ($a*))
+}
+
+rule APT_APT28_drovorub_unique_network_comms_strings {
+ meta:
+ description = "Rule to detect Drovorub-server, Drovorub-agent, or Drovorub-client based"
+ author = "NSA / FBI"
+ reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
+ date = "2020-08-13"
+ score = 75
+ id = "c6a930e8-c1c0-5d96-9051-7516df848b45"
+ strings:
+ $s_01 = "action" wide ascii
+ $s_02 = "auth.commit" wide ascii
+ $s_03 = "auth.hello" wide ascii
+ $s_04 = "auth.login" wide ascii
+ $s_05 = "auth.pending" wide ascii
+ $s_06 = "client_id" wide ascii
+ $s_07 = "client_login" wide ascii
+ $s_08 = "client_pass" wide ascii
+ $s_09 = "clientid" wide ascii
+ $s_10 = "clientkey_base64" wide ascii
+ $s_11 = "file_list_request" wide ascii
+ $s_12 = "module_list_request" wide ascii
+ $s_13 = "monitor" wide ascii
+ $s_14 = "net_list_request" wide ascii
+ $s_15 = "server finished" wide ascii
+ $s_16 = "serverid" wide ascii
+ $s_17 = "tunnel" wide ascii
+ condition:
+ all of them
+}
+/* FPs
+48505c956c005576b1292495102a5a4d37a830dc936ce85204d2783e13082c1f
+
+rule APT_APT28_drovorub_kernel_module_unique_strings {
+ meta:
+ description = "Rule detects the Drovorub-kernel module based on unique strings"
+ author = "NSA / FBI"
+ reference = "https://www.nsa.gov/news-features/press-room/Article/2311407/nsa-and-fbi-expose-russian-previously-undisclosed-malware-drovorub-in-cybersecu/"
+ date = "2020-08-13"
+ score = 75
+ strings:
+ $s_01 = "/proc" wide ascii
+ $s_02 = "/proc/net/packet" wide ascii
+ $s_03 = "/proc/net/raw" wide ascii
+ $s_04 = "/proc/net/tcp" wide ascii
+ $s_05 = "/proc/net/tcp6" wide ascii
+ $s_06 = "/proc/net/udp" wide ascii
+ $s_07 = "/proc/net/udp6" wide ascii
+ $s_08 = "cs02" wide ascii
+ $s_09 = "do_fork" wide ascii
+ $s_10 = "es01" wide ascii
+ $s_11 = "g001" wide ascii
+ $s_12 = "g002" wide ascii
+ $s_13 = "i001" wide ascii
+ $s_14 = "i002" wide ascii
+ $s_15 = "i003" wide ascii
+ $s_16 = "i004" wide ascii
+ $s_17 = "module" wide ascii
+ $s_18 = "sc!^2a" wide ascii
+ $s_19 = "sysfs" wide ascii
+ $s_20 = "tr01" wide ascii
+ $s_21 = "tr02" wide ascii
+ $s_22 = "tr03" wide ascii
+ $s_23 = "tr04" wide ascii
+ $s_24 = "tr05" wide ascii
+ $s_25 = "tr06" wide ascii
+ $s_26 = "tr07" wide ascii
+ $s_27 = "tr08" wide ascii
+ $s_28 = "tr09" wide ascii
+ condition:
+ all of them
+}
+*/
\ No newline at end of file
diff --git a/yara-Neo23x0/apt_apt29_grizzly_steppe.yar b/yara-Neo23x0/apt_apt29_grizzly_steppe.yar
new file mode 100644
index 0000000..fefbf6c
--- /dev/null
+++ b/yara-Neo23x0/apt_apt29_grizzly_steppe.yar
@@ -0,0 +1,311 @@
+/*
+ Yara Rule Set
+ Author: Florian Roth
+ Date: 2016-12-29
+ Identifier: GRIZZLY STEPPE
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule GRIZZLY_STEPPE_Malware_1 {
+ meta:
+ description = "Auto-generated rule - file HRDG022184_certclint.dll"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/WVflzO"
+ date = "2016-12-29"
+ hash1 = "9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5"
+ id = "7239a5f3-9c29-57d7-be95-946d14039353"
+ strings:
+ $s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii
+ $s2 = "Repeat last find command)Replace specific text with different text" fullword wide
+ $s3 = "l\\Processor(0)\\% Processor Time" fullword wide
+ $s6 = "Self Process" fullword wide
+ $s7 = "Default Process" fullword wide
+ $s8 = "Star Polk.exe" fullword wide
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them )
+}
+
+rule GRIZZLY_STEPPE_Malware_2 {
+ meta:
+ description = "Auto-generated rule"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ reference = "https://goo.gl/WVflzO"
+ date = "2016-12-29"
+ hash1 = "9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
+ hash2 = "55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641"
+ id = "37cfba67-af85-5efe-9b07-9f1e5d9f9195"
+ strings:
+ $x1 = "GoogleCrashReport.dll" fullword ascii
+
+ $s1 = "CrashErrors" fullword ascii
+ $s2 = "CrashSend" fullword ascii
+ $s3 = "CrashAddData" fullword ascii
+ $s4 = "CrashCleanup" fullword ascii
+ $s5 = "CrashInit" fullword ascii
