private rule RegSubDatCode : RegSubDat Family { meta: description = "RegSubDat code features" author = "Seth Hardy" last_modified = "2014-07-14" strings: // decryption loop $ = { 80 34 3? 99 40 (3D FB 65 00 00 | 3B C6) 7? F? } // push then pop values $ = { 68 FF FF 7F 00 5? } $ = { 68 FF 7F 00 00 5? } condition: all of them } private rule RegSubDatStrings : RegSubDat Family { meta: description = "RegSubDat Identifying Strings" author = "Seth Hardy" last_modified = "2014-07-14" strings: $avg1 = "Button" $avg2 = "Allow" $avg3 = "Identity Protection" $avg4 = "Allow for all" $avg5 = "AVG Firewall Asks For Confirmation" $mutex = "0x1A7B4C9F" condition: all of ($avg*) or $mutex } rule RegSubDat : Family { meta: description = "RegSubDat" author = "Seth Hardy" last_modified = "2014-07-14" condition: RegSubDatCode or RegSubDatStrings }