+ condition:
+ ( uint16(0) == 0x5a4d and filesize < 1000KB and $x1 ) or ( all of them )
+}
+
+rule PAS_TOOL_PHP_WEB_KIT_mod {
+ meta:
+ description = "Detects PAS Tool PHP Web Kit"
+ reference = "https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity"
+ author = "US CERT - modified by Florian Roth due to performance reasons"
+ date = "2016/12/29"
+ id = "6bc75e44-7784-5e48-9bbc-052d84ebee83"
+ strings:
+ $php = " 10KB and filesize < 30KB) and
+ #cookie == 2 and
+ #isset == 3 and
+ all of them
+}
+
+rule WebShell_PHP_Web_Kit_v3 {
+ meta:
+ description = "Detects PAS Tool PHP Web Kit"
+ reference = "https://github.com/wordfence/grizzly"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ date = "2016/01/01"
+ id = "dc5fa2c9-3e1e-594d-be4f-141e1f4915f1"
+ strings:
+ $php = " 8KB and filesize < 100KB and
+ all of ($s*)
+}
+
+rule WebShell_PHP_Web_Kit_v4 {
+ meta:
+ description = "Detects PAS Tool PHP Web Kit"
+ reference = "https://github.com/wordfence/grizzly"
+ license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
+ author = "Florian Roth (Nextron Systems)"
+ date = "2016/01/01"
+ id = "a5f915cd-b9c5-5cd3-b0a2-c15f6124737a"
+ strings:
+ $php = " 8KB and filesize < 100KB and
+ 2 of ($s*)
+}
+
+
+
+rule APT_APT29_wellmess_dotnet_unique_strings {
+ meta:
+ description = "Rule to detect WellMess .NET samples based on unique strings and function/variable names"
+ author = "NCSC"
+ reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
+ hash = "2285a264ffab59ab5a1eb4e2b9bcab9baf26750b6c551ee3094af56a4442ac41"
+ id = "7a058ec7-f795-5226-b511-ff469a969ee6"
+ strings:
+ $s1 = "HealthInterval" wide
+ $s2 = "Hello from Proxy" wide
+ $s3 = "Start bot:" wide
+ $s4 = "FromNormalToBase64" ascii
+ $s5 = "FromBase64ToNormal" ascii
+ $s6 = "WellMess" ascii
+ condition:
+ uint16(0) == 0x5a4d and uint16(uint16(0x3c)) == 0x4550 and 3 of them
+}
+
+rule APT_APT29_sorefang_encryption_key_schedule {
+ meta:
+ description = "Rule to detect SoreFang based on the key schedule used for encryption"
+ author = "NCSC"
+ reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
+ hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
+ id = "8d89edc1-a9fc-5155-9dc2-8d7f952f90d1"
+ strings:
+ $ = { C7 05 ?? ?? ?? ?? 63 51 E1 B7 B8 ?? ?? ?? ?? 8B 48
+ FC 81 E9 47 86 C8 61 89 08 83 C0 04 3D ?? ?? ?? ??
+ 7E EB 33 D2 33 C9 B8 2C 00 00 00 89 55 D4 33 F6 89
+ 4D D8 33 DB 3B F8 0F 4F C7 8D 04 40 89 45 D0 83 F8
+ 01 7C 4F 0F 1F 80 00 00 00 00 }
+ condition:
+ (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them
+}
+
+rule APT_APT29_sorefang_encryption_key_2b62 {
+ meta:
+ description = "Rule to detect SoreFang based on hardcoded encryption key"
+ author = "NCSC"
+ reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
+ hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
+ id = "9a7abad7-1cfa-52c8-9416-47cb80486714"
+ strings:
+ $ = "2b6233eb3e872ff78988f4a8f3f6a3ba"
+ condition:
+ ( uint16(0) == 0x5A4D and uint16(uint32(0x3c) ) == 0x4550)
+ and any of them
+}
+
+rule APT_APT29_sorefang_directory_enumeration_output_strings {
+ meta:
+ description = "Rule to detect SoreFang based on formatted string output for directory enumeration"
+ author = "NCSC"
+ reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
+ hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
+ id = "e24dbda1-3d43-52a7-9249-70a648f4913e"
+ strings:
+ $ = "----------All usres directory----------"
+ $ = "----------Desktop directory----------"
+ $ = "----------Documents directory----------"
+ condition:
+ (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)
+ and 2 of them
+}
+
+rule APT_APT29_sorefang_command_elem_cookie_ga_boundary_string {
+ meta:
+ description = "Rule to detect SoreFang based on scheduled task element and Cookie header/boundary strings"
+ author = "NCSC"
+ reference = "https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development"
+ hash = "58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2"
+ id = "3c6ffbad-9b39-5518-aa66-d76531ddb9ea"
+ strings:
+ $ = "