@herrcore
Created February 27, 2024 02:31
import "hash"
// Helper rule: true when the first four bytes of the file equal one of six magic values.
// uint32() reads little-endian, so 0xfeedface here corresponds to the on-disk bytes CE FA ED FE.
// The constants are the 32-bit (feedface), 64-bit (feedfacf) and fat/universal (cafebabe)
// Mach-O magics, each listed in both byte orders.
// NOTE(review): the on-disk bytes CA FE BA BE are also the Java class-file magic, so this
// helper on its own does not prove a file is Mach-O; callers combine it with further strings.
private rule Macho
{
meta:
description = "private rule to match Mach-O binaries"
condition:
uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
// Helper rule: true when the file starts with "MZ" (uint16(0) == 0x5a4d) and the 32-bit value
// found at the offset stored in the dword at 0x3C equals 0x4550 (bytes "PE\0\0").
// NOTE(review): no rule in the visible part of this file references PE — confirm it is still needed.
private rule PE
{
meta:
description = "private rule to match PE binaries"
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x4550
}
// Matches a Mach-O file (per the Macho helper) containing at least two of five ASCII strings.
// All five hex strings are plain ASCII; the decoded text is given beside each.
// NOTE(review): the condition has no filesize bound.
rule XProtect_MACOS_644e18d
{
meta:
description = "MACOS.644e18d"
strings:
$a = { 63 6f 6e 6e 65 63 74 54 6f 50 72 6f 78 79 4d 61 6e 61 67 65 72 } // "connectToProxyManager"
$b = { 63 6f 6e 6e 65 63 74 54 6f 44 65 73 74 69 6e 61 74 69 6f 6e } // "connectToDestination"
$c = { 68 65 61 72 74 62 65 61 74 53 65 6e 64 65 72 } // "heartbeatSender"
$d = { 63 6f 6e 6e 65 63 74 54 6f 43 6e 63 } // "connectToCnc"
$e = { 70 72 6f 78 69 74 2e 63 6f 6d 2f 70 65 65 72 } // "proxit.com/peer"
condition:
Macho and 2 of them
}
// Matches a Mach-O file under 500KB that contains the WebKit navigation-delegate selector ($a),
// a process-spawning indicator ($b or $c), and at least one of the short byte patterns $d1-$d5.
rule XProtect_MACOS_6e6bed7
{
meta:
description = "MACOS.6e6bed7"
strings:
// "webView:decidePolicyForNavigationAction:decisionHandler:"
$a = { 77 65 62 56 69 65 77 3a 64 65 63 69 64 65 50 6f 6c 69 63 79 46 6f 72 4e 61 76 69 67 61 74 69 6f 6e 41 63 74 69 6f 6e 3a 64 65 63 69 73 69 6f 6e 48 61 6e 64 6c 65 72 3a }
$b = { 4e 53 54 61 73 6b } // "NSTask"
$c = { 5f 70 63 6c 6f 73 65 00 5f 70 6f 70 65 6e } // "_pclose\0_popen"
// $d1-$d5: non-text byte patterns (not decoded here); $d1 allows two alternatives in two positions.
$d1 = { ( 19 | 17 ) 6d 1b ( d1 | 51 ) }
$d2 = { 44 8d b4 08 25 f9 ff ff }
$d3 = { 89 16 40 38 e9 03 29 2a }
$d4 = { 41 8a 14 0e f6 d2 88 14 08 }
$d5 = { 5a 07 00 91 88 03 13 4a }
condition:
Macho and $a and ( $b or $c ) and ( 1 of ( $d* ) ) and filesize < 500KB
}
// Matches a Mach-O file containing either of two wildcarded, non-text byte patterns.
// The patterns are written one fragment per line; "??" is a full-byte wildcard, "0?" / "C?" are
// nibble wildcards, "( x | y )" are alternatives and "[3-4]" is a 3-to-4-byte jump.
// NOTE(review): the condition has no filesize bound and needs only one of the two patterns.
rule XProtect_MACOS_cbb1424
{
meta:
description = "MACOS.cbb1424"
strings:
// $a: nine fragments, most ending in a 4-byte wildcard field.
$a = {
48 63 85 ?? ?? ?? ??
8B 84 85 ?? ?? ?? ??
88 85 ?? ?? ?? ??
8A 85 ?? ?? ?? ??
48 63 8D ?? ?? ?? ??
88 84 0D ?? ?? ?? ??
8B 85 ?? ?? ?? ??
83 C0 01
89 85 ?? ?? ?? ??
}
// $b: seven fragments with alternatives, ending in "75 ??".
$b = {
66 ( 41 0f | 0F ) ( 6F | 6f 44 ) ( 04 | 05 ) 0?
66 0F 38 00 C1
( 66 41 0F 7E 45 ?? | 66 0F 7e 03 )
( 48 | 49 ) 83 C? 10
( 48 | 49 ) 83 C? 04
( 4? 81 F? | 48 3D ??) [3-4]
75 ??
}
condition:
Macho and any of them
}
// Matches a Mach-O file containing two ASCII symbol-style strings and one short byte pattern.
// NOTE(review): the "pkg.Func" / "pkg.(*Type).Method" shape of $a and $b looks like Go symbol
// naming — confirm against a sample. The condition has no filesize bound.
rule XProtect_MACOS_1afcb8b
{
meta:
description = "MACOS.1afcb8b"
strings:
$a = { 77 65 62 76 69 65 77 2e 4e 65 77 } // "webview.New"
// "encoding/base64.(*Encoding).DecodeString"
$b = { 65 6e 63 6f 64 69 6e 67 2f 62 61 73 65 36 34 2e 28 2a 45 6e 63 6f 64 69 6e 67 29 2e 44 65 63 6f 64 65 53 74 72 69 6e 67 }
// Non-text byte pattern with alternatives (not decoded here).
$c = { (45 | 46) 0f b6 ( 2c | 24 ) ( 02 | 22 ) 45 31 ( ea | e1 ) }
condition:
Macho and all of them
}
// Matches a Mach-O file under 500KB that contains all eight ASCII identifiers below.
rule XProtect_MACOS_e71e847
{
meta:
description = "MACOS.e71e847"
strings:
$a = { 73 70 6d 44 6f 6d 61 69 6e } // "spmDomain"
$b = { 65 78 74 49 64 50 61 72 61 6d } // "extIdParam"
$c = { 69 64 50 61 72 61 6d } // "idParam"
$d = { 6c 6f 67 67 69 6e 67 55 72 6c } // "loggingUrl"
$e = { 73 72 63 68 50 72 6f 78 79 55 52 4c } // "srchProxyURL"
$f = { 67 65 74 4c 6f 67 67 69 6e 67 55 72 6c } // "getLoggingUrl"
$g = { 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 56 69 65 77 43 6f 6e 74 72 6f 6c 6c 65 72 } // "SafariExtensionViewController"
$h = { 70 6f 70 6f 76 65 72 56 69 65 77 43 6f 6e 74 72 6f 6c 6c 65 72 } // "popoverViewController"
condition:
Macho and filesize < 500KB and all of them
}
// Matches a Mach-O file under 600KB containing one fixed, non-text byte sequence.
// $a has no wildcards, so the match is exact byte-for-byte.
rule XProtect_MACOS_1940318
{
meta:
description = "MACOS.1940318"
strings:
$a = { 42 30 4C 30 FF 8D 51 29 81 F9 D5 00 00 00 41 0F 4F D4 42 30 14 30 8D 4A 29 81 FA D5 00 00 00 41 0F 4F CC 48 83 C0 02 48 3D 01 74 05 00 75 }
condition:
Macho and filesize < 600KB and $a
}
// Matches a Mach-O file containing a UTF-16LE shell command line and one ASCII symbol.
// NOTE(review): the condition has no filesize bound.
rule XProtect_MACOS_275ff12
{
meta:
description = "MACOS.275ff12"
strings:
// $a is UTF-16LE (every character followed by 00). Decoded:
//   ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s", line[4]); }'
$a = { 69 00 6f 00 72 00 65 00 67 00 20 00 2d 00 72 00 64 00 31 00 20 00 2d 00 63 00 20 00 49 00 4f 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 45 00 78 00 70 00 65 00 72 00 74 00 44 00 65 00 76 00 69 00 63 00 65 00 20 00 7c 00 20 00 61 00 77 00 6b 00 20 00 27 00 2f 00 49 00 4f 00 50 00 6c 00 61 00 74 00 66 00 6f 00 72 00 6d 00 55 00 55 00 49 00 44 00 2f 00 20 00 7b 00 20 00 73 00 70 00 6c 00 69 00 74 00 28 00 24 00 30 00 2c 00 20 00 6c 00 69 00 6e 00 65 00 2c 00 20 00 22 00 5c 00 22 00 22 00 29 00 3b 00 20 00 70 00 72 00 69 00 6e 00 74 00 66 00 28 00 22 00 25 00 73 00 22 00 2c 00 20 00 6c 00 69 00 6e 00 65 00 5b 00 34 00 5d 00 29 00 3b 00 20 00 7d 00 27 00 }
$b = { 5f 6b 66 75 6e 3a 23 6d 61 69 6e 28 29 } // "_kfun:#main()"
condition:
Macho and all of them
}
// Matches a Mach-O file containing at least one of two symbol names ($a*) together with at
// least one of three wildcarded byte patterns ($b*).
// NOTE(review): the condition has no filesize bound.
rule XProtect_MACOS_7c241b4
{
meta:
description = "MACOS.7c241b4"
strings:
$a1 = { 5f 54 72 61 6e 73 66 6f 72 6d 50 72 6f 63 65 73 73 54 79 70 65 } // "_TransformProcessType"
$a2 = { 5f 69 6e 66 6c 61 74 65 49 6e 69 74 } // "_inflateInit"
// $b1-$b3: non-text byte patterns with byte/nibble wildcards, alternatives and jumps (not decoded here).
$b1 = { 90 4? 63 c? 48 8? 0d ?? ?? 00 00 32 14 08 4c 39 fb }
$b2 = { 49 63 c6 48 8d 0d ?? ?? 00 00 44 32 3c 08 90 48 8b 85 78 ff ff ff 48 3b 45 80 }
$b3 = { ff cb [0-2] 48 63 c3 48 8b (15 | 0d) ?? ?? 00 (00 | 00 44) 32 ?? ?? 48 8b ?5 [1-4] 48 3b ?5 }
condition:
Macho and any of ( $a* ) and any of ( $b* )
}
// Matches a file under 100KB that starts with "#!" and contains all five shell-command
// fragments ($b*) plus a ZIP local-file-header signature ($c1) — i.e. a script that also
// carries ZIP data. This rule does not use the Macho helper.
rule XProtect_MACOS_54d6414
{
meta:
description = "MACOS.54d6414"
strings:
$a = { 23 21 } // "#!" (required at offset 0)
$b1 = { 6d 6b 74 65 6d 70 } // "mktemp"
$b2 = { 74 61 69 6c 20 2d 63 20 22} // 'tail -c "'
$b3 = { 66 75 6e 7a 69 70 20 2d 22} // 'funzip -"'
$b4 = { 63 68 6d 6f 64 20 2b 78 } // "chmod +x"
$b5 = { 6e 6f 68 75 70 } // "nohup"
$c1 = { 50 4b 03 04 } // "PK\x03\x04", ZIP local file header signature
condition:
filesize < 100KB and $a at 0 and (all of ($b*)) and $c1
}
// Matches a Mach-O file under 1MB that contains all six ASCII strings below.
rule XProtect_MACOS_2b50ea5
{
meta:
description = "MACOS.2b50ea5"
strings:
$string_1 = { 43 61 6e 6e 6f 74 20 72 65 6d 6f 76 65 20 6f 6c 64 20 66 69 6c 65 } // "Cannot remove old file"
$string_2 = { 2f 62 69 6e 2f 62 61 73 68 } // "/bin/bash"
$string_3 = { 56 65 72 73 69 6f 6e 20 64 65 63 6f 64 65 64 } // "Version decoded"
$string_4 = { 76 65 72 73 69 6f 6e 49 73 4f 4b } // "versionIsOK"
$string_5 = { 73 6f 72 74 65 65 64 43 69 74 79 4c 69 73 74 } // "sorteedCityList" (spelling as in the bytes)
$string_6 = { 5f 75 70 64 61 74 65 50 61 74 68 } // "_updatePath"
condition:
Macho and filesize < 1MB and all of them
}
// Matches a file under 100KB that starts with "#!" and contains all six $b* patterns:
// shell-command fragments with short jumps between the words, plus a ZIP header signature.
// The [n-m] jumps tolerate varying separators between tokens. No Macho check is applied.
rule XProtect_MACOS_f5d33c9
{
meta:
description = "MACOS.f5d33c9"
strings:
$a1 = { 23 21 } // "#!" (required at offset 0)
$b1 = { 6d 6b 74 65 6d 70 20 2d 74 } // "mktemp -t"
$b2 = { 74 61 69 6c [1-2] 2d 63 } // "tail" <1-2 bytes> "-c"
// "$0" .. "|" .. "funzip" .. "-" <5-9 bytes> .. ">" .. "$"
$b3 = { 24 30 [1-3] 7c [1-3] 66 75 6e 7a 69 70 [1-3] 2d [5-9] [1-3] 3e [1-3] 24 }
$b4 = { 63 68 6d 6f 64 [1-3] 2b 78 } // "chmod" <1-3 bytes> "+x"
$b5 = { 6b 69 6c 6c 61 6c 6c [1-3] 54 65 72 6d 69 6e 61 6c } // "killall" <1-3 bytes> "Terminal"
$b6 = { 50 4b 03 04 14 } // "PK\x03\x04" ZIP local file header signature followed by byte 0x14
condition:
filesize < 100KB and $a1 at 0 and all of ($b*)
}
// Matches a file under 500KB that starts with "#!", contains at least four of the six
// shell-command fragments ($b*), and contains a ZIP header signature ($c1).
// No Macho check is applied.
rule XProtect_MACOS_11eaac1
{
meta:
description = "MACOS.11eaac1"
strings:
$a1 = { 23 21 } // "#!" (required at offset 0)
$b1 = { 74 61 69 6c 20 2b } // "tail +"
$b2 = { 66 75 6e 7a 69 70 20 2d } // "funzip -"
$b3 = { 6d 6b 74 65 6d 70 20 2d 64 20 2d 74 20 78 } // "mktemp -d -t x"
$b4 = { 63 68 6d 6f 64 20 2d 52 [0-1] 20 37 35 35 } // "chmod -R" <0-1 byte> " 755"
$b5 = { 6b 69 6c 6c 61 6c 6c 20 [0-3] 54 65 72 6d 69 6e 61 6c } // "killall " <0-3 bytes> "Terminal"
// "nohup $TMPDIR/*.app/Contents/MacOS/"
$b6 = { 6e 6f 68 75 70 20 24 54 4d 50 44 49 52 2f 2a 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 4d 61 63 4f 53 2f }
$c1 = { 50 4b 03 04 0a } // "PK\x03\x04" ZIP local file header signature followed by byte 0x0a
condition:
filesize < 500KB and $a1 at 0 and 4 of ($b*) and $c1
}
// Matches a file under 10KB that starts with "#!" and contains either all four $b* patterns
// or all three $c* patterns. No Macho check is applied.
rule XProtect_MACOS_0e32a32
{
meta:
description = "MACOS.0e32a32"
strings:
$a = { 23 21 } // "#!" (required at offset 0)
// Five consecutive single-character assignments of the form X="Y"; (X and Y are wildcards).
$b1 = { ?? 3d 22 ?? 22 3b ?? 3d 22 ?? 22 3b ?? 3d 22 ?? 22 3b ?? 3d 22 ?? 22 3b ?? 3d 22 ?? 22 3b }
$b2 = { 6d 6b 74 65 6d 70 20 2d 64 20 2f 74 6d 70 } // "mktemp -d /tmp"
// Seven "${X}" expansions, a space, then three more — single-character variable names (wildcards).
$b3 = { 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d 20 24 7b ?? 7d 24 7b ?? 7d 24 7b ?? 7d }
$b4 = { 6e 6f 68 75 70 20 2f 62 69 6e 2f 62 61 73 68 20 2d 63 20 22 65 76 61 6c } // 'nohup /bin/bash -c "eval'
$c1 = { 27 5c 2e 28 63 6f 6d 6d 61 6e 64 29 24 27 } // '\.(command)$' including the single quotes
$c2 = { 55 32 46 73 64 47 56 6b 58 31 } // "U2FsdGVkX1", the Base64 form of the "Salted__" prefix
$c3 = { 6b 69 6c 6c 61 6c 6c 20 54 65 72 6d 69 6e 61 6c } // "killall Terminal"
condition:
filesize < 10KB and $a at 0 and (all of ($b*) or all of ($c*))
}
// Matches a Mach-O file under 1MB on a combination of byte patterns ($a*, $b*, $c*) and
// symbol names ($d*, $e*, $f*).
// NOTE(review): inside the outer parentheses "and" binds tighter than "or", so the condition reads
//   (all of $e*)  or  ( (all $a* or all $b* or all $c*) and all $d* and all $f* )
// i.e. the four $e* symbols alone satisfy it and $f1 is only required on the second branch.
// Confirm this grouping is the intended one.
rule XProtect_MACOS_2afe6bd
{
meta:
description = "MACOS.2afe6bd"
strings:
// $a*, $b*, $c*: non-text byte patterns, some with wildcards and jumps (not decoded here).
$a1 = { bf 0a [0-3] e8 ?? ?? ?? ?? 48 ?? 6d 6d 6d 6d 6d 6d 6d 6d 48 89 08 [0-4] 66 c7 ?? ?? ?? [0-1] ?? c7 ?? ?? }
$a2 = { BF 09 00 00 00 E8 ?? ?? 00 00 48 B9 53 53 53 53 53 53 53 53 48 89 08 C6 ?? ?? ?? C6 00 ?? ?? 40 ?? }
$b1 = { e8 ed 8d d2 e8 ed ad f2 e8 ed cd f2 e8 ed ed f2 08 20 00 a9 08 e0 00 f8 c8 0d 80 52 08 34 00 39 }
$b2 = { A8 AD 8D D2 A8 AD AD F2 A8 AD CD F2 A8 AD ED F2 08 00 00 F9 ?? ?? 80 52 }
$c1 = { 48 8D ?? ?? 23 00 00 48 ?? ?? FE FF FF FF E8 ?? ?? 00 00 48 89 ?? ?? ?? 48 85 C0 0F ?? ?? 01 00 00 48 8D ?? ?? ?? 00 00 48 ?? ?? FE FF FF FF E8 ?? ?? 00 00 48 89 ?? ?? ?? 48 85 ?? 0F 84 ?? ?? 00 00 48 8D ?? ?? ?? 00 00 48 8D ?? ?? ?? 00 00 E8 ?? ?? 00 00 48 85 C0 0F ?? ?? ?? 00 00 48 ?? ?? 48 89 ?? ?? ?? 31 F6 BA 02 00 00 00 E8 ?? 02 00 00 48 8B ?? ?? ?? E8 ?? 02 00 00 31 FF 48 89 ?? ?? ?? }
$c2 = { E1 10 01 10 1F 20 03 D5 20 00 80 92 B7 00 00 94 E0 1B 00 F9 00 0E 00 B4 A1 10 01 70 1F 20 03 D5 20 00 80 92 B1 00 00 94 60 ?? 00 ?? F4 03 00 AA 40 10 01 30 1F 20 03 D5 81 11 01 50 1F 20 03 D5 B0 00 00 94 80 0C 00 B4 F7 03 00 AA F4 17 00 F9 01 00 80 D2 42 00 80 52 B3 00 00 94 E0 03 17 AA B4 00 00 94 E0 03 F8 B7 F4 03 00 AA E0 03 17 AA }
$d1 = { 5f 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 45 78 65 63 75 74 65 57 69 74 68 50 72 69 76 69 6c 65 67 65 73 } // "_AuthorizationExecuteWithPrivileges"
$d2 = { 5f 43 46 42 75 6e 64 6c 65 47 65 74 56 65 72 73 69 6f 6e 4e 75 6d 62 65 72 } // "_CFBundleGetVersionNumber"
$e1 = { 5f 67 65 74 5f 69 6e 73 74 61 6c 6c 65 72 5f 6e 73 73 74 72 5f 63 6f 6e 73 74 } // "_get_installer_nsstr_const"
$e2 = { 5f 67 65 74 5f 69 6e 73 74 61 6c 6c 65 72 5f 63 73 74 72 5f 63 6f 6e 73 74 } // "_get_installer_cstr_const"
$e3 = { 5f 67 65 74 5f 61 75 74 68 5f 72 65 66 } // "_get_auth_ref"
$e4 = { 5f 72 75 6e 5f 61 73 5f 72 6f 6f 74 } // "_run_as_root"
// "_CFBundleGetVersionNumber", eight non-text bytes (one wildcard), then "_CFStringGetCStringPtr".
$f1 = { 5f 43 46 42 75 6e 64 6c 65 47 65 74 56 65 72 73 69 6f 6e 4e 75 6d 62 65 72 00 90 00 72 ?? 01 15 40 5f 43 46 53 74 72 69 6e 67 47 65 74 43 53 74 72 69 6e 67 50 74 72 }
condition:
Macho and filesize < 1MB and ( (all of ($e*)) or ((all of ($a*) or all of ($b*) or all of ($c*)) and (all of ($d*))) and all of ($f*) )
}
// Matches a file under 10KB that starts with "#!" and contains at least four of the eight
// $b* strings and at least six of the eleven $c* strings. No Macho check is applied.
// NOTE(review): $c8 ("WhereFrom") is a substring of $b6 ("...kMDItemWhereFroms"), so a hit on
// $b6 always yields a hit on $c8 as well; the two thresholds are not fully independent.
rule XProtect_MACOS_4d60c89
{
meta:
description = "MACOS.4d60c89"
strings:
$a1 = { 23 21 } // "#!" (required at offset 0)
$b1 = { 5f 70 6b 67 5f 69 6e 73 74 61 6c 6c 5f } // "_pkg_install_"
$b2 = { 70 75 62 6c 69 73 68 65 72 5f 69 64 } // "publisher_id"
$b3 = { 70 61 67 65 5f 69 64 } // "page_id"
$b4 = { 50 41 47 45 5f 49 44 } // "PAGE_ID"
$b5 = { 70 72 6f 64 75 63 74 56 65 72 73 69 6f 6e } // "productVersion"
$b6 = { 63 6f 6d 2e 61 70 70 6c 65 2e 6d 65 74 61 64 61 74 61 3a 6b 4d 44 49 74 65 6d 57 68 65 72 65 46 72 6f 6d 73 } // "com.apple.metadata:kMDItemWhereFroms"
$b7 = { 5c 22 65 76 65 6e 74 5c 22 3a 20 5c 22 73 75 63 63 65 73 73 5c 22 } // \"event\": \"success\" (backslashes are part of the match)
$b8 = { 5c 22 65 76 65 6e 74 5c 22 3a 20 5c 22 73 74 61 72 74 5c 22 } // \"event\": \"start\"
$c1 = { 73 79 73 74 65 6d 5f 70 72 6f 66 69 6c 65 72 20 53 50 48 61 72 64 77 61 72 65 44 61 74 61 54 79 70 65 20 7c 20 61 77 6b } // "system_profiler SPHardwareDataType | awk"
$c2 = { 6c 61 75 6e 63 68 63 74 6c 20 6c 6f 61 64 20 2d 77 } // "launchctl load -w"
$c3 = { 69 6f 72 65 67 20 2d 61 64 32 20 2d 63 20 49 4f 50 6c 61 74 66 6f 72 6d 45 78 70 65 72 74 44 65 76 69 63 65 } // "ioreg -ad2 -c IOPlatformExpertDevice"
$c4 = { 73 77 5f 76 65 72 73 20 2d 70 72 6f 64 75 63 74 } // "sw_vers -product"
$c5 = { 64 65 66 61 75 6c 74 73 20 77 72 69 74 65 20 22 24 70 6c 69 73 74 4c 41 22 } // 'defaults write "$plistLA"'
$c6 = { 73 75 64 6f 20 63 75 72 6c } // "sudo curl"
$c7 = { 6f 73 76 65 72 73 69 6f 6e } // "osversion"
$c8 = { 57 68 65 72 65 46 72 6f 6d } // "WhereFrom"
$c9 = { 77 68 65 72 65 46 72 6f 6d } // "whereFrom"
$c10 = { 53 74 61 72 74 49 6e 74 65 72 76 61 6c } // "StartInterval"
$c11 = { 52 75 6e 41 74 4c 6f 61 64 } // "RunAtLoad"
condition:
filesize < 10KB and $a1 at 0 and 4 of ($b*) and (6 of ($c*))
}
// Matches a Mach-O file under 100KB that contains either all three $a* strings (an embedded
// shell snippet plus "_system") or all six $b* patterns (byte patterns with ASCII fragments
// embedded in them, plus shell command text).
rule XProtect_MACOS_74416b0
{
meta:
description = "MACOS.74416b0"
strings:
// Decoded: MACHINEID="$(ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath
//   '//key[.="IOPlatformUUID"]/following-sibling::*[1]/text()' -)";CONTENT=$(curl --connect-timeout 90
$a1 = { 4d 41 43 48 49 4e 45 49 44 3d 22 24 28 69 6f 72 65 67 20 2d 61 64 32 20 2d 63 20 49 4f 50 6c 61 74 66 6f 72 6d 45 78 70 65 72 74 44 65 76 69 63 65 20 7c 20 78 6d 6c 6c 69 6e 74 20 2d 2d 78 70 61 74 68 20 27 2f 2f 6b 65 79 5b 2e 3d 22 49 4f 50 6c 61 74 66 6f 72 6d 55 55 49 44 22 5d 2f 66 6f 6c 6c 6f 77 69 6e 67 2d 73 69 62 6c 69 6e 67 3a 3a 2a 5b 31 5d 2f 74 65 78 74 28 29 27 20 2d 29 22 3b 43 4f 4e 54 45 4e 54 3d 24 28 63 75 72 6c 20 2d 2d 63 6f 6e 6e 65 63 74 2d 74 69 6d 65 6f 75 74 20 39 30 }
$a2 = { 65 76 61 6c 20 22 24 43 4f 4e 54 45 4e 54 22 } // 'eval "$CONTENT"'
$a3 = { 5f 73 79 73 74 65 6d } // "_system"
// $b1: non-text bytes around the ASCII fragments "/usr/sbi" and "n/chown".
$b1 = { 49 89 C7 48 BF 2F 75 73 72 2F 73 62 69 48 BE 6E 2F 63 68 6F 77 6E EF }
// $b2: non-text bytes around the ASCII fragments "/bin/chm" and "od".
$b2 = { 49 89 C6 48 BF 2F 62 69 6E 2F 63 68 6D 48 BE 6F 64 00 00 00 00 00 EA }
// Decoded: (ioreg -ad2 -c IOPlatformExpertDevice | xmllint --xpath '//key[.="IOPlatformUUID"]/following-sibling::*[1]
$b3 = { 28 69 6f 72 65 67 20 2d 61 64 32 20 2d 63 20 49 4f 50 6c 61 74 66 6f 72 6d 45 78 70 65 72 74 44 65 76 69 63 65 20 7c 20 78 6d 6c 6c 69 6e 74 20 2d 2d 78 70 61 74 68 20 27 2f 2f 6b 65 79 5b 2e 3d 22 49 4f 50 6c 61 74 66 6f 72 6d 55 55 49 44 22 5d 2f 66 6f 6c 6c 6f 77 69 6e 67 2d 73 69 62 6c 69 6e 67 3a 3a 2a 5b 31 5d }
// "(sw_vers -productName)", a run of NUL bytes, then "(sw_vers -productVersion)".
$b4 = { 28 73 77 5f 76 65 72 73 20 2d 70 72 6f 64 75 63 74 4e 61 6d 65 29 00 00 00 00 00 00 00 00 00 00 28 73 77 5f 76 65 72 73 20 2d 70 72 6f 64 75 63 74 56 65 72 73 69 6f 6e 29 }
$b5 = { 48 B9 6F 73 5F 76 65 72 73 69 } // bytes 48 B9 followed by ASCII "os_versi"
// Non-text bytes around the ASCII fragments "not_laun" and "ched".
$b6 = { 48 B8 6E 6F 74 5F 6C 61 75 6E 48 89 05 6E A2 00 00 48 B8 63 68 65 64 00 00 00 EC }
condition:
filesize < 100KB and Macho and ((all of ($a*)) or (all of ($b*)))
}
// Matches a Mach-O file under 500KB that contains one wildcarded byte pattern ($a) and
// three ASCII strings ($b, $c, $d).
rule XProtect_MACOS_e16be2c
{
meta:
description = "MACOS.e16be2c"
strings:
// Non-text byte pattern, mostly wildcards, ending in an e9/eb alternative (not decoded here).
$a = { 80 7d ?? 00 b8 ?? ?? ?? ?? b9 ?? ?? ?? ?? 0f 45 c1 ( e9 | eb ) ?? ?? ?? ?? }
$b = { 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 48 61 6e 64 6c 65 72 } // "SafariExtensionHandler"
$c = { 73 79 73 63 74 6c } // "sysctl"
$d = { 49 4f 53 65 72 76 69 63 65 47 65 74 4d 61 74 63 68 69 6e 67 53 65 72 76 69 63 65 } // "IOServiceGetMatchingService"
condition:
filesize < 500KB and Macho and all of them
}
// Matches a Mach-O file under 200KB containing a single long, non-text byte pattern.
// The 4-byte wildcard runs follow e8 bytes; the pattern ends with a one-byte wildcard.
rule XProtect_MACOS_1373c52
{
meta:
description = "MACOS.1373c52"
strings:
$a = { 48 8d b5 58 ff ff ff e8 ?? ?? ?? ?? 49 89 c4 66 0f 6f 05 09 3e 00 00 f3 0f 7f 40 10 4c 8d 68 20 44 88 78 20 48 8d 58 21 48 8b 7d c8 e8 ?? ?? ?? ?? 4c 89 ef 48 89 de 4c 8d 6d 90 e8 ?? ?? ?? ?? 4c 89 e7 e8 ?? ?? ?? ?? 48 8b 5d 80 48 ff c3 70 ?? }
condition:
filesize < 200KB and Macho and $a
}
// Matches a Mach-O file under 1MB that contains either every $a* and $b* identifier
// (eleven ASCII names in total) or the single long byte pattern $c.
rule XProtect_MACOS_6e7d4c2
{
meta:
description = "MACOS.6e7d4c2"
strings:
$a1 = { 73 65 74 44 69 73 74 72 69 62 75 74 65 72 } // "setDistributer"
$a2 = { 73 65 74 44 65 76 69 63 65 49 44 } // "setDeviceID"
$a3 = { 73 65 74 43 68 61 6e 6e 65 6c 49 44 } // "setChannelID"
$a4 = { 73 65 74 49 70 41 64 64 72 65 73 73 } // "setIpAddress"
$a5 = { 73 65 74 42 61 72 63 6f 64 65 49 44 } // "setBarcodeID"
$a6 = { 73 65 74 43 48 } // "setCH"
$a7 = { 73 65 74 46 46 } // "setFF"
$a8 = { 73 65 74 53 61 66 61 72 69 45 58 } // "setSafariEX"
$b1 = { 49 4e 43 68 72 6f 6d 65 41 6e 64 46 46 53 65 74 74 65 72 } // "INChromeAndFFSetter"
$b2 = { 49 4e 41 70 53 65 74 74 65 72 } // "INApSetter"
$b3 = { 49 4e 49 6e 73 74 61 6c 6c 65 72 46 6c 6f 77 } // "INInstallerFlow"
// Long non-text byte pattern with many wildcard runs (not decoded here).
$c = { 48 8b 85 f0 fe ff ff 48 89 c7 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 bd c0 fe ff ff 48 89 cf 48 89 c2 ff ?? ?? ?? ?? ?? 48 89 c7 e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 8b 8d c0 fe ff ff 48 89 cf 48 89 c2 48 89 85 b8 fe ff ff ff ?? ?? ?? ?? ?? 48 8b 85 b8 fe ff ff 48 89 c7 ff ?? ?? ?? ?? ?? 45 31 c0 44 89 c6 48 8d 45 e0 48 89 c7 e8 ?? ?? ?? ?? 48 81 c4 50 01 00 00 5d c3 }
condition:
Macho and filesize < 1MB and ( ( all of ( $a* ) and all of ( $b* ) ) or $c )
}
// Matches a Mach-O file under 1MB that contains both NUL-separated name lists ($a1, $a2)
// and at least one of two wildcarded byte patterns ($b1, $b2).
rule XProtect_MACOS_1f26189
{
meta:
description = "MACOS.1f26189"
strings:
// "processInfo\0operatingSystemVersion\0"
$a1 = { 70 72 6F 63 65 73 73 49 6E 66 6F 00 6F 70 65 72 61 74 69 6E 67 53 79 73 74 65 6D 56 65 72 73 69 6F 6E 00 }
// NUL-terminated, back to back: "IOEthernetInterface", "IOPrimaryInterface", "IOPropertyMatch",
// "IOService", "IOMACAddress", "IOPlatformSerialNumber", "IOPlatformUUID".
$a2 = { 49 4F 45 74 68 65 72 6E 65 74 49 6E 74 65 72 66 61 63 65 00 49 4F 50 72 69 6D 61 72 79 49 6E 74 65 72 66 61 63 65 00 49 4F 50 72 6F 70 65 72 74 79 4D 61 74 63 68 00 49 4F 53 65 72 76 69 63 65 00 49 4F 4D 41 43 41 64 64 72 65 73 73 00 49 4F 50 6C 61 74 66 6F 72 6D 53 65 72 69 61 6C 4E 75 6D 62 65 72 00 49 4F 50 6C 61 74 66 6F 72 6D 55 55 49 44 00 }
// $b1, $b2: non-text byte patterns with wildcards and [0-20] jumps (not decoded here).
$b1 = { 0F 28 ?? ?? ?? ?? 00 0F 29 ?? ?? ?? ?? 00 48 8D ?? ?? ?? ?? 00 [0-20] 48 ?? ?? ?? ?? ?? 00 C7 05 5B B1 05 00 B0 ED F8 F0 [0-20] C6 ?? ?? ?? ?? 00 ?? 48 8D ?? ?? ?? ?? 00 48 ?? ?? ?? DA FE FF E8 ?? ?? ?? 00 48 8D ?? ?? ?? ?? 00 }
$b2 = { C7 45 ?? ?? 00 00 00 83 7D ?? ?? 7C ?? 48 63 45 ?? F2 48 0F ?? 04 ?? F2 0F 51 C0 F2 0F 2C C0 48 63 4D ?? 88 84 0B ?? 00 00 00 8B 45 ?? 83 C0 ?? 89 45 ?? EB ?? EB ?? }
condition:
filesize < 1MB and Macho and all of ($a*) and any of ($b*)
}
// Matches a Mach-O file under 500KB that contains a short byte pattern ($a) and one symbol name ($b).
// NOTE(review): $a fixes only three full bytes (48 83 .. 77) plus a nibble and a two-way
// alternative, so it carries little specificity on its own; the rule relies on $b and the size
// bound to narrow the match.
rule XProtect_MACOS_8f20223
{
meta:
description = "MACOS.8f20223"
strings:
$a = { 48 83 c? 77 (0f | 70) ?? }
$b = { 5f 43 47 44 69 73 70 6c 61 79 4d 6f 76 65 43 75 72 73 6f 72 54 6f 50 6f 69 6e 74 } // "_CGDisplayMoveCursorToPoint"
condition:
filesize < 500KB and Macho and all of them
}
// Matches a Mach-O file under 100KB that contains any three of the ten strings below.
// $a-$g are ASCII identifiers; $h-$j are a 48 byte, one wildcard byte, then an ASCII fragment.
rule XProtect_MACOS_1c119be
{
meta:
description = "MACOS.1c119be"
strings:
$a = { 70 72 65 70 61 72 65 5f 73 65 61 72 63 68 } // "prepare_search"
$b = { 65 78 65 63 75 74 65 5f 73 65 61 72 63 68 } // "execute_search"
$c = { 67 65 74 51 75 65 72 79 50 61 72 74 } // "getQueryPart"
$d = { 53 65 61 72 63 68 50 72 65 66 69 78 65 73 } // "SearchPrefixes"
$e = { 49 67 6e 6f 72 65 44 6f 6d 61 69 6e 73 } // "IgnoreDomains"
$f = { 53 65 61 72 63 68 65 73 43 6c 6f 75 64 } // "SearchesCloud"
$g = { 53 65 61 72 63 68 65 73 4e 65 74 77 6f 72 6b } // "SearchesNetwork"
$h = { 48 ?? 71 75 65 72 79 00 00 00 } // 48 ?? then "query\0\0\0"
$i = { 48 ?? 72 65 73 65 74 20 53 65 } // 48 ?? then "reset Se"
$j = { 48 ?? 74 74 69 6e 67 73 00 } // 48 ?? then "ttings\0"
condition:
filesize < 100KB and Macho and 3 of them
}
// Matches a Mach-O file under 500KB that contains a fixed run of NUL-separated symbol names
// ($a1) and two wildcarded byte patterns ($a2, $a3).
rule XProtect_MACOS_449a7ed
{
meta:
description = "MACOS.449a7ed"
strings:
// NUL-separated, in order: "closedir", "_memchr", "_memcmp", "_memcpy", "_memset",
// "_opendir$INODE64", "_rand", "_readdir$INODE64", "_srand", "_stat$INODE64", "_strcpy",
// "_strlen", "_system", "_time", "_vsnprintf", then the fragment "dyld_".
$a1 = { 63 6c 6f 73 65 64 69 72 00 5f 6d 65 6d 63 68 72 00 5f 6d 65 6d 63 6d 70 00 5f 6d 65 6d 63 70 79 00 5f 6d 65 6d 73 65 74 00 5f 6f 70 65 6e 64 69 72 24 49 4e 4f 44 45 36 34 00 5f 72 61 6e 64 00 5f 72 65 61 64 64 69 72 24 49 4e 4f 44 45 36 34 00 5f 73 72 61 6e 64 00 5f 73 74 61 74 24 49 4e 4f 44 45 36 34 00 5f 73 74 72 63 70 79 00 5f 73 74 72 6c 65 6e 00 5f 73 79 73 74 65 6d 00 5f 74 69 6d 65 00 5f 76 73 6e 70 72 69 6e 74 66 00 64 79 6c 64 5f }
// $a2, $a3: non-text byte patterns with wildcards (not decoded here).
$a2 = { 48 89 7D F0 48 C7 45 F8 ?? 00 00 00 E8 3B 2D 00 00 B9 ?? 00 00 00 48 98 31 D2 48 F7 F1 48 8D ?? ?? 30 00 00 0F BE 04 ?? 48 83 C4 ?? }
$a3 = { 48 89 ?? 48 89 ?? E8 45 ?? 00 00 48 8D 45 ?? 48 8D ?? F0 FE FF FF 48 89 48 ?? 48 8D 4D ?? 48 89 48 ?? C7 40 04 ?? 00 00 00 C7 00 ?? 00 00 00 48 8D ?? ?? E8 7C ?? 00 00 49 89 C4 48 63 5D BC 4C 89 FF E8 9D ?? 00 00 48 8D ?? ?? 4C 89 ?? 48 89 ?? 48 89 ?? E8 0F ?? 00 00 89 45 ?? }
condition:
filesize < 500KB and Macho and all of them
}
// Matches a Mach-O file under 500KB that contains all five strings: a run of symbol names with
// fixed non-text bytes between them ($a1), an entitlement key ($a2), two symbol names ($a3, $a4)
// and one wildcarded byte pattern ($a5).
rule XProtect_MACOS_d444820
{
meta:
description = "MACOS.d444820"
strings:
// Names in order, each followed by eight fixed non-text bytes: "pthread_key_create",
// "_pthread_once", "_pthread_setspecific", "_sigaction", "_siglongjmp", then "_sigsetjmp".
$a1 = { 70 74 68 72 65 61 64 5f 6b 65 79 5f 63 72 65 61 74 65 00 90 00 72 f8 01 15 40 5f 70 74 68 72 65 61 64 5f 6f 6e 63 65 00 90 00 72 80 02 15 40 5f 70 74 68 72 65 61 64 5f 73 65 74 73 70 65 63 69 66 69 63 00 90 00 72 88 02 15 40 5f 73 69 67 61 63 74 69 6f 6e 00 90 00 72 90 02 15 40 5f 73 69 67 6c 6f 6e 67 6a 6d 70 00 90 00 72 98 02 15 40 5f 73 69 67 73 65 74 6a 6d 70 }
// "<key>com.apple.security.cs.allow-unsigned-executable-memory</key>"
$a2 = { 3c 6b 65 79 3e 63 6f 6d 2e 61 70 70 6c 65 2e 73 65 63 75 72 69 74 79 2e 63 73 2e 61 6c 6c 6f 77 2d 75 6e 73 69 67 6e 65 64 2d 65 78 65 63 75 74 61 62 6c 65 2d 6d 65 6d 6f 72 79 3c 2f 6b 65 79 3e }
$a3 = { 5f 73 69 67 6e 61 6c 5f 68 61 6e 64 6c 65 72 } // "_signal_handler"
$a4 = { 5f 74 72 79 5f 63 61 74 63 68 5f 69 6e 69 74 } // "_try_catch_init"
// Non-text byte pattern with wildcards (not decoded here).
$a5 = { BA ?? 00 00 00 B8 01 00 00 00 EB ?? 66 0F 1F 84 00 ?? ?? 00 00 48 83 C0 02 89 CA 48 3D ?? ?? ?? ?? 74 ?? 42 30 54 30 ?? 83 C2 ?? 31 C9 BE 00 00 00 00 81 FA FE 00 00 00 7F ?? 89 D6 42 30 34 30 83 C6 ?? 81 FE FE 00 00 00 7F ?? 89 F1 EB ?? }
condition:
Macho and filesize < 500KB and all of them
}
// Matches a Mach-O file under 250KB that contains the byte pattern $c1 together with either
// all three $a* symbol names or both $b* strings.
rule XProtect_MACOS_8a20735
{
meta:
description = "MACOS.8a20735"
strings:
$a1 = { 5f 67 65 74 78 61 74 74 72 } // "_getxattr"
$a2 = { 5f 73 79 73 74 65 6d } // "_system"
$a3 = { 5f 75 75 69 64 5f 67 65 6e 65 72 61 74 65 5f 72 61 6e 64 6f 6d } // "_uuid_generate_random"
$b1 = { 5f 54 72 61 6e 73 66 6f 72 6d 50 72 6f 63 65 73 73 54 79 70 65 } // "_TransformProcessType"
// NUL-separated, in order: "_access", "_chmod", "_dlclose", "_dlopen", "_dlsym", "_fclose",
// "_feof", "_fflush", "_fgets", "_fopen", "_fread", "_free", "_fseek", "_fseeko", "_ftello",
// "_fwrite", then the fragment "_kCFAllocator".
$b2 = { 5f 61 63 63 65 73 73 00 5f 63 68 6d 6f 64 00 5f 64 6c 63 6c 6f 73 65 00 5f 64 6c 6f 70 65 6e 00 5f 64 6c 73 79 6d 00 5f 66 63 6c 6f 73 65 00 5f 66 65 6f 66 00 5f 66 66 6c 75 73 68 00 5f 66 67 65 74 73 00 5f 66 6f 70 65 6e 00 5f 66 72 65 61 64 00 5f 66 72 65 65 00 5f 66 73 65 65 6b 00 5f 66 73 65 65 6b 6f 00 5f 66 74 65 6c 6c 6f 00 5f 66 77 72 69 74 65 00 5f 6b 43 46 41 6c 6c 6f 63 61 74 6f 72 }
// Non-text byte pattern with 5-byte wildcard runs (not decoded here).
$c1 = { A8 01 75 02 EB 21 C6 03 01 48 8D 7D D8 BE 01 00 00 00 ?? ?? ?? ?? ?? 48 8B 45 D8 48 89 43 08 48 89 DF ?? ?? ?? ?? ?? 48 89 DF ?? ?? ?? ?? ?? A8 01 75 02 EB 4E 48 8B 5B 08 48 8B 75 D0 4C 8D 75 80 4C 89 F7 ?? ?? ?? ?? ?? 48 89 DF 4C 89 F6 ?? ?? ?? ?? ?? EB 00 48 89 C3 48 8D 7D 80 ?? ?? ?? ?? ?? }
condition:
Macho and filesize < 250KB and (all of ($a*) or all of ($b*)) and $c1
}
// Matches a Mach-O file under 500KB that contains three IOKit-style symbol names ($a1-$a3)
// and two wildcarded byte patterns ($a4, $a5).
rule XProtect_MACOS_e3548bb
{
meta:
description = "MACOS.e3548bb"
strings:
$a1 = { 5f 49 4f 53 65 72 76 69 63 65 4d 61 74 63 68 69 6e 67 } // "_IOServiceMatching"
$a2 = { 5f 49 4f 53 65 72 76 69 63 65 47 65 74 4d 61 74 63 68 69 6e 67 53 65 72 76 69 63 65 } // "_IOServiceGetMatchingService"
$a3 = { 5f 49 4f 52 65 67 69 73 74 72 79 45 6e 74 72 79 43 72 65 61 74 65 43 46 50 72 6f 70 65 72 74 79 } // "_IORegistryEntryCreateCFProperty"
// $a4, $a5: non-text byte patterns with wildcards (not decoded here).
$a4 = { 48 89 ?? ?? 48 89 ?? 4C 89 ?? 48 8D ?? ?? ?? 00 00 41 FF ?? 48 89 ?? E8 37 ?? 00 00 48 89 ?? ?? 48 89 ?? ?? }
$a5 = { 44 89 7C ?? ?? C1 E3 ?? C1 E5 ?? 0F B7 ?? 09 D9 41 0F B6 ?? 09 ?? 89 54 ?? ?? 48 8D 74 ?? ?? BF ?? 00 00 00 FF ?? }
condition:
filesize < 500KB and Macho and all of them
}
// Matches a file under 10KB that starts with "#!", mentions "zsh" and "rev)", and contains
// more than 15 occurrences of the literal text \U00000 and more than 100 occurrences of "${".
// The thresholds use YARA's #name match counters. No Macho check is applied.
rule XProtect_MACOS_71915a8
{
meta:
description = "MACOS.71915a8"
strings:
$shebang = "#!"
$a = "zsh"
// The doubled backslash is YARA escaping: the matched text is a single backslash then "U00000".
$b = "\\U00000"
$c = "${"
$d = "rev)"
condition:
filesize < 10KB and $shebang at 0 and $a and #b > 15 and #c > 100 and $d
}
// Matches a Mach-O file under 500KB that contains all eight ASCII strings: two .app names,
// five command lines and a fixed User-Agent string.
rule XProtect_MACOS_260ae81
{
meta:
description = "MACOS.260ae81"
strings:
$s1 = { 4D 65 64 69 61 52 65 6D 6F 74 65 2E 61 70 70 } // "MediaRemote.app"
$s2 = { 57 61 74 63 68 43 61 74 2E 61 70 70 } // "WatchCat.app"
$s3 = { 73 77 5F 76 65 72 73 20 2D 70 72 6F 64 75 63 74 4E 61 6D 65 } // "sw_vers -productName"
$s4 = { 73 77 5F 76 65 72 73 20 2D 70 72 6F 64 75 63 74 56 65 72 73 69 6F 6E } // "sw_vers -productVersion"
$s5 = { 73 77 5F 76 65 72 73 20 2D 62 75 69 6C 64 56 65 72 73 69 6F 6E } // "sw_vers -buildVersion"
$s6 = { 77 68 6F 61 6D 69 } // "whoami"
$s7 = { 70 73 20 2D 65 20 2D 6F 20 63 6F 6D 6D 61 6E 64 } // "ps -e -o command"
// "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15"
$s8 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 4D 61 63 69 6E 74 6F 73 68 3B 20 49 6E 74 65 6C 20 4D 61 63 20 4F 53 20 58 20 31 30 5F 31 33 5F 36 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 36 30 35 2E 31 2E 31 35 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 56 65 72 73 69 6F 6E 2F 31 32 2E 30 2E 32 20 53 61 66 61 72 69 2F 36 30 35 2E 31 2E 31 35 }
condition:
Macho and filesize < 500KB and all of them
}
// Matches a Mach-O file under 500KB that contains three sw_vers command lines, a fixed
// User-Agent string and a plist file name.
rule XProtect_MACOS_580a1bc
{
meta:
description = "MACOS.580a1bc"
strings:
$s1 = { 73 77 5F 76 65 72 73 20 2D 70 72 6F 64 75 63 74 4E 61 6D 65 } // "sw_vers -productName"
$s2 = { 73 77 5F 76 65 72 73 20 2D 70 72 6F 64 75 63 74 56 65 72 73 69 6F 6E } // "sw_vers -productVersion"
$s3 = { 73 77 5F 76 65 72 73 20 2D 62 75 69 6C 64 56 65 72 73 69 6F 6E } // "sw_vers -buildVersion"
// "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15"
$s4 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 4D 61 63 69 6E 74 6F 73 68 3B 20 49 6E 74 65 6C 20 4D 61 63 20 4F 53 20 58 20 31 30 5F 31 33 5F 36 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 36 30 35 2E 31 2E 31 35 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 56 65 72 73 69 6F 6E 2F 31 32 2E 30 2E 32 20 53 61 66 61 72 69 2F 36 30 35 2E 31 2E 31 35 }
$s5 = { 63 6F 6D 2E 61 70 70 6C 65 2E 77 61 74 63 68 63 61 74 2E 70 6C 69 73 74 } // "com.apple.watchcat.plist"
condition:
Macho and filesize < 500KB and all of them
}
// Matches a Mach-O file that contains both non-text byte patterns below.
// Each pattern is fixed except for 4-byte wildcard runs.
// NOTE(review): the condition has no filesize bound.
rule XProtect_MACOS_6cb9746
{
meta:
description = "MACOS.6cb9746"
strings:
$a = { 8b 45 bc 48 8b 4d a0 48 63 55 9c 33 04 91 89 04 91 8b 7d bc be 01 00 00 00 e8 ?? ?? ?? ?? 89 45 bc 8b 45 9c 83 c0 01 89 45 9c e9 ?? ?? ?? ?? }
$b = { 48 0f bf 85 ce fe ff ff 0f b6 8c 05 f0 fe ff ff 48 0f bf 85 ce fe ff ff 0f b6 84 05 f0 fe ff ff 0f b6 95 db fe ff ff 89 95 bc fe ff ff 99 8b b5 bc fe ff ff f7 fe 01 d1 89 c8 99 b9 ?? ?? ?? ?? f7 f9 40 88 d7 4c 0f bf 85 ce fe ff ff 42 88 bc 05 f0 fe ff ff 0f b6 85 db fe ff ff 0f bf 8d ce fe ff ff 01 c1 66 89 ca 66 89 95 ce fe ff ff e9 ?? ?? ?? ?? }
condition:
Macho and all of them
}
// Matches a Mach-O file under 100KB containing one fixed 24-byte, non-text sequence.
// "all of them" is equivalent to "$s1" here because the rule defines a single string.
rule XProtect_MACOS_b17a97e
{
meta:
description = "MACOS.b17a97e"
strings:
$s1 = { 89 C1 C1 E9 07 48 69 C9 11 08 04 02 48 C1 E9 20 69 C9 80 3F 00 00 F7 D9 }
condition:
Macho and filesize < 100KB and all of them
}
// Matches a Mach-O file under 100KB that contains all four ASCII strings: an identifier,
// a fixed User-Agent string and two "<digit>name()" strings.
rule XProtect_MACOS_2b3d4cb
{
meta:
description = "MACOS.2b3d4cb"
strings:
$s1 = { 43 6F 6E 6E 4D 6F 64 65 6C } // "ConnModel"
// "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36"
$s2 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 4D 61 63 69 6E 74 6F 73 68 3B 20 49 6E 74 65 6C 20 4D 61 63 20 4F 53 20 58 20 31 30 5F 31 32 5F 36 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F 6D 65 2F 36 36 2E 30 2E 33 33 35 39 2E 31 33 39 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 }
$s3 = { 31 72 65 70 6C 79 46 69 6E 69 73 68 65 64 28 29 } // "1replyFinished()"
$s4 = { 32 66 69 6E 69 73 68 65 64 28 29 } // "2finished()"
condition:
Macho and filesize < 100KB and all of them
}
// Matches a Mach-O file under 100KB that contains a fixed User-Agent string and ten
// underscore-prefixed symbol names.
rule XProtect_MACOS_8340d93
{
meta:
description = "MACOS.8340d93"
strings:
// "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15"
$s1 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 4D 61 63 69 6E 74 6F 73 68 3B 20 49 6E 74 65 6C 20 4D 61 63 20 4F 53 20 58 20 31 30 5F 31 34 5F 33 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 36 30 35 2E 31 2E 31 35 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 56 65 72 73 69 6F 6E 2F 31 32 2E 30 2E 32 20 53 61 66 61 72 69 2F 36 30 35 2E 31 2E 31 35 }
$s2 = { 5F 42 61 73 65 36 34 45 6E 63 6F 64 65 } // "_Base64Encode"
$s3 = { 5F 43 75 72 6C 53 65 6E 64 52 65 63 76 } // "_CurlSendRecv"
$s4 = { 5F 44 6F 77 6E 41 63 74 } // "_DownAct"
$s5 = { 5F 47 65 6E 65 72 61 74 65 46 69 6C 65 4E 61 6D 65 } // "_GenerateFileName"
$s6 = { 5F 47 65 74 49 6E 66 6F 4C 69 6E 65 } // "_GetInfoLine"
$s7 = { 5F 47 65 74 49 6E 74 65 72 6E 61 6C 49 50 } // "_GetInternalIP"
$s8 = { 5F 47 65 74 55 73 65 72 4E 61 6D 65 } // "_GetUserName"
$s9 = { 5F 47 65 74 5F 53 57 5F 56 45 52 } // "_Get_SW_VER"
$s10 = { 5F 53 69 6E 53 6C 65 65 70 } // "_SinSleep"
$s11 = { 5F 53 69 6E 5A 65 72 6F 4D 65 6D 6F 72 79 } // "_SinZeroMemory"
condition:
Macho and filesize < 100KB and all of them
}
// Matches a Mach-O file under 100KB that contains a 15-character ASCII token and a fixed
// User-Agent string. Note the User-Agent names Windows although the rule requires Mach-O.
rule XProtect_MACOS_f4a3a92
{
meta:
description = "MACOS.f4a3a92"
strings:
$s1 = { 6A 47 7A 41 63 4E 36 6B 34 56 73 54 52 6E 39 } // "jGzAcN6k4VsTRn9"
// "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36"
$s2 = { 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 78 36 34 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F 6D 65 2F 37 32 2E 30 2E 33 36 32 36 2E 31 32 31 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 }
condition:
Macho and filesize < 100KB and all of them
}
// Matches a Mach-O file under 100KB that contains all seven underscore-prefixed symbol names.
// NOTE(review): $s6 ("_memory_exec") is a prefix of $s5 ("_memory_exec2"), so $s6 matches
// wherever $s5 does and adds no independent constraint.
rule XProtect_MACOS_8d038b3
{
meta:
description = "MACOS.8d038b3"
strings:
$s1 = { 5F 69 73 5F 73 69 65 72 72 61 } // "_is_sierra"
$s2 = { 5F 66 69 6E 64 5F 6D 61 63 68 6F } // "_find_macho"
$s3 = { 5F 66 69 6E 64 5F 65 70 63 } // "_find_epc"
$s4 = { 5F 72 65 73 6F 6C 76 65 5F 73 79 6D 62 6F 6C } // "_resolve_symbol"
$s5 = { 5F 6D 65 6D 6F 72 79 5F 65 78 65 63 32 } // "_memory_exec2"
$s6 = { 5F 6D 65 6D 6F 72 79 5F 65 78 65 63 } // "_memory_exec"
$s7 = { 5F 6C 6F 61 64 5F 66 72 6F 6D 5F 6D 65 6D 6F 72 79 } // "_load_from_memory"
condition:
Macho and filesize < 100KB and all of them
}
// Matches a Mach-O file under 100KB that contains all five symbol names below.
// $s2-$s5 have the "__Z<len><name>v" shape of Itanium-ABI mangled C++ function names.
rule XProtect_MACOS_c723519
{
meta:
description = "MACOS.c723519"
strings:
$s1 = { 5F 6D 5F 43 6F 6E 66 69 67 } // "_m_Config"
$s2 = { 5F 5F 5A 39 53 65 74 43 6F 6E 66 69 67 76 } // "__Z9SetConfigv"
$s3 = { 5F 5F 5A 31 30 4C 6F 61 64 43 6F 6E 66 69 67 76 } // "__Z10LoadConfigv"
$s4 = { 5F 5F 5A 31 30 53 61 76 65 43 6F 6E 66 69 67 76 } // "__Z10SaveConfigv"
$s5 = { 5F 5F 5A 31 33 4D 65 73 73 61 67 65 54 68 72 65 61 64 76 } // "__Z13MessageThreadv"
condition:
Macho and filesize < 100KB and all of them
}
// Matches a Mach-O file under 100KB that contains all five ASCII strings: an update URL,
// a query-string format, a client identifier string, a temp-file path and a file name.
// The URL is shown defanged in the comment; the hex bytes are unchanged.
rule XProtect_MACOS_bd64115
{
meta:
description = "MACOS.bd64115"
strings:
// "hxxps://coingotrade[.]com/update_coingotrade.php"
$s1 = { 68 74 74 70 73 3A 2F 2F 63 6F 69 6E 67 6F 74 72 61 64 65 2E 63 6F 6D 2F 75 70 64 61 74 65 5F 63 6F 69 6E 67 6F 74 72 61 64 65 2E 70 68 70 }
$s2 = { 76 65 72 3D 25 64 26 74 69 6D 65 73 74 61 6D 70 3D 25 6C 64 } // "ver=%d&timestamp=%ld"
$s3 = { 43 6F 69 6E 47 6F 54 72 61 64 65 20 31 2E 30 20 28 43 68 65 63 6B 20 55 70 64 61 74 65 20 4F 73 78 29 } // "CoinGoTrade 1.0 (Check Update Osx)"
$s4 = { 2F 70 72 69 76 61 74 65 2F 74 6D 70 2F 75 70 64 61 74 65 63 6F 69 6E 67 6F 74 72 61 64 65 } // "/private/tmp/updatecoingotrade"
// "kupay_updater_mac_new-" followed by 40 lowercase hexadecimal characters.
$s5 = { 6B 75 70 61 79 5F 75 70 64 61 74 65 72 5F 6D 61 63 5F 6E 65 77 2D 35 35 35 35 34 39 34 34 39 34 36 35 31 63 37 36 32 65 32 35 33 37 65 31 62 32 66 31 32 64 30 31 64 33 63 34 33 37 63 37 }
condition:
Macho and filesize < 100KB and all of them
}
// Matches on a set of wildcarded byte patterns ($a*, $b, $c, $d, $g) and two symbol names ($e, $f).
// NOTE(review): "and" binds tighter than "or", so the condition reads
//   ( Macho and filesize < 4MB and (any $a* or #g > 50 or $b or $c) )  or  ( #d > 1 and #e > 1 and #f > 1 )
// The second branch is therefore evaluated without the Macho check or the size bound, on any
// scanned file. Confirm whether that is intended or whether outer parentheses are missing.
// There is no $a6; the $a* wildcard simply covers $a1-$a5 and $a7.
rule XProtect_MACOS_8032420
{
meta:
description = "MACOS.8032420"
strings:
// $a1-$a7, $b, $c, $d, $g: non-text byte patterns with wildcards, alternatives and jumps (not decoded here).
$a1 = { 0f 28 ?? ?? ?? ?? ?? 0f 28 ?? ?? ?? ?? ?? 0f 57 c8 0f 29 ?? ?? ?? ?? ?? 0f 57 05 e3 13 07 00 0f 29 ?? ?? ?? ?? ?? 80 35 ?? ?? ?? 00 ?? 80 35 ?? ?? ?? 00 ?? 80 35 ?? ?? ?? 00 ?? 80 35 ?? ?? ?? 00 ?? 80 35 ?? ?? ?? 00 ?? }
$a2 = { 48 8d [5] 80 34 08 ?? 48 ff c0 48 ?? ?? ?? 75 ?? 48 8d [5] 48 89 df 4c 89 fe ff }
$a3 = { b8 02 00 00 00 48 ?? ?? ?? ?? ?? ?? 48 c7 c2 ff ff ff ff 80 ?? ?? ?? 48 ff c8 48 39 d0 75 ?? }
$a4 = { 48 c7 c2 ff ff ff ff 80 ?? ?? ?? 48 ff c8 48 39 d0 75 ?? 48 ?? ?? ?? ?? ?? ?? 48 89 df }
$a5 = { 50 58 90 90 90 90 50 58 90 90 90 8a (4c | 8c ) c7 [1-4] 80 ?? ?? 88 (4c | 8c) 07 [1-4] 50 58 90 90 50 58 90 90 48 ff c8 48 ?? ?? ?? 75 ?? }
$a7 = { 50 58 90 50 58 80 f? ?? 88 ( 4c | 5c | 6c | 7c ) ?? ?? 50 58 50 58 }
$b = { 0f 57 c0 f2 48 0f 2a 44 c1 [1-4] f2 0f 51 c0 [0-8] f2 0f 2c d0 88 ?? 08 [1-4] 48 ff c8 48 ?? ?? ?? 75 ?? }
$c = { 8a ?4 c1 ?? [0-3] fe ca 88 ?4 08 ?? [0-3] 48 ff c8 48 ?? ?? ?? 75 ?? }
$d = { 31 C0 48 8D 0D ?? ?? ?? 00 0F 57 C0 F2 48 0F 2A ?? C1 ?? [0-10] F2 0F 51 C0 F2 0F 2C D0 88 ?? 08 ?? [0-10] 48 FF C8 48 83 F8 ?? 75 ?? [0-20] ?? 89 F7 }
$e = { 5f 73 79 73 74 65 6d } // "_system"
$f = { 5f 6d 65 6d 63 70 79 } // "_memcpy"
// $g must occur more than 50 times (#g > 50) to count.
$g = { 8b 42 fc 34 ?? 88 02 8b 42 fc fe c0 34 ?? 88 42 01 8b 42 fc 04 02 34 ?? 88 42 02 8b 42 fc 04 03 34 ?? 88 42 03 8b 42 fc 04 04 34 ?? 88 42 04 8b 42 fc 04 05 34 ?? 88 42 05 8b 42 fc 04 06 34 ?? 88 42 06 8b 42 fc 04 07 34 ?? 88 42 07 8b 42 fc 04 08 34 ?? }
condition:
Macho and filesize < 4MB and (any of ( $a* ) or #g > 50 or $b or $c ) or ( #d > 1 and #e > 1 and #f > 1 )
}
// Matches a Mach-O file that contains two ASCII strings ($a1, $a2) and three short,
// heavily wildcarded byte patterns ($b1, $b3, $b4; there is no $b2).
// NOTE(review): the condition has no filesize bound, and the $b* patterns fix only a few
// bytes each, so most of the specificity comes from $a2.
rule XProtect_MACOS_e4644f7
{
meta:
description = "MACOS.e4644f7"
strings:
$a1 = { 5f 73 79 73 74 65 6d } // "_system"
$a2 = { 62 61 73 65 36 34 20 2d 2d 64 65 63 6f 64 65 20 } // "base64 --decode " (with trailing space)
$b1 = { E8 ?? ?? 00 00 31 FF 48 89 C6 E8 ?? ?? 00 00 }
$b3 = { 48 8B ?? ?? ?? 00 00 48 8D ?? ?? ?? 00 00 }
$b4 = { 48 89 ?? E8 ?? 00 00 00 48 8B ?? D0 }
condition:
Macho and all of them
}
// Matches a Mach-O file under 1MB that contains both $a* symbol names, both $b* byte patterns
// and at least one of the three $c* byte patterns.
rule XProtect_MACOS_3ea93d1
{
meta:
description = "MACOS.3ea93d1"
strings:
$a1 = { 5f 63 68 6d 6f 64 } // "_chmod"
$a2 = { 5f 5f 5f 65 72 72 6f 72 } // "___error"
// $b1 ends with the bytes CF FA ED FE, the same on-disk byte sequence that the Macho helper
// accepts as uint32(0) == 0xfeedfacf.
$b1 = { BE FF 01 00 00 48 ?? ?? E8 ?? 2B 00 00 E8 ?? ?? 00 00 83 38 02 75 ?? 81 ?? CF FA ED FE }
$b2 = { BA 00 10 00 00 31 C9 48 BF 00 00 00 00 01 00 00 00 48 ?? ?? D0 E8 ?? ?? FF FF 4C 8B 75 }
// $c1-$c3: short non-text byte patterns with wildcards (not decoded here).
$c1 = { 30 ?? ?? 83 C0 ?? 3D FE 00 00 00 0F 4F C1 48 FF C7 48 39 FE 75 EA }
$c2 = { 80 ?? ?? ?? 48 FF C0 48 39 C6 75 ?? 8B ?? ?? ?? 00 00 83 ?? ?? }
$c3 = { BE 19 00 00 00 BA 72 6F 6D 4D E8 ?? FE FF FF }
condition:
Macho and filesize < 1MB and all of ($a*) and all of ($b*) and any of ($c*)
}
// Matches a Mach-O file that contains any two of the three ASCII strings below.
// NOTE(review): the condition has no filesize bound and the strings are short, generic words;
// expect this rule to be the broadest of the string-only rules — confirm the false-positive rate.
rule XProtect_MACOS_c592675
{
meta:
description = "MACOS.c592675"
strings:
$a = { 4c 75 6d 62 65 72 6a 61 63 6b } // "Lumberjack"
$b = { 69 61 6d 72 6f 6f 74 } // "iamroot"
$c = { 53 68 45 78 65 63 75 74 6f 72 } // "ShExecutor"
condition:
Macho and 2 of them
}
// Matches a Mach-O file under 200KB that contains any one of four non-text byte patterns.
// "??" is a full-byte wildcard and "4?" / "?e" / "d?" are nibble wildcards.
rule XProtect_MACOS_489e70f
{
meta:
description = "MACOS.489e70f"
strings:
$a1 = { 66 89 45 d2 48 ?? ?? ?? ?? ?? ?? ba 01 00 00 00 4? 89 ?e 41 ff d? 66 89 45 d4 48 ?? ?? ?? ?? ?? ?? ba 02 00 00 00 4? 89 ?e 41 ff d? 66 89 45 d6 }
$a2 = { 44 89 e0 b9 ab aa aa aa 48 0f af c1 48 c1 e8 22 01 c0 49 89 dd 8d 1c 40 }
$a3 = { 44 89 e1 29 d9 4c 89 ?? 83 e1 fe 66 33 44 0d d2 48 8b ?? }
$a4 = { 66 89 4d ?? 0f be cb 66 89 4d ?? 0f be c0 66 89 45 ?? 48 }
condition:
Macho and filesize < 200KB and any of them
}
// Matches a Mach-O file under 3,000,000 bytes that contains four ASCII identifiers ($a-$d)
// and one long wildcarded byte pattern ($e).
// NOTE(review): $e contains "[-]", an unbounded jump, so the two halves of the pattern may be
// any distance apart; this can be costly to scan and loosens the match — confirm it is intended.
rule XProtect_MACOS_8283b86
{
meta:
description = "MACOS.8283b86"
strings:
$a = { 67 65 74 61 64 76 61 6e 63 65 64 6d 61 63 } // "getadvancedmac"
$b = { 74 72 61 63 6b 57 65 62 4f 66 66 65 72 73 56 69 65 77 } // "trackWebOffersView"
$c = { 67 65 74 4f 66 66 65 72 50 61 72 73 65 64 43 6f 75 6e 74 } // "getOfferParsedCount"
$d = { 77 76 47 65 74 50 68 6f 6e 65 52 65 6e 64 6f 6d } // "wvGetPhoneRendom" (spelling as in the bytes)
$e = { 48 8B 3D ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 8D 05 ?? ?? ?? ?? 48 89 ?? ?? 48 8D ?? ?? ?? ?? ?? 48 8D ?? ?? ?? ?? ?? 4C 8D ?? ?? ?? ?? ?? 4C 8D ?? ?? ?? ?? ?? 4C 8B ?? ?? ?? ?? ?? 31 C0 41 FF D7 49 89 C4 48 8B ?? ?? ?? ?? ?? 48 8B ?? ?? ?? ?? ?? 41 FF D7 48 8B 35 ?? ?? ?? ?? 48 89 C7 41 FF D7 48 ?? ?? ?? 4C 8B 35 ?? ?? ?? ?? 48 89 DF 4C 89 F6 41 FF D7 49 89 C5 4C 89 ?? ?? 4C 89 E7 4C 89 F6 41 FF D7 45 85 ED 0F 84 A1 00 00 00 48 8B ?? ?? ?? ?? ?? 48 89 ?? ?? 48 8B ?? ?? ?? ?? ?? 48 89 4D C0 44 89 E9 48 89 4D C8 45 31 ED 45 31 FF 48 89 5D A8 [-] 48 89 DF 4C 8B 75 B8 4C 89 F6 4C 89 EA 4C 8B ?? ?? ?? ?? ?? 41 FF D4 89 C3 44 89 FA 48 8B 7D A0 4C 89 F6 41 FF D4 0F B7 C0 C1 E8 04 31 D8 }
condition:
Macho and filesize < 3000000 and all of them
}
// Matches a Mach-O file under 3,000,000 bytes that contains at least one of four wildcarded
// byte patterns ($a*), at least one of four ASCII strings ($b*), and the format-string bytes $c.
// $a2 and $a3 differ only in the bytes at the call sites: "e8 ?? ?? ?? ??" in $a2 versus
// "ff ?? ?? ?? ?? ??" in $a3.
rule XProtect_MACOS_b264ff6
{
meta:
description = "MACOS.b264ff6"
strings:
$a1 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 44 89 ( e8 | e9 | e0 ) 48 ?? ?? ?? 45 31 (ed | e4) 45 31 (f6 | ff) }
$a2 = { 48 ?? ?? ?? 8b ?? ?? 89 ca 48 ?? ?? ?? ?? ?? ?? 48 89 c7 e8 ?? ?? ?? ?? 0f b7 c8 48 ?? ?? ?? 44 ?? ?? ?? 44 89 c6 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d6 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 c8 c1 f9 04 44 ?? ?? ?? ?? ?? ?? 41 31 c8 66 44 89 c0 66 89 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 ?? ?? 4c ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 ce b0 00 e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 89 c2 e8 ?? ?? ?? ?? 8b ?? ?? 83 c1 01 89 ?? ?? 3b ?? ?? 0f 83 ?? ?? ?? ?? }
$a3 = { 48 ?? ?? ?? 8b ?? ?? 89 ca 48 ?? ?? ?? ?? ?? ?? 48 89 c7 ff ?? ?? ?? ?? ?? 0f b7 c8 48 ?? ?? ?? 44 ?? ?? ?? 44 89 c6 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d6 48 ?? ?? ?? ?? ?? ?? 89 ?? ?? ?? ?? ?? ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 c8 c1 f9 04 44 ?? ?? ?? ?? ?? ?? 41 31 c8 66 44 89 c0 66 89 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 0f b7 ?? ?? 4c ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 ce b0 00 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d7 48 89 c2 ff ?? ?? ?? ?? ?? 8b ?? ?? 83 c1 01 89 ?? ?? 3b ?? ?? 0f 83 ?? ?? ?? ?? }
$a4 = { e8 ?? ?? ?? ?? 48 ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 cf 48 ?? ?? ?? 48 89 d6 48 ?? ?? ?? ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 89 ca ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 89 d7 48 89 ca 48 89 c1 b0 00 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 89 cf 48 89 c2 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 ff ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 89 c7 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? e8 ?? ?? ?? ?? 8b ?? ?? 48 ?? ?? ?? e8 ?? ?? ?? ?? }
$b1 = { 75 73 65 72 45 6e 74 65 72 65 64 46 69 6c 65 6e 61 6d 65 } // "userEnteredFilename"
$b2 = { 64 69 64 43 61 6e 63 65 6c 41 75 74 68 65 6e 74 69 63 61 74 69 6f 6e 43 68 61 6c 6c 65 6e 67 65 } // "didCancelAuthenticationChallenge"
$b3 = { 65 78 65 63 75 74 65 43 6f 6d 6d 61 6e 64 } // "executeCommand"
$b4 = { 2f 75 73 72 2f 73 62 69 6e 2f 73 79 73 74 65 6d 5f 70 72 6f 66 69 6c 65 72 } // "/usr/sbin/system_profiler"
$c = { 00 25 40 25 40 25 40 25 40 00 25 63 00 } // "\0%@%@%@%@\0%c\0"
condition:
Macho and filesize < 3000000 and (1 of ($a*)) and (1 of ($b*)) and $c
}
// Matches Mach-O files under 1,000,000 bytes that contain all three ASCII
// names below plus the $d byte pattern.
rule XProtect_MACOS_f3edc61
{
meta:
description = "MACOS.f3edc61"
strings:
// ASCII "openPhotosNag"
$a = { 6f 70 65 6e 50 68 6f 74 6f 73 4e 61 67 }
// ASCII "silentlyFireUrl"
$b = { 73 69 6c 65 6e 74 6c 79 46 69 72 65 55 72 6c }
// ASCII "TrackOffers"
$c = { 54 72 61 63 6b 4f 66 66 65 72 73 }
// Appears to be x86-64 instruction bytes; each ?? matches any byte, which
// presumably covers build-specific displacements — TODO confirm on a sample.
$d = { 48 8D 05 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 8B 15 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 89 D7 48 89 C2 48 89 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 8B 8D ?? ?? ?? ?? 48 89 CF 48 89 C2 FF 15 ?? ?? ?? ?? 41 B8 10 00 00 00 31 F6 41 B9 40 00 00 00 44 89 CA 48 89 85 ?? ?? ?? ?? 48 8D 85 ?? ?? ?? ?? 48 89 C1 48 89 CF 48 89 85 ?? ?? ?? ?? 4C 89 85 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 85 ?? ?? ?? ?? 48 8B 35 ?? ?? ?? ?? 48 89 C1 48 89 CF 48 8B 95 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? 4C 8B 85 ?? ?? ?? ?? 48 89 85 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 83 F8 00 48 89 85 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? }
condition:
// Macho is the private magic-number rule defined earlier in this file.
Macho and filesize < 1000000 and all of them
}
// Script rule (no Mach-O check): matches files under 5KB that start with "#!"
// and combine an "openssl enc ... -aes-256-cbc" invocation, written plainly or
// with every letter replaced by a shell variable, with base64/decrypt flags
// and one of the $h strings.
rule XProtect_MACOS_60a3d68
{
meta:
description = "MACOS.60a3d68"
strings:
// "#!" — anchored at offset 0 by the condition.
$a = { 23 21 }
// Plain spelling: "openssl", 1-3 arbitrary bytes, "enc"; "-aes-256-cbc".
$b1 = { 6f 70 65 6e 73 73 6c [1-3] 65 6e 63 }
$b2 = { 2d 61 65 73 2d 32 35 36 2d 63 62 63 }
// Per-letter $X spelling: "$O$P$E$N$S$S$L $E$N$C"; "-$A$E$S-256-cbc".
$c1 = { 24 4f 24 50 24 45 24 4e 24 53 24 53 24 4c 20 24 45 24 4e 24 43 }
$c2 = { 2d 24 41 24 45 24 53 2d 32 35 36 2d 63 62 63 }
// Per-letter ${X} spelling: "${O}${P}${E}${N}${S}${S}${L} ${E}${N}${C}"; "-${A}${E}${S}-256-cbc".
$d1 = { 24 7b 4f 7d 24 7b 50 7d 24 7b 45 7d 24 7b 4e 7d 24 7b 53 7d 24 7b 53 7d 24 7b 4c 7d 20 24 7b 45 7d 24 7b 4e 7d 24 7b 43 7d }
$d2 = { 2d 24 7b 41 7d 24 7b 45 7d 24 7b 53 7d 2d 32 35 36 2d 63 62 63 }
// Base64 flag: "-base64", "-a", "-b${A}${S}${E}64".
$e1 = { 2d 62 61 73 65 36 34 }
// NOTE(review): $e2, $f and $g4 are two-byte patterns; they occur in almost
// any text, so they add little on their own and are only meaningful together
// with the "#!" anchor and the 5KB size limit in the condition.
$e2 = { 2d 61 }
$e3 = { 2d 62 24 7b 41 7d 24 7b 53 7d 24 7b 45 7d 36 34 }
// "-d"
$f = { 2d 64 }
// Option flags: "-in", "-nosalt", "-salt", "-k", "-out", "-pass",
// "-P$A$S$S", "-${P}${A}${S}${S}".
$g1 = { 2d 69 6e }
$g2 = { 2d 6e 6f 73 61 6c 74 }
$g3 = { 2d 73 61 6c 74 }
$g4 = { 2d 6b }
$g5 = { 2d 6f 75 74 }
$g6 = { 2d 70 61 73 73 }
$g7 = { 2d 50 24 41 24 53 24 53 }
$g8 = { 2d 24 7b 50 7d 24 7b 41 7d 24 7b 53 7d 24 7b 53 7d }
// "dd if=/dev/urandom bs=$(jot -r 1 5 15)"
$h1 = { 64 64 20 69 66 3d 2f 64 65 76 2f 75 72 61 6e 64 6f 6d 20 62 73 3d 24 28 6a 6f 74 20 2d 72 20 31 20 35 20 31 35 29 }
// "base64 | tr -dc 'a-zA-Z0-9'"
$h2 = { 62 61 73 65 36 34 20 7c 20 74 72 20 2d 64 63 20 27 61 2d 7a 41 2d 5a 30 2d 39 27 }
// '<enc)"'
$h3 = { 3c 65 6e 63 29 22 }
// 'Resources/enc)"'
$h4 = { 52 65 73 6f 75 72 63 65 73 2f 65 6e 63 29 22 }
// "shell_exec"
$h5 = { 73 68 65 6c 6c 5f 65 78 65 63 }
// "eval"
$h6 = { 65 76 61 6c }
// "chmod +x "
$h7 ={ 63 68 6d 6f 64 20 2b 78 20 }
// "subprocess.Popen"
$h8 = { 73 75 62 70 72 6f 63 65 73 73 2e 50 6f 70 65 6e }
condition:
// Requires one complete openssl spelling set ($b*, $c* or $d*), any base64
// flag, "-d", any option flag and any $h string.
$a at 0 and filesize < 5KB and (all of ($b*) or all of ($c*) or all of ($d*)) and any of ($e*) and $f and any of ($g*) and any of ($h*)
}
// Matches Mach-O files under 2MB that contain both NUL-delimited string pairs
// and the $b1 byte pattern.
rule XProtect_MACOS_5af1486
{
meta:
description = "MACOS.5af1486"
strings:
// "\0prompt\0icon\0"
$a1 = { 00 70 72 6f 6d 70 74 00 69 63 6f 6e 00 }
// "\0data1\0plist\0"
$a2 = { 00 64 61 74 61 31 00 70 6c 69 73 74 00 }
// Appears to be a whole x86-64 function: it starts with 55 48 89 e5 and ends
// with 5d c3 followed by an e8 call; ?? bytes are wildcards — TODO confirm.
$b1 = { 55 48 89 e5 48 83 ec 50 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? b9 ?? ?? ?? ?? 89 ca 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 89 c7 48 ?? ?? ?? e8 ?? ?? ?? ?? c7 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 8b ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 0f 85 ?? ?? ?? ?? 48 ?? ?? ?? 48 83 c4 50 5d c3 e8 ?? ?? ?? ?? }
condition:
Macho and (filesize < 2MB) and all of them
}
// Matches Mach-O files under 100KB that contain the $a byte pattern together
// with the two short ASCII strings.
rule XProtect_MACOS_03b5cbe
{
meta:
description = "MACOS.03b5cbe"
strings:
// Appears to be x86-64 instruction bytes with wildcarded operands — TODO confirm.
$a = { 48 ?? ?? ?? ?? ?? ?? 31 c0 e8 ?? ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ff d6 49 ?? ?? ?? 49 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? b9 01 00 00 00 41 ff d6 49 ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ff d6 84 c0 74 ?? }
// ASCII "status.plist"
$b = { 73 74 61 74 75 73 2e 70 6c 69 73 74 }
// ASCII "trigger" — generic on its own; only used via "all of them".
$c = { 74 72 69 67 67 65 72 }
condition:
Macho and (filesize < 100KB) and all of them
}
// Matches Mach-O files under 100KB that contain the $a byte pattern and all
// five ASCII strings ($b-$f).
rule XProtect_MACOS_ce3281e
{
meta:
description = "MACOS.ce3281e"
strings:
// Appears to be x86-64 instruction bytes with wildcarded operands — TODO confirm.
$a = { 4c ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 89 c7 e8 ?? ?? ?? ?? 49 89 c5 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c ?? ?? ?? ?? ?? ?? 31 c0 4c 89 f7 4c 89 e9 41 ff d4 48 89 c7 e8 ?? ?? ?? ?? 48 89 c3 4c ?? ?? ?? ?? ?? ?? 4c 89 ef 41 ff d6 4c ?? ?? ?? ?? ?? ?? 31 c0 4c 89 ff 48 89 de e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 41 ff d4 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 ?? ?? ?? 48 89 da 41 ff d4 49 89 c5 48 ?? ?? ?? ?? ?? ?? 4c 89 ef 41 ff d4 48 89 c7 e8 ?? ?? ?? ?? 48 89 c3 31 c0 4c 89 ff 48 89 de e8 ?? ?? ?? ?? 48 89 df 41 ff d6 4d 85 ed 74 ?? }
// ASCII "Path to pref: %@"
$b = { 50 61 74 68 20 74 6f 20 70 72 65 66 3a 20 25 40 }
// ASCII "searchv"
$c = { 73 65 61 72 63 68 76 }
// ASCII "form=APMCS1"
$d = { 66 6f 72 6d 3d 41 50 4d 43 53 31 }
// ASCII "/Library/Preferences/pref.plist"
$e = { 2f 4c 69 62 72 61 72 79 2f 50 72 65 66 65 72 65 6e 63 65 73 2f 70 72 65 66 2e 70 6c 69 73 74 }
// ASCII "fr=aaplw"
$f = { 66 72 3d 61 61 70 6c 77 }
condition:
Macho and (filesize < 100KB) and all of them
}
rule XProtect_MACOS_9bdf6ec
{
meta:
description = "MACOS.9bdf6ec"
strings:
$a1 = { 48 8b 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 49 89 c4 48 89 df e8 ?? ?? ?? ?? 48 89 cb 48 89 c7 48 89 d6 48 89 da e8 ?? ?? ?? ?? 49 89 c6 48 89 df e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? be 18 00 00 00 ba 07 00 00 00 48 8d 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 89 c3 4c 89 6b 10 48 8d 05 ?? ?? ?? ?? 48 89 45 b0 48 89 5d b8 48 8b 05 ?? ?? ?? ?? 48 89 45 90 c7 45 98 00 00 00 42 c7 45 9c 00 00 00 00 0f 28 45 80 0f 11 45 a0 48 8d 7d 90 e8 ?? ?? ?? ?? 49 89 c7 4c 89 ef e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 48 8b 35 ?? ?? ?? ?? 4c 89 e7 4c 89 f2 4c 89 f9 e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 4c 89 f7 e8 ?? ?? ?? ?? 48 8b 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 48 8b 35 ?? ?? ?? ?? 48 89 c7 f3 0f 7e 05 ?? ?? ?? ?? e8 ?? ?? ?? ?? ff 55 c8 a8 01 }
$a2 = { e8 ?? ?? ?? ?? 41 80 e7 01 44 88 78 10 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 48 89 4b 20 48 89 43 28 48 ?? ?? ?? ?? ?? ?? 48 89 03 48 ?? ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 66 48 0f 6e c0 48 ?? ?? ?? ?? ?? ?? 66 48 0f 6e c8 66 0f 6c c8 f3 0f 7f 4b 10 48 89 df e8 ?? ?? ?? ?? 49 89 c7 48 ?? ?? ?? e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? 4c 89 e2 4c 89 f9 e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 4c 89 e7 e8 ?? ?? ?? ?? 4c 89 f7 4c 89 ee e8 ?? ?? ?? ?? }
$a3 = { 48 89 c3 4c 8b 7d b8 4c 89 ef e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 e7 4c 89 f2 48 89 d9 e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 4c 89 f7 e8 ?? ?? ?? ?? }
$a4 = { 49 8B ?? 00 4C 89 ?? E8 37 ?? 00 00 48 8D ?? ?? ?? 00 00 48 39 C3 74 ?? 48 8D ?? ?? ?? 00 00 48 BE 00 00 00 00 00 00 00 80 48 09 ?? 48 BF 30 00 00 00 00 00 00 D0 FF 55 ?? EB ?? 48 8D ?? ?? ?? 00 00 48 BE 00 00 00 00 00 00 00 80 48 09 ?? 48 BF 30 00 00 00 00 00 00 D0 E8 6F ?? 00 00 }
$a5 = {48 8B ?? ?? ?? 00 00 4C 8D ?? ?? FF FF FF 31 F6 48 89 DF E8 ?? ?? 00 00 49 89 C6 49 89 D5 48 89 DF 4C 89 E6 41 FF ?? ?? 4C 89 E8 48 C1 ?? ?? 48 3D ?? 00 00 00 0F 87 ?? ?? 00 00 4C 89 E8 48 C1 ?? ?? 3C ?? 0F 84 ?? 00 00 00 3C ?? 74 ?? 3C ?? 0F 84 ?? 00 00 00 4C 89 E8 48 C1 ?? ?? 0F B6 ?? 48 85 DB 75 ?? E9 ?? 00 00 00 49 8B ?? ?? 49 2B ?? ?? 0F 80 ?? ?? 00 00 }
$b1 = { 73 68 6f 77 50 72 65 66 65 72 65 6e 63 65 73 46 6f 72 45 78 74 65 6e 73 69 6f 6e 57 69 74 68 49 64 65 6e 74 69 66 69 65 72 3a 63 6f 6d 70 6c 65 74 69 6f 6e 48 61 6e 64 6c 65 72 3a }
$b2 = { 67 65 74 53 74 61 74 65 4f 66 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 57 69 74 68 49 64 65 6e 74 69 66 69 65 72 3a 63 6f 6d 70 6c 65 74 69 6f 6e 48 61 6e 64 6c 65 72 3a }
$c1 = { 6d 61 63 62 75 69 6c 64 65 72 5f 62 75 69 6c 64 73 }
$c2 = { 4c 6f 63 61 6c 53 61 66 61 72 69 41 70 70 45 78 74 }
$c3 = { 73 65 61 72 63 68 48 69 73 74 6f 72 79 }
$c4 = { 6d 61 74 63 68 44 61 74 61 54 69 6d 65 72 }
$c5 = { 6f 70 65 6e 50 72 65 66 }
$c6 = { 67 65 74 53 79 73 74 65 6d 55 55 49 44 }
$c7 = { 70 72 6f 63 65 73 73 49 6e 66 6f }
$c8 = { 61 72 67 75 6d 65 6e 74 73 }
$c9 = { 5f 49 4f 53 65 72 76 69 63 65 4d 61 74 63 68 69 6e 67 }
$c10 = { 48 BF 49 4F 50 6C 61 74 66 6F 48 BE 72 6D 55 55 49 44 00 EE }
condition:
Macho and (filesize < 200KB) and (1 of ($a*)) and (all of ($b*)) and (2 of ($c*))
}
rule XProtect_MACOS_e79dc35
{
meta:
description = "MACOS.e79dc35"
strings:
$a = { 73 65 61 72 63 68 [2-12] 2e 61 6b 61 6d 61 69 68 64 2e 6e 65 74 2f }
$b1 = { 49 be 79 73 00 00 00 00 00 ea 49 ?? ?? ?? ?? ?? ?? ?? ?? ?? 49 ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 48 89 d8 e8 ?? ?? ?? ?? be 02 00 00 00 4c 89 e7 e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 49 81 c6 f5 00 00 00 48 89 df 4c 89 ee 4c 89 f2 e8 ?? ?? ?? ?? 49 89 dd e8 ?? ?? ?? ?? 49 89 c7 41 ?? ?? ?? ?? 4c 89 e3 49 c7 c4 ff ff ff ff 49 d3 e4 49 f7 d4 4d 21 e7 4c 89 f8 48 c1 e8 06 48 ?? ?? ?? ?? 4c 0f a3 f8 0f 83 ?? ?? ?? ?? }
$b2 = { 4c 89 ef e8 ?? ?? ?? ?? 48 ?? 61 62 70 2d 64 61 74 61 48 be 00 00 00 00 00 00 00 e8 e8 ?? ?? ?? ?? 49 89 c4 48 ?? ?? ?? ?? ?? ?? 48 85 ff 75 ?? }
$b3 = { 49 89 c6 48 ?? ?? ?? ?? ?? ?? e8 ?? ?? ?? ?? 49 89 c7 4c 8b 6d b8 4c 89 ef e8 ?? ?? ?? ?? 48 8b bd 20 ff ff ff 4c 89 ee e8 ?? ?? ?? ?? 49 89 c4 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 48 89 c2 48 89 d9 e8 ?? ?? ?? ?? 48 89 c3 4c 89 ef e8 ?? ?? ?? ?? 4c 89 e7 e8 ?? ?? ?? ?? 48 85 db 0f 84 ?? ?? ?? ?? }
$b4 = { 48 8d b5 a0 fd ff ff 48 89 c7 e8 ?? ?? ?? ?? 4c 89 fa 48 89 55 a8 49 89 c7 0f 28 ?? ?? ?? ?? ?? 41 0f 11 47 10 48 ?? ?? ?? ?? ?? ?? 66 48 0f 6e c0 b8 02 00 00 00 66 48 0f 6e c8 66 0f 6c c1 66 0f 7f 4d c0 }
$b5 = { 49 ff c7 31 d2 4c 89 f8 48 f7 75 c0 48 8b 5d c8 48 3b 53 10 0f 82 ?? ?? ?? ?? }
$c1 = { 6c 61 73 74 48 65 61 72 74 62 65 61 74 }
$c2 = { 73 65 73 73 69 6f 6e 47 75 69 64 }
$c3 = { 65 78 74 65 6e 73 69 6f 6e 49 64 }
$c4 = { 75 73 65 72 47 75 69 64 }
$c5 = { 41 70 70 45 78 74 48 65 61 72 74 62 65 61 74 }
$c6 = { 69 73 4e 65 77 53 65 61 72 63 68 }
$c7 = { 73 65 6e 64 48 65 61 72 74 62 65 61 74 }
$c8 = { 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 48 61 6e 64 6c 65 72 }
$c9 = { 6d 65 73 73 61 67 65 52 65 63 65 69 76 65 64 }
$d1 = { 48 89 CA 48 83 E2 FC 48 8D 5A ?? 48 89 DF 48 C1 EF ?? 48 FF C7 89 FE 83 E6 ?? 48 83 FB 0C 73 18 66 0F EF C0 31 FF 66 0F EF C9 48 85 F6 }
$e1 = { 5f 49 4f 53 65 72 76 69 63 65 47 65 74 4d 61 74 63 68 69 6e 67 53 65 72 76 69 63 65 }
$e2 = { 5f 49 4f 53 65 72 76 69 63 65 4d 61 74 63 68 69 6e 67 }
$e3 = { 53 46 53 61 66 61 72 69 50 61 67 65 50 72 6f 70 65 72 74 69 65 73 }
$f1 = { 48 B8 53 55 50 45 52 53 54 52 48 89 85 ?? FE FF FF 48 B8 49 4E 47 44 55 44 45 EF }
$f2 = { 49 FF C7 31 D2 4C 89 F8 48 F7 [2-5] 48 3B 53 10 }
$f3 = { 48 BF 49 4F 50 6C 61 74 66 6F 48 BE 72 6D 55 55 49 44 00 EE }
$f4 = { 48 89 55 C8 0F B6 44 13 20 4C 8B B5 50 FF FF FF 48 8B 8D 58 FF FF FF 48 89 CA 48 C1 EA 3E 80 FA 01 74 2D }
$f5 = { 48 B8 59 57 30 54 64 53 54 52 }
condition:
Macho and (filesize < 2MB) and ((($a or any of ($b*)) and (2 of ($c*))) or (any of ($d*) and (all of ($e*))) or ((all of ($e*)) and 4 of ($f*))) and #c8 > 10
}
// Matches either a Mach-O file containing one of the $a byte patterns, or any
// file containing all three $b ASCII strings (see the note on the condition).
rule XProtect_MACOS_d92d83c
{
meta:
description = "MACOS.d92d83c"
strings:
// $a1/$a2 appear to be x86-64 instruction bytes — TODO confirm on a sample.
$a1 = { 48 ?? ?? ?? ?? ?? ?? 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 41 ff d5 48 ?? ?? ?? c6 03 00 48 ?? ?? ?? ?? ?? ?? 4c 89 f6 41 ff d5 48 ?? ?? ?? ?? ?? ?? 48 89 c7 48 89 da 41 ff d5 48 89 c3 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 48 89 da 41 ff d5 48 ?? ?? ?? ?? ?? ?? 4c 89 ff 41 ff d5 84 c0 74 ?? }
$a2 = { 83 7e f8 00 78 ?? 4c 89 e7 e8 ?? ?? ?? ?? 49 8b 34 24 48 8b 45 c8 42 80 3c 3e 5c 75 ?? 4d 8d 6f 01 4c 3b 6e e8 73 ?? 83 7e f8 00 78 ?? 4c 89 }
// ASCII "com.mm-install-macos.www"
$b1 = { 63 6f 6d 2e 6d 6d 2d 69 6e 73 74 61 6c 6c 2d 6d 61 63 6f 73 2e 77 77 77 }
// ASCII "&funnel="
$b2 = { 26 66 75 6e 6e 65 6c 3d }
// ASCII "MM_PASSWD"
$b3 = { 4d 4d 5f 50 41 53 53 57 44 }
condition:
// "and" binds tighter than "or" in YARA, so this is evaluated as
// (Macho and any of ($a*)) or (all of ($b*)): the $b branch is not gated by
// the Mach-O check, and neither branch has a filesize bound.
// NOTE(review): confirm that is intended; if Macho should gate both branches
// the expression needs parentheses around the "or".
Macho and (any of ($a*)) or (all of ($b*))
}
// Matches Mach-O files of any size that contain at least three of the six
// ASCII strings below.
rule XProtect_MACOS_0e62876
{
meta:
description = "MACOS.0e62876"
strings:
// ASCII "WebtoolsConfig"
$a = { 57 65 62 74 6f 6f 6c 73 43 6f 6e 66 69 67 }
// ASCII "Starting protector installation"
$b = { 53 74 61 72 74 69 6e 67 20 70 72 6f 74 65 63 74 6f 72 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e }
// ASCII "jsFromAppleEventsEnabled"
$c = { 6a 73 46 72 6f 6d 41 70 70 6c 65 45 76 65 6e 74 73 45 6e 61 62 6c 65 64 }
// ASCII "enableJsFromAppleEvents"
$d = { 65 6e 61 62 6c 65 4a 73 46 72 6f 6d 41 70 70 6c 65 45 76 65 6e 74 73 }
// ASCII "ClickGenerator"
$e = { 43 6c 69 63 6b 47 65 6e 65 72 61 74 6f 72 }
// ASCII "souter" — short enough to occur inside longer words.
$f = { 73 6f 75 74 65 72 }
condition:
// No filesize bound, unlike most rules in this file.
Macho and 3 of them
}
rule XProtect_MACOS_de444f2
{
meta:
description = "MACOS.de444f2"
strings:
$a1 = { (48 | 49) 63 ?? 41 32 ?? ?? (88 8D ?? ?? ?? ?? 48 | 48) ?? ?? 74 ?? 88 ?? 48 ?? ?? ?? eb ?? }
$a2 = { 48 8b [2-5] 48 89 ?? 48 f7 d? 48 01 c? 44 88 ?? ?? 48 8b [2-5] 48 89 c? 48 f7 d? 48 03 [2-5] ( 44 88 | 88 0c ) [1-2] 4? 83 f? ?? }
$a3 = { b1 ?? 41 be 01 00 00 00 4c 8d bd 7f ff ff ff 44 89 eb eb ?? }
$a4 = { 41 ff c? 90 49 63 c? 48 ?? ?? ?? ?? ?? ?? ( 44 32 34 0a 48 39 d8 74 ?? | 32 0c 02 88 8d 7f ff ff ff 48 8b 45 88 48 3b 45 90 74 ?? ) }
$a5 = { 90 0f 57 c0 4c 8d 65 80 41 0f 29 04 24 49 c7 44 24 }
$a6 = { ff cb 90 48 63 c3 48 ?? ?? ?? ?? ?? ?? 32 0c 02 48 8b 85 78 ff ff ff 48 3b 45 80 74 ?? }
$a7 = { 45 85 ?? 41 8d 4? ff b? ?? ?? ?? ?? 0f 4e c? 4? 8a ?? ?? b0 4? ff c? 4? 89 c6 }
$a8 = { 44 8a 74 05 b0 48 ff c0 48 89 85 ( a0 fa | 38 f4 ) ff ff }
$a9 = { 46 8a ?4 ?? b0 49 63 c5 48 ?? ?? ?? ?? ?? ?? 8a 04 08 88 85 ?8 f5 ff ff 4? 89 ?d ?8 fa ff ff 4? 89 ?d ?0 fa ff ff 48 83 a5 ?8 fa ff ff 00 4? 89 ?f 6a ?? 5e e8 ?? ?? ?? ?? 44 32 ?? ?8 f5 ff ff 44 88 ?5 ?0 f5 ff ff 48 8d bd ?? fa ff ff 48 8d b5 ?0 f5 ff ff e8 ?? ?? ?? ?? 4? 8? ?? 4? 8d ?5 }
$a10 = { 90 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 48 89 df 48 8d b5 08 f6 ff ff e8 ?? ?? ?? ?? 48 8b 85 b0 fa ff ff 0f b6 78 10 e8 ?? ?? ?? ?? 90 48 89 df e8 ?? ?? ?? ?? 49 ff c? }
$a11 = { 83 c2 fc 85 d2 6a ?? 58 0f 4e d0 4c 89 ef 48 89 de 6a ff 59 e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 4c 89 ef e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff 48 8d b5 98 f5 ff ff e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff e8 ?? ?? ?? ?? 49 ff c6 }
$a12 = { 0F 57 C0 0F 29 45 B0 48 C7 45 ?? 00 00 00 00 41 BD ?? 00 00 00 41 B6 ?? 31 DB BF ?? 00 00 00 31 C0 41 BF ?? 00 00 00 EB ??45 85 FF 41 8D ?? ?? 41 0F 4E CD 44 0F B6 ?? ?? ?? ?? FF FF 48 8B 45 ?? 48 8B ?? ?? 48 FF C7 41 89 CF 90 90 49 63 CF 46 32 ?? ?? }
$a13 = { 48 63 c3 48 ?? ?? ?? ?? ?? ?? 8a 04 08 42 32 44 2d b0 88 85 70 ff ff ff [2-6] f? 4c 89 e6 e8 ?? ?? ?? ?? 85 db 8d 43 ff 89 c3 ?? [0-4] 0f 4e d? 4c 89 ff 89 de e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 49 ff c5 }
$a14 = { 85 db 41 0f 4e dc 42 8a 4c 2d b0 49 ff c5 }
$a15 = { 49 63 c7 48 ?? ?? ?? ?? ?? ?? 8a 04 08 32 44 1d b0 88 85 70 ff ff ff 4c 89 f7 4c 89 ee e8 ?? ?? ?? ?? 45 85 ff 41 8d 47 ff 41 0f 4e c4 48 ff c3 41 89 c7 }
$b1 = { 41 64 6d 69 6e 20 53 75 63 63 65 73 73 3a 20 25 40 }
$b2 = { 45 72 72 6f 72 3a 20 25 40 }
$b3 = { 40 40 41 70 70 50 61 74 68 40 40 2f 43 6f 6e 74 65 6e 74 73 2f 4d 61 63 4f 53 }
$b4 = { 72 75 6e 41 70 70 }
condition:
Macho and filesize < 15MB and (any of ($a*)) and (any of ($b*))
}
rule XProtect_MACOS_b70290c
{
meta:
description = "MACOS.b70290c"
strings:
$a1 = { (48 | 49) 63 ?? 41 32 ?? ?? (88 8D ?? ?? ?? ?? 48 | 48) ?? ?? 74 ?? 88 ?? 48 ?? ?? ?? eb ?? }
$a2 = { 48 8b [2-5] 48 89 ?? 48 f7 d? 48 01 c? 44 88 ?? ?? 48 8b [2-5] 48 89 c? 48 f7 d? 48 03 [2-5] ( 44 88 | 88 0c ) [1-2] 4? 83 f? ?? }
$a3 = { b1 ?? 41 be 01 00 00 00 4c 8d bd 7f ff ff ff 44 89 eb eb ?? }
$a4 = { 41 ff c? 90 49 63 c? 48 ?? ?? ?? ?? ?? ?? ( 44 32 34 0a 48 39 d8 74 ?? | 32 0c 02 88 8d 7f ff ff ff 48 8b 45 88 48 3b 45 90 74 ?? ) }
$a5 = { 90 0f 57 c0 4c 8d 65 80 41 0f 29 04 24 49 c7 44 24 }
$a6 = { ff cb 90 48 63 c3 48 ?? ?? ?? ?? ?? ?? 32 0c 02 48 8b 85 78 ff ff ff 48 3b 45 80 74 ?? }
$a7 = { 45 85 ?? 41 8d 4? ff b? ?? ?? ?? ?? 0f 4e c? 4? 8a ?? ?? b0 4? ff c? 4? 89 c6 }
$a8 = { 44 8a 74 05 b0 48 ff c0 48 89 85 ( a0 fa | 38 f4 ) ff ff }
$a9 = { 46 8a ?4 ?? b0 49 63 c5 48 ?? ?? ?? ?? ?? ?? 8a 04 08 88 85 ?8 f5 ff ff 4? 89 ?d ?8 fa ff ff 4? 89 ?d ?0 fa ff ff 48 83 a5 ?8 fa ff ff 00 4? 89 ?f 6a ?? 5e e8 ?? ?? ?? ?? 44 32 ?? ?8 f5 ff ff 44 88 ?5 ?0 f5 ff ff 48 8d bd ?? fa ff ff 48 8d b5 ?0 f5 ff ff e8 ?? ?? ?? ?? 4? 8? ?? 4? 8d ?5 }
$a10 = { 90 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 48 89 df 48 8d b5 08 f6 ff ff e8 ?? ?? ?? ?? 48 8b 85 b0 fa ff ff 0f b6 78 10 e8 ?? ?? ?? ?? 90 48 89 df e8 ?? ?? ?? ?? 49 ff c? }
$a11 = { 83 c2 fc 85 d2 6a ?? 58 0f 4e d0 4c 89 ef 48 89 de 6a ff 59 e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 4c 89 ef e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff 48 8d b5 98 f5 ff ff e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff e8 ?? ?? ?? ?? 49 ff c6 }
$a12 = { 0F 57 C0 0F 29 45 B0 48 C7 45 ?? 00 00 00 00 41 BD ?? 00 00 00 41 B6 ?? 31 DB BF ?? 00 00 00 31 C0 41 BF ?? 00 00 00 EB ??45 85 FF 41 8D ?? ?? 41 0F 4E CD 44 0F B6 ?? ?? ?? ?? FF FF 48 8B 45 ?? 48 8B ?? ?? 48 FF C7 41 89 CF 90 90 49 63 CF 46 32 ?? ?? }
$a13 = { 48 63 c3 48 ?? ?? ?? ?? ?? ?? 8a 04 08 42 32 44 2d b0 88 85 70 ff ff ff [2-6] f? 4c 89 e6 e8 ?? ?? ?? ?? 85 db 8d 43 ff 89 c3 ?? [0-4] 0f 4e d? 4c 89 ff 89 de e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 49 ff c5 }
$a14 = { 85 db 41 0f 4e dc 42 8a 4c 2d b0 49 ff c5 }
$a15 = { 49 63 c7 48 ?? ?? ?? ?? ?? ?? 8a 04 08 32 44 1d b0 88 85 70 ff ff ff 4c 89 f7 4c 89 ee e8 ?? ?? ?? ?? 45 85 ff 41 8d 47 ff 41 0f 4e c4 48 ff c3 41 89 c7 }
$b1 = { 57 65 62 56 69 65 77 }
$b2 = { 4a 53 45 78 70 6f 72 74 }
condition:
Macho and filesize < 15MB and (any of ($a*)) and (any of ($b*))
}
rule XProtect_MACOS_22d71e9
{
meta:
description = "MACOS.22d71e9"
strings:
$a1 = { (48 | 49) 63 ?? 41 32 ?? ?? (88 8D ?? ?? ?? ?? 48 | 48) ?? ?? 74 ?? 88 ?? 48 ?? ?? ?? eb ?? }
$a2 = { 48 8b [2-5] 48 89 ?? 48 f7 d? 48 01 c? 44 88 ?? ?? 48 8b [2-5] 48 89 c? 48 f7 d? 48 03 [2-5] ( 44 88 | 88 0c ) [1-2] 4? 83 f? ?? }
$a3 = { b1 ?? 41 be 01 00 00 00 4c 8d bd 7f ff ff ff 44 89 eb eb ?? }
$a4 = { 41 ff c? 90 49 63 c? 48 ?? ?? ?? ?? ?? ?? ( 44 32 34 0a 48 39 d8 74 ?? | 32 0c 02 88 8d 7f ff ff ff 48 8b 45 88 48 3b 45 90 74 ?? ) }
$a5 = { 90 0f 57 c0 4c 8d 65 80 41 0f 29 04 24 49 c7 44 24 }
$a6 = { ff cb 90 48 63 c3 48 ?? ?? ?? ?? ?? ?? 32 0c 02 48 8b 85 78 ff ff ff 48 3b 45 80 74 ?? }
$a7 = { 45 85 ?? 41 8d 4? ff b? ?? ?? ?? ?? 0f 4e c? 4? 8a ?? ?? b0 4? ff c? 4? 89 c6 }
$a8 = { 44 8a 74 05 b0 48 ff c0 48 89 85 ( a0 fa | 38 f4 ) ff ff }
$a9 = { 46 8a ?4 ?? b0 49 63 c5 48 ?? ?? ?? ?? ?? ?? 8a 04 08 88 85 ?8 f5 ff ff 4? 89 ?d ?8 fa ff ff 4? 89 ?d ?0 fa ff ff 48 83 a5 ?8 fa ff ff 00 4? 89 ?f 6a ?? 5e e8 ?? ?? ?? ?? 44 32 ?? ?8 f5 ff ff 44 88 ?5 ?0 f5 ff ff 48 8d bd ?? fa ff ff 48 8d b5 ?0 f5 ff ff e8 ?? ?? ?? ?? 4? 8? ?? 4? 8d ?5 }
$a10 = { 90 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 44 89 ff e8 ?? ?? ?? ?? 48 89 df 48 8d b5 08 f6 ff ff e8 ?? ?? ?? ?? 48 8b 85 b0 fa ff ff 0f b6 78 10 e8 ?? ?? ?? ?? 90 48 89 df e8 ?? ?? ?? ?? 49 ff c? }
$a11 = { 83 c2 fc 85 d2 6a ?? 58 0f 4e d0 4c 89 ef 48 89 de 6a ff 59 e8 ?? ?? ?? ?? 48 89 df e8 ?? ?? ?? ?? 4c 89 ef e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff 48 8d b5 98 f5 ff ff e8 ?? ?? ?? ?? 48 8d bd 78 fa ff ff e8 ?? ?? ?? ?? 49 ff c6 }
$a12 = { 0F 57 C0 0F 29 45 B0 48 C7 45 ?? 00 00 00 00 41 BD ?? 00 00 00 41 B6 ?? 31 DB BF ?? 00 00 00 31 C0 41 BF ?? 00 00 00 EB ??45 85 FF 41 8D ?? ?? 41 0F 4E CD 44 0F B6 ?? ?? ?? ?? FF FF 48 8B 45 ?? 48 8B ?? ?? 48 FF C7 41 89 CF 90 90 49 63 CF 46 32 ?? ?? }
$a13 = { 48 63 c3 48 ?? ?? ?? ?? ?? ?? 8a 04 08 42 32 44 2d b0 88 85 70 ff ff ff [2-6] f? 4c 89 e6 e8 ?? ?? ?? ?? 85 db 8d 43 ff 89 c3 ?? [0-4] 0f 4e d? 4c 89 ff 89 de e8 ?? ?? ?? ?? 4c 89 ff e8 ?? ?? ?? ?? 49 ff c5 }
$a14 = { 85 db 41 0f 4e dc 42 8a 4c 2d b0 49 ff c5 }
$a15 = { 49 63 c7 48 ?? ?? ?? ?? ?? ?? 8a 04 08 32 44 1d b0 88 85 70 ff ff ff 4c 89 f7 4c 89 ee e8 ?? ?? ?? ?? 45 85 ff 41 8d 47 ff 41 0f 4e c4 48 ff c3 41 89 c7 }
$b1 = { 57 65 62 56 69 65 77 }
$b2 = { 4a 53 45 78 70 6f 72 74 }
condition:
Macho and filesize < 15MB and (any of ($a*)) and (not any of ($b*))
}
// Matches Mach-O files under 200KB that contain all five strings below.
rule XProtect_MACOS_6175e25
{
meta:
description = "MACOS.6175e25"
strings:
// "\0%@%@%@%@\0%c\0" — two adjacent NUL-terminated format strings.
$a1 = { 00 25 40 25 40 25 40 25 40 00 25 63 00 }
// ASCII "deleteAppBySelf"
$a2 = { 64 65 6c 65 74 65 41 70 70 42 79 53 65 6c 66 }
// ASCII "encryptDecryptOperation"
$a3 = { 65 6e 63 72 79 70 74 44 65 63 72 79 70 74 4f 70 65 72 61 74 69 6f 6e }
// ASCII "EncodeDecodeOps"
$a4 = { 45 6e 63 6f 64 65 44 65 63 6f 64 65 4f 70 73 }
// ASCII "creatFileOnTemp:scrpName:" (spelling as it appears in the pattern)
$a5 = { 63 72 65 61 74 46 69 6c 65 4f 6e 54 65 6d 70 3a 73 63 72 70 4e 61 6d 65 3a }
condition:
Macho and all of ($a*) and filesize < 200KB
}
// Matches PE files under 200KB that contain all six strings below. Despite
// the MACOS description, the condition uses the private PE rule (MZ and PE
// header check defined earlier in this file), not Macho.
rule XProtect_MACOS_d1e06b8
{
meta:
description = "MACOS.d1e06b8"
strings:
// UTF-16LE "//*ErrorCode*\\" (two trailing backslashes)
$a1 = { 2f 00 2f 00 2a 00 45 00 72 00 72 00 6f 00 72 00 43 00 6f 00 64 00 65 00 2a 00 5c 00 5c 00 }
// UTF-16LE "(<^^^^>)"
$a2 = { 28 00 3c 00 5e 00 5e 00 5e 00 5e 00 3e 00 29 00 }
// ASCII "trackingXML"
$a3 = { 74 72 61 63 6b 69 6e 67 58 4d 4c }
// UTF-16LE "AllInstalledApps"
$a4 = { 41 00 6c 00 6c 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 64 00 41 00 70 00 70 00 73 00 }
// ASCII "offer_parameter"
$a5 = { 6f 66 66 65 72 5f 70 61 72 61 6d 65 74 65 72 }
// UTF-16LE "offer_id"
$a6 = { 6f 00 66 00 66 00 65 00 72 00 5f 00 69 00 64 00 }
condition:
PE and all of ($a*) and filesize < 200KB
}
// Matches Mach-O files of any size that contain both selector-like strings
// and the 64-character symbol/alphanumeric table in $a3.
rule XProtect_OSX_28a9883
{
meta:
description = "OSX.28a9883"
strings:
// ASCII ":label:plistPath:"
$a1 = { 3A 6C 61 62 65 6C 3A 70 6C 69 73 74 50 61 74 68 3A }
// ASCII ":bin:plist:"
$a2 = { 3A 62 69 6E 3A 70 6C 69 73 74 3A }
// ASCII "!@#$~^&*()[]{}:;<>,.1q2w3e4r5t6y7u8i9o0pAZSXDCFVGBHNJMKLQWERTYUI"
// NOTE(review): looks like a custom character table — purpose not shown here.
$a3 = { 21 40 23 24 7E 5E 26 2A 28 29 5B 5D 7B 7D 3A 3B 3C 3E 2C 2E 31 71 32 77 33 65 34 72 35 74 36 79 37 75 38 69 39 6F 30 70 41 5A 53 58 44 43 46 56 47 42 48 4E 4A 4D 4B 4C 51 57 45 52 54 59 55 49 }
condition:
// No filesize bound.
Macho and all of ($a*)
}
// Matches files of at most 3000 bytes that begin with "FasdUAS" (the header
// of a compiled AppleScript) and contain a UTF-16LE shell pipeline that
// decrypts data with openssl and pipes the result to bash. No Mach-O check.
rule XProtect_OSX_Bundlore_D
{
meta:
description = "OSX.Bundlore.D"
strings:
// UTF-16LE " echo "
$a1 = { 20 00 65 00 63 00 68 00 6F 00 20 00 }
// UTF-16LE " | openssl enc -aes-256-cfb -pass pass:" (the password itself is not
// part of the pattern)
$a2 = { 20 00 7C 00 20 00 6F 00 70 00 65 00 6E 00 73 00 73 00 6C 00 20 00 65 00 6E 00 63 00 20 00 2D 00 61 00 65 00 73 00 2D 00 32 00 35 00 36 00 2D 00 63 00 66 00 62 00 20 00 2D 00 70 00 61 00 73 00 73 00 20 00 70 00 61 00 73 00 73 00 3A }
// Leading 00 (high byte of the previous character), then UTF-16LE
// "-salt -A -a -d | bash -s"
$a3 = { 00 2D 00 73 00 61 00 6C 00 74 00 20 00 2D 00 41 00 20 00 2D 00 61 00 20 00 2D 00 64 00 20 00 7C 00 20 00 62 00 61 00 73 00 68 00 20 00 2D 00 73 }
// ASCII "FasdUAS" — anchored at offset 0 by the condition.
$b1 = { 46 61 73 64 55 41 53 }
condition:
$b1 at 0 and all of ($a*) and filesize <= 3000
}
// Matches Mach-O files under 450,000 bytes that contain all seven
// NUL-terminated strings below: per-browser zip path templates and two "cp"
// commands that copy browser history databases to ".dump" files.
rule XProtect_OSX_Particle_Smasher_A
{
meta:
description = "OSX.ParticleSmasher.A"
strings:
// "couldn't open the db\0"
$a1 = { 63 6F 75 6C 64 6E 27 74 20 6F 70 65 6E 20 74 68 65 20 64 62 00 }
// "%@/OPERA.zip\0"
$a2 = { 25 40 2F 4F 50 45 52 41 2E 7A 69 70 00 }
// "%@/CHROME_%@.zip\0"
$a3 = { 25 40 2F 43 48 52 4F 4D 45 5F 25 40 2E 7A 69 70 00 }
// "%@/SAFARI.zip\0"
$a4 = { 25 40 2F 53 41 46 41 52 49 2E 7A 69 70 00 }
// "%@/FIREFOX_%@.zip\0"
$a5 = { 25 40 2F 46 49 52 45 46 4F 58 5F 25 40 2E 7A 69 70 00 }
// "cp %@/places.sqlite %@/places.sqlite.dump\0"
$a6 = { 63 70 20 25 40 2F 70 6C 61 63 65 73 2E 73 71 6C 69 74 65 20 25 40 2F 70 6C 61 63 65 73 2E 73 71 6C 69 74 65 2E 64 75 6D 70 00 }
// "cp %@/History %@/History.dump\0"
$a7 = { 63 70 20 25 40 2F 48 69 73 74 6F 72 79 20 25 40 2F 48 69 73 74 6F 72 79 2E 64 75 6D 70 00 }
condition:
Macho and filesize < 450000 and all of ($a*)
}
// Matches Mach-O files under 180,000 bytes that contain all five byte runs
// below. Each run is a few short C-style strings with their NUL padding, so
// the exact layout of the padding is part of the signature.
rule XProtect_OSX_HiddenLotus_A
{
meta:
description = "OSX.HiddenLotus.A"
strings:
// "\0/\0%ld\0" followed by ten more NUL bytes
$a1 = { 00 2F 00 25 6C 64 00 00 00 00 00 00 00 00 00 00 00 }
// "\0rb\0\0 &\0" followed by NUL padding
$a2 = { 00 72 62 00 00 20 26 00 00 00 00 00 00 00 }
// "\0%d\0 2>&1\0r\0\r\n\0\0"
$a3 = { 00 25 64 00 20 32 3E 26 31 00 72 00 0D 0A 00 00 }
// "\0%02x\0" followed by NUL padding
$a4 = { 00 25 30 32 78 00 00 00 00 00 00 00 }
// "\0=\0;\0\0\0"
$a5 = { 00 3D 00 3B 00 00 00 }
condition:
// Individually these strings are generic; the rule relies on all five being
// present in a small Mach-O file.
Macho and all of ($a*) and filesize < 180000
}
// Matches Mach-O files under 3,000,000 bytes that contain all six ASCII
// names below.
rule XProtect_OSX_Mughthesec_B
{
meta:
description = "OSX.Mughthesec.B"
strings:
// ASCII "BundleMeUp"
$a1 = { 42 75 6E 64 6C 65 4D 65 55 70 }
// ASCII "PublisherOfferState"
$a2 = { 50 75 62 6C 69 73 68 65 72 4F 66 66 65 72 53 74 61 74 65 }
// ASCII "InstallProgressState"
$a3 = { 49 6E 73 74 61 6C 6C 50 72 6F 67 72 65 73 73 53 74 61 74 65 }
// ASCII "AdvertiserOfferState"
$a4 = { 41 64 76 65 72 74 69 73 65 72 4F 66 66 65 72 53 74 61 74 65 }
// ASCII "BerTaggedData"
$b1 = { 42 65 72 54 61 67 67 65 64 44 61 74 61 }
// ASCII "BERPrintVisitor"
$b2 = { 42 45 52 50 72 69 6E 74 56 69 73 69 74 6F 72 }
condition:
Macho and filesize < 3000000 and all of them
}
// Matches Mach-O files of at most 2,000,000 bytes that contain all five
// strings below. In every pattern a ?? wildcard sits between consecutive
// characters, so each string is matched with one arbitrary byte after every
// character except the last.
rule XProtect_OSX_HMining_D
{
meta:
description = "OSX.HMining.D"
strings:
// "runAllApp" (interleaved with wildcard bytes)
$a1 = { 72 ?? 75 ?? 6E ?? 41 ?? 6C ?? 6C ?? 41 ?? 70 ?? 70 }
// "fireFoxSetNtSp"
$a2 = { 66 ?? 69 ?? 72 ?? 65 ?? 46 ?? 6F ?? 78 ?? 53 ?? 65 ?? 74 ?? 4E ?? 74 ?? 53 ?? 70 }
// "Safari.app"
$a3 = { 53 ?? 61 ?? 66 ?? 61 ?? 72 ?? 69 ?? 2E ?? 61 ?? 70 ?? 70 }
// "com.apple.Safari"
$a4 = { 63 ?? 6F ?? 6D ?? 2E ?? 61 ?? 70 ?? 70 ?? 6C ?? 65 ?? 2E ?? 53 ?? 61 ?? 66 ?? 61 ?? 72 ?? 69 }
// "com.apple.quarantine"
$a5 = { 63 ?? 6F ?? 6D ?? 2E ?? 61 ?? 70 ?? 70 ?? 6C ?? 65 ?? 2E ?? 71 ?? 75 ?? 61 ?? 72 ?? 61 ?? 6E ?? 74 ?? 69 ?? 6E ?? 65 }
condition:
Macho and filesize <= 2000000 and all of ($a*)
}
// Matches files of at most 3000 bytes that begin with "FasdUAS" (the header
// of a compiled AppleScript) and contain three UTF-16LE shell fragments: a
// curl download into ${TMPDIR}, a chmod +x on a file there, and removal of
// "${TMPDIR}/mm_stub". No Mach-O check.
rule XProtect_Bundlore_B
{
meta:
description = "OSX.Bundlore.B"
strings:
// ASCII "FasdUAS" — anchored at offset 0 by the condition.
$a1 = { 46 61 73 64 55 41 53 }
// UTF-16LE: if [[ "${osver}" == *"10.12"* ]]; then verFolder="Sierra/"; fi;
// then a newline, four spaces and: curl -sL -o "${TMPDIR}
$b1 = { 69 00 66 00 20 00 5B 00 5B 00 20 00 22 00 24 00 7B 00 6F 00 73 00 76 00 65 00 72 00 7D 00 22 00 20 00 3D 00 3D 00 20 00 2A 00 22 00 31 00 30 00 2E 00 31 00 32 00 22 00 2A 00 20 00 5D 00 5D 00 3B 00 20 00 74 00 68 00 65 00 6E 00 20 00 76 00 65 00 72 00 46 00 6F 00 6C 00 64 00 65 00 72 00 3D 00 22 00 53 00 69 00 65 00 72 00 72 00 61 00 2F 00 22 00 3B 00 20 00 66 00 69 00 3B 00 0A 00 20 00 20 00 20 00 20 00 63 00 75 00 72 00 6C 00 20 00 2D 00 73 00 4C 00 20 00 2D 00 6F 00 20 00 22 00 24 00 7B 00 54 00 4D 00 50 00 44 00 49 00 52 00 7D 00 }
// UTF-16LE: four spaces, then: chmod +x "${TMPDIR}/
$b2 = { 20 00 20 00 20 00 20 00 63 00 68 00 6D 00 6F 00 64 00 20 00 2B 00 78 00 20 00 22 00 24 00 7B 00 54 00 4D 00 50 00 44 00 49 00 52 00 7D 00 2F 00 }
// UTF-16LE: one space, then: rm -rf "${TMPDIR}/mm_stub"
$b3 = { 20 00 72 00 6D 00 20 00 2D 00 72 00 66 00 20 00 22 00 24 00 7B 00 54 00 4D 00 50 00 44 00 49 00 52 00 7D 00 2F 00 6D 00 6D 00 5F 00 73 00 74 00 75 00 62 00 22 00 }
condition:
$a1 at 0 and all of ($b*) and filesize <= 3000
}
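// Matches Mach-O files under 250,000 bytes that contain one of the two $a
// names together with all three /tmp shell-script paths.
rule XProtect_OSX_AceInstaller_B
{
meta:
description = "OSX.AceInstaller.B"
strings:
// ASCII "AceInstaller"
$a1 = { 41 63 65 49 6E 73 74 61 6C 6C 65 72 }
// ASCII "setOffersLabel"
$a2 = { 73 65 74 4F 66 66 65 72 73 4C 61 62 65 6C }
// ASCII "/tmp/pscr.sh"
$b1 = { 2F 74 6D 70 2F 70 73 63 72 2E 73 68 }
// ASCII "/tmp/Offer%ld.sh"
$b2 = { 2F 74 6D 70 2F 4F 66 66 65 72 25 6C 64 2E 73 68 }
// ASCII "/tmp/mscr.sh"
$b3 = { 2F 74 6D 70 2F 6D 73 63 72 2E 73 68 }
condition:
// The "or" is parenthesised on purpose. "and" binds tighter than "or" in
// YARA, so without the parentheses the expression was evaluated as
//   (Macho and filesize < 250000 and $a1) or ($a2 and all of ($b*))
// which matched any small Mach-O containing "AceInstaller" alone, and any
// file of any type or size containing $a2 plus the three paths.
// This narrows matching: re-test against known samples before deploying.
Macho and filesize < 250000 and
($a1 or $a2) and
all of ($b*)
}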
// Matches Mach-O files under 300,000 bytes that contain the $a1 byte pattern
// and the ASCII name in $b1. The rule carries the YARA tag "dropper".
rule XProtect_AdLoad_B_2 : dropper
{
meta:
description = "OSX.AdLoad.B.2"
strings:
// Appears to be x86-64 instruction bytes with wildcarded operands — TODO
// confirm. The hex string continues on the next line.
$a1 = {48 8B ?? ?? ?? ?? ?? 48 8D 5D B8 48 89 03 C7 43 08 00 00 00 C2 C7 43 0C 00 00 00 00 48 8D ?? ?? ?? ?? ?? 48 89 43 10 48 8D ?? ?? ?? ?? ?? 48 89 43 18 4C 89 F7 ?? ?? ?? ?? ?? ?? 48 89 43 20 4C 89 FF 48 89 DE ?? ?? ?? ?? ?? 4C 89 FF ?? ?? ?? 48 8B 7B 20 ?? ?? ??
48 83 C4 30}
// ASCII "getSafariVersion"
$b1 = {67 65 74 53 61 66 61 72 69 56 65 72 73 69 6F 6E}
condition:
Macho and filesize < 300000 and $a1 and $b1
}
// Matches Mach-O files under 400,000 bytes that contain all four ASCII
// strings below.
rule XProtect_AdLoad_B_1
{
meta:
description = "OSX.AdLoad.B.1"
strings:
// ASCII "setInstallFinishedText"
$a1 = {73 65 74 49 6E 73 74 61 6C 6C 46 69 6E 69 73 68 65 64 54 65 78 74}
// ASCII "setFinishTickImageView"
$a2 = {73 65 74 46 69 6E 69 73 68 54 69 63 6B 49 6D 61 67 65 56 69 65 77}
// ASCII "OfferController"
$a3 = {4F 66 66 65 72 43 6F 6E 74 72 6F 6C 6C 65 72}
// ASCII "&OFFER_ID=%@"
$a4 = {26 4F 46 46 45 52 5F 49 44 3D 25 40}
condition:
Macho and filesize < 400000 and (all of ($a*))
}
// Matches Mach-O files under 40,000 bytes that contain all four ASCII
// strings below.
rule XProtect_AdLoad_A
{
meta:
description = "OSX.AdLoad.A"
strings:
// ASCII "setOfferUrl"
$a1 = {73 65 74 4F 66 66 65 72 55 72 6C}
// ASCII "setOfferPath"
$a2 = {73 65 74 4F 66 66 65 72 50 61 74 68}
// ASCII "setOfferName"
$a3 = {73 65 74 4F 66 66 65 72 4E 61 6D 65}
// ASCII "/tmp/Product.dmg"
$a4 = {2F 74 6D 70 2F 50 72 6F 64 75 63 74 2E 64 6D 67}
condition:
Macho and filesize < 40000 and (all of ($a*))
}
// Matches Mach-O files under 3,000,000 bytes that contain all six ASCII
// names below. $b1/$b2 are the same patterns used by XProtect_OSX_Mughthesec_B.
rule XProtect_OSX_Mughthesec_A
{
meta:
description = "OSX.Mughthesec.A"
strings:
// ASCII "TRMC_Install_Start_1"
$a1 = { 54 52 4D 43 5F 49 6E 73 74 61 6C 6C 5F 53 74 61 72 74 5F 31 }
// ASCII "fallbackDmgName"
$a2 = { 66 61 6C 6C 62 61 63 6B 44 6D 67 4E 61 6D 65 }
// ASCII "fallbackInstallerName"
$a3 = { 66 61 6C 6C 62 61 63 6B 49 6E 73 74 61 6C 6C 65 72 4E 61 6D 65 }
// ASCII "offerScreenUrl"
$a4 = { 6F 66 66 65 72 53 63 72 65 65 6E 55 72 6C }
// ASCII "BerTaggedData"
$b1 = { 42 65 72 54 61 67 67 65 64 44 61 74 61 }
// ASCII "BERPrintVisitor"
$b2 = { 42 45 52 50 72 69 6E 74 56 69 73 69 74 6F 72 }
condition:
Macho and filesize < 3000000 and all of them
}
// Matches Mach-O files under 3,000,000 bytes that contain all six strings
// below, including shell commands that create ~/Library/LaunchAgents and
// load an agent from it with launchctl.
rule XProtect_OSX_Leverage_A
{
meta:
description = "OSX.Leverage.A"
strings:
// Byte 0xFF followed by ASCII "echo '<?xml "
$a1 = { FF 65 63 68 6F 20 27 3C 3F 78 6D 6C 20 }
// ASCII "rbframework.dylib"
$a2 = { 72 62 66 72 61 6D 65 77 6F 72 6B 2E 64 79 6C 69 62 }
// One byte whose high nibble is 3 (3?), then ASCII
// "launchctl load ~/Library/LaunchAgents"
$a3 = { 3? 6C 61 75 6E 63 68 63 74 6C 20 6C 6F 61 64 20 7E 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 41 67 65 6E 74 73 }
// ASCII "mkdir ~/Library/LaunchAgents"
$a4 = { 6D 6B 64 69 72 20 7E 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 41 67 65 6E 74 73 }
// ASCII "mWaitForThisCommand"
$b1 = { 6D 57 61 69 74 46 6F 72 54 68 69 73 43 6F 6D 6D 61 6E 64 }
// ASCII "mWaitingForACommand"
$b2 = { 6D 57 61 69 74 69 6E 67 46 6F 72 41 43 6F 6D 6D 61 6E 64 }
condition:
Macho and filesize < 3000000 and all of them
}
// Matches Mach-O files under 200KB that contain all four 16-byte sequences
// below. The bytes are not printable ASCII; what they encode cannot be told
// from this file.
rule XProtect_OSX_ATG15_B
{
meta:
description = "OSX.ATG15.B"
// Extra boolean metadata; it is informational and not used by the condition.
xprotect_rule = true
strings:
$a1 = { 80 7C 39 3C 32 BA BB 80 F3 B9 B4 34 B8 34 39 80 }
$a2 = { FC BF 34 BA 7C BA 34 36 B9 BC BA 3C 80 7C 39 3C }
$a3 = { 32 BA BB 76 BA 34 3C B9 BF B7 8F 30 B3 B9 3C 32 }
// A repeating five-byte unit (9C 85 89 27 8B) three times plus one byte.
$b1 = { 9C 85 89 27 8B 9C 85 89 27 8B 9C 85 89 27 8B 9C }
condition:
Macho and filesize < 200KB and all of them
}
// Matches Mach-O files under 2,000,000 bytes that contain all three ASCII
// strings below, two of which refer to browser history.
rule XProtect_OSX_Genieo_G
{
meta:
description = "OSX.Genieo.G"
strings:
// ASCII "getSafariHistory"
$a1 = {67 65 74 53 61 66 61 72 69 48 69 73 74 6F 72 79}
// ASCII "select count(*) from moz_historyvisits"
$a2 = {73 65 6c 65 63 74 20 63 6f 75 6e 74 28 2a 29 20 66 72 6f 6d 20 6d 6f 7a 5f 68 69 73 74 6f 72 79 76 69 73 69 74 73}
// ASCII "SFEXTFileManager"
$a3 = {53 46 45 58 54 46 69 6c 65 4d 61 6e 61 67 65 72}
condition:
Macho and filesize < 2000000 and (all of ($a*))
}
// Matches Mach-O files under 2,000,000 bytes that contain all three short
// ASCII strings below.
rule XProtect_Genieo_G_1
{
meta:
description = "OSX.Genieo.G.1"
strings:
// ASCII "install_url_suffix"
$b1 = {69 6e 73 74 61 6c 6c 5f 75 72 6c 5f 73 75 66 66 69 78}
// ASCII "ver_da" — six bytes; may also match as the prefix of a longer name.
$b2 = {76 65 72 5f 64 61}
// ASCII "offer_id"
$b3 = {6f 66 66 65 72 5f 69 64}
condition:
// NOTE(review): all three strings are short and generic, so the rule depends
// on their combination inside a Mach-O under the size limit.
Macho and filesize < 2000000 and all of them
}
// Exact-file rule: matches a Mach-O file under 800,000 bytes whose SHA-1 over
// the whole file (offset 0, length filesize) equals the digest below. Uses the
// "hash" module imported at the top of this file.
rule XProtect_OSX_Proton_B
{
meta:
description = "OSX.Proton.B"
condition:
// A whole-file hash identifies exactly one file: a sample that differs by a
// single byte will not match. The Macho and filesize terms come first,
// presumably so the hash is only computed for small Mach-O candidates.
Macho and filesize < 800000 and hash.sha1(0, filesize) == "a8ea82ee767091098b0e275a80d25d3bc79e0cea"
}
// Matches Mach-O files between 10,000 and 600,000 bytes (exclusive) that
// contain the three ASCII names and the base64 text in $b1.
rule XProtect_OSX_Dok_B
{
meta:
description = "OSX.Dok.B"
strings:
// ASCII "SelfInstall"
$a1 = {53 65 6C 66 49 6E 73 74 61 6C 6C}
// ASCII "IsLoginScriptExists"
$a2 = {49 73 4C 6F 67 69 6E 53 63 72 69 70 74 45 78 69 73 74 73}
// ASCII "AddLoginScript"
$a3 = {41 64 64 4C 6F 67 69 6E 53 63 72 69 70 74}
// ASCII base64 text. Decoded, it is the start of a script:
// "#!/usr/bin/env python", then "# -*- coding: utf-8 -*-", then "im"
// (the pattern stops mid-group).
$b1 = {49 79 45 76 64 58 4E 79 4C 32 4A 70 62 69 39 6C 62 6E 59 67 63 48 6C 30 61 47 39 75 43 69 4D 67 4C 53 6F 74 49 47 4E 76 5A 47 6C 75 5A 7A 6F 67 64 58 52 6D 4C 54 67 67 4C 53 6F 74 43 6D 6C 74 63}
condition:
Macho and filesize < 600000 and filesize > 10000 and all of them
}
// Matches Mach-O files under 100,000 bytes that contain all four ASCII
// strings below.
rule XProtect_OSX_Dok_A
{
meta:
description = "OSX.Dok.A"
strings:
// ASCII "Updates" — generic on its own.
$a1 = {55 70 64 61 74 65 73}
// ASCII "InstallTor"
$a2 = {49 6E 73 74 61 6C 6C 54 6F 72}
// ASCII "InstallCert"
$b1 = {49 6E 73 74 61 6C 6C 43 65 72 74}
// ASCII "base64 -i %@"
$b2 = {62 61 73 65 36 34 20 2D 69 20 25 40}
condition:
Macho and filesize < 100000 and all of them
}
// Matches Mach-O files under 500,000 bytes that contain at least four of the
// five ASCII strings below.
rule OSX_Bundlore_A
{
meta:
description = "OSX.Bundlore.A"
strings:
// ASCII "OffersInstallScriptUrl"
$a1 = { 4F 66 66 65 72 73 49 6E 73 74 61 6C 6C 53 63 72 69 70 74 55 72 6C }
// ASCII "SoftwareInstallScriptUrl"
$a2 = { 53 6F 66 74 77 61 72 65 49 6E 73 74 61 6C 6C 53 63 72 69 70 74 55 72 6C }
// ASCII "com.google.Chrome"
$a3 = { 63 6F 6D 2E 67 6F 6F 67 6C 65 2E 43 68 72 6F 6D 65 }
// ASCII ".tmpma"
$a4 = { 2E 74 6D 70 6D 61 }
// ASCII "Please wait while your software is being installed..."
$a5 = { 50 6C 65 61 73 65 20 77 61 69 74 20 77 68 69 6C 65 20 79 6F 75 72 20 73 6F 66 74 77 61 72 65 20 69 73 20 62 65 69 6E 67 20 69 6E 73 74 61 6C 6C 65 64 2E 2E 2E }
condition:
filesize < 500000 and Macho and 4 of ($a*)
}
// Matches Mach-O files under 100,000 bytes that contain either the base64
// text in $a or all four $b strings.
rule OSX_Findzip_A {
meta:
description = "OSX.Findzip.A"
strings:
// ASCII base64 text. Decoded (up to where the pattern stops) it reads
// "NOT YOUR LANGUAGE? USE https://translate.google.com", a blank line, then
// "What happened to your files ?".
$a = {54 6b 39 55 49 46 6c 50 56 56 49 67 54 45 46 4f 52 31 56 42 52 30 55 2f 49 46 56 54 52 53 42 6f 64 48 52 77 63 7a 6f 76 4c 33 52 79 59 57 35 7a 62 47 46 30 5a 53 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 44 51 6f 4e 43 6c 64 6f 59 58 51 67 61 47 46 77 63 47 56 75 5a 57 51 67 64 47 38 67 65 57 39 31 63 69 42 6d 61 57 78 6c 63 79 41 2f 44 51 70}
// ASCII "/usr/bin/find"
$b1 = {2f 75 73 72 2f 62 69 6e 2f 66 69 6e 64}
// ASCII "{}.crypt"
$b2 = {7b 7d 2e 63 72 79 70 74}
// ASCII "REEADME!.txt" (double E as it appears in the pattern)
$b3 = {52 45 45 41 44 4d 45 21 2e 74 78 74}
// ASCII "/usr/bin/diskutil"
$b4 = {2f 75 73 72 2f 62 69 6e 2f 64 69 73 6b 75 74 69 6c}
condition:
filesize < 100000 and Macho and ($a or (all of ($b*)))
}
// Matches Mach-O files under 200,000 bytes that contain all five command-like
// names in $b* and at least one of the two password-prompt texts in $a*.
rule OSX_Proton_A
{
meta:
description = "OSX.Proton.A"
strings:
// ASCII "Network Configuration needs to update DHCP settings. Type your
// password to allow this."
$a1 = {4E 65 74 77 6F 72 6B 20 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E 20 6E 65 65 64 73 20 74 6F 20 75 70 64 61 74 65 20 44 48 43 50 20 73 65 74 74 69 6E 67 73 2E 20 54 79 70 65 20 79 6F 75 72 20 70 61 73 73 77 6F 72 64 20 74 6F 20 61 6C 6C 6F 77 20 74 68 69 73 2E}
// ASCII "Installer wants to make changes. Type your password to allow this"
// (no trailing full stop in the pattern)
$a2 = {49 6E 73 74 61 6C 6C 65 72 20 77 61 6E 74 73 20 74 6F 20 6D 61 6B 65 20 63 68 61 6E 67 65 73 2E 20 54 79 70 65 20 79 6F 75 72 20 70 61 73 73 77 6F 72 64 20 74 6F 20 61 6C 6C 6F 77 20 74 68 69 73}
// ASCII "file_upload"
$b1 = {66 69 6C 65 5F 75 70 6C 6F 61 64}
// ASCII "ssh_tunnel"
$b2 = {73 73 68 5F 74 75 6E 6E 65 6C}
// ASCII "download_file"
$b3 = {64 6F 77 6E 6C 6F 61 64 5F 66 69 6C 65}
// ASCII "exec_push"
$b4 = {65 78 65 63 5F 70 75 73 68}
// ASCII "fv_action"
$b5 = {66 76 5F 61 63 74 69 6F 6E}
condition:
Macho and filesize < 200000 and all of ($b*) and any of ($a*)
}
// Matches Mach-O files under 400,000 bytes that contain both $s strings and
// the $a byte pattern.
rule OSX_XAgent_A
{
meta:
description = "OSX.XAgent.A"
strings:
// Fixed byte sequence with no wildcards. It compares bytes against 0x3D
// ('=') and masks with 0x3F, which looks like a base64-style decoder —
// NOTE(review): inferred from the constants, confirm by disassembly.
$a = {49 0F BE 14 07 41 8D 45 FD 49 0F BE 34 07 41 8D 7D FF 41 8D 45 FE 49 0F BE 1C 07 48 83 FB 3D B8 00 00 00 00 B9 01 00 00 00 74 0A 42 0F B6 04 33 B9 02 00 00 00 42 8A 1C 32 42 0F B6 34 36 89 FA 49 0F BE 3C 17 45 31 C0 48 83 FF 3D 74 0E 46 0F B6 04 37 41 83 E0 3F B9 03 00 00 00 C0 E3 02 40 88 F2 C0 EA 04 80 E2 03 08 DA 88 55 D5 C1 E6 04 89 C2 C1 EA 02 83 E2 0F 09 F2 88 55 D6 C1 E0 06 44 09 C0 88 45 D7 4C 89 E7}
// ASCII "SELECT hostname, encryptedUsername, encryptedPassword"
$s1 = {53 45 4C 45 43 54 20 68 6F 73 74 6E 61 6D 65 2C 20 65 6E 63 72 79 70 74 65 64 55 73 65 72 6E 61 6D 65 2C 20 65 6E 63 72 79 70 74 65 64 50 61 73 73 77 6F 72 64}
// ASCII "rm -rf %@/Library/Assistants/.local/"
$s2 = {72 6D 20 2D 72 66 20 25 40 2F 4C 69 62 72 61 72 79 2F 41 73 73 69 73 74 61 6E 74 73 2F 2E 6C 6F 63 61 6C 2F}
condition:
Macho and filesize < 400000 and ((all of ($s*)) and $a)
}
// OSX.iKitten.A: Mach-O under 400000 bytes containing both byte patterns
// and both shell-command templates.
rule OSX_iKitten_A
{
    meta:
        description = "OSX.iKitten.A"

    strings:
        // $a and $b are raw byte patterns (not printable text); $b has wildcard gaps.
        $a = {48 83 F8 00 48 89 85 C0 FE FF FF 0F 84 FC 01 00 00 31 C0 89 C1 48 8D 95 F0 FE FF FF 48 83 C2 10 48 8B B5 00 FF FF FF 48 8B 36 48 8B BD C0 FE FF FF 48 89 B5 B8 FE FF FF 48 89 95 B0 FE FF FF 48 89 8D A8 FE FF FF 48 89 BD A0 FE FF FF 48 8B 85 A0 FE FF FF 48 8B 8D A8 FE FF FF 48 8B 95 B0 FE FF FF 48 8B 32 48 8B BD B8 FE FF FF 48 39 3E 48 89 85 98 FE FF FF 48 89 8D 90 FE FF FF 0F 84 0F 00 00 00 48 8B 85 C8 FE FF FF 48 89 C7}
        $b = {48 89 45 E0 48 8B 3D 80 38 03 00 48 8B 35 E9 33 03 00 41 B8 04 00 00 00 44 89 C1 45 31 C0 44 89 C2 48 89 55 C0 48 89 C2 48 89 4D B8 4C 8B 45 C0 48 8B 45 C8 ?? ?? 48 89 C7 ?? ?? ?? ?? ?? 48 89 45 D8 48 8B 35 4A 34 03 00 48 8D 15 13 18 03 00 48 8D 0D 6C 17 03 00 48 89 C7 48 8B 45 C8 ?? ?? 48 89 C7}
        // "if cat /etc/rc.common | grep %@;"
        $s1 = {69 66 20 63 61 74 20 2F 65 74 63 2F 72 63 2E 63 6F 6D 6D 6F 6E 20 7C 20 67 72 65 70 20 25 40 3B}
        // "zip -r -j %@ %@"
        $s2 = {7A 69 70 20 2D 72 20 2D 6A 20 25 40 20 25 40}

    condition:
        Macho and filesize < 400000 and all of them
}
// OSX.HMining.C: Mach-O of at most 600000 bytes containing both wildcarded
// byte patterns.
rule OSX_HMining_C
{
    meta:
        description = "OSX.HMining.C"

    strings:
        // Both patterns open with 55 48 89 E5, which looks like an x86-64
        // function prologue; the ?? runs skip five bytes each.
        $a1 = {55 48 89 E5 41 57 41 56 53 50 4C 8B 7F 48 4C 8B 77 50 48 8B 5F 58 48 89 DF ?? ?? ?? ?? ?? 4C 89 FF 4C 89 F6 48 89 DA ?? ?? ?? ?? ?? 48 89 C7 48 83 C4 08 5B 41 5E 41 5F 5D}
        $a2 = {55 48 89 E5 41 57 41 56 41 54 53 41 89 CE 48 89 D3 48 89 DF ?? ?? ?? ?? ?? 48 89 DF ?? ?? ?? ?? ?? 48 89 CB 48 89 C7 48 89 D6 48 89 DA 44 89 F1 ?? ?? ?? ?? ?? 49 89 C6 49 89 D7 49 89 CC 48 89 DF ?? ?? ?? ?? ?? 4C 89 F7 4C 89 FE 4C 89 E2 ?? ?? ?? ?? ?? 48 89 C7 5B 41 5C 41 5E 41 5F 5D}

    condition:
        Macho and filesize <= 600000 and all of them
}
// OSX.HMining.B: Mach-O of at most 500000 bytes containing both wildcarded
// byte patterns.
rule HMiningB
{
    meta:
        description = "OSX.HMining.B"

    strings:
        // Raw byte patterns (not printable text); presumably compiled code, not decoded here.
        $a1 = {48 89 C7 41 FF D6 48 89 85 E8 FE FF FF 0F 57 C0 0F 29 85 40 FF FF FF 0F 29 85 30 FF FF FF 0F 29 85 20 FF FF FF 0F 29 85 10 FF FF FF ?? ?? ?? ?? ?? ?? ?? 48 8D 95 10 FF FF FF 48 8D 8D 50 FF FF FF 41 B8 10 00 00 00 48 89 C7 41 FF D6 48 89 85 08 FF FF FF 48 85 C0 B8 00 00 00 00 48 89 85 D8 FE FF FF 0F 84 44 01 00 00 48 8B 85 20 FF FF FF 48 8B 00 48 89 85 F8 FE FF FF}
        $a2 = {48 89 DF ?? ?? ?? 49 89 C4 4C 89 65 B8 ?? ?? ?? ?? ?? ?? ?? BA 04 00 00 00 4C 89 F7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 89 C7 ?? ?? ?? 48 89 45 C8 ?? ?? ?? ?? ?? ?? ?? 48 89 DF 41 FF D7 4C 89 F9 48 85 C0 74 59 ?? ?? ?? ?? ?? ?? ?? 45 31 FF 45 31 F6 4C 8B 6D C8 41 8A 45 00 43 30 04 3C 49 FF C5 41 FF C6 4D 63 F6 48 8B 7D C0 48 89 DE 49 89 CC 41 FF D4 49 39 C6 4C 0F 44 6D C8 B8 00 00 00 00 44 0F 44 F0 49 FF C7 48 8B 7D D0 48 89 DE 41 FF D4 4C 89 E1 4C 8B 65 B8 49 39 C7 72 B8 48 8B 45 D0 48 83 C4 28 5B 41 5C 41 5D 41 5E 41 5F 5D C3 }

    condition:
        Macho and filesize <= 500000 and all of them
}
// OSX.Netwire.A: both strings must be present.
// NOTE(review): the condition has no Macho or filesize guard, so any file
// type containing both strings matches.
rule NetwireA
{
    meta:
        description = "OSX.Netwire.A"

    strings:
        // Four non-text bytes followed by "\r\nexit\r\n\r\nexit\n\n" and a NUL.
        $a = { 03 04 15 1A 0D 0A 65 78 69 74 0D 0A 0D 0A 65 78 69 74 0A 0A 00 }
        // HTTP header text: "User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64;
        // Trident/7.0; rv:11.0) like Gecko" followed by CRLF and an "Accept:" header.
        $b = { 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 33 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 65 63 6B 6F 0D 0A 41 63 63 65 70 74 3A 20 74 65 78 74 2F 68 74 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 68 74 6D 6C 2B 78 6D 6C 2C 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 6D 6C 3B 71 3D 30 2E 39 2C 69 6D 61 67 65 2F 77 65 62 70 2C 2A 2F 2A 3B 71 3D 30 2E 38 }

    condition:
        $a and $b
}
// OSX.Bundlore.B: any two of the three "__MA_" symbol-like names.
// NOTE(review): no Macho or filesize guard in the condition.
rule BundloreB
{
    meta:
        description = "OSX.Bundlore.B"

    strings:
        // "__MA_AppDelegate"
        $a = {5F 5F 4D 41 5F 41 70 70 44 65 6C 65 67 61 74 65}
        // "__MA_DetectedProductsHandler"
        $b = {5F 5F 4D 41 5F 44 65 74 65 63 74 65 64 50 72 6F 64 75 63 74 73 48 61 6E 64 6C 65 72}
        // "__MA_DmgSourceReader"
        $c = {5F 5F 4D 41 5F 44 6D 67 53 6F 75 72 63 65 52 65 61 64 65 72}

    condition:
        2 of them
}
// OSX.Eleanor.A: file of at most 3500 bytes whose first byte is 0x23 ('#')
// and whose whole-file SHA-1 equals one of two digests. Being an exact-hash
// match, any altered copy of the file is not detected.
rule EleanorA
{
    meta:
        description = "OSX.Eleanor.A"

    condition:
        filesize <= 3500 and
        uint8(0) == 0x23 and
        (
            hash.sha1(0, filesize) == "de642751e96b8c53744f031a6f7e929d53226321" or
            hash.sha1(0, filesize) == "1f782e84ddbf5fd76426f6f9bf3d4238d2ec9a4b"
        )
}
// OSX.HMining.A: Mach-O containing either the ($a, $b) pair or the ($c, $d)
// pair. No filesize bound is applied.
rule HMining_Binary_A
{
    meta:
        description = "OSX.HMining.A"

    strings:
        // "hideOperatorWidowAfterAdmin"
        $a = {68 69 64 65 4F 70 65 72 61 74 6F 72 57 69 64 6F 77 41 66 74 65 72 41 64 6D 69 6E}
        // Raw byte pattern (not printable text); presumably compiled code.
        $b = {48 8B 85 98 FE FF FF 48 89 44 24 38 48 8B 85 90 FE FF FF 48 89 44 24 30 48 8B 85 80 FE FF FF 48 8B 8D 88 FE FF FF 48 89 4C 24 28 48 89 44 24 20 48 8B 85 00 FF FF FF 48 89 44 24 18 48 8B 85 F8 FE FF FF 48 89 44 24 10 48 8B 85 E8 FE FF FF 48 8B 8D F0 FE FF FF 48 89 4C 24 08 48 89 04 24}
        // "allCompetitorsAgentDemond"
        $c = {61 6C 6C 43 6F 6D 70 65 74 69 74 6F 72 73 41 67 65 6E 74 44 65 6D 6F 6E 64}
        // "createAndLoadAgentPlistPath:agentPlistName:agentPlistKeyArr:agentPlistValArr:isAdmin:"
        $d = {63 72 65 61 74 65 41 6E 64 4C 6F 61 64 41 67 65 6E 74 50 6C 69 73 74 50 61 74 68 3A 61 67 65 6E 74 50 6C 69 73 74 4E 61 6D 65 3A 61 67 65 6E 74 50 6C 69 73 74 4B 65 79 41 72 72 3A 61 67 65 6E 74 50 6C 69 73 74 56 61 6C 41 72 72 3A 69 73 41 64 6D 69 6E 3A}

    condition:
        Macho and
        (
            ($a and $b) or
            ($c and $d)
        )
}
// OSX.Trovi.A: Mach-O containing both selector-like names. No filesize bound.
rule TroviProxyApp
{
    meta:
        description = "OSX.Trovi.A"

    strings:
        // "receivingWebsiteStarted"
        $a = {72 65 63 65 69 76 69 6E 67 57 65 62 73 69 74 65 53 74 61 72 74 65 64}
        // "htmlInjected"
        $b = {68 74 6D 6C 49 6E 6A 65 63 74 65 64}

    condition:
        Macho and all of them
}
// OSX.Hmining.A: Mach-O containing $a and $b.
// NOTE(review): $a and $b are the same patterns as in rule HMining_Binary_A
// in this file, so every match here also matches that rule's first branch.
rule HMining
{
    meta:
        description = "OSX.Hmining.A"

    strings:
        // "hideOperatorWidowAfterAdmin"
        $a = {68 69 64 65 4F 70 65 72 61 74 6F 72 57 69 64 6F 77 41 66 74 65 72 41 64 6D 69 6E}
        // Raw byte pattern (not printable text); presumably compiled code.
        $b = {48 8B 85 98 FE FF FF 48 89 44 24 38 48 8B 85 90 FE FF FF 48 89 44 24 30 48 8B 85 80 FE FF FF 48 8B 8D 88 FE FF FF 48 89 4C 24 28 48 89 44 24 20 48 8B 85 00 FF FF FF 48 89 44 24 18 48 8B 85 F8 FE FF FF 48 89 44 24 10 48 8B 85 E8 FE FF FF 48 8B 8D F0 FE FF FF 48 89 4C 24 08 48 89 04 24}

    condition:
        Macho and all of them
}
// OSX.Bundlore.A: Mach-O containing both "__mm_" names. No filesize bound.
rule BundloreA
{
    meta:
        description = "OSX.Bundlore.A"

    strings:
        // "__mm_getInjectedParams"
        $a = {5F 5F 6D 6D 5F 67 65 74 49 6E 6A 65 63 74 65 64 50 61 72 61 6D 73}
        // "__mm_runShellScriptAsRoot"
        $b = {5F 5F 6D 6D 5F 72 75 6E 53 68 65 6C 6C 53 63 72 69 70 74 41 73 52 6F 6F 74}

    condition:
        Macho and all of them
}
// OSX.Genieo.E: Mach-O containing both "GN"-prefixed class-like names.
rule GenieoE
{
    meta:
        description = "OSX.Genieo.E"

    strings:
        // "GNSingletonGlobalCalculator"
        $a = {47 4E 53 69 6E 67 6C 65 74 6F 6E 47 6C 6F 62 61 6C 43 61 6C 63 75 6C 61 74 6F 72}
        // "GNFallbackReportHandler"
        $b = {47 4E 46 61 6C 6C 62 61 63 6B 52 65 70 6F 72 74 48 61 6E 64 6C 65 72}

    condition:
        Macho and all of them
}
// OSX.ExtensionsInstaller.A: Mach-O under 2500000 bytes containing all five
// names below.
rule OSX_ExtensionsInstaller_A
{
    meta:
        description = "OSX.ExtensionsInstaller.A"

    strings:
        // "removeXattrTo"
        $a1 = {72 65 6D 6F 76 65 58 61 74 74 72 54 6F}
        // "getCryptedDataFromUrl"
        $a2 = {67 65 74 43 72 79 70 74 65 64 44 61 74 61 46 72 6F 6D 55 72 6C}
        // "getBestOfferConfig:acceptedOffers"
        $a3 = {67 65 74 42 65 73 74 4F 66 66 65 72 43 6F 6E 66 69 67 3A 61 63 63 65 70 74 65 64 4F 66 66 65 72 73}
        // "SafariExtensionInstaller"
        $b1 = {53 61 66 61 72 69 45 78 74 65 6E 73 69 6F 6E 49 6E 73 74 61 6C 6C 65 72}
        // "TarCompressor"
        $b2 = {54 61 72 43 6F 6D 70 72 65 73 73 6F 72}

    condition:
        Macho and filesize < 2500000 and all of ($a*) and all of ($b*)
}
// OSX.InstallCore.A: Mach-O containing any one of the three patterns.
// NOTE(review): $c alone (a single class-like name) is enough to match and
// there is no filesize bound.
rule InstallCoreA
{
    meta:
        description = "OSX.InstallCore.A"

    strings:
        // $a and $b are raw byte patterns (not printable text); presumably compiled code.
        $a = {C6 45 A0 65 C6 45 A1 52 C6 45 A2 4A C6 45 A3 50 C6 45 A4 5B C6 45 A5 57 C6 45 A6 72 C6 45 A7 48 C6 45 A8 53 C6 45 A9 5D C6 45 AA 25 C6 45 AB 33 C6 45 AC 42 C6 45 A0 53 B8 01 00 00 00}
        $b = {49 89 DF 48 89 C3 FF D3 4C 89 EF FF D3 48 8B 7D B0 FF D3 48 8B 7D B8 FF D3 4C 89 FF FF D3 4C 8B 6D C0 48 8B 7D A8}
        // "ICJavaScriptEnvironmentInfo"
        $c = {49 43 4A 61 76 61 53 63 72 69 70 74 45 6E 76 69 72 6F 6E 6D 65 6E 74 49 6E 66 6F}

    condition:
        Macho and any of them
}
// OSX.KeRanger.A: Mach-O containing one wildcarded byte pattern.
// No filesize bound is applied.
rule KeRangerA
{
    meta:
        description = "OSX.KeRanger.A"

    strings:
        // Raw byte pattern with two five-byte wildcard gaps; presumably
        // compiled code, not decoded here.
        $a = {48 8D BD D0 EF FF FF BE 00 00 00 00 BA 00 04 00 00 31 C0 49 89 D8 ?? ?? ?? ?? ?? 31 F6 4C 89 E7 ?? ?? ?? ?? ?? 83 F8 FF 74 57 C7 85 C4 EB FF FF 00 00 00 00}

    condition:
        Macho and $a
}
// OSX.CrossRider.A (tagged "adware"): Mach-O containing one fixed byte pattern.
// No filesize bound is applied.
rule CrossRiderA : adware
{
    meta:
        description = "OSX.CrossRider.A"

    strings:
        // Raw byte pattern (not printable text); presumably compiled code.
        $a = {E9 00 00 00 00 48 8B 85 00 FE FF FF 8A 08 88 8D 5F FE FF FF 0F BE 95 5F FE FF FF 83 C2 D0 89 55 E0 48 8B B5 60 FE FF FF 48 8B BD 40 FE FF FF}

    condition:
        Macho and $a
}
// OSX.GenieoDropper.A: both JavaScript fragments must be present.
// The condition has no Macho guard, so text/script files can match.
rule GenieoDropper
{
    meta:
        description = "OSX.GenieoDropper.A"

    strings:
        // "function AcceptOffers(){"
        $a = {66756E6374696F6E204163636570744F666665727328297B}
        // trackAnalyticsEvent("execution","JsRun");
        $b = {747261636B416E616C79746963734576656E742822657865637574696F6E222C224A7352756E22293B}

    condition:
        all of them
}
// OSX.XcodeGhost.A: Mach-O containing any one of three two-part byte
// patterns; each pattern allows a gap of 0 to 1000 arbitrary bytes between
// its two halves.
rule XcodeGhost
{
    meta:
        description = "OSX.XcodeGhost.A"

    strings:
        // Raw byte patterns (not printable text); not decoded here.
        $a = {8346002008903046 [0-1000] 082108A800910021019101210296032203955346CDF810B0059406900120}
        $b = {8346002007902046 [0-1000] 082107A8009100210DF10409032289E8320801214346059606900120}
        $c = {8346002007903046 [0-1000] 082107A800910021019101210296032203955346CDF810B0059406900020}

    condition:
        Macho and any of them
}
// OSX.Genieo.D: the class-like name $c plus at least one of the two byte
// patterns. The condition has no Macho or filesize guard.
rule GenieoD
{
    meta:
        description = "OSX.Genieo.D"

    strings:
        // $a and $b are raw byte patterns (not printable text); presumably compiled code.
        $a = {49 89 C4 0F 57 C0 0F 29 85 80 FE FF FF 0F 29 85 70 FE FF FF 0F 29 85 60 FE FF FF 0F 29 85 50 FE FF FF 41 B8 10 00 00 00 4C 89 E7 48 8B B5 40 FE FF FF 48 8D 95 50 FE FF FF 48}
        $b = {F2 0F 59 C1 F2 0F 5C D0 F2 0F 11 55 B8 0F 28 C2 F2 0F 10 55 D8 F2 0F 10 5D C8 F2 0F 58 DA F2 0F 59 D1 F2 0F 5C DA F2 0F 11 5D B0 0F 28 CB 31 FF BE 05 00 00 00 31 D2}
        // "InstallMacAppDelegate"
        $c = {49 6E 73 74 61 6C 6C 4D 61 63 41 70 70 44 65 6C 65 67 61 74 65}

    condition:
        any of ($a, $b) and $c
}
// OSX.Genieo.C: exact-hash signature. Matches only a Mach-O of at most
// 500000 bytes whose whole-file SHA-1 equals the digest; altered copies are missed.
rule GenieoC
{
    meta:
        description = "OSX.Genieo.C"

    condition:
        Macho and
        filesize <= 500000 and
        hash.sha1(0, filesize) == "a3e827031f1466444272499ef853484bac1eb90b"
}
// OSX.Genieo.B: exact-hash signature over two whole-file SHA-1 digests,
// limited to Mach-O files of at most 600000 bytes.
rule GenieoB
{
    meta:
        description = "OSX.Genieo.B"

    condition:
        Macho and
        filesize <= 600000 and
        (
            hash.sha1(0, filesize) == "495735da5fb582b93d90fff2c8b996d25e21aa31" or
            hash.sha1(0, filesize) == "0e196c0677bf6f94411229defc94639dd1b62b76"
        )
}
// OSX.Vindinstaller.A: exact-hash signature for one Mach-O sample of at
// most 1200000 bytes.
rule VindinstallerA
{
    meta:
        description = "OSX.Vindinstaller.A"

    condition:
        Macho and
        filesize <= 1200000 and
        hash.sha1(0, filesize) == "c040eee0f0d06d672cbfca94f2cbfc19795dd98d"
}
// OSX.OpinionSpy.B: exact-hash signature with no file-format guard; every
// file of at most 9000000 bytes is a candidate for whole-file hashing.
rule OpinionSpyB
{
    meta:
        description = "OSX.OpinionSpy.B"

    condition:
        filesize <= 9000000 and
        hash.sha1(0, filesize) == "a0d0b9d34f07c7d99852b9b833ba8f472bb56516"
}
// OSX.Genieo.A: exact-hash signature for one Mach-O sample of at most
// 400000 bytes.
rule GenieoA
{
    meta:
        description = "OSX.Genieo.A"

    condition:
        Macho and
        filesize <= 400000 and
        hash.sha1(0, filesize) == "d07341c08173d0e885e6cafd7d5c50ebde07b205"
}
// OSX.InstallImitator.C: exact-hash signature for one Mach-O sample of at
// most 400000 bytes.
rule InstallImitatorC
{
    meta:
        description = "OSX.InstallImitator.C"

    condition:
        Macho and
        filesize <= 400000 and
        hash.sha1(0, filesize) == "eeac1275e018e886b3288daae7b07842aec57efd"
}
// OSX.InstallImitator.B: Mach-O containing one fixed byte pattern.
// No filesize bound is applied.
rule InstallImitatorB
{
    meta:
        description = "OSX.InstallImitator.B"

    strings:
        // Raw byte pattern (not printable text); presumably compiled code.
        $a = {4989C64C89FF41FFD44889DF41FFD4488B7DC041FFD4488B7DA841FFD4488B5DB84889DF41FFD4488B7DB041FFD44889DF41FFD44C89F74883C4385B415C415D415E415F5D}

    condition:
        Macho and $a
}
// OSX.InstallImitator.A: exact-hash signature over nine whole-file SHA-1
// digests, limited to Mach-O files of at most 800000 bytes.
rule InstallImitatorA
{
    meta:
        description = "OSX.InstallImitator.A"

    condition:
        Macho and
        filesize <= 800000 and
        (
            hash.sha1(0, filesize) == "f58722369a28920076220247a0c4e3360765f0ba" or
            hash.sha1(0, filesize) == "3b7e269867c5e1223f502d39dc14de30b1efdda9" or
            hash.sha1(0, filesize) == "734d7e37ec664a7607e62326549cb7d3088ed023" or
            hash.sha1(0, filesize) == "ea45a2a22ca9a02c07bb4b2367e5d64ea7314731" or
            hash.sha1(0, filesize) == "f9646dc74337ee23a8c159f196419c46518a8095" or
            hash.sha1(0, filesize) == "cd9b8da9e01f3ebf0e13c526a372fa65495e3778" or
            hash.sha1(0, filesize) == "16b59ab450a9c1adab266aefcf4e8f8cf405ac9c" or
            hash.sha1(0, filesize) == "4c87de3aa5a9c79c7f477baa4a23fba0e62dc9d8" or
            hash.sha1(0, filesize) == "4df5387fe72b8abe0e341012334b8993f399d366"
        )
}
// OSX.VSearch.A: exact-hash signature over five whole-file SHA-1 digests,
// limited to Mach-O files of at most 2000000 bytes.
rule VSearchA
{
    meta:
        description = "OSX.VSearch.A"

    condition:
        Macho and
        filesize <= 2000000 and
        (
            hash.sha1(0, filesize) == "6c6acb179b232c0f1a6bb27699809320cc2c1529" or
            hash.sha1(0, filesize) == "cebb19fee8fd72c0975ea9a19feea3b5ce555f94" or
            hash.sha1(0, filesize) == "1503f1d7d275e976cd94cfd72929e0409e0cf76a" or
            hash.sha1(0, filesize) == "c50adfa949a70b33d77050d7f0e2f86bccbc25cf" or
            hash.sha1(0, filesize) == "40346b3946d7824d38f5ba71181f5c06805200af"
        )
}
// OSX.Machook.A: exact-hash signature over two whole-file SHA-1 digests,
// limited to Mach-O files of at most 40000 bytes.
rule MachookA
{
    meta:
        description = "OSX.Machook.A"

    condition:
        Macho and
        filesize <= 40000 and
        (
            hash.sha1(0, filesize) == "e2b9578780ae318dbdb949aac32a7dde6c77d918" or
            hash.sha1(0, filesize) == "bb8cbc2ab928d66fa1f17e02ff2634ad38a477d6"
        )
}
// OSX.Machook.B: exact-hash signature for one Mach-O sample of at most
// 100000 bytes.
rule MachookB
{
    meta:
        description = "OSX.Machook.B"

    condition:
        Macho and
        filesize <= 100000 and
        hash.sha1(0, filesize) == "ae3e35f8ac6a2a09abdb17dbce3874b9fd9a7b7b"
}
// OSX.iWorm.A: exact-hash signature for one Mach-O sample of at most
// 200000 bytes.
rule IWormA
{
    meta:
        description = "OSX.iWorm.A"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 200000 and
        hash.sha1(0, filesize) == "c0800cd5095b28da4b6ca01468a279fb5be6921a"
}
// OSX.iWorm.B/C: exact-hash signature for one file of at most 500 bytes;
// no file-format guard is applied.
rule IWormBC
{
    meta:
        description = "OSX.iWorm.B/C"
        xprotect_rule = true

    condition:
        filesize <= 500 and
        hash.sha1(0, filesize) == "5e68569d32772a479dfa9e6a23b2f3ae74b2028f"
}
// OSX.NetWeird.ii: exact-hash signature over two whole-file SHA-1 digests,
// limited to Mach-O files of at most 200000 bytes.
rule NetWeirdB
{
    meta:
        description = "OSX.NetWeird.ii"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 200000 and
        (
            hash.sha1(0, filesize) == "ed119afc2cc662e983fed2517e44e321cf695eee" or
            hash.sha1(0, filesize) == "b703e0191eabaa41e1188c6a098fed36964732e2"
        )
}
// OSX.NetWeird.i: exact-hash signature over two whole-file SHA-1 digests,
// limited to Mach-O files of at most 200000 bytes.
rule NetWeirdA
{
    meta:
        description = "OSX.NetWeird.i"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 200000 and
        (
            hash.sha1(0, filesize) == "6f745ef4f9f521984d8738300148e83f50d01a9d" or
            hash.sha1(0, filesize) == "56abae0864220fc56ede6a121fde676b5c22e2e9"
        )
}
// OSX.GetShell.A: exact-hash signature for one Mach-O sample of at most
// 21000 bytes.
rule GetShellA
{
    meta:
        description = "OSX.GetShell.A"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 21000 and
        hash.sha1(0, filesize) == "112d4e785e363abfec51155a5536c072a0da4986"
}
// OSX.LaoShu.A: exact-hash signature for one Mach-O sample of at most
// 50000 bytes.
rule LaoShuA
{
    meta:
        description = "OSX.LaoShu.A"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 50000 and
        hash.sha1(0, filesize) == "2e243393a4e997d53d3d80516571a64f10313116"
}
// OSX.Abk.A: exact-hash signature for one Mach-O sample of at most
// 250000 bytes.
rule AbkA
{
    meta:
        description = "OSX.Abk.A"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 250000 and
        hash.sha1(0, filesize) == "3edb177abc8934fdc7d537f5115bb4fb6ab41c3f"
}
// OSX.CoinThief.A: exact-hash signature for one file of at most 350000
// bytes; no file-format guard is applied.
rule CoinThiefA
{
    meta:
        description = "OSX.CoinThief.A"
        xprotect_rule = true

    condition:
        filesize <= 350000 and
        hash.sha1(0, filesize) == "37c4bc94f2c08e90a47825fe7b2afbce908b5d74"
}
// OSX.CoinThief.B: exact-hash signature over two whole-file SHA-1 digests
// for files of at most 3000000 bytes; no file-format guard is applied.
rule CoinThiefB
{
    meta:
        description = "OSX.CoinThief.B"
        xprotect_rule = true

    condition:
        filesize <= 3000000 and
        (
            hash.sha1(0, filesize) == "c2b81f705670c837c0bf5a2ddd1e398e967c0a08" or
            hash.sha1(0, filesize) == "02e243157dbc8803a364e9410a5c41b36de64c95"
        )
}
// OSX.CoinThief.C: exact-hash signature for one Mach-O sample of at most
// 29000 bytes.
rule CoinThiefC
{
    meta:
        description = "OSX.CoinThief.C"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 29000 and
        hash.sha1(0, filesize) == "d4d1480a623378202517cf86efc4ec27f3232f0d"
}
// OSX.RSPlug.A: matches when all plugin file names ($a*) are present, or
// when both installer-plist fragments ($b*) are present. The condition has
// no file-format or filesize guard.
rule RSPlugA
{
    meta:
        description = "OSX.RSPlug.A"
        xprotect_rule = true

    strings:
        // "Mozillaplug.plugin" + NUL
        $a1 = {4D6F7A696C6C61706C75672E706C7567696E00}
        // "VerifiedDownloadPlugin" + NUL
        $a2 = {5665726966696564446F776E6C6F6164506C7567696E00}
        // "VerifiedDownloadPlugin.rsrc" + NUL
        $a3 = {5665726966696564446F776E6C6F6164506C7567696E2E7273726300}
        // "<key>IFPkgFlagDefaultLocation</key>"
        $b1 = {3C6B65793E4946506B67466C616744656661756C744C6F636174696F6E3C2F6B65793E}
        // "<string>/Library/Internet Plug-Ins/</string>"
        $b2 = {3C737472696E673E2F4C6962726172792F496E7465726E657420506C75672D496E732F3C2F737472696E673E}

    condition:
        (all of ($a*)) or (all of ($b*))
}
// OSX.Iservice.A/B: Mach-O containing one long contiguous data blob.
// No filesize bound is applied.
rule IServiceA
{
    meta:
        description = "OSX.Iservice.A/B"
        xprotect_rule = true

    strings:
        // NUL-separated strings in a fixed layout: an assertion-failure format
        // string, a source path ending in "aes/aes_modes.c", two hard-coded
        // host:port values, "startup", "root" and "/bin/sh". Because the whole
        // blob must match byte-for-byte, a rebuild that moves or changes any
        // one of these strings is not detected.
        $a = {27666F72272073746570206D7573742062652061206E756D6265720025733A25753A206661696C656420617373657274696F6E20602573270A0000002F55736572732F6A61736F6E2F64696172726865612F6165732F6165735F6D6F6465732E63000000625F706F73203D3D2030000062616E0036392E39322E3137372E3134363A3539323031007177666F6A7A6C6B2E66726565686F737469612E636F6D3A31303234000000007374617274757000666600002C000000726F6F74000000002F62696E2F7368}

    condition:
        Macho and $a
}
// OSX.HellRTS.A: matches on either of two whole-file SHA-1 digests or on
// the presence of all four strings.
// NOTE(review): "and" binds tighter than "or" in YARA, so the filesize
// bound only applies to the first digest; the second digest and the string
// test are evaluated for files of any size. The parentheses below make that
// existing grouping explicit without changing it. Confirm whether the bound
// was meant to cover both digests.
rule HellRTS
{
    meta:
        description = "OSX.HellRTS.A"
        xprotect_rule = true

    strings:
        // "ellRaiser Server", bytes 00 16, then "_DEBUG_LOG_PRIVATE.txt"
        $a1 = {656C6C5261697365722053657276657200165F44454255475F4C4F475F505249564154452E747874}
        // "StartServer > ! SERVER RESTARTED"
        $a2 = {5374617274536572766572203E20212053455256455220524553544152544544}
        // Template of a "/usr/bin/defaults write loginwindow
        // AutoLaunchedApplicationDictionary -array-add ..." command, i.e. a
        // login-item entry with Hide and Path keys.
        $a3 = {2F7573722F62696E2F64656661756C7473207772697465206C6F67696E77696E646F77204175746F4C61756E636865644170706C69636174696F6E44696374696F6E617279202D61727261792D61646420273C646963743E3C6B65793E486964653C2F6B65793E3C00192F3E3C6B65793E506174683C2F6B65793E3C737472696E673E00113C2F737472696E673E3C2F646963743E27}
        // "HellRaiser Server"
        $a4 = {48656C6C52616973657220536572766572}

    condition:
        (
            filesize <= 100000 and
            hash.sha1(0, filesize) == "a8afa8e646bd6a02cfaa844735b94c50820bb9f5"
        ) or
        hash.sha1(0, filesize) == "0ba58f54b44b2ee8a1f149e1a686deeedebb79ba" or
        all of ($a*)
}
// OSX.OpinionSpy: a single archive-entry pattern; no file-format or
// filesize guard is applied.
rule OpinionSpyA
{
    meta:
        description = "OSX.OpinionSpy"
        xprotect_rule = true

    strings:
        // Starts with 50 4B 01 02 ("PK" 01 02, which looks like a ZIP
        // central-directory entry header), has two skipped fields of 4 and
        // 12 bytes, and ends with the entry name
        // "com/izforge/izpack/panels/poinstaller".
        $a = {504B010214000A0000000800547D8B3B9B0231BC [4] 502D0700250000000000 [12] 636F6D2F697A666F7267652F697A7061636B2F70616E656C732F706F696E7374616C6C6572}

    condition:
        $a
}
// OSX.MacDefender.A: matches on all package-plist fragments ($a*) or on
// all four resource file names ($b*). No file-format or filesize guard.
rule MacDefenderA
{
    meta:
        description = "OSX.MacDefender.A"
        xprotect_rule = true

    strings:
        // "<key>CFBundleIdentifier</key>"
        $a1 = {3C6B65793E434642756E646C654964656E7469666965723C2F6B65793E}
        // "<string>com.AVMakers."
        $a2 = {3C737472696E673E636F6D2E41564D616B6572732E}
        // ".pkg</string>"
        $a3 = {2E706B673C2F737472696E673E}
        // "ControlCenterD.nib"
        $b1 = {436F6E74726F6C43656E746572442E6E6962}
        // "VirusFound.png"
        $b2 = {5669727573466F756E642E706E67}
        // "Wallet.png"
        $b3 = {57616C6C65742E706E67}
        // "affid.txt"
        $b4 = {61666669642E747874}

    condition:
        (all of ($a*)) or (all of ($b*))
}
// OSX.MacDefender.B: file of at most 1000000 bytes that either contains
// the bundle-layout pattern $a or has one of twelve whole-file SHA-1 digests.
rule MacDefenderB
{
    meta:
        description = "OSX.MacDefender.B"
        xprotect_rule = true

    strings:
        // "Contents", "Info.plist", "MacOS" and "Resources" in that order with
        // bounded gaps, then one of four 7-byte alternatives, then the name
        // "DownloadPict.png" surrounded by fixed padding bytes.
        $a = {436F6E74656E7473 [0-64] 496E666F2E706C697374 [0-64] 4D61634F53 [0-256] 5265736F7572636573 [0-128] 0000 (0AF101134A4495 | 0B20012B644D93 | 0B1F01B1239428 | 0B1F0158C4CC11) 000000000000000000000008446F776E6C6F6164506963742E706E6700000000}

    condition:
        filesize <= 1000000 and
        (
            $a or
            hash.sha1(0, filesize) == "03fce25a7823e63139752506668eededae4d33b7" or
            hash.sha1(0, filesize) == "0dceacd1eb6d25159bbf9408bfa0b75dd0eac181" or
            hash.sha1(0, filesize) == "1191ed22b3f3a7578e0cedf8993f6d647a7302b1" or
            hash.sha1(0, filesize) == "5fd47e23be3a2a2de526398c53bc27ebc4794e61" or
            hash.sha1(0, filesize) == "6b1b5d799bbc766f564c838c965baf2ca31502df" or
            hash.sha1(0, filesize) == "7eb5702f706e370ced910dd30f73fef3e725c2bb" or
            hash.sha1(0, filesize) == "7815c43edd431d6f0a96da8e166347f36ee9f932" or
            hash.sha1(0, filesize) == "a172738a91bada5967101e9d3d7ef2f7c058b75b" or
            hash.sha1(0, filesize) == "b350021f80ff6dacd31a53d8446d21e333e68790" or
            hash.sha1(0, filesize) == "eb876a4fd893fd54da1057d854f5043f6c144b67" or
            hash.sha1(0, filesize) == "3596070edc0badcf9e29f4b1172f00cebb863396" or
            hash.sha1(0, filesize) == "8cfce1b81e03242c36de4ad450f199f6f4d76841"
        )
}
// OSX.QHostWB.A: file of at most 15000 bytes that contains the package
// plist pattern $a or has the listed whole-file SHA-1 digest.
rule QHostWBA
{
    meta:
        description = "OSX.QHostWB.A"
        xprotect_rule = true

    strings:
        // "<key>CFBundleIdentifier</key>" with the string value
        // "com.FlashPlayer.flashplayer.pkg", then within 400 bytes
        // "<key>IFPkgFlagAuthorizationAction</key>" with the value
        // "RootAuthorization".
        $a = {3C6B65793E434642756E646C654964656E7469666965723C2F6B65793E0A093C737472696E673E636F6D2E466C617368506C617965722E666C617368706C617965722E706B673C2F737472696E673E [0-400] 3C6B65793E4946506B67466C6167417574686F72697A6174696F6E416374696F6E3C2F6B65793E0A093C737472696E673E526F6F74417574686F72697A6174696F6E3C2F737472696E673E}

    condition:
        filesize <= 15000 and
        (
            $a or
            hash.sha1(0, filesize) == "968430f1500fc475b6507f3c1d575714c785801a"
        )
}
// OSX.Revir.A: exact-hash signature for one Mach-O sample of at most
// 300000 bytes.
rule RevirA
{
    meta:
        description = "OSX.Revir.A"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 300000 and
        hash.sha1(0, filesize) == "60b0ef03b65d08e4ea753c63a93d26467e9b953e"
}
// OSX.Revir.ii: exact-hash signature for one Mach-O sample of at most
// 50000 bytes.
rule RevirB
{
    meta:
        description = "OSX.Revir.ii"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 50000 and
        hash.sha1(0, filesize) == "20196eaac0bf60ca1184a517b88b564bf80d64b2"
}
// OSX.Flashback.A: exact-hash signature over nine whole-file SHA-1 digests
// for files of at most 200000 bytes; no file-format guard is applied.
rule FlashbackA
{
    meta:
        description = "OSX.Flashback.A"
        xprotect_rule = true

    condition:
        filesize <= 200000 and
        (
            hash.sha1(0, filesize) == "4cca20ffe6413a34176daab9b073bcd7f78a02b9" or
            hash.sha1(0, filesize) == "2b69d70a55e6effcabe5317334c09c83e8d615eb" or
            hash.sha1(0, filesize) == "bd5e541ee0aeba084f10b1149459db7898677e40" or
            hash.sha1(0, filesize) == "033de56ba7d4e5198838530c75c7570cd5996da8" or
            hash.sha1(0, filesize) == "a99f651cdcef3766572576c5dab58ba48c0819c0" or
            hash.sha1(0, filesize) == "6da26fd20abb4815c56f638924dc82cf6ca65caf" or
            hash.sha1(0, filesize) == "ffdcd8fb4697d4c88513b99cc748e73cf50f9186" or
            hash.sha1(0, filesize) == "026107095b367d7c1249ef7ad356ecd613ebe814" or
            hash.sha1(0, filesize) == "02a35e2ef3ccdf50d0755b27b42c21e8ce857d09"
        )
}
// OSX.Flashback.B: two exact-hash groups, each with its own size bound
// (four digests at <= 200000 bytes, three digests at <= 300000 bytes).
// "and" binds tighter than "or", so each bound applies only to its own
// group; the outer parentheses below spell out that existing grouping.
rule FlashbackB
{
    meta:
        description = "OSX.Flashback.B"
        xprotect_rule = true

    condition:
        (
            filesize <= 200000 and
            (
                hash.sha1(0, filesize) == "fd7810b4458a583cca9c610bdf5a4181baeb2233" or
                hash.sha1(0, filesize) == "7004aec6b8193b8c3e8032d720dc121b23b921b7" or
                hash.sha1(0, filesize) == "b87a94ddd93fc036215056fbbed92380eefcadc2" or
                hash.sha1(0, filesize) == "3f40c8d93bc7d32d3c48eedacc0cd411cf273dba"
            )
        ) or
        (
            filesize <= 300000 and
            (
                hash.sha1(0, filesize) == "e266dd856008863704dd9af7608a58137d8936ba" or
                hash.sha1(0, filesize) == "7b6d5edf04a357d123f2da219f0c7c085ffa67fc" or
                hash.sha1(0, filesize) == "284484b13022e809956bb20b6ba741bd2c0a7117"
            )
        )
}
// OSX.Flashback.C: exact-hash signature over six whole-file SHA-1 digests
// for files of at most 300000 bytes; no file-format guard is applied.
rule FlashbackC
{
    meta:
        description = "OSX.Flashback.C"
        xprotect_rule = true

    condition:
        filesize <= 300000 and
        (
            hash.sha1(0, filesize) == "12f814ef8258caa2b84bf763af8333e738b5df76" or
            hash.sha1(0, filesize) == "131db26684cfa17a675f5ff9a67a82ce2864ac95" or
            hash.sha1(0, filesize) == "140fba4cafa2a3dff128c5cceeb12ce3e846fa2b" or
            hash.sha1(0, filesize) == "585e1e8aa48680ba2c4c159c6a422f05a5ca1e5c" or
            hash.sha1(0, filesize) == "392b6b110cec1960046061d37ca0368d1c769c65" or
            hash.sha1(0, filesize) == "b95a2a9a15a67c1f4dfce1f3ee8ef4429f86747c"
        )
}
// OSX.DevilRobber.A: a Mach-O containing all three $a strings, or any file
// containing the plist fragment $b.
// NOTE(review): the $a strings are shell-script text, yet that branch
// requires the Macho header; presumably the script is embedded in the
// binary. Confirm against a sample.
rule DevilRobberA
{
    meta:
        description = "OSX.DevilRobber.A"
        xprotect_rule = true

    strings:
        // PLIST_NAME="$HOME/Library/LaunchAgents/com.apple.legion.plist"
        $a1 = {504C4953545F4E414D453D2224484F4D452F4C6962726172792F4C61756E63684167656E74732F636F6D2E6170706C652E6C6567696F6E2E706C69737422}
        // chmod +x "$HOME/$MAIN_DIR/$EXEC_NAME"
        $a2 = {63686D6F64202B78202224484F4D452F244D41494E5F4449522F24455845435F4E414D4522}
        // "com.apple.legion"
        $a3 = {636F6D2E6170706C652E6C6567696F6E}
        // "<key>CFBundleExecutable</key>" then, within 20 bytes,
        // "<string>preflight</string>"
        $b = {3C6B65793E434642756E646C6545786563757461626C653C2F6B65793E [0-20] 3C737472696E673E707265666C696768743C2F737472696E673E}

    condition:
        $b or (Macho and all of ($a*))
}
// OSX.DevilRobber.B: all seven shell-script / plist fragments must be
// present. No file-format or filesize guard is applied.
rule DevilRobberB
{
    meta:
        description = "OSX.DevilRobber.B"
        xprotect_rule = true

    strings:
        // "EXEC_NAME="
        $a1 = {455845435F4E414D453D}
        // "SH_NAME="
        $a2 = {53485F4E414D453D}
        // "ARCHIVE_NAME="
        $a3 = {415243484956455F4E414D453D}
        // PLIST_NAME="$HOME/Library/LaunchAgents/com.apple.mopper.plist" + newline
        $a4 = {504C4953545F4E414D453D2224484F4D452F4C6962726172792F4C61756E63684167656E74732F636F6D2E6170706C652E6D6F707065722E706C697374220A}
        // chmod +x "$HOME/$MAIN_DIR/$EXEC_NAME"
        $a5 = {63686D6F64202B78202224484F4D452F244D41494E5F4449522F24455845435F4E414D4522}
        // chmod +x "$HOME/$MAIN_DIR/d_start.sh"
        $a6 = {63686D6F64202B78202224484F4D452F244D41494E5F4449522F645F73746172742E736822}
        // "<string>com.apple.mopper</string>"
        $a7 = {3C737472696E673E636F6D2E6170706C652E6D6F707065723C2F737472696E673E}

    condition:
        all of them
}
// OSX.FileSteal.ii: exact-hash signature for one Mach-O sample of at most
// 115000 bytes.
rule FileStealB
{
    meta:
        description = "OSX.FileSteal.ii"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 115000 and
        hash.sha1(0, filesize) == "1eedde872cc14492b2e6570229c0f9bc54b3f258"
}
// OSX.FileSteal.i: Mach-O containing all four names. No filesize bound.
rule FileStealA
{
    meta:
        description = "OSX.FileSteal.i"
        xprotect_rule = true

    strings:
        // "FileBackupAppDelegate"
        $a1 = {46696C654261636B757041707044656C6567617465}
        // "TaskWrapper"
        $a2 = {5461736B57726170706572}
        // "/usr/bin/curl"
        $a3 = {2F7573722F62696E2F6375726C}
        // "ZipUpload"
        $a4 = {5A697055706C6F6164}

    condition:
        Macho and all of them
}
// OSX.Mdropper.i: all four patterns must be present. The condition does
// not reference Macho; $a3 and $a4 are Mach-O segment/symbol names instead.
rule MDropperA
{
    meta:
        description = "OSX.Mdropper.i"
        xprotect_rule = true

    strings:
        // "/tmp/launch-hs", "/tmp/launch-hse" and "/tmp/" separated by NULs
        $a1 = {2F746D702F6C61756E63682D6873002F746D702F6C61756E63682D687365002F746D702F}
        // NUL, then a shell script: "#!/bin/sh", "/tmp/launch-hse &",
        // "open /tmp/file.doc &"
        $a2 = {0023212F62696E2F73680A2F746D702F6C61756E63682D68736520260A6F70656E202F746D702F66696C652E646F6320260A0A}
        // "__PAGEZERO" between NUL bytes
        $a3 = {00005F5F504147455A45524F00}
        // NUL + "__mh_execute_header"
        $a4 = {005F5F6D685F657865637574655F686561646572}

    condition:
        all of them
}
// OSX.FkCodec.i: a single plist fragment; no file-format or filesize guard.
rule FkCodecA
{
    meta:
        description = "OSX.FkCodec.i"
        xprotect_rule = true

    strings:
        // "<key>name</key>", a <dict> whose "en" entry is the string
        // "Codec-M", then "<key>version</key>"; the newline and tab bytes
        // between the elements are part of the pattern.
        $a = {3C6B65793E6E616D653C2F6B65793E0A093C646963743E0A09093C6B65793E656E3C2F6B65793E0A09093C737472696E673E436F6465632D4D3C2F737472696E673E0A093C2F646963743E0A093C6B65793E76657273696F6E3C2F6B65793E}

    condition:
        $a
}
// OSX.MaControl.i: exact-hash signature for one Mach-O sample of at most
// 110000 bytes.
rule MaControlA
{
    meta:
        description = "OSX.MaControl.i"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 110000 and
        hash.sha1(0, filesize) == "8a86ff808d090d400201a1f94d8f706a9da116ca"
}
// OSX.Revir.iii: exact-hash signature for one Mach-O sample of at most
// 25000 bytes.
rule RevirC
{
    meta:
        description = "OSX.Revir.iii"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 25000 and
        hash.sha1(0, filesize) == "265dafd0978c0b3254b1ac27dbedb59593722d2d"
}
// OSX.Revir.iv: exact-hash signature for one Mach-O sample of at most
// 40000 bytes.
rule RevirD
{
    meta:
        description = "OSX.Revir.iv"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 40000 and
        hash.sha1(0, filesize) == "782312db766a42337af30093a2fd358eeed97f53"
}
// OSX.SMSSend.i: exact-hash signature for one Mach-O sample of at most
// 15000000 bytes.
rule SMSSendA
{
    meta:
        description = "OSX.SMSSend.i"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 15000000 and
        hash.sha1(0, filesize) == "6c2b47384229eba6f398c74a0ba1516b3a674723"
}
// OSX.SMSSend.ii: exact-hash signature for one Mach-O sample of at most
// 15000000 bytes.
rule SMSSendB
{
    meta:
        description = "OSX.SMSSend.ii"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 15000000 and
        hash.sha1(0, filesize) == "a07d8497519404728f431aeec1cd35d37efc1cbb"
}
// OSX.eicar.com.i: exact-hash signature with no file-format guard.
// NOTE(review): the only pre-filter is filesize <= 100000000, so every file
// up to that size is a candidate for whole-file SHA-1 hashing by this rule.
rule EICAR
{
    meta:
        description = "OSX.eicar.com.i"
        xprotect_rule = true

    condition:
        filesize <= 100000000 and
        hash.sha1(0, filesize) == "3395856ce81f2b7382dee72602f798b642f14140"
}
// OSX.AdPlugin.i: exact-hash signature for one file of at most 500000
// bytes; no file-format guard is applied.
rule AdPluginA
{
    meta:
        description = "OSX.AdPlugin.i"
        xprotect_rule = true

    condition:
        filesize <= 500000 and
        hash.sha1(0, filesize) == "f63805148d85d8b757a50580bba11e02c192a2b8"
}
// OSX.AdPlugin2.i: exact-hash signature for one file of at most 40000
// bytes; no file-format guard is applied.
rule AdPluginB
{
    meta:
        description = "OSX.AdPlugin2.i"
        xprotect_rule = true

    condition:
        filesize <= 40000 and
        hash.sha1(0, filesize) == "fe59a309e5689374dba50bc7349d62148f1ab9aa"
}
// OSX.Leverage.a: exact-hash signature for one Mach-O sample of at most
// 2500000 bytes.
rule LeverageA
{
    meta:
        description = "OSX.Leverage.a"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 2500000 and
        hash.sha1(0, filesize) == "41448afcb7b857866a5f6e77d3ef3a393598f91e"
}
// OSX.Prxl.2: exact-hash signature over three whole-file SHA-1 digests,
// limited to Mach-O files of at most 24000 bytes.
rule PrxlA
{
    meta:
        description = "OSX.Prxl.2"
        xprotect_rule = true

    condition:
        Macho and
        filesize <= 24000 and
        (
            hash.sha1(0, filesize) == "edff0cd0111ee1e3a85dbd0961485be1499bdb66" or
            hash.sha1(0, filesize) == "429ed6bced9bb18b95e7a5b5de9a7b023a2a7d2c" or
            hash.sha1(0, filesize) == "f1a32e53439d3adc967a3b47f9071de6c10fce4e"
        )
}
// MACOS.51f7dde: Mach-O under 2MB containing the bundle identifier, the
// controller class name and all four "Smoke" selectors.
rule XProtect_MACOS_51f7dde
{
    meta:
        description = "MACOS.51f7dde"

    strings:
        // "com.refog.viewer"
        $a = { 63 6F 6D 2E 72 65 66 6F 67 2E 76 69 65 77 65 72 }
        // "SmokeController"
        $b = { 53 6D 6F 6B 65 43 6F 6E 74 72 6F 6C 6C 65 72 }
        // "updateSmokeStatus"
        $c1 = { 75 70 64 61 74 65 53 6D 6F 6B 65 53 74 61 74 75 73 }
        // "pauseSmoke:"
        $c2 = { 70 61 75 73 65 53 6D 6F 6B 65 3A }
        // "resumeSmoke:"
        $c3 = { 72 65 73 75 6D 65 53 6D 6F 6B 65 3A }
        // "stopSmoke:"
        $c4 = { 73 74 6F 70 53 6D 6F 6B 65 3A }

    condition:
        Macho and filesize < 2MB and $a and $b and all of ($c*)
}
// MACOS.cb4abc2: Mach-O under 1MB containing all nine strings: launchd
// plist paths, /proc path templates, two ".cls" file names, a cache
// database path and a fixed User-Agent header.
rule XProtect_MACOS_cb4abc2
{
    meta:
        description = "MACOS.cb4abc2"

    strings:
        // "/Library/LaunchAgents/com.aex-loop.agent.plist"
        $s1 = { 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 41 67 65 6E 74 73 2F 63 6F 6D 2E 61 65 78 2D 6C 6F 6F 70 2E 61 67 65 6E 74 2E 70 6C 69 73 74 }
        // "/Library/LaunchDaemons/com.aex-loop.agent.plist"
        $s2 = { 2F 4C 69 62 72 61 72 79 2F 4C 61 75 6E 63 68 44 61 65 6D 6F 6E 73 2F 63 6F 6D 2E 61 65 78 2D 6C 6F 6F 70 2E 61 67 65 6E 74 2E 70 6C 69 73 74 }
        // "/proc/%d/task"
        $s3 = { 2F 70 72 6F 63 2F 25 64 2F 74 61 73 6B }
        // "/proc/%d/cmdline"
        $s4 = { 2F 70 72 6F 63 2F 25 64 2F 63 6D 64 6C 69 6E 65 }
        // "/proc/%d/status"
        $s5 = { 2F 70 72 6F 63 2F 25 64 2F 73 74 61 74 75 73 }
        // "c_2910.cls"
        $s6 = { 63 5F 32 39 31 30 2E 63 6C 73 }
        // "k_3872.cls"
        $s7 = { 6B 5F 33 38 37 32 2E 63 6C 73 }
        // "/Library/Caches/com.apple.appstore.db"
        $s8 = { 2F 4C 69 62 72 61 72 79 2F 43 61 63 68 65 73 2F 63 6F 6D 2E 61 70 70 6C 65 2E 61 70 70 73 74 6F 72 65 2E 64 62 }
        // "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...
        // Chrome/65.0.3325.181 Safari/537.36"
        $s9 = { 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 31 30 2E 30 3B 20 57 69 6E 36 34 3B 20 78 36 34 29 20 41 70 70 6C 65 57 65 62 4B 69 74 2F 35 33 37 2E 33 36 20 28 4B 48 54 4D 4C 2C 20 6C 69 6B 65 20 47 65 63 6B 6F 29 20 43 68 72 6F 6D 65 2F 36 35 2E 30 2E 33 33 32 35 2E 31 38 31 20 53 61 66 61 72 69 2F 35 33 37 2E 33 36 }

    condition:
        Macho and filesize < 1MB and all of ($s*)
}
// MACOS.fa6a259: Mach-O under 1MB matching one of two pairs: the bundle
// name with the run-from-hidden-file command ($s1 + $s3), or the
// dot-prefixed name with the download-and-run command ($s2 + $s4).
rule XProtect_MACOS_fa6a259
{
    meta:
        description = "MACOS.fa6a259"

    strings:
        // "com.TinkaOTP"
        $s1 = { 63 6F 6D 2E 54 69 6E 6B 61 4F 54 50 }
        // ".com.TinkaOTP"
        $s2 = { 2E 63 6F 6D 2E 54 69 6E 6B 61 4F 54 50 }
        // Shell fragment: " ~/Library/.mina > /dev/null 2>&1 && chmod +x
        // ~/Library/.mina > /dev/null 2>&1 && ~/Library/.mina > /dev/null 2>&1"
        $s3 = { 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 20 26 26 20 63 68 6D 6F 64 20 2B 78 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 20 26 26 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 }
        // "curl -k -o ~/Library/.mina" with a hard-coded https URL, followed
        // by the same chmod-and-run tail as $s3. The full URL is part of the
        // pattern, so a sample pointing at a different host only matches
        // through the $s1 + $s3 pair.
        $s4 = { 63 75 72 6C 20 2D 6B 20 2D 6F 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 68 74 74 70 73 3A 2F 2F 6C 6F 6E 65 65 61 67 6C 65 72 65 63 6F 72 64 73 2E 63 6F 6D 2F 77 70 2D 63 6F 6E 74 65 6E 74 2F 75 70 6C 6F 61 64 73 2F 32 30 32 30 2F 30 31 2F 69 6D 61 67 65 73 2E 74 67 7A 2E 30 30 31 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 20 26 26 20 63 68 6D 6F 64 20 2B 78 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 20 26 26 20 7E 2F 4C 69 62 72 61 72 79 2F 2E 6D 69 6E 61 20 3E 20 2F 64 65 76 2F 6E 75 6C 6C 20 32 3E 26 31 }

    condition:
        Macho and
        filesize < 1MB and
        (
            ($s1 and $s3) or
            ($s2 and $s4)
        )
}
// MACOS.61ee022: Mach-O under 500KB containing all fifteen strings.
// $s1-$s6 are market-data API URL prefixes (api.kraken.com, api.huobi.pro,
// api.binance.com), $s7 is a build path, $s8-$s15 are account/login UI
// messages. Requiring every string makes the rule specific to one build
// family; a variant that drops any single message is not matched.
rule XProtect_MACOS_61ee022
{
    meta:
        description = "MACOS.61ee022"

    strings:
        // "https://api.kraken.com/0/public/OHLC?pair="
        $s1 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 6B 72 61 6B 65 6E 2E 63 6F 6D 2F 30 2F 70 75 62 6C 69 63 2F 4F 48 4C 43 3F 70 61 69 72 3D }
        // "https://api.huobi.pro/market/history/kline?period="
        $s2 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 68 75 6F 62 69 2E 70 72 6F 2F 6D 61 72 6B 65 74 2F 68 69 73 74 6F 72 79 2F 6B 6C 69 6E 65 3F 70 65 72 69 6F 64 3D }
        // "https://api.binance.com/api/v3/klines?interval="
        $s3 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 62 69 6E 61 6E 63 65 2E 63 6F 6D 2F 61 70 69 2F 76 33 2F 6B 6C 69 6E 65 73 3F 69 6E 74 65 72 76 61 6C 3D }
        // "https://api.kraken.com/0/public/Ticker?pair="
        $s4 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 6B 72 61 6B 65 6E 2E 63 6F 6D 2F 30 2F 70 75 62 6C 69 63 2F 54 69 63 6B 65 72 3F 70 61 69 72 3D }
        // "https://api.huobi.pro/market/detail?symbol="
        $s5 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 68 75 6F 62 69 2E 70 72 6F 2F 6D 61 72 6B 65 74 2F 64 65 74 61 69 6C 3F 73 79 6D 62 6F 6C 3D }
        // "https://api.binance.com/api/v3/ticker/24hr?symbol="
        $s6 = { 68 74 74 70 73 3A 2F 2F 61 70 69 2E 62 69 6E 61 6E 63 65 2E 63 6F 6D 2F 61 70 69 2F 76 33 2F 74 69 63 6B 65 72 2F 32 34 68 72 3F 73 79 6D 62 6F 6C 3D }
        // "/Volumes/Work/Work/Coding/"
        $s7 = { 2F 56 6F 6C 75 6D 65 73 2F 57 6F 72 6B 2F 57 6F 72 6B 2F 43 6F 64 69 6E 67 2F }
        // "Email is invalidate."
        $s8 = { 45 6D 61 69 6C 20 69 73 20 69 6E 76 61 6C 69 64 61 74 65 2E }
        // "Password is incorrect."
        $s9 = { 50 61 73 73 77 6F 72 64 20 69 73 20 69 6E 63 6F 72 72 65 63 74 2E }
        // "Please input confirm password."
        $s10 = { 50 6C 65 61 73 65 20 69 6E 70 75 74 20 63 6F 6E 66 69 72 6D 20 70 61 73 73 77 6F 72 64 2E }
        // "Please input password."
        $s11 = { 50 6C 65 61 73 65 20 69 6E 70 75 74 20 70 61 73 73 77 6F 72 64 2E }
        // "Successfully created a new account."
        $s12 = { 53 75 63 63 65 73 73 66 75 6C 6C 79 20 63 72 65 61 74 65 64 20 61 20 6E 65 77 20 61 63 63 6F 75 6E 74 2E }
        // "This account already exists."
        $s13 = { 54 68 69 73 20 61 63 63 6F 75 6E 74 20 61 6C 72 65 61 64 79 20 65 78 69 73 74 73 2E }
        // "Password is wrong."
        $s14 = { 50 61 73 73 77 6F 72 64 20 69 73 20 77 72 6F 6E 67 2E }
        // "User does not exist!"
        $s15 = { 55 73 65 72 20 64 6F 65 73 20 6E 6F 74 20 65 78 69 73 74 21 }

    condition:
        Macho and filesize < 500KB and all of ($s*)
}
// MACOS.bb90861: Mach-O under 500KB containing all thirty-one strings.
// $s1-$s3 are "%s.lck", "SHELL" and "/bin/zsh"; the rest are upper-case
// configuration/command tag names: "_RUN_TAG_*" ($s4-$s13), "_EXPLORER_*"
// ($s14-$s18), "_FILETIME_STR_TYPE" ($s19), "_CMD_*" and "_TIME_FORMAT"
// ($s20-$s24) and "_PROXY_*" ($s25-$s31).
rule XProtect_MACOS_bb90861
{
    meta:
        description = "MACOS.bb90861"

    strings:
        // "%s.lck"
        $s1 = { 25 73 2E 6C 63 6B }
        // "SHELL"
        $s2 = { 53 48 45 4C 4C }
        // "/bin/zsh"
        $s3 = { 2F 62 69 6E 2F 7A 73 68 }
        // "_RUN_TAG_SERVER1"
        $s4 = { 5F 52 55 4E 5F 54 41 47 5F 53 45 52 56 45 52 31 }
        // "_RUN_TAG_SERVER2"
        $s5 = { 5F 52 55 4E 5F 54 41 47 5F 53 45 52 56 45 52 32 }
        // "_RUN_TAG_PROXY"
        $s6 = { 5F 52 55 4E 5F 54 41 47 5F 50 52 4F 58 59 }
        // "_RUN_TAG_PROXY_USER"
        $s7 = { 5F 52 55 4E 5F 54 41 47 5F 50 52 4F 58 59 5F 55 53 45 52 }
        // "_RUN_TAG_PROXY_PWD"
        $s8 = { 5F 52 55 4E 5F 54 41 47 5F 50 52 4F 58 59 5F 50 57 44 }
        // "_RUN_TAG_FORWARD"
        $s9 = { 5F 52 55 4E 5F 54 41 47 5F 46 4F 52 57 41 52 44 }
        // "_RUN_TAG_TARGET"
        $s10 = { 5F 52 55 4E 5F 54 41 47 5F 54 41 52 47 45 54 }
        // "_RUN_TAG_LISTEN"
        $s11 = { 5F 52 55 4E 5F 54 41 47 5F 4C 49 53 54 45 4E }
        // "_RUN_TAG_UID"
        $s12 = { 5F 52 55 4E 5F 54 41 47 5F 55 49 44 }
        // "_RUN_TAG_TIME_CONN"
        $s13 = { 5F 52 55 4E 5F 54 41 47 5F 54 49 4D 45 5F 43 4F 4E 4E }
        // "_EXPLORER_FILTER"
        $s14 = { 5F 45 58 50 4C 4F 52 45 52 5F 46 49 4C 54 45 52 }
        // "_EXPLORER_DIR_SELF"
        $s15 = { 5F 45 58 50 4C 4F 52 45 52 5F 44 49 52 5F 53 45 4C 46 }
        // "_EXPLORER_DIR_PARENT"
        $s16 = { 5F 45 58 50 4C 4F 52 45 52 5F 44 49 52 5F 50 41 52 45 4E 54 }
        // "_EXPLORER_STR_TYPE"
        $s17 = { 5F 45 58 50 4C 4F 52 45 52 5F 53 54 52 5F 54 59 50 45 }
        // "_EXPLORER_FILE_DELETE_TYPE"
        $s18 = { 5F 45 58 50 4C 4F 52 45 52 5F 46 49 4C 45 5F 44 45 4C 45 54 45 5F 54 59 50 45 }
        // "_FILETIME_STR_TYPE"
        $s19 = { 5F 46 49 4C 45 54 49 4D 45 5F 53 54 52 5F 54 59 50 45 }
        // "_CMD_TEST"
        $s20 = { 5F 43 4D 44 5F 54 45 53 54 }
        // "_CMD_RUN"
        $s21 = { 5F 43 4D 44 5F 52 55 4E }
        // "_TIME_FORMAT"
        $s22 = { 5F 54 49 4D 45 5F 46 4F 52 4D 41 54 }
        // "_CMD_SUCCESS"
        $s23 = { 5F 43 4D 44 5F 53 55 43 43 45 53 53 }
        // "_CMD_FAILED"
        $s24 = { 5F 43 4D 44 5F 46 41 49 4C 45 44 }
        // "_PROXY_CONNECT"
        $s25 = { 5F 50 52 4F 58 59 5F 43 4F 4E 4E 45 43 54 }
        // "_PROXY_HTTP"
        $s26 = { 5F 50 52 4F 58 59 5F 48 54 54 50 }
        // "_PROXY_USER_AGENT"
        $s27 = { 5F 50 52 4F 58 59 5F 55 53 45 52 5F 41 47 45 4E 54 }
        // "_PROXY_KEEP_CONNECTION"
        $s28 = { 5F 50 52 4F 58 59 5F 4B 45 45 50 5F 43 4F 4E 4E 45 43 54 49 4F 4E }
        // "_PROXY_PROGMA"
        $s29 = { 5F 50 52 4F 58 59 5F 50 52 4F 47 4D 41 }
        // "_PROXY_MODE_BASIC"
        $s30 = { 5F 50 52 4F 58 59 5F 4D 4F 44 45 5F 42 41 53 49 43 }
        // "_PROXY_MODE_NTLM"
        $s31 = { 5F 50 52 4F 58 59 5F 4D 4F 44 45 5F 4E 54 4C 4D }

    condition:
        Macho and filesize < 500KB and all of ($s*)
}
// MACOS.2070d41: file under 100KB that starts with "FasdUAS" (presumably a
// compiled AppleScript header) and contains a curl POST command, a
// log.php path and both custom header names. The $b/$c/$d strings are
// stored with a 00 byte before each character (UTF-16BE style).
rule XProtect_MACOS_2070d41
{
    meta:
        description = "MACOS.2070d41"

    strings:
        // "FasdUAS"
        $a = { 46 61 73 64 55 41 53 }
        // "curl --connect-timeout " <2-4 bytes> " -ks -d "
        $b1 = { 00 63 00 75 00 72 00 6C 00 20 00 2D 00 2D 00 63 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 2D 00 74 00 69 00 6D 00 65 00 6F 00 75 00 74 00 20 00 [2-4] 20 00 2D 00 6B 00 73 00 20 00 2D 00 64 00 20 }
        // "curl -ks --connect-timeout " <2-4 bytes> " -d "
        $b2 = { 00 63 00 75 00 72 00 6C 00 20 00 2D 00 6B 00 73 00 20 00 2D 00 2D 00 63 00 6F 00 6E 00 6E 00 65 00 63 00 74 00 2D 00 74 00 69 00 6D 00 65 00 6F 00 75 00 74 00 20 00 [2-4] 20 00 2D 00 64 00 20 }
        // "/agent/log.php"
        $c1 = { 00 2F 00 61 00 67 00 65 00 6E 00 74 00 2F 00 6C 00 6F 00 67 00 2E 00 70 00 68 00 70 }
        // "/apple/log.php"
        $c2 = { 00 2F 00 61 00 70 00 70 00 6C 00 65 00 2F 00 6C 00 6F 00 67 00 2E 00 70 00 68 00 70 }
        // "X-Module: "
        $d1 = { 00 58 00 2D 00 4D 00 6F 00 64 00 75 00 6C 00 65 00 3A 00 20 }
        // "X-User: "
        $d2 = { 00 58 00 2D 00 55 00 73 00 65 00 72 00 3A 00 20 }

    condition:
        $a at 0 and
        filesize < 100KB and
        1 of ($b*) and
        1 of ($c*) and
        all of ($d*)
}
// Flags small files that begin with the "FasdUAS" header, contain three specific
// AppleScript event/descriptor byte sequences and at least one encoded keyword.
rule XProtect_MACOS_9e2bab9
{
meta:
description = "MACOS.9e2bab9"
strings:
// ASCII "FasdUAS" (header of a compiled AppleScript); the condition pins it to offset 0.
$a = { 46 61 73 64 55 41 53 }
// $b1: 0x18 ".sysoexecTEXT" FF FF 80 — "sysoexec" is the event code of `do shell script`.
$b1 = { 18 2E 73 79 73 6F 65 78 65 63 54 45 58 54 FF FF 80 }
// $b2: "kocl" .. "cobj" .. ".corecnte****" with wildcard bytes between the four-char codes.
$b2 = { 6B 6F 63 6C 0A FF ?? 00 04 0A 63 6F 62 6A 0A FF ?? 00 18 2E 63 6F 72 65 63 6E 74 65 2A 2A 2A 2A }
// $b3: "****" .. "pcnt" .. "TEXT" .. "kfrmID"; note the literal 00 64 (decimal 100) near the start.
$b3 = { 2A 2A 2A 2A 03 FF ?? 00 64 0A FF ?? 00 04 0A 70 63 6E 74 0A FF ?? 00 04 0A 54 45 58 54 0A FF ?? 00 08 0B 6B 66 72 6D 49 44 }
// $c*: UTF-16BE code units in the range 0xA7-0xDA. Subtracting 0x64 from each one gives ASCII:
//   $c1 "Containers", $c2 "build_vendor", $c3 "build_version", $c4 "osacompile", $c5 "osascript".
// NOTE(review): presumably the sample stores its strings shifted by 100 — confirm against a sample.
$c1 = { 00 A7 00 D3 00 D2 00 D8 00 C5 00 CD 00 D2 00 C9 00 D6 00 D7 }
$c2 = { 00 C6 00 D9 00 CD 00 D0 00 C8 00 C3 00 DA 00 C9 00 D2 00 C8 00 D3 00 D6 }
$c3 = { 00 C6 00 D9 00 CD 00 D0 00 C8 00 C3 00 DA 00 C9 00 D6 00 D7 00 CD 00 D3 00 D2 }
$c4 = { 00 D3 00 D7 00 C5 00 C7 00 D3 00 D1 00 D4 00 CD 00 D0 00 C9 }
$c5 = { 00 D3 00 D7 00 C5 00 D7 00 C7 00 D6 00 CD 00 D4 00 D8 }
condition:
// Header at offset 0, file under 100KB, every $b sequence, and any one encoded keyword.
$a at 0 and filesize < 100KB and all of ($b*) and any of ($c*)
}
// Flags very small bash scripts that start a browser binary with a remote-debugging
// option on a fixed port, or that reference a run.py under a Safari container path.
rule XProtect_MACOS_889c9e6
{
meta:
description = "MACOS.889c9e6"
strings:
// "#!/usr/bin/env bash\n"; the condition pins it to offset 0.
$a = { 23 21 2F 75 73 72 2F 62 69 6E 2F 65 6E 76 20 62 61 73 68 0A }
// $b1-$b8 all start with "/Contents/MacOS/" and end with a debugging option and port:
// $b1: Google Chrome" --remote-debugging-port=19234
$b1 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 47 6F 6F 67 6C 65 20 43 68 72 6F 6D 65 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 33 34 }
// $b2: Brave Browser" --remote-debugging-port=19384
$b2 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 42 72 61 76 65 20 42 72 6F 77 73 65 72 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 33 38 34 }
// $b3: Microsoft Edge" --remote-debugging-port=19264
$b3 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 4D 69 63 72 6F 73 6F 66 74 20 45 64 67 65 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 36 34 }
// $b4: firefox" --start-debugger-server ws:19240
$b4 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 66 69 72 65 66 6F 78 22 20 2D 2D 73 74 61 72 74 2D 64 65 62 75 67 67 65 72 2D 73 65 72 76 65 72 20 77 73 3A 31 39 32 34 30 }
// $b5: Opera" --remote-debugging-port=19238
$b5 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 4F 70 65 72 61 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 33 38 }
// $b6: 360Chrome" --remote-debugging-port=19268
$b6 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 33 36 30 43 68 72 6F 6D 65 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 36 38 }
// $b7: Yandex" --remote-debugging-port=19236
$b7 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 59 61 6E 64 65 78 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 33 36 }
// $b8: Chromium" --remote-debugging-port=19236 (same port as $b7)
$b8 = { 2F 43 6F 6E 74 65 6E 74 73 2F 4D 61 63 4F 53 2F 43 68 72 6F 6D 69 75 6D 22 20 2D 2D 72 65 6D 6F 74 65 2D 64 65 62 75 67 67 69 6E 67 2D 70 6F 72 74 3D 31 39 32 33 36 }
// $b9: "/Library/Containers/Safari/run.py"
$b9 = { 2F 4C 69 62 72 61 72 79 2F 43 6F 6E 74 61 69 6E 65 72 73 2F 53 61 66 61 72 69 2F 72 75 6E 2E 70 79 }
condition:
// NOTE(review): the size limit is 200 bytes (no KB/MB suffix), unlike the other rules
// in this file — confirm that such a tight bound is intended.
$a at 0 and any of ($b*) and filesize < 200
}
// Hash-only rule: flags Mach-O files under 10MB when the SHA-1 of a fixed byte range
// equals a listed digest. hash.sha1(offset, size) comes from the "hash" module imported
// at the top of the file. There are two clause shapes:
//   - a single hash over the first N bytes of the file (offset 0), and
//   - a pair of hashes over two inner regions, both of which must match.
// Exact-hash clauses only match the listed builds; any change inside a hashed range
// yields a different digest, so this rule does not generalise to new variants.
rule XProtect_MACOS_1db9cfa
{
meta:
description = "MACOS.1db9cfa"
condition:
// Macho is the private rule that checks the Mach-O / fat magic at offset 0.
Macho and filesize < 10MB and (
// Single-range clauses: SHA-1 of the file's first N bytes.
hash.sha1(0, 22032) == "04b823a72f134918f64cd6bbac8251f95a42b052" or
hash.sha1(0, 50704) == "082fa2d8b3841899f5fbe244f1a6ee6247a00c1c" or
hash.sha1(0, 22032) == "102229386892fd0aa16ca349919cd9b20db30dc8" or
hash.sha1(0, 50704) == "10f8a912c90317c1eeecce12fc8c1c1d7b5655ab" or
hash.sha1(0, 22032) == "1f22744799d3d13e851cb1dedf4cbb1b28eda695" or
hash.sha1(0, 50704) == "2217a4633fd8654972e980d436cb9c38d324dd29" or
hash.sha1(0, 50704) == "234562f93adebf3db00578ff347cc14baf68a531" or
hash.sha1(0, 50704) == "3e64273d156321b3503fd5738fd88c3820ab66d2" or
hash.sha1(0, 50704) == "4b8d96e88c9057314bd68e1101f055b8a84f8edf" or
hash.sha1(0, 50704) == "562b30388e335ffd3658fc5dedcba6a0f5ff0aad" or
hash.sha1(0, 22032) == "60c7b8e84f5103f4597199f30bffcb79e4271d37" or
hash.sha1(0, 50704) == "6110eaa6053fbd77171f52147ef0a863f8bd7328" or
hash.sha1(0, 13780) == "684e8a068d2af353930bf7007cc502488374b984" or
hash.sha1(0, 50704) == "6a9ed3bda52b6d1e0f2c3fb8d644f8434203d6ee" or
hash.sha1(0, 50704) == "6bf52006ce9e6dc23e26e2a2151edc12cd726966" or
hash.sha1(0, 17936) == "6e683382cefa20d9ec6133f4558ab18e8d5daa1f" or
hash.sha1(0, 50704) == "75c39a6b0a66c33badbbd07bb096631936c076e7" or
hash.sha1(0, 50704) == "8b4207ac1c227f98119c0b719cc5896d606ee362" or
hash.sha1(0, 22032) == "8dc7a8c88896758d139366fa054ff9ad848270a0" or
hash.sha1(0, 50704) == "a603a6c65156c3fb932f8671da03c0c77db5408f" or
hash.sha1(0, 22032) == "ac269f677a14406d1e4a9ef4f0fa3cc272e370d2" or
hash.sha1(0, 50704) == "b4ffa58582cc3e8ef2525667b73df98667bd0266" or
hash.sha1(0, 50704) == "d1900adb4983a979155b9b2bc4042784baf24963" or
hash.sha1(0, 50704) == "e7076183c90d4937ff6c95ad4aa24af14a3162be" or
hash.sha1(0, 50704) == "f13c3959ccdbb8850dadc39d97fe36c31d96b7f1" or
hash.sha1(0, 50704) == "f53da2ae651f2806cbf5723fecc1455364e8ff35" or
hash.sha1(0, 50704) == "fe7e7bce3032cd05fe19067f28cee24ef8adcc32" or
hash.sha1(0, 50704) == "5a7d2fcb0ca59364cb764a698af08921dc05681f" or
hash.sha1(0, 50704) == "ff2a1f98d1aefcb0e9d67b8b8bc5703b20dbcc39" or
hash.sha1(0, 50704) == "1aba53a2a364e782c5e18fffba067b19d634204c" or
hash.sha1(0, 50704) == "6581957d1a7cde24a375bfa73e11bae17d1ef779" or
hash.sha1(0, 50704) == "daaad99d3162d037b9b4a610c87867d0cfa7fa8f" or
hash.sha1(0, 50704) == "9327e28f0bbdb215c0a0d050acad16ac74470d84" or
hash.sha1(0, 50704) == "31ac2f1783a9dd807e8478304471cebcaa5a8818" or
// Two-range clauses: one region near offset 12480-12640 and one at offset 32944; both must match.
(hash.sha1(12480, 3383) == "004f76d87aa8a54b3f8e7a81c05907c435fe0e1a" and hash.sha1(32944, 10899) == "19f6ff8f2e5373c6ceea6c5ce3a5ca508b215e54") or
(hash.sha1(12480, 3383) == "a84321e906733c899446e9f8f7c033d9839c9041" and hash.sha1(32944, 3213) == "4712921d105a4874c2371542bbbf1b64fa3216eb") or
(hash.sha1(12480, 3383) == "12622a1009c200ba049a66931efdfeed4776f6d4" and hash.sha1(32944, 12539) == "9b93e47be24e03e33926e2f0456eed1b4b1dd971") or
(hash.sha1(12496, 3367) == "5f9d750a6da1d886edc6c9a5dfabe0623997046e" and hash.sha1(32944, 3138) == "500c2199792632959ed04dc8b0a9799dac353519") or
(hash.sha1(12480, 3383) == "f7ac34703d0ab6c02a0197b1b9347ec6ffa4a968" and hash.sha1(32944, 11631) == "b7ca72ad28280f4778efa49da6346f01de7e82c7") or
(hash.sha1(12480, 3383) == "e53163e5f4524a1d078bad5de96c8f656e37abce" and hash.sha1(32944, 2731) == "8950d8649618253e55b60afaf36e33604a0c9139") or
(hash.sha1(12480, 3383) == "5cd351e839c033869add29a91494c2fb75c6c5b8" and hash.sha1(32944, 12985) == "ffc27549dc1e020de294a7559cd5ab6f880f237c") or
(hash.sha1(12480, 3383) == "7894b20f73a8e7473e01ebe655cfe209dd8d69b6" and hash.sha1(32944, 3332) == "7073d411e84c2d59537df8d7e60d7fff7ee6f38c") or
(hash.sha1(12496, 3367) == "863fea54f1f228a2e2f20a9e1c616ce64932bef5" and hash.sha1(32944, 12131) == "b2156d6d36c88d2e606f10d9baf2718fc6c0ecb8") or
(hash.sha1(12480, 3383) == "69dc7106e4a79703984f2fabb87e4b6ae0207dc3" and hash.sha1(32944, 9685) == "66ffd2cb4aa2e6a1baf194b94d84ff4b2971facf") or
(hash.sha1(12480, 3383) == "9f20e6eac2f59ba91be98698faeafe244adfed19" and hash.sha1(32944, 11922) == "267bd25181d8e5dd496c818ace38e460f5fc1786") or
(hash.sha1(12624, 3230) == "45923099d3f99bd94f9a5c58e24f9ca77d92ca3f" and hash.sha1(32944, 10719) == "5a6fc07dfa47009d756ad5169a17376351eeeb66") or
(hash.sha1(12640, 3214) == "fe768b3234600e95541a9c7348e13afb845c3257" and hash.sha1(32944, 12314) == "ef70d0b3058349817eeaac627cb8747d4922511b")
)
}
// Hash-only rule: flags Mach-O files under 10MB when the SHA-1 of a fixed byte range
// equals a listed digest (hash.sha1(offset, size) from the imported "hash" module).
// Clauses are either one hash over the first N bytes of the file, or a parenthesised
// pair of hashes over two inner regions that must both match.
// Several pairs repeat the same two digests at offsets that are 16384 bytes further on
// (for example 36704/508868 and 53088/525252).
// NOTE(review): presumably the same content at a shifted file offset — confirm.
// Exact-hash clauses only match the listed builds and do not generalise to new variants.
rule XProtect_MACOS_6eaea4b
{
meta:
description = "MACOS.6eaea4b"
condition:
// Macho is the private rule that checks the Mach-O / fat magic at offset 0.
Macho and filesize < 10MB and (
hash.sha1(0, 454544) == "8bda23d6fe3c5f61bbe035b3b3955c128fe5fd0c" or
hash.sha1(0, 478384) == "eff0e86a0c1fdb31442b3b27ae275265144b22ec" or
hash.sha1(0, 888976) == "3bddee4293c423dcf791872e214c364b89df558b" or
hash.sha1(0, 465728) == "ab859e350bca96ed8ab4d3ee87ecbdaad42cbf76" or
hash.sha1(0, 462816) == "175a12023d4de5d0b2cb484fa6b22f4a579c59b0" or
hash.sha1(0, 465536) == "c91343995496fc20c853d177411338cfe954994f" or
hash.sha1(0, 465536) == "231b970b66af08780b6fbaf07367d1c8d73d7f8e" or
hash.sha1(0, 888976) == "674493bd15f6df947d6a32d42ffd800197a05a9a" or
hash.sha1(0, 482496) == "7034b366281882f3839089dbc99dde1c409db2d1" or
hash.sha1(0, 482416) == "f2a6ca3b9ebcfab66eda50621dbf1bb1e52d3e07" or
hash.sha1(0, 465936) == "f058b8f68f2e306ca00f3c43b485536ec9efa13a" or
hash.sha1(0, 482608) == "cadcf5a2618893e06477dde8162a651c0b971ad7" or
hash.sha1(0, 922656) == "b6cd41a0b199a131572e9185805a523a4af285b5" or
(hash.sha1(23728, 267226) == "e15f33dc0ab40e560b25a2548fa76f98c46d7a64" and hash.sha1(492920, 235168) == "5134edfe096a6ff12f803cfd4c1ec54927846e33") or
(hash.sha1(21520, 269322) == "920c2ba31e95917aa2aa5e0b9f60c62034e913b0" and hash.sha1(490900, 237060) == "0bd8de35f2a5924eda4655a8b358805560cd7da5") or
(hash.sha1(45744, 277834) == "1812f9c0cc91ac3f1b21549ba3345bd388687be8" and hash.sha1(522084, 238540) == "a7634e3dcd5541fa5f7358c81b91bbf9086ab7f9") or
(hash.sha1(45440, 278122) == "572efd9090128cb2ba7cf03a1ef95852b8803d61" and hash.sha1(521784, 238816) == "a229148416fa671c5ee1aa546c5ffef3c8695acc") or
(hash.sha1(45456, 278106) == "01677a4751a36b7c2e85350a0325450d06ddf94b" and hash.sha1(521784, 238816) == "a1bf16e40febb8fae0d61462fb098b3885b48d05") or
(hash.sha1(36704, 270282) == "02f12d6efddb9915ef5e48dc8672e8c49eaf695d" and hash.sha1(508868, 235172) == "0cdb4314624dd23045bf48ecb7e736d4ab452b14") or
(hash.sha1(53088, 270282) == "02f12d6efddb9915ef5e48dc8672e8c49eaf695d" and hash.sha1(525252, 235172) == "0cdb4314624dd23045bf48ecb7e736d4ab452b14") or
hash.sha1(0, 478384) == "dd7e5f9407f670a8ee04ba4b326c70c409db4871" or
hash.sha1(0, 474224) == "166f3d5be9cde70c3bf0a22fbb8365d13d81ca34" or
hash.sha1(0, 450256) == "e6beeb6b32a140904a648fca9dab614d73dcd94c" or
hash.sha1(0, 474224) == "09b03db91357d5a067439d101e81c163f4eba4b0" or
hash.sha1(0, 888864) == "e386145673963ebfedc99665868106ec00e23607" or
hash.sha1(0, 922480) == "bd13d22095d377938c50088e59fa3079143cb0f2" or
(hash.sha1(26160, 264618) == "25cb0ea0b706034409c7439ada832e141a9099cf" and hash.sha1(495056, 232672) == "bdc7c63c90390e7d737c04f37fe068b1d4398931") or
(hash.sha1(24704, 266058) == "e522e55f91c3fe14079fa142b0ffd41a929657c9" and hash.sha1(493628, 234068) == "aaa386881e9f0c210e8c300667c4631b9a32b365") or
(hash.sha1(47920, 275578) == "e29a36bf609f5c1700c91261574bf83757f5d6cc" and hash.sha1(524636, 235708) == "f87ee1e0488fbf3c64ab9cc40bfcef5745357afc") or
(hash.sha1(47616, 275866) == "e2dbe92730b3e06937d5270b21abd8151ba3a504" and hash.sha1(524348, 235988) == "d43f3b412debf84206efc2732a65926681b94e24") or
(hash.sha1(47632, 275850) == "5fb180aefdfa3a3c7163bd37fac7b8eb193e5286" and hash.sha1(524352, 235984) == "0a59d04c27ca3761e71330bcaf3c79e77fe665f3") or
(hash.sha1(22208, 268314) == "757f1e6b691c2e91f5b9fcebacf35edfcc9ce315" and hash.sha1(493612, 233732) == "639f0af300aed26656ac217ce28565f8eaed8d35") or
// NOTE(review): the next clause is identical to the one above (same offsets, sizes and digests).
(hash.sha1(22208, 268314) == "757f1e6b691c2e91f5b9fcebacf35edfcc9ce315" and hash.sha1(493612, 233732) == "639f0af300aed26656ac217ce28565f8eaed8d35") or
hash.sha1(0, 454448) == "e4b84e22214062b57a3f3a81fba5d4ddd163b0bb" or
hash.sha1(0, 474144) == "5c448f6272d63a57c0e7965d09bd93e23a15ee86" or
hash.sha1(0, 888864) == "a15f39ce5007e25e742d071d15c8e38658165e5a" or
hash.sha1(0, 922384) == "cbf08fae71fcd46cc852fad7502685466c40e168" or
(hash.sha1(25584, 264906) == "38ae77158e1ce3079a36303bf45d46246befc753" and hash.sha1(494844, 232940) == "dddb9c37fa39a49c7e17f77ea8176fe0a29e23a2") or
(hash.sha1(24128, 266330) == "da85d3675bbd891f6e7d0269173243adaa1300ff" and hash.sha1(493444, 234284) == "d0fa0e947ab4d51278bc3c2be092918345dc9fc5") or
(hash.sha1(46928, 276282) == "51b695a80c74a0d30d4c614a8ecc605457bb7adc" and hash.sha1(524176, 236216) == "05806c64f585306b25a75ccdb071375ed1c74098") or
(hash.sha1(46624, 276570) == "326e55ae93aeced73be9bf830a574a4ea551b231" and hash.sha1(523872, 236496) == "55efadfed76814a75f11ed255da7ebdf90248a1d") or
(hash.sha1(46656, 276554) == "77b726c10e6d381456704be730c76b5963ff9625" and hash.sha1(523876, 236492) == "4420fede63ed01fd9fd20428d8738b105e8c6e41") or
(hash.sha1(37392, 269162) == "77756fb4720bc7ea364a947df659495a473ff15d" and hash.sha1(509160, 234424) == "dfdab2704a010782a4b0dfd180569c0aa245c866") or
(hash.sha1(53776, 269162) == "77756fb4720bc7ea364a947df659495a473ff15d" and hash.sha1(525544, 234424) == "dfdab2704a010782a4b0dfd180569c0aa245c866") or
hash.sha1(0, 450112) == "21b63689d192a7d1309d98afa35d42f695098d7a" or
hash.sha1(0, 474048) == "509dba18a168fdeecf990704741e14cb17b2a31e" or
hash.sha1(0, 888656) == "3a1665f1b92f1aae4eb44753f5134b3a0ec0a35f" or
hash.sha1(0, 444752) == "4a86f9cd51d9682a67bdd9921542806b9c32eef0" or
hash.sha1(0, 465232) == "5bb4e5bf7bab49945878993ca0faa70f83b732df" or
hash.sha1(0, 465888) == "5266f907da5c8fc78971e848fe89927acce2ba92" or
hash.sha1(0, 465792) == "d6a65d5bb692f5d82f0b1b688e660f1baf857538" or
hash.sha1(0, 922448) == "65e62ef1bd1ae50730974cafee5d8b22b97fa7aa" or
hash.sha1(0, 922448) == "a012a408a9a7108d71d771cb701725fa1894d539" or
hash.sha1(0, 922448) == "23d05530ee621b5f0410c5eac8840c7cf1e512e9" or
hash.sha1(0, 922448) == "2a62d6bcac7b0c5e75f561458e934ec45c77699c" or
(hash.sha1(25248, 264250) == "2d7ec4dcaad429421f2e61e62bbff0ca7cede95a" and hash.sha1(494424, 232080) == "ca15aa3cc18977d93bfc0f751305baaeadd02abc") or
(hash.sha1(24160, 265098) == "457869b75082919b9d44e3f9b3097bc1e2b76c0a" and hash.sha1(493392, 232872) == "6664a7a1399377447c6f4459e71a44aa0e30391e") or
(hash.sha1(45472, 276730) == "f32c2cdad1f8deb30cb235d2d196fb0d8b569dc2" and hash.sha1(521912, 237008) == "97a3e72e5426f7dcd4f40fc759336b0cf7073c10") or
(hash.sha1(45168, 277018) == "cafd8549f9a623c538d5c5b7799449c4121866bf" and hash.sha1(521608, 237288) == "e743db22d055f765d9948e0e66f934b67b7774f9") or
(hash.sha1(45152, 277034) == "81d3729c09971fce700a10e01284610a17003c5b" and hash.sha1(521588, 237308) == "be6313f77dc0de79a8d9e3d718f23cc5f8a7907b") or
(hash.sha1(36384, 269130) == "37bd3a555e23ee2f2792e78b79d30e6a1c0b2f1e" and hash.sha1(507920, 234144) == "fccc75ca700171c8d3fbc1add4b5f972ba0688d0") or
(hash.sha1(52768, 269130) == "37bd3a555e23ee2f2792e78b79d30e6a1c0b2f1e" and hash.sha1(524304, 234144) == "fccc75ca700171c8d3fbc1add4b5f972ba0688d0") or
hash.sha1(0, 955424) == "8d2f1644320ba4f90b2cd23eeca51843168f59b8" or
hash.sha1(0, 955424) == "263b243df32be6d9d9878c459d2fc6491342d547" or
(hash.sha1(52928, 269834) == "5e9380abd57f0f143b119695cba20cf4d98117bd" and hash.sha1(522040, 237840) == "78b2101b6fad4712a6df7905e7d51bbd5208bb48") or
(hash.sha1(51600, 271146) == "d334ecef808a49eb3841c1cdadc6bf1c9d2a6d2b" and hash.sha1(520692, 239156) == "0e0a6f18ddfb9620f9547ab6d4f5fe8fe29d6c1a") or
(hash.sha1(43104, 279610) == "5c1d1d356040ff714838ddb516620fbca71d0b45" and hash.sha1(519864, 239880) == "71c1b3143e3896dca48a674bd2155e6f450c5d61") or
(hash.sha1(42800, 279898) == "4e8afb74fe55b941c8e8eceeb77d8d4bee8e7a4c" and hash.sha1(519560, 240160) == "4b700681cb0a1a62831cdd3f4b5e79205ff11aa5") or
(hash.sha1(42800, 279898) == "627c3801155a14f4b985bf8e8549d9baf16c7da2" and hash.sha1(519564, 240156) == "3742d2860894378a745a8998013e42fcbeda44bf") or
(hash.sha1(33968, 272138) == "3b1254e5401eab70fcba51413a325347a5628ec2" and hash.sha1(506532, 236628) == "492e728422320a33d819b1133c7968b29bf17447") or
(hash.sha1(50352, 272138) == "3b1254e5401eab70fcba51413a325347a5628ec2" and hash.sha1(522916, 236628) == "492e728422320a33d819b1133c7968b29bf17447") or
hash.sha1(0, 450256) == "373d5b73e02899bda6091936efdd768821ba3dd2" or
hash.sha1(0, 474224) == "8d0f391449c0e479c189c10da873d047c2327d5f" or
hash.sha1(0, 888864) == "4db9cd9b165c3d820ab4f456df551e8f03c7a797" or
hash.sha1(0, 465728) == "163a01132cd6c038c8692d4ba5f50681181c74ce" or
hash.sha1(0, 465760) == "68387bf302163de4dcdcc9a7b1bb53d50ecc7256" or
hash.sha1(0, 905696) == "b05c39e48ac7959545028d20acd41010ae5726f4" or
hash.sha1(0, 922384) == "2a6d37160f21ec13aa6c692a3ca3374db3d35e96" or
(hash.sha1(27440, 263226) == "f4ab841ecd1d48e3085ae92b0b1ca8604e85ce83" and hash.sha1(496240, 231608) == "66be42c88520537be247d29f3b117323612dcdfc") or
(hash.sha1(25936, 264682) == "2bb4155dad4a0c6c8eec33e3ae5fd7bfc40d71f6" and hash.sha1(494820, 232972) == "5ec40ea1630d3f919171cf4a1fb64abf83bf9f5a") or
(hash.sha1(49008, 274346) == "ffe4482ab09ad6915bf594aa5b856bdd4e45e1bd" and hash.sha1(525904, 234536) == "b9f835adcc3332ffd4a041397550fbdaa36bfdbb") or
(hash.sha1(48704, 274634) == "2357331346f7bdab42efe34077d4f2cbf0aeeb47" and hash.sha1(525600, 234816) == "395d3290248c761e506f70d2e1517df586f0f4b2") or
(hash.sha1(48736, 274618) == "7b06f11ef35e3303ce0a24a0873e61c24f1a1f44" and hash.sha1(525604, 234812) == "b96a33dfe6f7df8e5af7b3b602750891d19f951e") or
(hash.sha1(23056, 267290) == "dd3b3211c25317d28f9a3ae3f400fe019b4fff4c" and hash.sha1(494756, 232636) == "0cf7e3b710028528974fbddf7791745568866535") or
// NOTE(review): the next clause is identical to the one above (same offsets, sizes and digests).
(hash.sha1(23056, 267290) == "dd3b3211c25317d28f9a3ae3f400fe019b4fff4c" and hash.sha1(494756, 232636) == "0cf7e3b710028528974fbddf7791745568866535") or
hash.sha1(0, 454448) == "0d1cbf5473fab9156922de90a09b7a2e64aef328" or
hash.sha1(0, 474160) == "501bdd880699749ae3a7a6e9c2230f903200fcab" or
hash.sha1(0, 888864) == "976a71300d0c76bdf505e4a70be5e173471d683d" or
hash.sha1(0, 922368) == "1396fdbff38b787d14b1135dcdfc367658669637" or
(hash.sha1(22288, 267866) == "3af51e49dd4401abc6a7a5834b14a448ccce7427" and hash.sha1(491096, 236000) == "6aade93d0c0b34b96525f6ca30ec8de4caa62bce") or
(hash.sha1(53536, 269354) == "8628b9d4fa183c6d3b216a2b4c86ea4dd638bcf6" and hash.sha1(522536, 237272) == "5b1e151c1e216f952bdadf156e3ca14d4568cdc1") or
(hash.sha1(43552, 279306) == "c855d3e10958b6af42db92a3e361d1b27bb94c2d" and hash.sha1(520852, 238836) == "a896bbdbbca929b2e17919171725a2041452a9ec") or
(hash.sha1(43248, 279594) == "be15c2de5a35c24947fd625873d1748d64bfc1fb" and hash.sha1(520548, 239116) == "1d4da70c86c505e8117a2197a8c0ddae6f4ced72") or
(hash.sha1(43248, 279594) == "2673f90a96a4e00dbc2b873a9da32bcc0dbd84be" and hash.sha1(520552, 239112) == "7521b7b36a9276b87ffda4cd1e4be95ec4fdaa27") or
(hash.sha1(34416, 271818) == "7dc98e2010a865259407dd987601a4816f06a7e8" and hash.sha1(506396, 236660) == "4f17547c6c83d106cea576825fe838bbf07c69d1") or
(hash.sha1(50800, 271818) == "7dc98e2010a865259407dd987601a4816f06a7e8" and hash.sha1(522780, 236660) == "4f17547c6c83d106cea576825fe838bbf07c69d1") or
hash.sha1(0, 450256) == "533972a1736426bc23a715eb662e6374c6ea400a" or
hash.sha1(0, 474224) == "db31ba474d8f75437872f5caf275c1dd2609ee89" or
hash.sha1(0, 888864) == "eccacfd1946df9b74c8515aa5b54eab01c7582cb" or
hash.sha1(0, 469936) == "7377d0f081d93eb47ec5e6893e51291895622d91" or
hash.sha1(0, 922688) == "e4b6c56faa97493dc0f0f7c4fc2196096ef66513" or
(hash.sha1(25008, 264890) == "befbd5b2ce01539a857d9332bbba88bae2ac65a1" and hash.sha1(493260, 233572) == "7bb48f16db086713c52b723e0d60495eb813aee2") or
(hash.sha1(23632, 266250) == "450ec6c3f8109bf48bfa35ec8161a257765c17ae" and hash.sha1(491924, 234876) == "38584bebb3271d4a334adea2c6fdcc638c1df55f") or
(hash.sha1(47728, 274922) == "78b279ef031f5aae76a5376922bff5915eaeefb5" and hash.sha1(523088, 236360) == "8eba37d5f875f52c0bc935531cb0bb3f6793c81f") or
(hash.sha1(47424, 275210) == "4281ce5084d7f669374146b405def7872234aaed" and hash.sha1(522788, 236636) == "d45a917cbf21c272e7c8e6dd2148e32392d4939d") or
(hash.sha1(47424, 275210) == "91145c92e2e85d6ed5dd33f6e0c32f84d2f76d02" and hash.sha1(522788, 236636) == "763b985cbc7bb60934e848ca6375cf8dda59f47a") or
(hash.sha1(37296, 268714) == "cecfc085a9108edd47052e5a57e64670b59962eb" and hash.sha1(509452, 233364) == "ed630344a18228c94d6a7b5434757b42f8a7046e") or
(hash.sha1(53680, 268714) == "cecfc085a9108edd47052e5a57e64670b59962eb" and hash.sha1(525836, 233364) == "ed630344a18228c94d6a7b5434757b42f8a7046e") or
hash.sha1(0, 465600) == "d019a86482f03a0012d82a4455212ad36c9c09eb" or
hash.sha1(0, 466240) == "30b7f694684af729619f30567be5443f849a3399" or
hash.sha1(0, 465616) == "26565b29cfdd7de87da708ed45f4ab4799bdbb28" or
hash.sha1(0, 466224) == "de662a98ff4cdfeca3eb95e746d9c253b73ee846" or
hash.sha1(0, 448304) == "509aea0eb79253ced67a045738f1b9c6c84271ad" or
hash.sha1(0, 466272) == "2c1142a9d938e415f23dd40205909686a3c69c51" or
hash.sha1(0, 465600) == "acd00ea03ea2d9a2b43e8b076ee29b71255246b1" or
hash.sha1(0, 466304) == "4ff733254fd4ef6e0df07bcb5215f391437f3592" or
hash.sha1(0, 466224) == "926cc0c45610e286edccfe8104a95a096bfbaab2" or
hash.sha1(0, 465328) == "c4e43c7d6e8aeb39654906a1b8445402b04db355" or
hash.sha1(0, 465328) == "8a4994c138a24960818db2eec5c702acf25b0750" or
hash.sha1(0, 465328) == "fe026ba19524c71dbf70923bde8ca065f5f8e186" or
hash.sha1(0, 465616) == "a898e15d701e50f0c869abf62fab5cfe7854fa70" or
hash.sha1(0, 466240) == "572b4e472e25da27b64b29d40e0bf5f85448bcff" or
hash.sha1(0, 465776) == "74d8f5f5e904637d5b3383291d2d169643dda302" or
hash.sha1(0, 465328) == "df3896ea9f02ed8b4b1e8e13588766fb16b8aab0" or
hash.sha1(0, 465328) == "4a0359acfa8454454f8775ebc235f5bbd47b4d6c" or
hash.sha1(0, 465616) == "49916762bab2816fcd93fb553d5231d320ed1b51" or
(hash.sha1(22416, 268442) == "9c87e5a1281614714986c2fc0e934dbe6b57a746" and hash.sha1(491736, 236240) == "3aab2900d91e10f16a8c699d7f2f49e6ccf83827") or
(hash.sha1(54272, 269322) == "c2db6347040d8d76c85d28fa04e79024e17fc1bd" and hash.sha1(523648, 237064) == "02f286233bbc98aa840ab6b70dbf4f66d462111d") or
(hash.sha1(45744, 277818) == "551275307722b5ef579f5e7da5c9b59e2433f4c9" and hash.sha1(522048, 238560) == "fd16c95286f5f9d1ff87dc93f0417d4a3c35986a") or
(hash.sha1(45440, 278106) == "9ed6803200759a489e1a645ecb68cfbed2ebd166" and hash.sha1(521748, 238836) == "fc033effb80619af879cacae80ca2010b4662a1e") or
(hash.sha1(45456, 278090) == "1e725c6e13618a08164d9614402d9efa9d8c0e59" and hash.sha1(521748, 238836) == "1c432482778154334802e5d25b496690497485f0") or
(hash.sha1(36672, 270266) == "26cf2ce4510cac9f319eaab76b6a7f1425df0c79" and hash.sha1(508820, 235172) == "fbc9bf6bea034248ec8b96bb049af6c70837dbb7") or
(hash.sha1(53056, 270266) == "26cf2ce4510cac9f319eaab76b6a7f1425df0c79" and hash.sha1(525204, 235172) == "fbc9bf6bea034248ec8b96bb049af6c70837dbb7")
)
}
// Flags Mach-O files under 400KB that contain at least one of six URL path/query
// fragments ($a*) together with at least three of seven installer-related strings ($b*).
rule XProtect_MACOS_7f5b902
{
meta:
description = "MACOS.7f5b902"
strings:
// $a*: ASCII URL fragments.
// $a1: "/query/to?qi=1&category=web&app_id="
$a1 = { 2f 71 75 65 72 79 2f 74 6f 3f 71 69 3d 31 26 63 61 74 65 67 6f 72 79 3d 77 65 62 26 61 70 70 5f 69 64 3d }
// $a2: "/install/agent_update?session_id="
$a2 = { 2f 69 6e 73 74 61 6c 6c 2f 61 67 65 6e 74 5f 75 70 64 61 74 65 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
// $a3: "/monetize?session_id="
$a3 = { 2f 6d 6f 6e 65 74 69 7a 65 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
// $a4: "/install?session_id="
$a4 = { 2f 69 6e 73 74 61 6c 6c 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
// $a5: "/install/first_time?session_id="
$a5 = { 2f 69 6e 73 74 61 6c 6c 2f 66 69 72 73 74 5f 74 69 6d 65 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
// $a6: "/task-for?emid="
$a6 = { 2f 74 61 73 6b 2d 66 6f 72 3f 65 6d 69 64 3d }
// $b1: "&ext=1&z=5&query=myQuery"
$b1 = { 26 65 78 74 3d 31 26 7a 3d 35 26 71 75 65 72 79 3d 6d 79 51 75 65 72 79 }
// $b2: "com.apple.quarantine" (name of the macOS quarantine extended attribute)
$b2 = { 63 6f 6d 2e 61 70 70 6c 65 2e 71 75 61 72 61 6e 74 69 6e 65 }
// $b3: 'get version of application "Safari"'
$b3 = { 67 65 74 20 76 65 72 73 69 6f 6e 20 6f 66 20 61 70 70 6c 69 63 61 74 69 6f 6e 20 22 53 61 66 61 72 69 22 }
// $b4: "&&is_set_sp_approved=" — the pattern starts with two '&' bytes (26 26).
$b4 = { 26 26 69 73 5f 73 65 74 5f 73 70 5f 61 70 70 72 6f 76 65 64 3d }
// $b5: "&is_install_accepted="
$b5 = { 26 69 73 5f 69 6e 73 74 61 6c 6c 5f 61 63 63 65 70 74 65 64 3d }
// $b6: "Are you sure you want to quit installation ?"
$b6 = { 41 72 65 20 79 6f 75 20 73 75 72 65 20 79 6f 75 20 77 61 6e 74 20 74 6f 20 71 75 69 74 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 3f }
// $b7: "Quiting will cancel installation" (spelling as in the pattern)
$b7 = { 51 75 69 74 69 6e 67 20 77 69 6c 6c 20 63 61 6e 63 65 6c 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e }
condition:
// Macho is the private rule that checks the Mach-O / fat magic at offset 0.
Macho and ( 1 of ( $a* ) ) and ( 3 of ( $b* ) ) and filesize < 400KB
}
// Flags Mach-O files under 500KB that contain at least two of five URL/format
// fragments ($a*) together with at least four of ten installer-related strings ($b*).
rule XProtect_MACOS_a291b70
{
meta:
description = "MACOS.a291b70"
strings:
// $a1: "/install/agent_update?emid="
$a1 = { 2f 69 6e 73 74 61 6c 6c 2f 61 67 65 6e 74 5f 75 70 64 61 74 65 3f 65 6d 69 64 3d }
// $a2: "/monetize?session_id="
$a2 = { 2f 6d 6f 6e 65 74 69 7a 65 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
// $a3: "/install?session_id="
$a3 = { 2f 69 6e 73 74 61 6c 6c 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
// $a4: "/install/first_time?session_id="
$a4 = { 2f 69 6e 73 74 61 6c 6c 2f 66 69 72 73 74 5f 74 69 6d 65 3f 73 65 73 73 69 6f 6e 5f 69 64 3d }
// $a5: "%@?emid=%@&appId=%@" (a format string with %@ placeholders)
$a5 = { 25 40 3f 65 6d 69 64 3d 25 40 26 61 70 70 49 64 3d 25 40 }
// $b1: "com.apple.quarantine" (name of the macOS quarantine extended attribute)
$b1 = { 63 6f 6d 2e 61 70 70 6c 65 2e 71 75 61 72 61 6e 74 69 6e 65 }
// $b2: 'get version of application "Safari"'
$b2 = { 67 65 74 20 76 65 72 73 69 6f 6e 20 6f 66 20 61 70 70 6c 69 63 61 74 69 6f 6e 20 22 53 61 66 61 72 69 22 }
// $b3: "&is_set_sp_approved="
$b3 = { 26 69 73 5f 73 65 74 5f 73 70 5f 61 70 70 72 6f 76 65 64 3d }
// $b4: "&is_install_accepted="
$b4 = { 26 69 73 5f 69 6e 73 74 61 6c 6c 5f 61 63 63 65 70 74 65 64 3d }
// $b5: "&safari_sp_set="
$b5 = { 26 73 61 66 61 72 69 5f 73 70 5f 73 65 74 3d }
// $b6: "Are you sure you want to quit installation ?"
$b6 = { 41 72 65 20 79 6f 75 20 73 75 72 65 20 79 6f 75 20 77 61 6e 74 20 74 6f 20 71 75 69 74 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e 20 3f }
// $b7: "Quiting will cancel installation" (spelling as in the pattern)
$b7 = { 51 75 69 74 69 6e 67 20 77 69 6c 6c 20 63 61 6e 63 65 6c 20 69 6e 73 74 61 6c 6c 61 74 69 6f 6e }
// $b8: "ioreg -l | grep -e Manufacturer -e \'Vendor Name\'" (backslashes are part of the pattern)
$b8 = { 69 6f 72 65 67 20 2d 6c 20 7c 20 67 72 65 70 20 2d 65 20 4d 61 6e 75 66 61 63 74 75 72 65 72 20 2d 65 20 5c 27 56 65 6e 64 6f 72 20 4e 61 6d 65 5c 27 }
// $b9: "search is designed to provide you the best search experience"
$b9 = { 73 65 61 72 63 68 20 69 73 20 64 65 73 69 67 6e 65 64 20 74 6f 20 70 72 6f 76 69 64 65 20 79 6f 75 20 74 68 65 20 62 65 73 74 20 73 65 61 72 63 68 20 65 78 70 65 72 69 65 6e 63 65 }
// $b10: "search results and recommandations in real time, enjoy" (spelling as in the pattern)
$b10 = { 73 65 61 72 63 68 20 72 65 73 75 6c 74 73 20 61 6e 64 20 72 65 63 6f 6d 6d 61 6e 64 61 74 69 6f 6e 73 20 69 6e 20 72 65 61 6c 20 74 69 6d 65 2c 20 65 6e 6a 6f 79 }
condition:
// Macho is the private rule that checks the Mach-O / fat magic at offset 0.
Macho and ( 2 of ( $a* ) ) and ( 4 of ( $b* ) ) and filesize < 500KB
}
// Flags shell scripts under 5MB that derive a key from a directory listing and use it
// to decrypt a file named script-enc with openssl, piping the result to sh.
rule XProtect_MACOS_30445d1
{
meta:
description = "MACOS.30445d1"
strings:
// $a1: "#!/bin/sh"   $a2: "#!/bin/bash"
$a1 = { 23 21 2f 62 69 6e 2f 73 68 }
$a2 = { 23 21 2f 62 69 6e 2f 62 61 73 68 }
// $b: hint="$(ls | grep -v '1.png\|2.icns\|converter.tool\|script-enc')"
$b = { 68 69 6e 74 3d 22 24 28 6c 73 20 7c 20 67 72 65 70 20 2d 76 20 27 31 2e 70 6e 67 5c 7c 32 2e 69 63 6e 73 5c 7c 63 6f 6e 76 65 72 74 65 72 2e 74 6f 6f 6c 5c 7c 73 63 72 69 70 74 2d 65 6e 63 27 29 22 }
// $c: cmd="$(openssl enc -d -aes-256-cbc -A -base64 -k $hint -in script-enc | sh -)"
$c = { 63 6d 64 3d 22 24 28 6f 70 65 6e 73 73 6c 20 65 6e 63 20 2d 64 20 2d 61 65 73 2d 32 35 36 2d 63 62 63 20 2d 41 20 2d 62 61 73 65 36 34 20 2d 6b 20 24 68 69 6e 74 20 2d 69 6e 20 73 63 72 69 70 74 2d 65 6e 63 20 7c 20 73 68 20 2d 29 22 }
condition:
// The shebang is not anchored with `at 0` here, so it may occur anywhere in the file;
// $a1 is also a prefix-free match inside any "#!/bin/sh..." text.
any of ( $a* ) and $b and $c and filesize < 5MB
}
// Flags Mach-O files under 200KB that combine a fixed 21-byte blob, wildcarded code
// sequences, Base64-looking text constants and a reordered 64-character alphabet.
rule XProtect_MACOS_d4735e3
{
meta:
description = "MACOS.d4735e3"
strings:
// $a*: two opaque 21-byte sequences, each ending in 0x14; their meaning is not visible here.
$a1 = { 8B B2 C4 67 56 5C 63 42 8E F0 CF C5 F4 8D 87 AE 58 0C 5B A4 14 }
$a2 = { D2 5A C9 65 FE D7 69 C7 A7 3B F9 5E 6A 35 9B 20 20 65 77 E5 14 }
// $b1, $b2: byte patterns with ?? wildcards.
// NOTE(review): these look like x86-64 instruction sequences — confirm with a disassembler.
$b1 = { 41 0f b6 55 ?? 49 8d 3c 1f 31 c0 4c 89 e6 e8 ?? ?? ?? ?? 49 ff c5 48 83 c3 ?? 48 83 fb ?? 75 ?? }
$b2 = { 49 89 f5 49 89 fe bf ?? ?? ?? ?? }
// $b3: "%02x" followed by a NUL byte (a hex-byte format string).
$b3 = { 25 30 32 78 00 }
// $c: NOTE(review): presumably a byte-wise XOR copy loop in x86-64 (31 c6 is an xor) — confirm.
$c = { 0f b6 33 31 c6 40 88 31 48 ff c3 48 ff c1 ff ca 75 ?? }
// $d: a longer wildcarded code pattern spread over four lines; e8 ?? ?? ?? ?? are
// presumably relative calls whose targets are masked out.
$d = {
31 ff e8 ?? ?? ?? ?? 89 c7 e8 ?? ?? ?? ?? e8 ??
?? ?? ?? 48 63 c8 48 69 c9 ?? ?? ?? ?? 48 89 ca
48 c1 ea ?? 48 c1 f9 ?? 01 d1 c1 e1 ?? 8d 0c c9
f7 d9 8d 7c 08 ?? e8 ?? ?? ?? ??
}
// $e*: printable ASCII constants that look like Base64 text (several end in '=').
$e1 = { 30 48 37 42 53 35 34 71 42 66 75 47 37 61 6c 6d 71 66 76 55 37 63 6e 32 35 31 42 6c 6b 4e 43 5a 68 55 70 62 6b 61 6f 30 78 67 71 57 6c 57 77 46 4c 44 42 58 68 37 68 68 44 70 49 47 6b 6b 35 76 6f 42 4d 72 44 33 43 52 33 70 42 44 4b 75 43 70 48 36 4b 6e 6b 49 73 33 37 7a 4d 57 31 47 58 68 39 62 42 32 75 65 57 48 53 71 77 3d }
$e2 = { 75 70 41 63 75 6b 43 31 71 68 50 72 45 45 39 4d 78 6f 42 45 76 37 6d 4d 6d 37 50 59 54 73 61 50 6f 70 6f 55 2b 73 41 49 68 4d 50 74 70 52 4a 55 63 35 57 41 6d 47 4a 38 6a 6c 71 76 6a 7a 63 7a 6f 4e 44 39 32 77 64 71 57 30 33 53 30 65 64 63 6b 33 49 41 50 59 3d 3d }
$e3 = { 4d 31 61 79 42 61 69 39 76 38 72 50 46 41 77 58 74 48 46 59 2f 76 41 54 2b 70 4c 31 64 44 68 62 39 35 36 74 6a 44 63 4e 4d 37 41 3d }
$e4 = { 4d 6c 6b 48 56 64 52 62 4f 6b 72 61 39 73 2b 47 36 35 4d 41 6f 4c 67 61 33 34 30 74 33 2b 7a 6a 2f 75 38 4c 50 66 50 33 68 69 67 3d }
$e5 = { 31 53 69 62 34 48 66 50 75 52 51 6a 70 78 49 70 45 43 6e 78 78 54 50 69 75 33 46 58 4f 46 41 48 4d 78 2f 2b 39 4d 45 56 76 39 4d 2b 68 31 6e 67 56 37 54 35 57 55 50 33 62 30 7a 73 67 30 51 64 }
// $f: "IJKLMNOPghijklmnABCDEFGHQRSTUVWX456789+/opqrstuvYZabcdefwxyz0123" — the 64 Base64
// characters in a non-standard order, so the $e* values would not decode with a stock decoder.
$f = { 49 4a 4b 4c 4d 4e 4f 50 67 68 69 6a 6b 6c 6d 6e 41 42 43 44 45 46 47 48 51 52 53 54 55 56 57 58 34 35 36 37 38 39 2b 2f 6f 70 71 72 73 74 75 76 59 5a 61 62 63 64 65 66 77 78 79 7a 30 31 32 33 }
condition:
// Every group must contribute: one blob, one $b pattern, $c, $d, two $e constants and $f.
Macho and filesize < 200KB and 1 of ( $a* ) and 1 of ( $b* ) and $c and $d and 2 of ( $e* ) and $f
}
// Flags bash scripts under 1KB that reference both a paramsJson.json file and a
// hidden ".Resources" path component.
rule XProtect_MACOS_b5bd028
{
meta:
description = "MACOS.b5bd028"
strings:
// $a: "#!/bin/bash"; the condition pins it to offset 0.
$a = { 23 21 2f 62 69 6e 2f 62 61 73 68 }
// $b1: "/paramsJson.json"
$b1 = { 2f 70 61 72 61 6d 73 4a 73 6f 6e 2e 6a 73 6f 6e }
// $b2: "/.Resources"
$b2 = { 2f 2e 52 65 73 6f 75 72 63 65 73 }
condition:
$a at 0 and all of ($b*) and filesize < 1KB
}
// Flags Mach-O files under 5MB that contain repeated 0x50 / 0x58 / 0x90 filler
// sequences, import the CFUUID creation symbols and reference a process-launch API.
rule XProtect_MACOS_d98ded3
{
meta:
description = "MACOS.d98ded3"
strings:
// $a*: runs of 0x50 and 0x58 separated by two to five 0x90 bytes. Read as x86 these are
// push rax / pop rax / nop, i.e. instructions with no net effect.
// NOTE(review): presumably junk-code padding inserted by an obfuscator — confirm.
$a1 = { 50 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) 50 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) }
$a2 = { 50 50 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) }
$a3 = { 50 50 50 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) 58 ( 90 90 | 90 90 90 | 90 90 90 90 | 90 90 90 90 90 ) }
// $b1: "_CFUUIDCreate"   $b2: "_CFUUIDCreateString"
// $b1 is a prefix of $b2, so any match of $b2 also satisfies $b1.
$b1 = { 5f 43 46 55 55 49 44 43 72 65 61 74 65 }
$b2 = { 5f 43 46 55 55 49 44 43 72 65 61 74 65 53 74 72 69 6e 67 }
// $c1: "_system"   $c2: "launchedTaskWithLaunchPath:arguments:"
$c1 = { 5f 73 79 73 74 65 6d }
$c2 = { 6c 61 75 6e 63 68 65 64 54 61 73 6b 57 69 74 68 4c 61 75 6e 63 68 50 61 74 68 3a 61 72 67 75 6d 65 6e 74 73 3a }
condition:
// Macho is the private rule that checks the Mach-O / fat magic at offset 0.
Macho and any of ($a*) and all of ($b*) and any of ($c*) and filesize < 5MB
}
// Flags Mach-O files under 500KB that match either two of three code/symbol patterns
// ($a*) or five of twelve string indicators ($b*).
rule XProtect_MACOS_9a3e9ed
{
meta:
description = "MACOS.9a3e9ed"
strings:
// $a1: wildcarded byte pattern starting 55 48 89 e5 (the usual x86-64 frame setup) and
// containing ff e0. NOTE(review): looks like a jump-table dispatch — confirm.
$a1 = { 55 48 89 e5 [0 - 2] 83 ff 7? 77 3? 89 f8 48 8d 0d ?? 2? 00 00 48 63 04 81 48 01 c8 ff e0 bf 09 00 00 00 e8 ?d 7? 00 00 [30 - 40] 31 (db | c0) }
// $a2: NOTE(review): presumably the arm64 counterpart of $a1 — confirm with a disassembler.
$a2 = { f4 4f be a9 fd 7b 01 a9 fd 43 00 91 1f dc 01 71 08 ?? ?? 54 [0 - 30] 20 01 80 52 }
// $a3: "_get_updater_cstr_const"
$a3 = { 5F 67 65 74 5F 75 70 64 61 74 65 72 5F 63 73 74 72 5F 63 6F 6E 73 74 }
// $b1-$b4: eight text bytes followed by 0x48 ('H'):
//   "{searchT", ".mycoupo", "nsmartsm", "prudense".
// NOTE(review): the trailing 0x48 is presumably the first byte of the next instruction
// when the text is embedded as an 8-byte immediate — confirm.
$b1 = { 7b 73 65 61 72 63 68 54 48 }
$b2 = { 2e 6d 79 63 6f 75 70 6f 48 }
$b3 = { 6e 73 6d 61 72 74 73 6d 48 }
$b4 = { 70 72 75 64 65 6e 73 65 48 }
// $b5: "_SMJobSubmit"   $b6: "_kSMDomainSystemLaunchd"
$b5 = { 5f 53 4d 4a 6f 62 53 75 62 6d 69 74 }
$b6 = { 5f 6b 53 4d 44 6f 6d 61 69 6e 53 79 73 74 65 6d 4c 61 75 6e 63 68 64 }
// $b7: "IOPlatformSerialNumber"
$b7 = { 49 4f 50 6c 61 74 66 6f 72 6d 53 65 72 69 61 6c 4e 75 6d 62 65 72 }
// $b8: "yougotupdated"   $b9: "-method=run"
$b8 = { 79 6f 75 67 6f 74 75 70 64 61 74 65 64 }
$b9 = { 2d 6d 65 74 68 6f 64 3d 72 75 6e }
// $b10: "retrieveMachineId"   $b11: "runAppleScript"   $b12: "modifyUserDefaults"
$b10 = { 72 65 74 72 69 65 76 65 4D 61 63 68 69 6E 65 49 64 }
$b11 = { 72 75 6E 41 70 70 6C 65 53 63 72 69 70 74 }
$b12 = { 6D 6F 64 69 66 79 55 73 65 72 44 65 66 61 75 6C 74 73 }
condition:
// Macho is the private rule that checks the Mach-O / fat magic at offset 0.
Macho and filesize < 500KB and ((2 of ($a*)) or (5 of ($b*)))
}
// Flags Mach-O files under 2MB that contain all four listed log/selector strings.
rule XProtect_MACOS_22f03bb
{
meta:
description = "MACOS.22f03bb"
strings:
// $a1: "crypto_2 load"
$a1 = { 63 72 79 70 74 6F 5F 32 20 6C 6F 61 64 }
// $a2: "hookCommon"
$a2 = { 68 6F 6F 6B 43 6F 6D 6D 6F 6E }
// $a3: "myOCLog:"
$a3 = { 6D 79 4F 43 4C 6F 67 3A }
// $a4: "runShellWithCommand:completeBlock"
$a4 = { 72 75 6E 53 68 65 6C 6C 57 69 74 68 43 6F 6D 6D 61 6E 64 3A 63 6F 6D 70 6C 65 74 65 42 6C 6F 63 6B }
condition:
// Macho is the private rule that checks the Mach-O / fat magic at offset 0.
Macho and (all of ($a*)) and filesize < 2MB
}
// Flags Mach-O files under 200KB that contain any three of eight short identifier strings.
rule XProtect_MACOS_e150543
{
meta:
description = "MACOS.e150543"
strings:
// $a1: "ShellView"   $a2: "okEvt"   $a3: "closeEvt"   $a4: "cancelEvt"
$a1 = { 53 68 65 6c 6c 56 69 65 77 }
$a2 = { 6f 6b 45 76 74 }
$a3 = { 63 6c 6f 73 65 45 76 74 }
$a4 = { 63 61 6e 63 65 6c 45 76 74 }
// $a5: "runModal:"   $a6: "Opt:"   $a7: "crabs:"   $a8: "Tmp:"
$a5 = { 72 75 6e 4d 6f 64 61 6c 3a }
$a6 = { 4f 70 74 3a }
$a7 = { 63 72 61 62 73 3a }
$a8 = { 54 6d 70 3a }
condition:
// NOTE(review): several patterns are only four or five bytes long and only three of the
// eight are required, so the 200KB cap and the Mach-O check carry much of the precision
// — worth testing against a corpus of benign binaries.
Macho and 3 of them and filesize < 200KB
}
// Flags Mach-O files under 2MB that import dispatch_async, contain a class name or an
// external-IP lookup URL (or a "%@/MGD/" path format), and two of three "Drive" identifiers.
rule XProtect_MACOS_efb903b
{
meta:
description = "MACOS.efb903b"
strings:
// $a: "_dispatch_async"
$a = { 5f 64 69 73 70 61 74 63 68 5f 61 73 79 6e 63 }
// $b1: "CDDSMacBaseInfo"
$b1 = { 43 44 44 53 4d 61 63 42 61 73 65 49 6e 66 6f }
// $b2: "http://cgi1.apnic.net/cgi-bin/my-ip.php"
$b2 = {
68 74 74 70 3a 2f 2f 63
67 69 31 2e 61 70 6e 69
63 2e 6e 65 74 2f 63 67
69 2d 62 69 6e 2f 6d 79
2d 69 70 2e 70 68 70
}
// $c: "%@/MGD/"
$c = { 25 40 2f 4d 47 44 2f }
// $d1: "DriveCreds"
$d1 = {
44 72 69 76 65 43 72 65
64 73
}
// $d2: "getDriveToMemory"
$d2 = {
67 65 74 44 72 69 76 65
54 6f 4d 65 6d 6f 72 79
}
// $d3: "checkDriveCmdFileList"
$d3 = {
63 68 65 63 6b 44 72 69
76 65 43 6d 64 46 69 6c
65 4c 69 73 74
}
condition:
// ($a*) and ($c*) each select a single string here, so `all of` is equivalent to naming it.
Macho and filesize < 2MB and
all of ($a*) and
(any of ($b*) or all of ($c*)) and
2 of ($d*)
}
// Flags Mach-O files that contain any two of: a pCloud file-link API URL, an Objective-C
// method name taking an access token, and a list of document/media file extensions.
rule XProtect_snowdrift {
meta:
description = "SNOWDRIFT"
strings:
// $a: "https://api.pcloud.com/getfilelink?path=%@&forcedownload=1"
$a = {
68 74 74 70 73 3a 2f 2f
61 70 69 2e 70 63 6c 6f
75 64 2e 63 6f 6d 2f 67
65 74 66 69 6c 65 6c 69
6e 6b 3f 70 61 74 68 3d
25 40 26 66 6f 72 63 65
64 6f 77 6e 6c 6f 61 64
3d 31
}
// $b: "-[Management initCloud:access_token:]"
$b = {
2d 5b 4d 61 6e 61 67 65
6d 65 6e 74 20 69 6e 69
74 43 6c 6f 75 64 3a 61
63 63 65 73 73 5f 74 6f
6b 65 6e 3a 5d
}
// $c: "*.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.hwp;*.hwpx;*.csv;*.pdf;*.rtf;*.amr;*.3gp;
//      *.m4a;*.txt;*.mp3;*.jpg;*.eml;*.emlx" (one contiguous string in the pattern)
$c = {
2a 2e 64 6f 63 3b 2a 2e
64 6f 63 78 3b 2a 2e 78
6c 73 3b 2a 2e 78 6c 73
78 3b 2a 2e 70 70 74 3b
2a 2e 70 70 74 78 3b 2a
2e 68 77 70 3b 2a 2e 68
77 70 78 3b 2a 2e 63 73
76 3b 2a 2e 70 64 66 3b
2a 2e 72 74 66 3b 2a 2e
61 6d 72 3b 2a 2e 33 67
70 3b 2a 2e 6d 34 61 3b
2a 2e 74 78 74 3b 2a 2e
6d 70 33 3b 2a 2e 6a 70
67 3b 2a 2e 65 6d 6c 3b
2a 2e 65 6d 6c 78
}
condition:
// Unlike most rules in this file there is no filesize bound, so all three patterns
// are searched in Mach-O files of any size.
Macho and 2 of them
}
// Flags Mach-O files under 1MB that contain all five installer-related identifiers.
rule XProtect_MACOS_da36796
{
meta:
description = "MACOS.da36796"
strings:
// Anonymous strings, in order: "MetaInstaller", "SilentInstallerWindow",
// "installer.plist", "metadataURL", "reportURL".
$ = { 4d 65 74 61 49 6e 73 74 61 6c 6c 65 72 }
$ = { 53 69 6c 65 6e 74 49 6e 73 74 61 6c 6c 65 72 57 69 6e 64 6f 77 }
$ = { 69 6e 73 74 61 6c 6c 65 72 2e 70 6c 69 73 74 }
$ = { 6d 65 74 61 64 61 74 61 55 52 4c }
$ = { 72 65 70 6f 72 74 55 52 4c }
condition:
// Macho is the private rule that checks the Mach-O / fat magic at offset 0.
Macho and all of them and filesize < 1MB
}
// MACOS.KEYSTEAL.A: Mach-O under 1MB that contains all three byte patterns
// below. The patterns include NUL bytes and double quotes, so they are kept
// in hex form; the comments give the ASCII reading.
rule XProtect_MACOS_KEYSTEAL_A
{
meta:
description = "MACOS.KEYSTEAL.A"
strings:
// ASCII: data:application/x-apple-aspen-mobileprovision;base64,%@
// A data: URI format string; the MIME type is the one used for Apple
// provisioning profiles, and "%@" is the Foundation object placeholder.
$ = { 64 61 74 61 3A 61 70 70 6C 69 63 61 74 69 6F 6E 2F 78 2D 61 70 70 6C 65 2D 61 73 70 65 6E 2D 6D 6F 62 69 6C 65 70 72 6F 76 69 73 69 6F 6E 3B 62 61 73 65 36 34 2C 25 40 }
// ASCII with NUL separators: \0 newdev \0 newid \0 gogogo \0
// i.e. three short C strings stored back to back, matched with their terminators.
$ = { 00 6E 65 77 64 65 76 00 6E 65 77 69 64 00 67 6F 67 6F 67 6F 00 }
// ASCII: {"data":"%@"}  (a JSON body template)
$ = { 7B 22 64 61 74 61 22 3A 22 25 40 22 7D }
condition:
// Macho is the private file-format rule defined earlier in this file.
Macho and all of them and filesize < 1MB
}
// MACOS.HONKBOX.A: Mach-O under 200MB that contains any one of five hard-coded
// I2P hostnames. Each pattern is 52 base32 characters followed by ".b32.i2p".
// The hex is left untouched: in an opaque identifier like this a single
// mistyped character would silently disable the match.
rule XProtect_HONKBOX_A
{
meta:
description = "MACOS.HONKBOX.A"
strings:
// ASCII: e4ppgzueqjiam3qvhzffwraakvcgzrjp5dzl3xzv24w6q5rjr7kq.b32.i2p
$ = { 65 34 70 70 67 7a 75 65 71 6a 69 61 6d 33 71 76 68 7a 66 66 77 72 61 61 6b 76 63 67 7a 72 6a 70 35 64 7a 6c 33 78 7a 76 32 34 77 36 71 35 72 6a 72 37 6b 71 2e 62 33 32 2e 69 32 70 }
// ASCII: ignkbpfquhb66hg74dtkiqietymmhc3xwcfwpspb76b4wdadv2cq.b32.i2p
$ = { 69 67 6e 6b 62 70 66 71 75 68 62 36 36 68 67 37 34 64 74 6b 69 71 69 65 74 79 6d 6d 68 63 33 78 77 63 66 77 70 73 70 62 37 36 62 34 77 64 61 64 76 32 63 71 2e 62 33 32 2e 69 32 70 }
// ASCII: paknh3ifk3mj2gq5w6gbfzxwa2nd6qleklw37rlzocqipq7q4lca.b32.i2p
$ = { 70 61 6b 6e 68 33 69 66 6b 33 6d 6a 32 67 71 35 77 36 67 62 66 7a 78 77 61 32 6e 64 36 71 6c 65 6b 6c 77 33 37 72 6c 7a 6f 63 71 69 70 71 37 71 34 6c 63 61 2e 62 33 32 2e 69 32 70 }
// ASCII: hghsfkrat5dd7ikqzk3d3h5jattjxlru6zmxzxd7y3wib6goodmq.b32.i2p
$ = { 68 67 68 73 66 6b 72 61 74 35 64 64 37 69 6b 71 7a 6b 33 64 33 68 35 6a 61 74 74 6a 78 6c 72 75 36 7a 6d 78 7a 78 64 37 79 33 77 69 62 36 67 6f 6f 64 6d 71 2e 62 33 32 2e 69 32 70 }
// ASCII: jiasil3a7kcxitu4swlixbnyt6wbbm65kqknqknnvkj2yvj7lliq.b32.i2p
$ = { 6a 69 61 73 69 6c 33 61 37 6b 63 78 69 74 75 34 73 77 6c 69 78 62 6e 79 74 36 77 62 62 6d 36 35 6b 71 6b 6e 71 6b 6e 6e 76 6b 6a 32 79 76 6a 37 6c 6c 69 71 2e 62 33 32 2e 69 32 70 }
condition:
// One hostname is enough; the 200MB bound is the loosest size gate among the rules shown here.
// Macho is the private file-format rule defined earlier in this file.
Macho and any of them and filesize < 200MB
}
// MACOS.HONKBOX.B: Mach-O under 100MB that embeds three shell-script
// fragments (all required). The fragments contain double quotes, so they are
// kept in hex; the comments give the ASCII reading.
rule XProtect_HONKBOX_B
{
meta:
description = "MACOS.HONKBOX.B"
strings:
// ASCII: BASE64BLOB="XQAAgAD//////////
// A shell variable assignment whose value starts with base64 text. That
// prefix decodes to bytes 5D 00 00 80 00 FF ..., which looks like an
// LZMA-alone stream header - NOTE(review): confirm against a sample.
$ = { 42 41 53 45 36 34 42 4c 4f 42 3d 22 58 51 41 41 67 41 44 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f }
// ASCII: BASE64BLOB | base64 -o "
// Tail of a pipeline that feeds the variable to base64 with an output-file option.
$ = { 42 41 53 45 36 34 42 4c 4f 42 20 7c 20 62 61 73 65 36 34 20 2d 6f 20 22 }
// ASCII: RANDOM % 1000  (presumably shell arithmetic on $RANDOM)
$ = { 52 41 4e 44 4f 4d 20 25 20 31 30 30 30 }
condition:
// Macho is the private file-format rule defined earlier in this file.
Macho and all of them and filesize < 100MB
}
// MACOS.HONKBOX.C: Mach-O under 5MB that embeds three shell-script fragments
// (all required). Same shape as XProtect_HONKBOX_B, with a different variable
// name and base64 invocation. Kept in hex because the fragments contain
// double quotes.
rule XProtect_HONKBOX_C
{
meta:
description = "MACOS.HONKBOX.C"
strings:
// ASCII: PLD="XQAAgAD//////////
// Shell variable assignment; the base64 prefix decodes to 5D 00 00 80 00 FF ...,
// which looks like an LZMA-alone stream header - NOTE(review): confirm against a sample.
$ = { 50 4c 44 3d 22 58 51 41 41 67 41 44 2f 2f 2f 2f 2f 2f 2f 2f 2f 2f }
// ASCII: echo $PLD | base64 -d > "
// Decodes the variable and redirects the result into a quoted path.
$ = { 65 63 68 6f 20 24 50 4c 44 20 7c 20 62 61 73 65 36 34 20 2d 64 20 3e 20 22 }
// ASCII: RANDOM % 1000  (presumably shell arithmetic on $RANDOM)
$ = { 52 41 4e 44 4f 4d 20 25 20 31 30 30 30 }
condition:
// Macho is the private file-format rule defined earlier in this file.
Macho and all of them and filesize < 5MB
}
// MACOS.16e6816: Mach-O under 30MB containing at least six of eight
// identifiers, most of which name credential/keychain handling routines.
rule XProtect_MACOS_16e6816
{
    meta:
        description = "MACOS.16e6816"

    strings:
        // Anonymous strings, same bytes as the hex originals.
        $ = "ExtractSafeStoragePassword" ascii
        $ = "DecryptKeychain" ascii
        $ = "DumpKeyChain" ascii
        $ = "UploadKeychain" ascii
        $ = "ZipFolder" ascii
        $ = "GetSeeds" ascii
        // Seven 7-character words run together in sorted order; this looks
        // like a slice of a compiler-merged string table rather than one
        // identifier - NOTE(review): confirm against a sample.
        $ = "CURRENTChanDirCoinomiConvertCookiesCreatedCypriot" ascii
        $ = "EvictNS" ascii

    condition:
        // 6-of-8 tolerates variants that drop up to two of the names.
        filesize < 30MB and Macho and 6 of them
}
// MACOS.6319b53: Mach-O under 4MB that contains all fourteen names below.
// Every name on its own is ordinary (libc / Security / IOKit symbols and
// IOKit registry keys); the signature is the full combination.
rule XProtect_MACOS_6319b53
{
    meta:
        description = "MACOS.6319b53"

    strings:
        // Leading-underscore names, as C symbols appear in a Mach-O symbol table.
        $a = "_uuid_generate_random" ascii
        $b = "_uuid_unparse" ascii
        $c = "_sysctl" ascii
        $d = "_syslog" ascii
        $e = "_getgrgid" ascii
        $f = "_getpwuid" ascii
        $g = "_SecTransformExecute" ascii
        $h = "_IOServiceMatching" ascii
        $i = "_IOServiceGetMatchingService" ascii
        // "Ber" names - presumably BER/ASN.1 helper identifiers; verify against a sample.
        $j = "BerTagged" ascii
        $k = "berContent" ascii
        $l = "berLengthBytes" ascii
        // IOKit registry property names for the hardware UUID and serial number.
        $m = "IOPlatformUUID" ascii
        $n = "IOPlatformSerialNumber" ascii

    condition:
        filesize < 4MB and Macho and all of them
}
// MACOS.SOMA.A: Mach-O under 200MB that contains all five markers below.
// Left in hex because one pattern uses a hex alternation.
rule XProtect_MACOS_SOMA_A
{
meta:
description = "MACOS.SOMA.A"
strings:
// ASCII: GrabFirefox
$ = { 47 72 61 62 46 69 72 65 66 6f 78 }
// ASCII: FileGrabber
$ = { 46 69 6c 65 47 72 61 62 62 65 72 }
// ASCII: GrabChrom + ( "e" | "ium" )  ->  GrabChrome or GrabChromium
$ = { 47 72 61 62 43 68 72 6f 6d ( 65 | 69 75 6d ) }
// ASCII: /sendlog  (looks like a URL path)
$ = { 2f 73 65 6e 64 6c 6f 67 }
// ASCII: BuildID
$ = { 42 75 69 6c 64 49 44 }
condition:
// Macho is the private file-format rule defined earlier in this file.
Macho and all of them and filesize < 200MB
}
// MACOS.SOMA.C: Mach-O under 2MB that contains all five markers below.
// Each marker is also the name or argument of a legitimate macOS tool, so
// the rule depends on all of them appearing together in a small binary.
// Left in hex because one pattern uses a hex alternation.
rule XProtect_MACOS_SOMA_C
{
meta:
description = "MACOS.SOMA.C"
strings:
// ASCII: SP + ( "Hard" | "Soft" ) + wareDataType
//   ->  SPHardwareDataType or SPSoftwareDataType (system_profiler data types)
$ = { 53 50 ( 48 61 72 64 | 53 6F 66 74 ) 77 61 72 65 44 61 74 61 54 79 70 65 }
// ASCII: find-generic-password  (a subcommand of the `security` CLI)
$ = { 66 69 6e 64 2d 67 65 6e 65 72 69 63 2d 70 61 73 73 77 6f 72 64 }
// ASCII: keychain-db  (suffix of keychain database file names)
$ = { 6b 65 79 63 68 61 69 6e 2d 64 62 }
// ASCII: osascript
$ = { 6f 73 61 73 63 72 69 70 74 }
// ASCII: authonly  (presumably the dscl -authonly option; verify against a sample)
$ = { 61 75 74 68 6f 6e 6c 79 }
condition:
// Macho is the private file-format rule defined earlier in this file.
Macho and all of them and filesize < 2MB
}
// MACOS.SOMA.D: Mach-O under 200MB that contains at least three of the
// fourteen $a markers (browser data file names and macOS tool names/arguments)
// and at least three of the twelve $b markers (six 32-character identifiers,
// each present both raw and base64-encoded).
// The hex is left untouched: the $b identifiers are opaque, and a single
// mistyped character would silently change what the rule matches.
rule XProtect_MACOS_SOMA_D
{
meta:
description = "MACOS.SOMA.D"
strings:
// --- $a: file names of browser credential/cookie stores ---
// ASCII: Cookies.binarycookies
$a01 = { 43 6f 6f 6b 69 65 73 2e 62 69 6e 61 72 79 63 6f 6f 6b 69 65 73 }
// ASCII: Web Data
$a02 = { 57 65 62 20 44 61 74 61 }
// ASCII: Login Data
$a03 = { 4c 6f 67 69 6e 20 44 61 74 61 }
// ASCII: cookies.sqlite
$a04 = { 63 6f 6f 6b 69 65 73 2e 73 71 6c 69 74 65 }
// ASCII: formhistory.sqlite
$a05 = { 66 6f 72 6d 68 69 73 74 6f 72 79 2e 73 71 6c 69 74 65 }
// ASCII: key4.db
$a06 = { 6b 65 79 34 2e 64 62 }
// ASCII: logins.json
$a07 = { 6c 6f 67 69 6e 73 2e 6a 73 6f 6e }
// --- $a: macOS command-line tool names and arguments ---
// ASCII: find-generic-password
$a08 = { 66 69 6e 64 2d 67 65 6e 65 72 69 63 2d 70 61 73 73 77 6f 72 64 }
// ASCII: authonly
$a09 = { 61 75 74 68 6f 6e 6c 79 }
// ASCII: osascript
$a10 = { 6f 73 61 73 63 72 69 70 74 }
// ASCII: system_profiler
$a11 = { 73 79 73 74 65 6d 5f 70 72 6f 66 69 6c 65 72 }
// ASCII: SPSoftwareDataType
$a12 = { 53 50 53 6f 66 74 77 61 72 65 44 61 74 61 54 79 70 65 }
// ASCII: SPHardwareDataType
$a13 = { 53 50 48 61 72 64 77 61 72 65 44 61 74 61 54 79 70 65 }
// ASCII: SPDisplaysDataType
$a14 = { 53 50 44 69 73 70 6c 61 79 73 44 61 74 61 54 79 70 65 }
// --- $b: 32-character lowercase identifiers (the a-p form used for Chromium
// extension IDs); each $bN_64 is the base64 text of the matching $bN ---
// ASCII: ookjlbkiijinhpmnjffcofjonbfbgaoc
$b1 = { 6f 6f 6b 6a 6c 62 6b 69 69 6a 69 6e 68 70 6d 6e 6a 66 66 63 6f 66 6a 6f 6e 62 66 62 67 61 6f 63 }
$b1_64 = { 62 32 39 72 61 6d 78 69 61 32 6c 70 61 6d 6c 75 61 48 42 74 62 6d 70 6d 5a 6d 4e 76 5a 6d 70 76 62 6d 4a 6d 59 6d 64 68 62 32 4d 3d }
// ASCII: cgeeodpfagjceefieflmdfphplkenlfk
$b2 = { 63 67 65 65 6f 64 70 66 61 67 6a 63 65 65 66 69 65 66 6c 6d 64 66 70 68 70 6c 6b 65 6e 6c 66 6b }
$b2_64 = { 59 32 64 6c 5a 57 39 6b 63 47 5a 68 5a 32 70 6a 5a 57 56 6d 61 57 56 6d 62 47 31 6b 5a 6e 42 6f 63 47 78 72 5a 57 35 73 5a 6d 73 3d }
// ASCII: hnhobjmcibchnmglfbldbfabcgaknlkj
$b3 = { 68 6e 68 6f 62 6a 6d 63 69 62 63 68 6e 6d 67 6c 66 62 6c 64 62 66 61 62 63 67 61 6b 6e 6c 6b 6a }
$b3_64 = { 61 47 35 6f 62 32 4a 71 62 57 4e 70 59 6d 4e 6f 62 6d 31 6e 62 47 5a 69 62 47 52 69 5a 6d 46 69 59 32 64 68 61 32 35 73 61 32 6f 3d }
// ASCII: bcopgchhojmggmffilplmbdicgaihlkp
$b4 = { 62 63 6f 70 67 63 68 68 6f 6a 6d 67 67 6d 66 66 69 6c 70 6c 6d 62 64 69 63 67 61 69 68 6c 6b 70 }
$b4_64 = { 59 6d 4e 76 63 47 64 6a 61 47 68 76 61 6d 31 6e 5a 32 31 6d 5a 6d 6c 73 63 47 78 74 59 6d 52 70 59 32 64 68 61 57 68 73 61 33 41 3d }
// ASCII: hmeobnfnfcmdkdcmlblgagmfpfboieaf
$b5 = { 68 6d 65 6f 62 6e 66 6e 66 63 6d 64 6b 64 63 6d 6c 62 6c 67 61 67 6d 66 70 66 62 6f 69 65 61 66 }
$b5_64 = { 61 47 31 6c 62 32 4a 75 5a 6d 35 6d 59 32 31 6b 61 32 52 6a 62 57 78 69 62 47 64 68 5a 32 31 6d 63 47 5a 69 62 32 6c 6c 59 57 59 3d }
// ASCII: nkbihfbeogaeaoehlefnkodbefgpgknn
$b6 = { 6e 6b 62 69 68 66 62 65 6f 67 61 65 61 6f 65 68 6c 65 66 6e 6b 6f 64 62 65 66 67 70 67 6b 6e 6e }
$b6_64 = { 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 34 3d }
condition:
// ($b*) covers both the raw and the _64 patterns, so the 3-of count can be
// met by any mix of the two encodings.
// Macho is the private file-format rule defined earlier in this file.
Macho and 3 of ($a*) and 3 of ($b*) and filesize < 200MB
}
rule XProtect_MACOS_SOMA_E
{
meta:
description = "MACOS.SOMA.E"
strings:
$a = { 50 4f 53 54 20 2f 70 32 70 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 00 }
$a00 = { 50 4e 51 57 24 2a 76 35 78 29 42 5f 58 5d 21 3e 3e 20 1f 19 5c 7a 65 63 22 19 }
$a01 = { 51 4d 50 50 25 29 77 3a 79 2a 43 58 59 5e 20 21 3f 23 1e 1e 5d 79 64 6c 23 1a }
$a02 = { 52 4c 57 51 26 28 78 3b 7a 2b 44 59 5a 5f 3f 20 3c 22 19 1f 5e 78 6b 6d 20 1b }
$a03 = { 53 4b 56 52 27 27 79 38 7b 2c 45 5a 5b 40 3e 23 3d 25 18 1c 5f 77 6a 6e 21 1c }
$a04 = { 54 4a 55 53 28 26 7a 39 7c 2d 46 5b 44 41 3d 22 3a 24 1b 1d 50 76 69 6f 26 1d }
$a05 = { 55 49 54 5c 29 25 7b 3e 7d 2e 47 44 45 42 3c 25 3b 27 1a 12 51 75 68 68 27 1e }
$a06 = { 56 48 5b 5d 2a 24 7c 3f 7e 2f 58 45 46 43 3b 24 38 26 15 13 52 74 6f 69 24 1f }
$a07 = { 57 47 5a 5e 2b 23 7d 3c 7f 30 59 46 47 44 3a 27 39 29 14 10 53 73 6e 6a 25 20 }
$a08 = { 58 46 59 5f 2c 22 7e 3d 60 31 5a 47 40 45 39 26 36 28 17 11 54 72 6d 6b 1a 21 }
$a09 = { 59 45 58 58 2d 21 7f 22 61 32 5b 40 41 46 38 29 37 2b 16 16 55 71 6c 54 1b 22 }
$a0a = { 5a 44 5f 59 2e 20 60 23 62 33 5c 41 42 47 37 28 34 2a 11 17 56 70 53 55 18 23 }
$a0b = { 5b 43 5e 5a 2f 3f 61 20 63 34 5d 42 43 48 36 2b 35 2d 10 14 57 4f 52 56 19 24 }
$a0c = { 5c 42 5d 5b 30 3e 62 21 64 35 5e 43 4c 49 35 2a 32 2c 13 15 68 4e 51 57 1e 25 }
$a0d = { 5d 41 5c 44 31 3d 63 26 65 36 5f 4c 4d 4a 34 2d 33 2f 12 2a 69 4d 50 50 1f 26 }
$a0e = { 5e 40 43 45 32 3c 64 27 66 37 50 4d 4e 4b 33 2c 30 2e 2d 2b 6a 4c 57 51 1c 27 }
$a0f = { 5f 5f 42 46 33 3b 65 24 67 38 51 4e 4f 4c 32 2f 31 11 2c 28 6b 4b 56 52 1d 28 }
$a10 = { 40 5e 41 47 34 3a 66 25 68 39 52 4f 48 4d 31 2e 0e 10 2f 29 6c 4a 55 53 12 29 }
$a11 = { 41 5d 40 40 35 39 67 2a 69 3a 53 48 49 4e 30 11 0f 13 2e 2e 6d 49 54 5c 13 2a }
$a12 = { 42 5c 47 41 36 38 68 2b 6a 3b 54 49 4a 4f 0f 10 0c 12 29 2f 6e 48 5b 5d 10 2b }
$a13 = { 43 5b 46 42 37 37 69 28 6b 3c 55 4a 4b 70 0e 13 0d 15 28 2c 6f 47 5a 5e 11 2c }
$a14 = { 44 5a 45 43 38 36 6a 29 6c 3d 56 4b 74 71 0d 12 0a 14 2b 2d 60 46 59 5f 16 2d }
$a15 = { 45 59 44 4c 39 35 6b 2e 6d 3e 57 74 75 72 0c 15 0b 17 2a 22 61 45 58 58 17 2e }
$a16 = { 46 58 4b 4d 3a 34 6c 2f 6e 3f 68 75 76 73 0b 14 08 16 25 23 62 44 5f 59 14 2f }
$a17 = { 47 57 4a 4e 3b 33 6d 2c 6f 00 69 76 77 74 0a 17 09 19 24 20 63 43 5e 5a 15 30 }
$a18 = { 48 56 49 4f 3c 32 6e 2d 50 01 6a 77 70 75 09 16 06 18 27 21 64 42 5d 5b 0a 31 }
$a19 = { 49 55 48 48 3d 31 6f 12 51 02 6b 70 71 76 08 19 07 1b 26 26 65 41 5c 44 0b 32 }
$a1a = { 4a 54 4f 49 3e 30 50 13 52 03 6c 71 72 77 07 18 04 1a 21 27 66 40 43 45 08 33 }
$a1b = { 4b 53 4e 4a 3f 0f 51 10 53 04 6d 72 73 78 06 1b 05 1d 20 24 67 5f 42 46 09 34 }
$a1c = { 4c 52 4d 4b 00 0e 52 11 54 05 6e 73 7c 79 05 1a 02 1c 23 25 78 5e 41 47 0e 35 }
$a1d = { 4d 51 4c 74 01 0d 53 16 55 06 6f 7c 7d 7a 04 1d 03 1f 22 3a 79 5d 40 40 0f 36 }
$a1e = { 4e 50 73 75 02 0c 54 17 56 07 60 7d 7e 7b 03 1c 00 1e 3d 3b 7a 5c 47 41 0c 37 }
$a1f = { 4f 6f 72 76 03 0b 55 14 57 08 61 7e 7f 7c 02 1f 01 01 3c 38 7b 5b 46 42 0d 38 }
$a20 = { 70 6e 71 77 04 0a 56 15 58 09 62 7f 78 7d 01 1e 1e 00 3f 39 7c 5a 45 43 02 39 }
$a21 = { 71 6d 70 70 05 09 57 1a 59 0a 63 78 79 7e 00 01 1f 03 3e 3e 7d 59 44 4c 03 3a }
$a22 = { 72 6c 77 71 06 08 58 1b 5a 0b 64 79 7a 7f 1f 00 1c 02 39 3f 7e 58 4b 4d 00 3b }
$a23 = { 73 6b 76 72 07 07 59 18 5b 0c 65 7a 7b 60 1e 03 1d 05 38 3c 7f 57 4a 4e 01 3c }
$a24 = { 74 6a 75 73 08 06 5a 19 5c 0d 66 7b 64 61 1d 02 1a 04 3b 3d 70 56 49 4f 06 3d }
$a25 = { 75 69 74 7c 09 05 5b 1e 5d 0e 67 64 65 62 1c 05 1b 07 3a 32 71 55 48 48 07 3e }
$a26 = { 76 68 7b 7d 0a 04 5c 1f 5e 0f 78 65 66 63 1b 04 18 06 35 33 72 54 4f 49 04 3f }
$a27 = { 77 67 7a 7e 0b 03 5d 1c 5f 10 79 66 67 64 1a 07 19 09 34 30 73 53 4e 4a 05 40 }
$a28 = { 78 66 79 7f 0c 02 5e 1d 40 11 7a 67 60 65 19 06 16 08 37 31 74 52 4d 4b 7a 41 }
$a29 = { 79 65 78 78 0d 01 5f 02 41 12 7b 60 61 66 18 09 17 0b 36 36 75 51 4c 34 7b 42 }
$a2a = { 7a 64 7f 79 0e 00 40 03 42 13 7c 61 62 67 17 08 14 0a 31 37 76 50 33 35 78 43 }
$a2b = { 7b 63 7e 7a 0f 1f 41 00 43 14 7d 62 63 68 16 0b 15 0d 30 34 77 2f 32 36 79 44 }
$a2c = { 7c 62 7d 7b 10 1e 42 01 44 15 7e 63 6c 69 15 0a 12 0c 33 35 08 2e 31 37 7e 45 }
$a2d = { 7d 61 7c 64 11 1d 43 06 45 16 7f 6c 6d 6a 14 0d 13 0f 32 4a 09 2d 30 30 7f 46 }
$a2e = { 7e 60 63 65 12 1c 44 07 46 17 70 6d 6e 6b 13 0c 10 0e 4d 4b 0a 2c 37 31 7c 47 }
$a2f = { 7f 7f 62 66 13 1b 45 04 47 18 71 6e 6f 6c 12 0f 11 71 4c 48 0b 2b 36 32 7d 48 }
$a30 = { 60 7e 61 67 14 1a 46 05 48 19 72 6f 68 6d 11 0e 6e 70 4f 49 0c 2a 35 33 72 49 }
$a31 = { 61 7d 60 60 15 19 47 0a 49 1a 73 68 69 6e 10 71 6f 73 4e 4e 0d 29 34 3c 73 4a }
$a32 = { 62 7c 67 61 16 18 48 0b 4a 1b 74 69 6a 6f 6f 70 6c 72 49 4f 0e 28 3b 3d 70 4b }
$a33 = { 63 7b 66 62 17 17 49 08 4b 1c 75 6a 6b 10 6e 73 6d 75 48 4c 0f 27 3a 3e 71 4c }
$a34 = { 64 7a 65 63 18 16 4a 09 4c 1d 76 6b 14 11 6d 72 6a 74 4b 4d 00 26 39 3f 76 4d }
$a35 = { 65 79 64 6c 19 15 4b 0e 4d 1e 77 14 15 12 6c 75 6b 77 4a 42 01 25 38 38 77 4e }
$a36 = { 66 78 6b 6d 1a 14 4c 0f 4e 1f 08 15 16 13 6b 74 68 76 45 43 02 24 3f 39 74 4f }
$a37 = { 67 77 6a 6e 1b 13 4d 0c 4f 60 09 16 17 14 6a 77 69 79 44 40 03 23 3e 3a 75 50 }
$a38 = { 68 76 69 6f 1c 12 4e 0d 30 61 0a 17 10 15 69 76 66 78 47 41 04 22 3d 3b 6a 51 }
$a39 = { 69 75 68 68 1d 11 4f 72 31 62 0b 10 11 16 68 79 67 7b 46 46 05 21 3c 24 6b 52 }
$a3a = { 6a 74 6f 69 1e 10 30 73 32 63 0c 11 12 17 67 78 64 7a 41 47 06 20 23 25 68 53 }
$a3b = { 6b 73 6e 6a 1f 6f 31 70 33 64 0d 12 13 18 66 7b 65 7d 40 44 07 3f 22 26 69 54 }
$a3c = { 6c 72 6d 6b 60 6e 32 71 34 65 0e 13 1c 19 65 7a 62 7c 43 45 18 3e 21 27 6e 55 }
$a3d = { 6d 71 6c 14 61 6d 33 76 35 66 0f 1c 1d 1a 64 7d 63 7f 42 5a 19 3d 20 20 6f 56 }
$a3e = { 6e 70 13 15 62 6c 34 77 36 67 00 1d 1e 1b 63 7c 60 7e 5d 5b 1a 3c 27 21 6c 57 }
$a3f = { 6f 0f 12 16 63 6b 35 74 37 68 01 1e 1f 1c 62 7f 61 61 5c 58 1b 3b 26 22 6d 58 }
$a40 = { 10 0e 11 17 64 6a 36 75 38 69 02 1f 18 1d 61 7e 7e 60 5f 59 1c 3a 25 23 62 59 }
$a41 = { 11 0d 10 10 65 69 37 7a 39 6a 03 18 19 1e 60 61 7f 63 5e 5e 1d 39 24 2c 63 5a }
$a42 = { 12 0c 17 11 66 68 38 7b 3a 6b 04 19 1a 1f 7f 60 7c 62 59 5f 1e 38 2b 2d 60 5b }
$a43 = { 13 0b 16 12 67 67 39 78 3b 6c 05 1a 1b 00 7e 63 7d 65 58 5c 1f 37 2a 2e 61 5c }
$a44 = { 14 0a 15 13 68 66 3a 79 3c 6d 06 1b 04 01 7d 62 7a 64 5b 5d 10 36 29 2f 66 5d }
$a45 = { 15 09 14 1c 69 65 3b 7e 3d 6e 07 04 05 02 7c 65 7b 67 5a 52 11 35 28 28 67 5e }
$a46 = { 16 08 1b 1d 6a 64 3c 7f 3e 6f 18 05 06 03 7b 64 78 66 55 53 12 34 2f 29 64 5f }
$a47 = { 17 07 1a 1e 6b 63 3d 7c 3f 70 19 06 07 04 7a 67 79 69 54 50 13 33 2e 2a 65 60 }
$a48 = { 18 06 19 1f 6c 62 3e 7d 20 71 1a 07 00 05 79 66 76 68 57 51 14 32 2d 2b 5a 61 }
$a49 = { 19 05 18 18 6d 61 3f 62 21 72 1b 00 01 06 78 69 77 6b 56 56 15 31 2c 14 5b 62 }
$a4a = { 1a 04 1f 19 6e 60 20 63 22 73 1c 01 02 07 77 68 74 6a 51 57 16 30 13 15 58 63 }
$a4b = { 1b 03 1e 1a 6f 7f 21 60 23 74 1d 02 03 08 76 6b 75 6d 50 54 17 0f 12 16 59 64 }
$a4c = { 1c 02 1d 1b 70 7e 22 61 24 75 1e 03 0c 09 75 6a 72 6c 53 55 28 0e 11 17 5e 65 }
$a4d = { 1d 01 1c 04 71 7d 23 66 25 76 1f 0c 0d 0a 74 6d 73 6f 52 6a 29 0d 10 10 5f 66 }
$a4e = { 1e 00 03 05 72 7c 24 67 26 77 10 0d 0e 0b 73 6c 70 6e 6d 6b 2a 0c 17 11 5c 67 }
$a4f = { 1f 1f 02 06 73 7b 25 64 27 78 11 0e 0f 0c 72 6f 71 51 6c 68 2b 0b 16 12 5d 68 }
$a50 = { 00 1e 01 07 74 7a 26 65 28 79 12 0f 08 0d 71 6e 4e 50 6f 69 2c 0a 15 13 52 69 }
$a51 = { 01 1d 00 00 75 79 27 6a 29 7a 13 08 09 0e 70 51 4f 53 6e 6e 2d 09 14 1c 53 6a }
$a52 = { 02 1c 07 01 76 78 28 6b 2a 7b 14 09 0a 0f 4f 50 4c 52 69 6f 2e 08 1b 1d 50 6b }
$a53 = { 03 1b 06 02 77 77 29 68 2b 7c 15 0a 0b 30 4e 53 4d 55 68 6c 2f 07 1a 1e 51 6c }
$a54 = { 04 1a 05 03 78 76 2a 69 2c 7d 16 0b 34 31 4d 52 4a 54 6b 6d 20 06 19 1f 56 6d }
$a55 = { 05 19 04 0c 79 75 2b 6e 2d 7e 17 34 35 32 4c 55 4b 57 6a 62 21 05 18 18 57 6e }
$a56 = { 06 18 0b 0d 7a 74 2c 6f 2e 7f 28 35 36 33 4b 54 48 56 65 63 22 04 1f 19 54 6f }
$a57 = { 07 17 0a 0e 7b 73 2d 6c 2f 40 29 36 37 34 4a 57 49 59 64 60 23 03 1e 1a 55 70 }
$a58 = { 08 16 09 0f 7c 72 2e 6d 10 41 2a 37 30 35 49 56 46 58 67 61 24 02 1d 1b 4a 71 }
$a59 = { 09 15 08 08 7d 71 2f 52 11 42 2b 30 31 36 48 59 47 5b 66 66 25 01 1c 04 4b 72 }
$a5a = { 0a 14 0f 09 7e 70 10 53 12 43 2c 31 32 37 47 58 44 5a 61 67 26 00 03 05 48 73 }
$a5b = { 0b 13 0e 0a 7f 4f 11 50 13 44 2d 32 33 38 46 5b 45 5d 60 64 27 1f 02 06 49 74 }
$a5c = { 0c 12 0d 0b 40 4e 12 51 14 45 2e 33 3c 39 45 5a 42 5c 63 65 38 1e 01 07 4e 75 }
$a5d = { 0d 11 0c 34 41 4d 13 56 15 46 2f 3c 3d 3a 44 5d 43 5f 62 7a 39 1d 00 00 4f 76 }
$a5e = { 0e 10 33 35 42 4c 14 57 16 47 20 3d 3e 3b 43 5c 40 5e 7d 7b 3a 1c 07 01 4c 77 }
$a5f = { 0f 2f 32 36 43 4b 15 54 17 48 21 3e 3f 3c 42 5f 41 41 7c 78 3b 1b 06 02 4d 78 }
$a60 = { 30 2e 31 37 44 4a 16 55 18 49 22 3f 38 3d 41 5e 5e 40 7f 79 3c 1a 05 03 42 79 }
$a61 = { 31 2d 30 30 45 49 17 5a 19 4a 23 38 39 3e 40 41 5f 43 7e 7e 3d 19 04 0c 43 7a }
$a62 = { 32 2c 37 31 46 48 18 5b 1a 4b 24 39 3a 3f 5f 40 5c 42 79 7f 3e 18 0b 0d 40 7b }
$a63 = { 33 2b 36 32 47 47 19 58 1b 4c 25 3a 3b 20 5e 43 5d 45 78 7c 3f 17 0a 0e 41 7c }
$a64 = { 34 2a 35 33 48 46 1a 59 1c 4d 26 3b 24 21 5d 42 5a 44 7b 7d 30 16 09 0f 46 7d }
$a65 = { 35 29 34 3c 49 45 1b 5e 1d 4e 27 24 25 22 5c 45 5b 47 7a 72 31 15 08 08 47 7e }
$a66 = { 36 28 3b 3d 4a 44 1c 5f 1e 4f 38 25 26 23 5b 44 58 46 75 73 32 14 0f 09 44 7f }
$a67 = { 37 27 3a 3e 4b 43 1d 5c 1f 50 39 26 27 24 5a 47 59 49 74 70 33 13 0e 0a 45 80 }
$a68 = { 38 26 39 3f 4c 42 1e 5d 00 51 3a 27 20 25 59 46 56 48 77 71 34 12 0d 0b ba 81 }
$a69 = { 39 25 38 38 4d 41 1f 42 01 52 3b 20 21 26 58 49 57 4b 76 76 35 11 0c f4 bb 82 }
$a6a = { 3a 24 3f 39 4e 40 00 43 02 53 3c 21 22 27 57 48 54 4a 71 77 36 10 f3 f5 b8 83 }
$a6b = { 3b 23 3e 3a 4f 5f 01 40 03 54 3d 22 23 28 56 4b 55 4d 70 74 37 ef f2 f6 b9 84 }
$a6c = { 3c 22 3d 3b 50 5e 02 41 04 55 3e 23 2c 29 55 4a 52 4c 73 75 c8 ee f1 f7 be 85 }
$a6d = { 3d 21 3c 24 51 5d 03 46 05 56 3f 2c 2d 2a 54 4d 53 4f 72 8a c9 ed f0 f0 bf 86 }
$a6e = { 3e 20 23 25 52 5c 04 47 06 57 30 2d 2e 2b 53 4c 50 4e 8d 8b ca ec f7 f1 bc 87 }
$a6f = { 3f 3f 22 26 53 5b 05 44 07 58 31 2e 2f 2c 52 4f 51 b1 8c 88 cb eb f6 f2 bd 88 }
$a70 = { 20 3e 21 27 54 5a 06 45 08 59 32 2f 28 2d 51 4e ae b0 8f 89 cc ea f5 f3 b2 89 }
$a71 = { 21 3d 20 20 55 59 07 4a 09 5a 33 28 29 2e 50 b1 af b3 8e 8e cd e9 f4 fc b3 8a }
$a72 = { 22 3c 27 21 56 58 08 4b 0a 5b 34 29 2a 2f af b0 ac b2 89 8f ce e8 fb fd b0 8b }
$a73 = { 23 3b 26 22 57 57 09 48 0b 5c 35 2a 2b d0 ae b3 ad b5 88 8c cf e7 fa fe b1 8c }
$a74 = { 24 3a 25 23 58 56 0a 49 0c 5d 36 2b d4 d1 ad b2 aa b4 8b 8d c0 e6 f9 ff b6 8d }
$a75 = { 25 39 24 2c 59 55 0b 4e 0d 5e 37 d4 d5 d2 ac b5 ab b7 8a 82 c1 e5 f8 f8 b7 8e }
$a76 = { 26 38 2b 2d 5a 54 0c 4f 0e 5f c8 d5 d6 d3 ab b4 a8 b6 85 83 c2 e4 ff f9 b4 8f }
$a77 = { 27 37 2a 2e 5b 53 0d 4c 0f a0 c9 d6 d7 d4 aa b7 a9 b9 84 80 c3 e3 fe fa b5 90 }
$a78 = { 28 36 29 2f 5c 52 0e 4d f0 a1 ca d7 d0 d5 a9 b6 a6 b8 87 81 c4 e2 fd fb aa 91 }
$a79 = { 29 35 28 28 5d 51 0f b2 f1 a2 cb d0 d1 d6 a8 b9 a7 bb 86 86 c5 e1 fc e4 ab 92 }
$a7a = { 2a 34 2f 29 5e 50 f0 b3 f2 a3 cc d1 d2 d7 a7 b8 a4 ba 81 87 c6 e0 e3 e5 a8 93 }
$a7b = { 2b 33 2e 2a 5f af f1 b0 f3 a4 cd d2 d3 d8 a6 bb a5 bd 80 84 c7 ff e2 e6 a9 94 }
$a7c = { 2c 32 2d 2b a0 ae f2 b1 f4 a5 ce d3 dc d9 a5 ba a2 bc 83 85 d8 fe e1 e7 ae 95 }
$a7d = { 2d 31 2c d4 a1 ad f3 b6 f5 a6 cf dc dd da a4 bd a3 bf 82 9a d9 fd e0 e0 af 96 }
$a7e = { 2e 30 d3 d5 a2 ac f4 b7 f6 a7 c0 dd de db a3 bc a0 be 9d 9b da fc e7 e1 ac 97 }
$a7f = { 2f cf d2 d6 a3 ab f5 b4 f7 a8 c1 de df dc a2 bf a1 a1 9c 98 db fb e6 e2 ad 98 }
$a80 = { d0 ce d1 d7 a4 aa f6 b5 f8 a9 c2 df d8 dd a1 be be a0 9f 99 dc fa e5 e3 a2 99 }
$a81 = { d1 cd d0 d0 a5 a9 f7 ba f9 aa c3 d8 d9 de a0 a1 bf a3 9e 9e dd f9 e4 ec a3 9a }
$a82 = { d2 cc d7 d1 a6 a8 f8 bb fa ab c4 d9 da df bf a0 bc a2 99 9f de f8 eb ed a0 9b }
$a83 = { d3 cb d6 d2 a7 a7 f9 b8 fb ac c5 da db c0 be a3 bd a5 98 9c df f7 ea ee a1 9c }
$a84 = { d4 ca d5 d3 a8 a6 fa b9 fc ad c6 db c4 c1 bd a2 ba a4 9b 9d d0 f6 e9 ef a6 9d }
$a85 = { d5 c9 d4 dc a9 a5 fb be fd ae c7 c4 c5 c2 bc a5 bb a7 9a 92 d1 f5 e8 e8 a7 9e }
$a86 = { d6 c8 db dd aa a4 fc bf fe af d8 c5 c6 c3 bb a4 b8 a6 95 93 d2 f4 ef e9 a4 9f }
$a87 = { d7 c7 da de ab a3 fd bc ff b0 d9 c6 c7 c4 ba a7 b9 a9 94 90 d3 f3 ee ea a5 a0 }
$a88 = { d8 c6 d9 df ac a2 fe bd e0 b1 da c7 c0 c5 b9 a6 b6 a8 97 91 d4 f2 ed eb 9a a1 }
$a89 = { d9 c5 d8 d8 ad a1 ff a2 e1 b2 db c0 c1 c6 b8 a9 b7 ab 96 96 d5 f1 ec d4 9b a2 }
$a8a = { da c4 df d9 ae a0 e0 a3 e2 b3 dc c1 c2 c7 b7 a8 b4 aa 91 97 d6 f0 d3 d5 98 a3 }
$a8b = { db c3 de da af bf e1 a0 e3 b4 dd c2 c3 c8 b6 ab b5 ad 90 94 d7 cf d2 d6 99 a4 }
$a8c = { dc c2 dd db b0 be e2 a1 e4 b5 de c3 cc c9 b5 aa b2 ac 93 95 e8 ce d1 d7 9e a5 }
$a8d = { dd c1 dc c4 b1 bd e3 a6 e5 b6 df cc cd ca b4 ad b3 af 92 aa e9 cd d0 d0 9f a6 }
$a8e = { de c0 c3 c5 b2 bc e4 a7 e6 b7 d0 cd ce cb b3 ac b0 ae ad ab ea cc d7 d1 9c a7 }
$a8f = { df df c2 c6 b3 bb e5 a4 e7 b8 d1 ce cf cc b2 af b1 91 ac a8 eb cb d6 d2 9d a8 }
$a90 = { c0 de c1 c7 b4 ba e6 a5 e8 b9 d2 cf c8 cd b1 ae 8e 90 af a9 ec ca d5 d3 92 a9 }
$a91 = { c1 dd c0 c0 b5 b9 e7 aa e9 ba d3 c8 c9 ce b0 91 8f 93 ae ae ed c9 d4 dc 93 aa }
$a92 = { c2 dc c7 c1 b6 b8 e8 ab ea bb d4 c9 ca cf 8f 90 8c 92 a9 af ee c8 db dd 90 ab }
$a93 = { c3 db c6 c2 b7 b7 e9 a8 eb bc d5 ca cb f0 8e 93 8d 95 a8 ac ef c7 da de 91 ac }
$a94 = { c4 da c5 c3 b8 b6 ea a9 ec bd d6 cb f4 f1 8d 92 8a 94 ab ad e0 c6 d9 df 96 ad }
$a95 = { c5 d9 c4 cc b9 b5 eb ae ed be d7 f4 f5 f2 8c 95 8b 97 aa a2 e1 c5 d8 d8 97 ae }
$a96 = { c6 d8 cb cd ba b4 ec af ee bf e8 f5 f6 f3 8b 94 88 96 a5 a3 e2 c4 df d9 94 af }
$a97 = { c7 d7 ca ce bb b3 ed ac ef 80 e9 f6 f7 f4 8a 97 89 99 a4 a0 e3 c3 de da 95 b0 }
$a98 = { c8 d6 c9 cf bc b2 ee ad d0 81 ea f7 f0 f5 89 96 86 98 a7 a1 e4 c2 dd db 8a b1 }
$a99 = { c9 d5 c8 c8 bd b1 ef 92 d1 82 eb f0 f1 f6 88 99 87 9b a6 a6 e5 c1 dc c4 8b b2 }
$a9a = { ca d4 cf c9 be b0 d0 93 d2 83 ec f1 f2 f7 87 98 84 9a a1 a7 e6 c0 c3 c5 88 b3 }
$a9b = { cb d3 ce ca bf 8f d1 90 d3 84 ed f2 f3 f8 86 9b 85 9d a0 a4 e7 df c2 c6 89 b4 }
$a9c = { cc d2 cd cb 80 8e d2 91 d4 85 ee f3 fc f9 85 9a 82 9c a3 a5 f8 de c1 c7 8e b5 }
$a9d = { cd d1 cc f4 81 8d d3 96 d5 86 ef fc fd fa 84 9d 83 9f a2 ba f9 dd c0 c0 8f b6 }
$a9e = { ce d0 f3 f5 82 8c d4 97 d6 87 e0 fd fe fb 83 9c 80 9e bd bb fa dc c7 c1 8c b7 }
$a9f = { cf ef f2 f6 83 8b d5 94 d7 88 e1 fe ff fc 82 9f 81 81 bc b8 fb db c6 c2 8d b8 }
$aa0 = { f0 ee f1 f7 84 8a d6 95 d8 89 e2 ff f8 fd 81 9e 9e 80 bf b9 fc da c5 c3 82 b9 }
$aa1 = { f1 ed f0 f0 85 89 d7 9a d9 8a e3 f8 f9 fe 80 81 9f 83 be be fd d9 c4 cc 83 ba }
$aa2 = { f2 ec f7 f1 86 88 d8 9b da 8b e4 f9 fa ff 9f 80 9c 82 b9 bf fe d8 cb cd 80 bb }
$aa3 = { f3 eb f6 f2 87 87 d9 98 db 8c e5 fa fb e0 9e 83 9d 85 b8 bc ff d7 ca ce 81 bc }
$aa4 = { f4 ea f5 f3 88 86 da 99 dc 8d e6 fb e4 e1 9d 82 9a 84 bb bd f0 d6 c9 cf 86 bd }
$aa5 = { f5 e9 f4 fc 89 85 db 9e dd 8e e7 e4 e5 e2 9c 85 9b 87 ba b2 f1 d5 c8 c8 87 be }
$aa6 = { f6 e8 fb fd 8a 84 dc 9f de 8f f8 e5 e6 e3 9b 84 98 86 b5 b3 f2 d4 cf c9 84 bf }
$aa7 = { f7 e7 fa fe 8b 83 dd 9c df 90 f9 e6 e7 e4 9a 87 99 89 b4 b0 f3 d3 ce ca 85 c0 }
$aa8 = { f8 e6 f9 ff 8c 82 de 9d c0 91 fa e7 e0 e5 99 86 96 88 b7 b1 f4 d2 cd cb fa c1 }
$aa9 = { f9 e5 f8 f8 8d 81 df 82 c1 92 fb e0 e1 e6 98 89 97 8b b6 b6 f5 d1 cc b4 fb c2 }
$aaa = { fa e4 ff f9 8e 80 c0 83 c2 93 fc e1 e2 e7 97 88 94 8a b1 b7 f6 d0 b3 b5 f8 c3 }
$aab = { fb e3 fe fa 8f 9f c1 80 c3 94 fd e2 e3 e8 96 8b 95 8d b0 b4 f7 af b2 b6 f9 c4 }
$aac = { fc e2 fd fb 90 9e c2 81 c4 95 fe e3 ec e9 95 8a 92 8c b3 b5 88 ae b1 b7 fe c5 }
$aad = { fd e1 fc e4 91 9d c3 86 c5 96 ff ec ed ea 94 8d 93 8f b2 ca 89 ad b0 b0 ff c6 }
$aae = { fe e0 e3 e5 92 9c c4 87 c6 97 f0 ed ee eb 93 8c 90 8e cd cb 8a ac b7 b1 fc c7 }
$aaf = { ff ff e2 e6 93 9b c5 84 c7 98 f1 ee ef ec 92 8f 91 f1 cc c8 8b ab b6 b2 fd c8 }
$ab0 = { e0 fe e1 e7 94 9a c6 85 c8 99 f2 ef e8 ed 91 8e ee f0 cf c9 8c aa b5 b3 f2 c9 }
$ab1 = { e1 fd e0 e0 95 99 c7 8a c9 9a f3 e8 e9 ee 90 f1 ef f3 ce ce 8d a9 b4 bc f3 ca }
$ab2 = { e2 fc e7 e1 96 98 c8 8b ca 9b f4 e9 ea ef ef f0 ec f2 c9 cf 8e a8 bb bd f0 cb }
$ab3 = { e3 fb e6 e2 97 97 c9 88 cb 9c f5 ea eb 90 ee f3 ed f5 c8 cc 8f a7 ba be f1 cc }
$ab4 = { e4 fa e5 e3 98 96 ca 89 cc 9d f6 eb 94 91 ed f2 ea f4 cb cd 80 a6 b9 bf f6 cd }
$ab5 = { e5 f9 e4 ec 99 95 cb 8e cd 9e f7 94 95 92 ec f5 eb f7 ca c2 81 a5 b8 b8 f7 ce }
$ab6 = { e6 f8 eb ed 9a 94 cc 8f ce 9f 88 95 96 93 eb f4 e8 f6 c5 c3 82 a4 bf b9 f4 cf }
$ab7 = { e7 f7 ea ee 9b 93 cd 8c cf e0 89 96 97 94 ea f7 e9 f9 c4 c0 83 a3 be ba f5 d0 }
$ab8 = { e8 f6 e9 ef 9c 92 ce 8d b0 e1 8a 97 90 95 e9 f6 e6 f8 c7 c1 84 a2 bd bb ea d1 }
$ab9 = { e9 f5 e8 e8 9d 91 cf f2 b1 e2 8b 90 91 96 e8 f9 e7 fb c6 c6 85 a1 bc a4 eb d2 }
$aba = { ea f4 ef e9 9e 90 b0 f3 b2 e3 8c 91 92 97 e7 f8 e4 fa c1 c7 86 a0 a3 a5 e8 d3 }
$abb = { eb f3 ee ea 9f ef b1 f0 b3 e4 8d 92 93 98 e6 fb e5 fd c0 c4 87 bf a2 a6 e9 d4 }
$abc = { ec f2 ed eb e0 ee b2 f1 b4 e5 8e 93 9c 99 e5 fa e2 fc c3 c5 98 be a1 a7 ee d5 }
$abd = { ed f1 ec 94 e1 ed b3 f6 b5 e6 8f 9c 9d 9a e4 fd e3 ff c2 da 99 bd a0 a0 ef d6 }
$abe = { ee f0 93 95 e2 ec b4 f7 b6 e7 80 9d 9e 9b e3 fc e0 fe dd db 9a bc a7 a1 ec d7 }
$abf = { ef 8f 92 96 e3 eb b5 f4 b7 e8 81 9e 9f 9c e2 ff e1 e1 dc d8 9b bb a6 a2 ed d8 }
$ac0 = { 90 8e 91 97 e4 ea b6 f5 b8 e9 82 9f 98 9d e1 fe fe e0 df d9 9c ba a5 a3 e2 d9 }
$ac1 = { 91 8d 90 90 e5 e9 b7 fa b9 ea 83 98 99 9e e0 e1 ff e3 de de 9d b9 a4 ac e3 da }
$ac2 = { 92 8c 97 91 e6 e8 b8 fb ba eb 84 99 9a 9f ff e0 fc e2 d9 df 9e b8 ab ad e0 db }
$ac3 = { 93 8b 96 92 e7 e7 b9 f8 bb ec 85 9a 9b 80 fe e3 fd e5 d8 dc 9f b7 aa ae e1 dc }
$ac4 = { 94 8a 95 93 e8 e6 ba f9 bc ed 86 9b 84 81 fd e2 fa e4 db dd 90 b6 a9 af e6 dd }
$ac5 = { 95 89 94 9c e9 e5 bb fe bd ee 87 84 85 82 fc e5 fb e7 da d2 91 b5 a8 a8 e7 de }
$ac6 = { 96 88 9b 9d ea e4 bc ff be ef 98 85 86 83 fb e4 f8 e6 d5 d3 92 b4 af a9 e4 df }
$ac7 = { 97 87 9a 9e eb e3 bd fc bf f0 99 86 87 84 fa e7 f9 e9 d4 d0 93 b3 ae aa e5 e0 }
$ac8 = { 98 86 99 9f ec e2 be fd a0 f1 9a 87 80 85 f9 e6 f6 e8 d7 d1 94 b2 ad ab da e1 }
$ac9 = { 99 85 98 98 ed e1 bf e2 a1 f2 9b 80 81 86 f8 e9 f7 eb d6 d6 95 b1 ac 94 db e2 }
$aca = { 9a 84 9f 99 ee e0 a0 e3 a2 f3 9c 81 82 87 f7 e8 f4 ea d1 d7 96 b0 93 95 d8 e3 }
$acb = { 9b 83 9e 9a ef ff a1 e0 a3 f4 9d 82 83 88 f6 eb f5 ed d0 d4 97 8f 92 96 d9 e4 }
$acc = { 9c 82 9d 9b f0 fe a2 e1 a4 f5 9e 83 8c 89 f5 ea f2 ec d3 d5 a8 8e 91 97 de e5 }
$acd = { 9d 81 9c 84 f1 fd a3 e6 a5 f6 9f 8c 8d 8a f4 ed f3 ef d2 ea a9 8d 90 90 df e6 }
$ace = { 9e 80 83 85 f2 fc a4 e7 a6 f7 90 8d 8e 8b f3 ec f0 ee ed eb aa 8c 97 91 dc e7 }
$acf = { 9f 9f 82 86 f3 fb a5 e4 a7 f8 91 8e 8f 8c f2 ef f1 d1 ec e8 ab 8b 96 92 dd e8 }
$ad0 = { 80 9e 81 87 f4 fa a6 e5 a8 f9 92 8f 88 8d f1 ee ce d0 ef e9 ac 8a 95 93 d2 e9 }
$ad1 = { 81 9d 80 80 f5 f9 a7 ea a9 fa 93 88 89 8e f0 d1 cf d3 ee ee ad 89 94 9c d3 ea }
$ad2 = { 82 9c 87 81 f6 f8 a8 eb aa fb 94 89 8a 8f cf d0 cc d2 e9 ef ae 88 9b 9d d0 eb }
$ad3 = { 83 9b 86 82 f7 f7 a9 e8 ab fc 95 8a 8b b0 ce d3 cd d5 e8 ec af 87 9a 9e d1 ec }
$ad4 = { 84 9a 85 83 f8 f6 aa e9 ac fd 96 8b b4 b1 cd d2 ca d4 eb ed a0 86 99 9f d6 ed }
$ad5 = { 85 99 84 8c f9 f5 ab ee ad fe 97 b4 b5 b2 cc d5 cb d7 ea e2 a1 85 98 98 d7 ee }
$ad6 = { 86 98 8b 8d fa f4 ac ef ae ff a8 b5 b6 b3 cb d4 c8 d6 e5 e3 a2 84 9f 99 d4 ef }
$ad7 = { 87 97 8a 8e fb f3 ad ec af c0 a9 b6 b7 b4 ca d7 c9 d9 e4 e0 a3 83 9e 9a d5 f0 }
$ad8 = { 88 96 89 8f fc f2 ae ed 90 c1 aa b7 b0 b5 c9 d6 c6 d8 e7 e1 a4 82 9d 9b ca f1 }
$ad9 = { 89 95 88 88 fd f1 af d2 91 c2 ab b0 b1 b6 c8 d9 c7 db e6 e6 a5 81 9c 84 cb f2 }
$ada = { 8a 94 8f 89 fe f0 90 d3 92 c3 ac b1 b2 b7 c7 d8 c4 da e1 e7 a6 80 83 85 c8 f3 }
$adb = { 8b 93 8e 8a ff cf 91 d0 93 c4 ad b2 b3 b8 c6 db c5 dd e0 e4 a7 9f 82 86 c9 f4 }
$adc = { 8c 92 8d 8b c0 ce 92 d1 94 c5 ae b3 bc b9 c5 da c2 dc e3 e5 b8 9e 81 87 ce f5 }
$add = { 8d 91 8c b4 c1 cd 93 d6 95 c6 af bc bd ba c4 dd c3 df e2 fa b9 9d 80 80 cf f6 }
$ade = { 8e 90 b3 b5 c2 cc 94 d7 96 c7 a0 bd be bb c3 dc c0 de fd fb ba 9c 87 81 cc f7 }
$adf = { 8f af b2 b6 c3 cb 95 d4 97 c8 a1 be bf bc c2 df c1 c1 fc f8 bb 9b 86 82 cd f8 }
$ae0 = { b0 ae b1 b7 c4 ca 96 d5 98 c9 a2 bf b8 bd c1 de de c0 ff f9 bc 9a 85 83 c2 f9 }
$ae1 = { b1 ad b0 b0 c5 c9 97 da 99 ca a3 b8 b9 be c0 c1 df c3 fe fe bd 99 84 8c c3 fa }
$ae2 = { b2 ac b7 b1 c6 c8 98 db 9a cb a4 b9 ba bf df c0 dc c2 f9 ff be 98 8b 8d c0 fb }
$ae3 = { b3 ab b6 b2 c7 c7 99 d8 9b cc a5 ba bb a0 de c3 dd c5 f8 fc bf 97 8a 8e c1 fc }
$ae4 = { b4 aa b5 b3 c8 c6 9a d9 9c cd a6 bb a4 a1 dd c2 da c4 fb fd b0 96 89 8f c6 fd }
$ae5 = { b5 a9 b4 bc c9 c5 9b de 9d ce a7 a4 a5 a2 dc c5 db c7 fa f2 b1 95 88 88 c7 fe }
$ae6 = { b6 a8 bb bd ca c4 9c df 9e cf b8 a5 a6 a3 db c4 d8 c6 f5 f3 b2 94 8f 89 c4 ff }
$ae7 = { b7 a7 ba be cb c3 9d dc 9f d0 b9 a6 a7 a4 da c7 d9 c9 f4 f0 b3 93 8e 8a c5 00 }
$ae8 = { b8 a6 b9 bf cc c2 9e dd 80 d1 ba a7 a0 a5 d9 c6 d6 c8 f7 f1 b4 92 8d 8b 3a 01 }
$ae9 = { b9 a5 b8 b8 cd c1 9f c2 81 d2 bb a0 a1 a6 d8 c9 d7 cb f6 f6 b5 91 8c 74 3b 02 }
$aea = { ba a4 bf b9 ce c0 80 c3 82 d3 bc a1 a2 a7 d7 c8 d4 ca f1 f7 b6 90 73 75 38 03 }
$aeb = { bb a3 be ba cf df 81 c0 83 d4 bd a2 a3 a8 d6 cb d5 cd f0 f4 b7 6f 72 76 39 04 }
$aec = { bc a2 bd bb d0 de 82 c1 84 d5 be a3 ac a9 d5 ca d2 cc f3 f5 48 6e 71 77 3e 05 }
$aed = { bd a1 bc a4 d1 dd 83 c6 85 d6 bf ac ad aa d4 cd d3 cf f2 0a 49 6d 70 70 3f 06 }
$aee = { be a0 a3 a5 d2 dc 84 c7 86 d7 b0 ad ae ab d3 cc d0 ce 0d 0b 4a 6c 77 71 3c 07 }
$aef = { bf bf a2 a6 d3 db 85 c4 87 d8 b1 ae af ac d2 cf d1 31 0c 08 4b 6b 76 72 3d 08 }
$af0 = { a0 be a1 a7 d4 da 86 c5 88 d9 b2 af a8 ad d1 ce 2e 30 0f 09 4c 6a 75 73 32 09 }
$af1 = { a1 bd a0 a0 d5 d9 87 ca 89 da b3 a8 a9 ae d0 31 2f 33 0e 0e 4d 69 74 7c 33 0a }
$af2 = { a2 bc a7 a1 d6 d8 88 cb 8a db b4 a9 aa af 2f 30 2c 32 09 0f 4e 68 7b 7d 30 0b }
$af3 = { a3 bb a6 a2 d7 d7 89 c8 8b dc b5 aa ab 50 2e 33 2d 35 08 0c 4f 67 7a 7e 31 0c }
$af4 = { a4 ba a5 a3 d8 d6 8a c9 8c dd b6 ab 54 51 2d 32 2a 34 0b 0d 40 66 79 7f 36 0d }
$af5 = { a5 b9 a4 ac d9 d5 8b ce 8d de b7 54 55 52 2c 35 2b 37 0a 02 41 65 78 78 37 0e }
$af6 = { a6 b8 ab ad da d4 8c cf 8e df 48 55 56 53 2b 34 28 36 05 03 42 64 7f 79 34 0f }
$af7 = { a7 b7 aa ae db d3 8d cc 8f 20 49 56 57 54 2a 37 29 39 04 00 43 63 7e 7a 35 10 }
$af8 = { a8 b6 a9 af dc d2 8e cd 70 21 4a 57 50 55 29 36 26 38 07 01 44 62 7d 7b 2a 11 }
$af9 = { a9 b5 a8 a8 dd d1 8f 32 71 22 4b 50 51 56 28 39 27 3b 06 06 45 61 7c 64 2b 12 }
$afa = { aa b4 af a9 de d0 70 33 72 23 4c 51 52 57 27 38 24 3a 01 07 46 60 63 65 28 13 }
$afb = { ab b3 ae aa df 2f 71 30 73 24 4d 52 53 58 26 3b 25 3d 00 04 47 7f 62 66 29 14 }
$afc = { ac b2 ad ab 20 2e 72 31 74 25 4e 53 5c 59 25 3a 22 3c 03 05 58 7e 61 67 2e 15 }
$afd = { ad b1 ac 54 21 2d 73 36 75 26 4f 5c 5d 5a 24 3d 23 3f 02 1a 59 7d 60 60 2f 16 }
$afe = { ae b0 53 55 22 2c 74 37 76 27 40 5d 5e 5b 23 3c 20 3e 1d 1b 5a 7c 67 61 2c 17 }
$aff = { af 4f 52 56 23 2b 75 34 77 28 41 5e 5f 5c 22 3f 21 21 1c 18 5b 7b 66 62 2d 18 }
$b = { 73 65 63 75 72 69 74 79 20 32 3e 26 31 20 3e 20 2f 64 65 76 2f 6e 75 6c 6c 20 66 69 6e 64 2d 67 65 6e 65 72 69 63 2d 70 61 73 73 77 6f 72 64 20 2d 67 61 20 27 43 68 72 6f 6d 65 27 20 7c 20 61 77 6b 20 27 7b 70 72 69 6e 74 20 24 32 7d 27 }
$b00 = { 73 64 61 76 76 6c 72 7e 28 3b 34 2d 3d 2d 30 2f 3f 75 77 65 3b 7b 63 7b 74 39 7c 72 72 79 33 78 45 4f 47 51 4d 46 0b 57 49 5a 59 5c 43 5f 4a 0f 1d 56 53 13 13 76 5e 45 57 54 5f 1c 1c 41 1e 5e 37 2a 62 64 3f 35 34 2e 26 3d 6a 6f 7e 30 69 }
$b01 = { 72 67 60 71 77 6f 73 71 29 38 35 2a 3c 2e 31 30 3e 76 76 62 3a 78 62 74 75 3a 7d 75 73 7a 32 47 44 4c 46 56 4c 45 0a 58 48 59 58 5b 42 5c 4b 10 1c 55 52 14 12 75 5f 4a 56 57 5e 1b 1d 42 1f 21 36 29 63 63 3e 36 35 21 27 3e 6b 68 7f 33 68 }
$b02 = { 71 66 67 70 74 6e 7c 70 2a 39 32 2b 3f 2f 2e 31 3d 77 71 63 39 79 6d 75 76 3b 7a 74 70 7b 0d 46 47 4d 41 57 4f 44 05 59 4b 58 5f 5a 41 5d 54 11 1f 54 55 15 11 74 50 4b 55 56 59 1a 1e 43 60 20 35 28 64 62 3d 37 3a 20 24 3f 6c 69 7c 32 77 }
$b03 = { 70 61 66 73 75 61 7d 73 2b 3e 33 28 3e 30 2f 32 3c 70 70 60 38 76 6c 76 77 3c 7b 77 71 44 0c 45 46 4a 40 54 4e 4b 04 5a 4a 5f 5e 59 40 42 55 12 1e 53 54 16 10 7b 51 48 54 51 58 19 1f 3c 61 23 34 2f 65 61 3c 38 3b 23 25 38 6d 6a 7d 2d 76 }
$b04 = { 77 60 65 72 7a 60 7e 72 2c 3f 30 29 21 31 2c 33 3b 71 73 61 37 77 6f 77 70 3d 78 76 4e 45 0f 44 41 4b 43 55 41 4a 07 5b 4d 5e 5d 58 5f 43 56 13 19 52 57 17 1f 7a 52 49 53 50 5b 18 60 3d 62 22 33 2e 66 60 33 39 38 22 22 39 6e 6b 62 2c 75 }
$b05 = { 76 63 64 7d 7b 63 7f 75 2d 3c 31 36 20 32 2d 34 3a 72 72 6e 36 74 6e 70 71 3e 79 49 4f 46 0e 43 40 48 42 5a 40 49 06 5c 4c 5d 5c 47 5e 40 57 14 18 51 56 18 1e 79 53 4e 52 53 5a 67 61 3e 63 25 32 2d 67 6f 32 3a 39 25 23 3a 6f 74 63 2f 74 }
$b06 = { 75 62 6b 7c 78 62 78 74 2e 3d 2e 37 23 33 2a 35 39 73 7d 6f 35 75 69 71 72 3f 46 48 4c 47 09 42 43 49 4d 5b 43 48 01 5d 4f 5c 43 46 5d 41 50 15 1b 50 59 19 1d 78 54 4f 51 52 25 66 62 3f 64 24 31 2c 68 6e 31 3b 3e 24 20 3b 70 75 60 2e 73 }
$b07 = { 74 6d 6a 7f 79 65 79 77 2f 22 2f 34 22 34 2b 36 38 7c 7c 6c 34 72 68 72 73 00 47 4b 4d 40 08 41 42 46 4c 58 42 4f 00 5e 4e 43 42 45 5c 46 51 16 1a 5f 58 1a 1c 7f 55 4c 50 2d 24 65 63 38 65 27 30 23 69 6d 30 3c 3f 27 21 24 71 76 61 29 72 }
$b08 = { 7b 6c 69 7e 7e 64 7a 76 30 23 2c 35 25 35 28 37 37 7d 7f 6d 33 73 6b 73 4c 01 44 4a 4a 41 0b 40 4d 47 4f 59 45 4e 03 5f 51 42 41 44 5b 47 52 17 15 5e 5b 1b 1b 7e 56 4d 2f 2c 27 64 64 39 66 26 3f 22 6a 6c 37 3d 3c 26 3e 25 72 77 66 28 71 }
$b09 = { 7a 6f 68 79 7f 67 7b 69 31 20 2d 32 24 36 29 38 36 7e 7e 6a 32 70 6a 4c 4d 02 45 4d 4b 42 0a 4f 4c 44 4e 5e 44 4d 02 40 50 41 40 43 5a 44 53 18 14 5d 5a 1c 1a 7d 57 32 2e 2f 26 63 65 3a 67 29 3e 21 6b 6b 36 3e 3d 39 3f 26 73 70 67 2b 70 }
$b0a = { 79 6e 6f 78 7c 66 64 68 32 21 2a 33 27 37 26 39 35 7f 79 6b 31 71 55 4d 4e 03 42 4c 48 43 05 4e 4f 45 49 5f 47 4c 1d 41 53 40 47 42 59 45 5c 19 17 5c 5d 1d 19 7c 28 33 2d 2e 21 62 66 3b 68 28 3d 20 6c 6a 35 3f 22 38 3c 27 74 71 64 2a 7f }
$b0b = { 78 69 6e 7b 7d 79 65 6b 33 26 2b 30 26 38 27 3a 34 78 78 68 30 4e 54 4e 4f 04 43 4f 49 4c 04 4d 4e 42 48 5c 46 53 1c 42 52 47 46 41 58 4a 5d 1a 16 5b 5c 1e 18 03 29 30 2c 29 20 61 67 34 69 2b 3c 27 6d 69 34 20 23 3b 3d 20 75 72 65 25 7e }
$b0c = { 7f 68 6d 7a 62 78 66 6a 34 27 28 31 29 39 24 3b 33 79 7b 69 0f 4f 57 4f 48 05 40 4e 46 4d 07 4c 49 43 4b 5d 59 52 1f 43 55 46 45 40 57 4b 5e 1b 11 5a 5f 1f 67 02 2a 31 2b 28 23 60 68 35 6a 2a 3b 26 6e 68 2b 21 20 3a 3a 21 76 73 6a 24 7d }
$b0d = { 7e 6b 6c 65 63 7b 67 6d 35 24 29 3e 28 3a 25 3c 32 7a 7a 56 0e 4c 56 48 49 06 41 41 47 4e 06 4b 48 40 4a 42 58 51 1e 44 54 45 44 4f 56 48 5f 1c 10 59 5e 60 66 01 2b 36 2a 2b 22 6f 69 36 6b 2d 3a 25 6f 77 2a 22 21 3d 3b 22 77 7c 6b 27 7c }
$b0e = { 7d 6a 73 64 60 7a 60 6c 36 25 26 3f 2b 3b 22 3d 31 7b 45 57 0d 4d 51 49 4a 07 4e 40 44 4f 01 4a 4b 41 55 43 5b 50 19 45 57 44 4b 4e 55 49 58 1d 13 58 21 61 65 00 2c 37 29 2a 2d 6e 6a 37 6c 2c 39 24 70 76 29 23 26 3c 38 23 78 7d 68 26 7b }
$b0f = { 7c 75 72 67 61 7d 61 6f 37 2a 27 3c 2a 3c 23 3e 30 44 44 54 0c 4a 50 4a 4b 08 4f 43 45 48 00 49 4a 5e 54 40 5a 57 18 46 56 4b 4a 4d 54 4e 59 1e 12 27 20 62 64 07 2d 34 28 25 2c 6d 6b 30 6d 2f 38 3b 71 75 28 24 27 3f 39 2c 79 7e 69 21 7a }
$b10 = { 63 74 71 66 66 7c 62 6e 38 2b 24 3d 2d 3d 20 3f 0f 45 47 55 0b 4b 53 4b 44 09 4c 42 42 49 03 48 55 5f 57 41 5d 56 1b 47 59 4a 49 4c 53 4f 5a 1f 6d 26 23 63 63 06 2e 35 27 24 2f 6c 6c 31 6e 2e 27 3a 72 74 2f 25 24 3e 36 2d 7a 7f 6e 20 79 }
$b11 = { 62 77 70 61 67 7f 63 61 39 28 25 3a 2c 3e 21 00 0e 46 46 52 0a 48 52 44 45 0a 4d 45 43 4a 02 57 54 5c 56 46 5c 55 1a 48 58 49 48 4b 52 4c 5b 60 6c 25 22 64 62 05 2f 3a 26 27 2e 6b 6d 32 6f 31 26 39 73 73 2e 26 25 31 37 2e 7b 78 6f 23 78 }
$b12 = { 61 76 77 60 64 7e 6c 60 3a 29 22 3b 2f 3f 1e 01 0d 47 41 53 09 49 5d 45 46 0b 4a 44 40 4b 1d 56 57 5d 51 47 5f 54 15 49 5b 48 4f 4a 51 4d 24 61 6f 24 25 65 61 04 20 3b 25 26 29 6a 6e 33 70 30 25 38 74 72 2d 27 2a 30 34 2f 7c 79 6c 22 47 }
$b13 = { 60 71 76 63 65 71 6d 63 3b 2e 23 38 2e 00 1f 02 0c 40 40 50 08 46 5c 46 47 0c 4b 47 41 54 1c 55 56 5a 50 44 5e 5b 14 4a 5a 4f 4e 49 50 32 25 62 6e 23 24 66 60 0b 21 38 24 21 28 69 6f 2c 71 33 24 3f 75 71 2c 28 2b 33 35 28 7d 7a 6d 1d 46 }
$b14 = { 67 70 75 62 6a 70 6e 62 3c 2f 20 39 11 01 1c 03 0b 41 43 51 07 47 5f 47 40 0d 48 46 5e 55 1f 54 51 5b 53 45 51 5a 17 4b 5d 4e 4d 48 2f 33 26 63 69 22 27 67 6f 0a 22 39 23 20 2b 68 70 2d 72 32 23 3e 76 70 23 29 28 32 32 29 7e 7b 52 1c 45 }
$b15 = { 66 73 74 6d 6b 73 6f 65 3d 2c 21 06 10 02 1d 04 0a 42 42 5e 06 44 5e 40 41 0e 49 59 5f 56 1e 53 50 58 52 4a 50 59 16 4c 5c 4d 4c 37 2e 30 27 64 68 21 26 68 6e 09 23 3e 22 23 2a 77 71 2e 73 35 22 3d 77 7f 22 2a 29 35 33 2a 7f 44 53 1f 44 }
$b16 = { 65 72 7b 6c 68 72 68 64 3e 2d 1e 07 13 03 1a 05 09 43 4d 5f 05 45 59 41 42 0f 56 58 5c 57 19 52 53 59 5d 4b 53 58 11 4d 5f 4c 33 36 2d 31 20 65 6b 20 29 69 6d 08 24 3f 21 22 35 76 72 2f 74 34 21 3c 78 7e 21 2b 2e 34 30 2b 40 45 50 1e 43 }
$b17 = { 64 7d 7a 6f 69 75 69 67 3f 12 1f 04 12 04 1b 06 08 4c 4c 5c 04 42 58 42 43 10 57 5b 5d 50 18 51 52 56 5c 48 52 5f 10 4e 5e 33 32 35 2c 36 21 66 6a 2f 28 6a 6c 0f 25 3c 20 3d 34 75 73 28 75 37 20 33 79 7d 20 2c 2f 37 31 14 41 46 51 19 42 }
$b18 = { 6b 7c 79 6e 6e 74 6a 66 00 13 1c 05 15 05 18 07 07 4d 4f 5d 03 43 5b 43 5c 11 54 5a 5a 51 1b 50 5d 57 5f 49 55 5e 13 4f 21 32 31 34 2b 37 22 67 65 2e 2b 6b 6b 0e 26 3d 3f 3c 37 74 74 29 76 36 2f 32 7a 7c 27 2d 2c 36 0e 15 42 47 56 18 41 }
$b19 = { 6a 7f 78 69 6f 77 6b 59 01 10 1d 02 14 06 19 08 06 4e 4e 5a 02 40 5a 5c 5d 12 55 5d 5b 52 1a 5f 5c 54 5e 4e 54 5d 12 30 20 31 30 33 2a 34 23 68 64 2d 2a 6c 6a 0d 27 22 3e 3f 36 73 75 2a 77 39 2e 31 7b 7b 26 2e 2d 09 0f 16 43 40 57 1b 40 }
$b1a = { 69 7e 7f 68 6c 76 54 58 02 11 1a 03 17 07 16 09 05 4f 49 5b 01 41 45 5d 5e 13 52 5c 58 53 15 5e 5f 55 59 4f 57 5c 6d 31 23 30 37 32 29 35 2c 69 67 2c 2d 6d 69 0c 38 23 3d 3e 31 72 76 2b 78 38 2d 30 7c 7a 25 2f 12 08 0c 17 44 41 54 1a 4f }
$b1b = { 68 79 7e 6b 6d 49 55 5b 03 16 1b 00 16 08 17 0a 04 48 48 58 00 5e 44 5e 5f 14 53 5f 59 5c 14 5d 5e 52 58 4c 56 23 6c 32 22 37 36 31 28 3a 2d 6a 66 2b 2c 6e 68 13 39 20 3c 39 30 71 77 24 79 3b 2c 37 7d 79 24 10 13 0b 0d 10 45 42 55 15 4e }
$b1c = { 6f 78 7d 6a 52 48 56 5a 04 17 18 01 19 09 14 0b 03 49 4b 59 1f 5f 47 5f 58 15 50 5e 56 5d 17 5c 59 53 5b 4d 29 22 6f 33 25 36 35 30 27 3b 2e 6b 61 2a 2f 6f 77 12 3a 21 3b 38 33 70 78 25 7a 3a 2b 36 7e 78 1b 11 10 0a 0a 11 46 43 5a 14 4d }
$b1d = { 6e 7b 7c 55 53 4b 57 5d 05 14 19 0e 18 0a 15 0c 02 4a 4a 46 1e 5c 46 58 59 16 51 51 57 5e 16 5b 58 50 5a 32 28 21 6e 34 24 35 34 3f 26 38 2f 6c 60 29 2e 70 76 11 3b 26 3a 3b 32 7f 79 26 7b 3d 2a 35 7f 47 1a 12 11 0d 0b 12 47 4c 5b 17 4c }
$b1e = { 6d 7a 43 54 50 4a 50 5c 06 15 16 0f 1b 0b 12 0d 01 4b 55 47 1d 5d 41 59 5a 17 5e 50 54 5f 11 5a 5b 51 25 33 2b 20 69 35 27 34 3b 3e 25 39 28 6d 63 28 31 71 75 10 3c 27 39 3a 3d 7e 7a 27 7c 3c 29 34 40 46 19 13 16 0c 08 13 48 4d 58 16 4b }
$b1f = { 6c 45 42 57 51 4d 51 5f 07 1a 17 0c 1a 0c 13 0e 00 54 54 44 1c 5a 40 5a 5b 18 5f 53 55 58 10 59 5a 2e 24 30 2a 27 68 36 26 3b 3a 3d 24 3e 29 6e 62 37 30 72 74 17 3d 24 38 35 3c 7d 7b 20 7d 3f 28 0b 41 45 18 14 17 0f 09 1c 49 4e 59 11 4a }
$b20 = { 53 44 41 56 56 4c 52 5e 08 1b 14 0d 1d 0d 10 0f 1f 55 57 45 1b 5b 43 5b 54 19 5c 52 52 59 13 58 25 2f 27 31 2d 26 6b 37 29 3a 39 3c 23 3f 2a 6f 7d 36 33 73 73 16 3e 25 37 34 3f 7c 7c 21 7e 3e 17 0a 42 44 1f 15 14 0e 06 1d 4a 4f 5e 10 49 }
$b21 = { 52 47 40 51 57 4f 53 51 09 18 15 0a 1c 0e 11 10 1e 56 56 42 1a 58 42 54 55 1a 5d 55 53 5a 12 27 24 2c 26 36 2c 25 6a 38 28 39 38 3b 22 3c 2b 70 7c 35 32 74 72 15 3f 2a 36 37 3e 7b 7d 22 7f 01 16 09 43 43 1e 16 15 01 07 1e 4b 48 5f 13 48 }
$b22 = { 51 46 47 50 54 4e 5c 50 0a 19 12 0b 1f 0f 0e 11 1d 57 51 43 19 59 4d 55 56 1b 5a 54 50 5b 6d 26 27 2d 21 37 2f 24 65 39 2b 38 3f 3a 21 3d 34 71 7f 34 35 75 71 14 30 2b 35 36 39 7a 7e 23 40 00 15 08 44 42 1d 17 1a 00 04 1f 4c 49 5c 12 57 }
$b23 = { 50 41 46 53 55 41 5d 53 0b 1e 13 08 1e 10 0f 12 1c 50 50 40 18 56 4c 56 57 1c 5b 57 51 24 6c 25 26 2a 20 34 2e 2b 64 3a 2a 3f 3e 39 20 22 35 72 7e 33 34 76 70 1b 31 28 34 31 38 79 7f 1c 41 03 14 0f 45 41 1c 18 1b 03 05 18 4d 4a 5d 0d 56 }
$b24 = { 57 40 45 52 5a 40 5e 52 0c 1f 10 09 01 11 0c 13 1b 51 53 41 17 57 4f 57 50 1d 58 56 2e 25 6f 24 21 2b 23 35 21 2a 67 3b 2d 3e 3d 38 3f 23 36 73 79 32 37 77 7f 1a 32 29 33 30 3b 78 40 1d 42 02 13 0e 46 40 13 19 18 02 02 19 4e 4b 42 0c 55 }
$b25 = { 56 43 44 5d 5b 43 5f 55 0d 1c 11 16 00 12 0d 14 1a 52 52 4e 16 54 4e 50 51 1e 59 29 2f 26 6e 23 20 28 22 3a 20 29 66 3c 2c 3d 3c 27 3e 20 37 74 78 31 36 78 7e 19 33 2e 32 33 3a 47 41 1e 43 05 12 0d 47 4f 12 1a 19 05 03 1a 4f 54 43 0f 54 }
$b26 = { 55 42 4b 5c 58 42 58 54 0e 1d 0e 17 03 13 0a 15 19 53 5d 4f 15 55 49 51 52 1f 26 28 2c 27 69 22 23 29 2d 3b 23 28 61 3d 2f 3c 23 26 3d 21 30 75 7b 30 39 79 7d 18 34 2f 31 32 05 46 42 1f 44 04 11 0c 48 4e 11 1b 1e 04 00 1b 50 55 40 0e 53 }
$b27 = { 54 4d 4a 5f 59 45 59 57 0f 02 0f 14 02 14 0b 16 18 5c 5c 4c 14 52 48 52 53 60 27 2b 2d 20 68 21 22 26 2c 38 22 2f 60 3e 2e 23 22 25 3c 26 31 76 7a 3f 38 7a 7c 1f 35 2c 30 0d 04 45 43 18 45 07 10 03 49 4d 10 1c 1f 07 01 04 51 56 41 09 52 }
$b28 = { 5b 4c 49 5e 5e 44 5a 56 10 03 0c 15 05 15 08 17 17 5d 5f 4d 13 53 4b 53 2c 61 24 2a 2a 21 6b 20 2d 27 2f 39 25 2e 63 3f 31 22 21 24 3b 27 32 77 75 3e 3b 7b 7b 1e 36 2d 0f 0c 07 44 44 19 46 06 1f 02 4a 4c 17 1d 1c 06 1e 05 52 57 46 08 51 }
$b29 = { 5a 4f 48 59 5f 47 5b 49 11 00 0d 12 04 16 09 18 16 5e 5e 4a 12 50 4a 2c 2d 62 25 2d 2b 22 6a 2f 2c 24 2e 3e 24 2d 62 20 30 21 20 23 3a 24 33 78 74 3d 3a 7c 7a 1d 37 12 0e 0f 06 43 45 1a 47 09 1e 01 4b 4b 16 1e 1d 19 1f 06 53 50 47 0b 50 }
$b2a = { 59 4e 4f 58 5c 46 44 48 12 01 0a 13 07 17 06 19 15 5f 59 4b 11 51 35 2d 2e 63 22 2c 28 23 65 2e 2f 25 29 3f 27 2c 7d 21 33 20 27 22 39 25 3c 79 77 3c 3d 7d 79 1c 08 13 0d 0e 01 42 46 1b 48 08 1d 00 4c 4a 15 1f 02 18 1c 07 54 51 44 0a 5f }
$b2b = { 58 49 4e 5b 5d 59 45 4b 13 06 0b 10 06 18 07 1a 14 58 58 48 10 2e 34 2e 2f 64 23 2f 29 2c 64 2d 2e 22 28 3c 26 33 7c 22 32 27 26 21 38 2a 3d 7a 76 3b 3c 7e 78 23 09 10 0c 09 00 41 47 14 49 0b 1c 07 4d 49 14 00 03 1b 1d 00 55 52 45 05 5e }
$b2c = { 5f 48 4d 5a 42 58 46 4a 14 07 08 11 09 19 04 1b 13 59 5b 49 6f 2f 37 2f 28 65 20 2e 26 2d 67 2c 29 23 2b 3d 39 32 7f 23 35 26 25 20 37 2b 3e 7b 71 3a 3f 7f 47 22 0a 11 0b 08 03 40 48 15 4a 0a 1b 06 4e 48 0b 01 00 1a 1a 01 56 53 4a 04 5d }
$b2d = { 5e 4b 4c 45 43 5b 47 4d 15 04 09 1e 08 1a 05 1c 12 5a 5a 36 6e 2c 36 28 29 66 21 21 27 2e 66 2b 28 20 2a 22 38 31 7e 24 34 25 24 2f 36 28 3f 7c 70 39 3e 40 46 21 0b 16 0a 0b 02 4f 49 16 4b 0d 1a 05 4f 57 0a 02 01 1d 1b 02 57 5c 4b 07 5c }
$b2e = { 5d 4a 53 44 40 5a 40 4c 16 05 06 1f 0b 1b 02 1d 11 5b 25 37 6d 2d 31 29 2a 67 2e 20 24 2f 61 2a 2b 21 35 23 3b 30 79 25 37 24 2b 2e 35 29 38 7d 73 38 01 41 45 20 0c 17 09 0a 0d 4e 4a 17 4c 0c 19 04 50 56 09 03 06 1c 18 03 58 5d 48 06 5b }
$b2f = { 5c 55 52 47 41 5d 41 4f 17 0a 07 1c 0a 1c 03 1e 10 24 24 34 6c 2a 30 2a 2b 68 2f 23 25 28 60 29 2a 3e 34 20 3a 37 78 26 36 2b 2a 2d 34 2e 39 7e 72 07 00 42 44 27 0d 14 08 05 0c 4d 4b 10 4d 0f 18 1b 51 55 08 04 07 1f 19 0c 59 5e 49 01 5a }
$b30 = { 43 54 51 46 46 5c 42 4e 18 0b 04 1d 0d 1d 00 1f 6f 25 27 35 6b 2b 33 2b 24 69 2c 22 22 29 63 28 35 3f 37 21 3d 36 7b 27 39 2a 29 2c 33 2f 3a 7f 4d 06 03 43 43 26 0e 15 07 04 0f 4c 4c 11 4e 0e 07 1a 52 54 0f 05 04 1e 16 0d 5a 5f 4e 00 59 }
$b31 = { 42 57 50 41 47 5f 43 41 19 08 05 1a 0c 1e 01 60 6e 26 26 32 6a 28 32 24 25 6a 2d 25 23 2a 62 37 34 3c 36 26 3c 35 7a 28 38 29 28 2b 32 2c 3b 40 4c 05 02 44 42 25 0f 1a 06 07 0e 4b 4d 12 4f 11 06 19 53 53 0e 06 05 11 17 0e 5b 58 4f 03 58 }
$b32 = { 41 56 57 40 44 5e 4c 40 1a 09 02 1b 0f 1f 7e 61 6d 27 21 33 69 29 3d 25 26 6b 2a 24 20 2b 7d 36 37 3d 31 27 3f 34 75 29 3b 28 2f 2a 31 2d 04 41 4f 04 05 45 41 24 00 1b 05 06 09 4a 4e 13 50 10 05 18 54 52 0d 07 0a 10 14 0f 5c 59 4c 02 a7 }
$b33 = { 40 51 56 43 45 51 4d 43 1b 0e 03 18 0e 60 7f 62 6c 20 20 30 68 26 3c 26 27 6c 2b 27 21 34 7c 35 36 3a 30 24 3e 3b 74 2a 3a 2f 2e 29 30 12 05 42 4e 03 04 46 40 2b 01 18 04 01 08 49 4f 0c 51 13 04 1f 55 51 0c 08 0b 13 15 08 5d 5a 4d fd a6 }
$b34 = { 47 50 55 42 4a 50 4e 42 1c 0f 00 19 71 61 7c 63 6b 21 23 31 67 27 3f 27 20 6d 28 26 3e 35 7f 34 31 3b 33 25 31 3a 77 2b 3d 2e 2d 28 0f 13 06 43 49 02 07 47 4f 2a 02 19 03 00 0b 48 50 0d 52 12 03 1e 56 50 03 09 08 12 12 09 5e 5b b2 fc a5 }
$b35 = { 46 53 54 4d 4b 53 4f 45 1d 0c 01 66 70 62 7d 64 6a 22 22 3e 66 24 3e 20 21 6e 29 39 3f 36 7e 33 30 38 32 2a 30 39 76 2c 3c 2d 2c 17 0e 10 07 44 48 01 06 48 4e 29 03 1e 02 03 0a 57 51 0e 53 15 02 1d 57 5f 02 0a 09 15 13 0a 5f a4 b3 ff a4 }
$b36 = { 45 52 5b 4c 48 52 48 44 1e 0d 7e 67 73 63 7a 65 69 23 2d 3f 65 25 39 21 22 6f 36 38 3c 37 79 32 33 39 3d 2b 33 38 71 2d 3f 2c 13 16 0d 11 00 45 4b 00 09 49 4d 28 04 1f 01 02 15 56 52 0f 54 14 01 1c 58 5e 01 0b 0e 14 10 0b a0 a5 b0 fe a3 }
$b37 = { 44 5d 5a 4f 49 55 49 47 1f 72 7f 64 72 64 7b 66 68 2c 2c 3c 64 22 38 22 23 70 37 3b 3d 30 78 31 32 36 3c 28 32 3f 70 2e 3e 13 12 15 0c 16 01 46 4a 0f 08 4a 4c 2f 05 1c 00 1d 14 55 53 08 55 17 00 13 59 5d 00 0c 0f 17 11 f4 a1 a6 b1 f9 a2 }
$b38 = { 4b 5c 59 4e 4e 54 4a 46 60 73 7c 65 75 65 78 67 67 2d 2f 3d 63 23 3b 23 3c 71 34 3a 3a 31 7b 30 3d 37 3f 29 35 3e 73 2f 01 12 11 14 0b 17 02 47 45 0e 0b 4b 4b 2e 06 1d 1f 1c 17 54 54 09 56 16 0f 12 5a 5c 07 0d 0c 16 ee f5 a2 a7 b6 f8 a1 }
$b39 = { 4a 5f 58 49 4f 57 4b 39 61 70 7d 62 74 66 79 68 66 2e 2e 3a 62 20 3a 3c 3d 72 35 3d 3b 32 7a 3f 3c 34 3e 2e 34 3d 72 10 00 11 10 13 0a 14 03 48 44 0d 0a 4c 4a 2d 07 02 1e 1f 16 53 55 0a 57 19 0e 11 5b 5b 06 0e 0d e9 ef f6 a3 a0 b7 fb a0 }
$b3a = { 49 5e 5f 48 4c 56 34 38 62 71 7a 63 77 67 76 69 65 2f 29 3b 61 21 25 3d 3e 73 32 3c 38 33 75 3e 3f 35 39 2f 37 3c 4d 11 03 10 17 12 09 15 0c 49 47 0c 0d 4d 49 2c 18 03 1d 1e 11 52 56 0b 58 18 0d 10 5c 5a 05 0f f2 e8 ec f7 a4 a1 b4 fa af }
$b3b = { 48 59 5e 4b 4d 29 35 3b 63 76 7b 60 76 68 77 6a 64 28 28 38 60 3e 24 3e 3f 74 33 3f 39 3c 74 3d 3e 32 38 2c 36 03 4c 12 02 17 16 11 08 1a 0d 4a 46 0b 0c 4e 48 33 19 00 1c 19 10 51 57 04 59 1b 0c 17 5d 59 04 f0 f3 eb ed f0 a5 a2 b5 f5 ae }
$b3c = { 4f 58 5d 4a 32 28 36 3a 64 77 78 61 79 69 74 6b 63 29 2b 39 7f 3f 27 3f 38 75 30 3e 36 3d 77 3c 39 33 3b 2d 09 02 4f 13 05 16 15 10 07 1b 0e 4b 41 0a 0f 4f 57 32 1a 01 1b 18 13 50 58 05 5a 1a 0b 16 5e 58 fb f1 f0 ea ea f1 a6 a3 ba f4 ad }
$b3d = { 4e 5b 5c 35 33 2b 37 3d 65 74 79 6e 78 6a 75 6c 62 2a 2a 26 7e 3c 26 38 39 76 31 31 37 3e 76 3b 38 30 3a 12 08 01 4e 14 04 15 14 1f 06 18 0f 4c 40 09 0e 50 56 31 1b 06 1a 1b 12 5f 59 06 5b 1d 0a 15 5f a7 fa f2 f1 ed eb f2 a7 ac bb f7 ac }
$b3e = { 4d 5a 23 34 30 2a 30 3c 66 75 76 6f 7b 6b 72 6d 61 2b 35 27 7d 3d 21 39 3a 77 3e 30 34 3f 71 3a 3b 31 05 13 0b 00 49 15 07 14 1b 1e 05 19 08 4d 43 08 11 51 55 30 1c 07 19 1a 1d 5e 5a 07 5c 1c 09 14 a0 a6 f9 f3 f6 ec e8 f3 a8 ad b8 f6 ab }
$b3f = { 4c 25 22 37 31 2d 31 3f 67 7a 77 6c 7a 6c 73 6e 60 34 34 24 7c 3a 20 3a 3b 78 3f 33 35 38 70 39 3a 0e 04 10 0a 07 48 16 06 1b 1a 1d 04 1e 09 4e 42 17 10 52 54 37 1d 04 18 15 1c 5d 5b 00 5d 1f 08 eb a1 a5 f8 f4 f7 ef e9 fc a9 ae b9 f1 aa }
$b40 = { 33 24 21 36 36 2c 32 3e 68 7b 74 6d 7d 6d 70 6f 7f 35 37 25 7b 3b 23 3b 34 79 3c 32 32 39 73 38 05 0f 07 11 0d 06 4b 17 09 1a 19 1c 03 1f 0a 4f 5d 16 13 53 53 36 1e 05 17 14 1f 5c 5c 01 5e 1e f7 ea a2 a4 ff f5 f4 ee e6 fd aa af be f0 a9 }
$b41 = { 32 27 20 31 37 2f 33 31 69 78 75 6a 7c 6e 71 70 7e 36 36 22 7a 38 22 34 35 7a 3d 35 33 3a 72 07 04 0c 06 16 0c 05 4a 18 08 19 18 1b 02 1c 0b 50 5c 15 12 54 52 35 1f 0a 16 17 1e 5b 5d 02 5f e1 f6 e9 a3 a3 fe f6 f5 e1 e7 fe ab a8 bf f3 a8 }
$b42 = { 31 26 27 30 34 2e 3c 30 6a 79 72 6b 7f 6f 6e 71 7d 37 31 23 79 39 2d 35 36 7b 3a 34 30 3b 4d 06 07 0d 01 17 0f 04 45 19 0b 18 1f 1a 01 1d 14 51 5f 14 15 55 51 34 10 0b 15 16 19 5a 5e 03 a0 e0 f5 e8 a4 a2 fd f7 fa e0 e4 ff ac a9 bc f2 b7 }
$b43 = { 30 21 26 33 35 21 3d 33 6b 7e 73 68 7e 70 6f 72 7c 30 30 20 78 36 2c 36 37 7c 3b 37 31 04 4c 05 06 0a 00 14 0e 0b 44 1a 0a 1f 1e 19 00 02 15 52 5e 13 14 56 50 3b 11 08 14 11 18 59 5f fc a1 e3 f4 ef a5 a1 fc f8 fb e3 e5 f8 ad aa bd ed b6 }
$b44 = { 37 20 25 32 3a 20 3e 32 6c 7f 70 69 61 71 6c 73 7b 31 33 21 77 37 2f 37 30 7d 38 36 0e 05 4f 04 01 0b 03 15 01 0a 47 1b 0d 1e 1d 18 1f 03 16 53 59 12 17 57 5f 3a 12 09 13 10 1b 58 a0 fd a2 e2 f3 ee a6 a0 f3 f9 f8 e2 e2 f9 ae ab a2 ec b5 }
$b45 = { 36 23 24 3d 3b 23 3f 35 6d 7c 71 76 60 72 6d 74 7a 32 32 2e 76 34 2e 30 31 7e 39 09 0f 06 4e 03 00 08 02 1a 00 09 46 1c 0c 1d 1c 07 1e 00 17 54 58 11 16 58 5e 39 13 0e 12 13 1a a7 a1 fe a3 e5 f2 ed a7 af f2 fa f9 e5 e3 fa af b4 a3 ef b4 }
$b46 = { 35 22 2b 3c 38 22 38 34 6e 7d 6e 77 63 73 6a 75 79 33 3d 2f 75 35 29 31 32 7f 06 08 0c 07 49 02 03 09 0d 1b 03 08 41 1d 0f 1c 03 06 1d 01 10 55 5b 10 19 59 5d 38 14 0f 11 12 e5 a6 a2 ff a4 e4 f1 ec a8 ae f1 fb fe e4 e0 fb b0 b5 a0 ee b3 }
$b47 = { 34 2d 2a 3f 39 25 39 37 6f 62 6f 74 62 74 6b 76 78 3c 3c 2c 74 32 28 32 33 40 07 0b 0d 00 48 01 02 06 0c 18 02 0f 40 1e 0e 03 02 05 1c 06 11 56 5a 1f 18 5a 5c 3f 15 0c 10 ed e4 a5 a3 f8 a5 e7 f0 e3 a9 ad f0 fc ff e7 e1 e4 b1 b6 a1 e9 b2 }
$b48 = { 3b 2c 29 3e 3e 24 3a 36 70 63 6c 75 65 75 68 77 77 3d 3f 2d 73 33 2b 33 0c 41 04 0a 0a 01 4b 00 0d 07 0f 19 05 0e 43 1f 11 02 01 04 1b 07 12 57 55 1e 1b 5b 5b 3e 16 0d ef ec e7 a4 a4 f9 a6 e6 ff e2 aa ac f7 fd fc e6 fe e5 b2 b7 a6 e8 b1 }
$b49 = { 3a 2f 28 39 3f 27 3b 29 71 60 6d 72 64 76 69 78 76 3e 3e 2a 72 30 2a 0c 0d 42 05 0d 0b 02 4a 0f 0c 04 0e 1e 04 0d 42 00 10 01 00 03 1a 04 13 58 54 1d 1a 5c 5a 3d 17 f2 ee ef e6 a3 a5 fa a7 e9 fe e1 ab ab f6 fe fd f9 ff e6 b3 b0 a7 eb b0 }
$b4a = { 39 2e 2f 38 3c 26 24 28 72 61 6a 73 67 77 66 79 75 3f 39 2b 71 31 15 0d 0e 43 02 0c 08 03 45 0e 0f 05 09 1f 07 0c 5d 01 13 00 07 02 19 05 1c 59 57 1c 1d 5d 59 3c e8 f3 ed ee e1 a2 a6 fb a8 e8 fd e0 ac aa f5 ff e2 f8 fc e7 b4 b1 a4 ea bf }
$b4b = { 38 29 2e 3b 3d 39 25 2b 73 66 6b 70 66 78 67 7a 74 38 38 28 70 0e 14 0e 0f 44 03 0f 09 0c 44 0d 0e 02 08 1c 06 13 5c 02 12 07 06 01 18 0a 1d 5a 56 1b 1c 5e 58 c3 e9 f0 ec e9 e0 a1 a7 f4 a9 eb fc e7 ad a9 f4 e0 e3 fb fd e0 b5 b2 a5 e5 be }
$b4c = { 3f 28 2d 3a 22 38 26 2a 74 67 68 71 69 79 64 7b 73 39 3b 29 4f 0f 17 0f 08 45 00 0e 06 0d 47 0c 09 03 0b 1d 19 12 5f 03 15 06 05 00 17 0b 1e 5b 51 1a 1f 5f a7 c2 ea f1 eb e8 e3 a0 a8 f5 aa ea fb e6 ae a8 eb e1 e0 fa fa e1 b6 b3 aa e4 bd }
$b4d = { 3e 2b 2c 25 23 3b 27 2d 75 64 69 7e 68 7a 65 7c 72 3a 3a 16 4e 0c 16 08 09 46 01 01 07 0e 46 0b 08 00 0a 02 18 11 5e 04 14 05 04 0f 16 08 1f 5c 50 19 1e a0 a6 c1 eb f6 ea eb e2 af a9 f6 ab ed fa e5 af b7 ea e2 e1 fd fb e2 b7 bc ab e7 bc }
$b4e = { 3d 2a 33 24 20 3a 20 2c 76 65 66 7f 6b 7b 62 7d 71 3b 05 17 4d 0d 11 09 0a 47 0e 00 04 0f 41 0a 0b 01 15 03 1b 10 59 05 17 04 0b 0e 15 09 18 5d 53 18 e1 a1 a5 c0 ec f7 e9 ea ed ae aa f7 ac ec f9 e4 b0 b6 e9 e3 e6 fc f8 e3 b8 bd a8 e6 bb }
$b4f = { 3c 35 32 27 21 3d 21 2f 77 6a 67 7c 6a 7c 63 7e 70 04 04 14 4c 0a 10 0a 0b 48 0f 03 05 08 40 09 0a 1e 14 00 1a 17 58 06 16 0b 0a 0d 14 0e 19 5e 52 e7 e0 a2 a4 c7 ed f4 e8 e5 ec ad ab f0 ad ef f8 fb b1 b5 e8 e4 e7 ff f9 ec b9 be a9 e1 ba }
$b50 = { 23 34 31 26 26 3c 22 2e 78 6b 64 7d 6d 7d 60 7f 4f 05 07 15 4b 0b 13 0b 04 49 0c 02 02 09 43 08 15 1f 17 01 1d 16 5b 07 19 0a 09 0c 13 0f 1a 5f ad e6 e3 a3 a3 c6 ee f5 e7 e4 ef ac ac f1 ae ee e7 fa b2 b4 ef e5 e4 fe f6 ed ba bf ae e0 b9 }
$b51 = { 22 37 30 21 27 3f 23 21 79 68 65 7a 6c 7e 61 40 4e 06 06 12 4a 08 12 04 05 4a 0d 05 03 0a 42 17 14 1c 16 06 1c 15 5a 08 18 09 08 0b 12 0c 1b a0 ac e5 e2 a4 a2 c5 ef fa e6 e7 ee ab ad f2 af f1 e6 f9 b3 b3 ee e6 e5 f1 f7 ee bb b8 af e3 b8 }
$b52 = { 21 36 37 20 24 3e 2c 20 7a 69 62 7b 6f 7f 5e 41 4d 07 01 13 49 09 1d 05 06 4b 0a 04 00 0b 5d 16 17 1d 11 07 1f 14 55 09 1b 08 0f 0a 11 0d e4 a1 af e4 e5 a5 a1 c4 e0 fb e5 e6 e9 aa ae f3 b0 f0 e5 f8 b4 b2 ed e7 ea f0 f4 ef bc b9 ac e2 87 }
$b53 = { 20 31 36 23 25 31 2d 23 7b 6e 63 78 6e 40 5f 42 4c 00 00 10 48 06 1c 06 07 4c 0b 07 01 14 5c 15 16 1a 10 04 1e 1b 54 0a 1a 0f 0e 09 10 f2 e5 a2 ae e3 e4 a6 a0 cb e1 f8 e4 e1 e8 a9 af ec b1 f3 e4 ff b5 b1 ec e8 eb f3 f5 e8 bd ba ad dd 86 }
$b54 = { 27 30 35 22 2a 30 2e 22 7c 6f 60 79 51 41 5c 43 4b 01 03 11 47 07 1f 07 00 4d 08 06 1e 15 5f 14 11 1b 13 05 11 1a 57 0b 1d 0e 0d 08 ef f3 e6 a3 a9 e2 e7 a7 af ca e2 f9 e3 e0 eb a8 b0 ed b2 f2 e3 fe b6 b0 e3 e9 e8 f2 f2 e9 be bb 92 dc 85 }
$b55 = { 26 33 34 2d 2b 33 2f 25 7d 6c 61 46 50 42 5d 44 4a 02 02 1e 46 04 1e 00 01 4e 09 19 1f 16 5e 13 10 18 12 0a 10 19 56 0c 1c 0d 0c f7 ee f0 e7 a4 a8 e1 e6 a8 ae c9 e3 fe e2 e3 ea b7 b1 ee b3 f5 e2 fd b7 bf e2 ea e9 f5 f3 ea bf 84 93 df 84 }
$b56 = { 25 32 3b 2c 28 32 28 24 7e 6d 5e 47 53 43 5a 45 49 03 0d 1f 45 05 19 01 02 4f 16 18 1c 17 59 12 13 19 1d 0b 13 18 51 0d 1f 0c f3 f6 ed f1 e0 a5 ab e0 e9 a9 ad c8 e4 ff e1 e2 f5 b6 b2 ef b4 f4 e1 fc b8 be e1 eb ee f4 f0 eb 80 85 90 de 83 }
$b57 = { 24 3d 3a 2f 29 35 29 27 7f 52 5f 44 52 44 5b 46 48 0c 0c 1c 44 02 18 02 03 50 17 1b 1d 10 58 11 12 16 1c 08 12 1f 50 0e 1e f3 f2 f5 ec f6 e1 a6 aa ef e8 aa ac cf e5 fc e0 fd f4 b5 b3 e8 b5 f7 e0 f3 b9 bd e0 ec ef f7 f1 d4 81 86 91 d9 82 }
$b58 = { 2b 3c 39 2e 2e 34 2a 26 40 53 5c 45 55 45 58 47 47 0d 0f 1d 43 03 1b 03 1c 51 14 1a 1a 11 5b 10 1d 17 1f 09 15 1e 53 0f e1 f2 f1 f4 eb f7 e2 a7 a5 ee eb ab ab ce e6 fd ff fc f7 b4 b4 e9 b6 f6 ef f2 ba bc e7 ed ec f6 ce d5 82 87 96 d8 81 }
$b59 = { 2a 3f 38 29 2f 37 2b 19 41 50 5d 42 54 46 59 48 46 0e 0e 1a 42 00 1a 1c 1d 52 15 1d 1b 12 5a 1f 1c 14 1e 0e 14 1d 52 f0 e0 f1 f0 f3 ea f4 e3 a8 a4 ed ea ac aa cd e7 e2 fe ff f6 b3 b5 ea b7 f9 ee f1 bb bb e6 ee ed c9 cf d6 83 80 97 db 80 }
$b5a = { 29 3e 3f 28 2c 36 14 18 42 51 5a 43 57 47 56 49 45 0f 09 1b 41 01 05 1d 1e 53 12 1c 18 13 55 1e 1f 15 19 0f 17 1c ad f1 e3 f0 f7 f2 e9 f5 ec a9 a7 ec ed ad a9 cc f8 e3 fd fe f1 b2 b6 eb b8 f8 ed f0 bc ba e5 ef d2 c8 cc d7 84 81 94 da 8f }
$b5b = { 28 39 3e 2b 2d 09 15 1b 43 56 5b 40 56 48 57 4a 44 08 08 18 40 1e 04 1e 1f 54 13 1f 19 1c 54 1d 1e 12 18 0c 16 e3 ac f2 e2 f7 f6 f1 e8 fa ed aa a6 eb ec ae a8 d3 f9 e0 fc f9 f0 b1 b7 e4 b9 fb ec f7 bd b9 e4 d0 d3 cb cd d0 85 82 95 d5 8e }
$b5c = { 2f 38 3d 2a 12 08 16 1a 44 57 58 41 59 49 54 4b 43 09 0b 19 5f 1f 07 1f 18 55 10 1e 16 1d 57 1c 19 13 1b 0d e9 e2 af f3 e5 f6 f5 f0 e7 fb ee ab a1 ea ef af b7 d2 fa e1 fb f8 f3 b0 b8 e5 ba fa eb f6 be b8 db d1 d0 ca ca d1 86 83 9a d4 8d }
$b5d = { 2e 3b 3c 15 13 0b 17 1d 45 54 59 4e 58 4a 55 4c 42 0a 0a 06 5e 1c 06 18 19 56 11 11 17 1e 56 1b 18 10 1a f2 e8 e1 ae f4 e4 f5 f4 ff e6 f8 ef ac a0 e9 ee b0 b6 d1 fb e6 fa fb f2 bf b9 e6 bb fd ea f5 bf 87 da d2 d1 cd cb d2 87 8c 9b d7 8c }
$b5e = { 2d 3a 03 14 10 0a 10 1c 46 55 56 4f 5b 4b 52 4d 41 0b 15 07 5d 1d 01 19 1a 57 1e 10 14 1f 51 1a 1b 11 e5 f3 eb e0 a9 f5 e7 f4 fb fe e5 f9 e8 ad a3 e8 f1 b1 b5 d0 fc e7 f9 fa fd be ba e7 bc fc e9 f4 80 86 d9 d3 d6 cc c8 d3 88 8d 98 d6 8b }
$b5f = { 2c 05 02 17 11 0d 11 1f 47 5a 57 4c 5a 4c 53 4e 40 14 14 04 5c 1a 00 1a 1b 58 1f 13 15 18 50 19 1a ee e4 f0 ea e7 a8 f6 e6 fb fa fd e4 fe e9 ae a2 f7 f0 b2 b4 d7 fd e4 f8 f5 fc bd bb e0 bd ff e8 cb 81 85 d8 d4 d7 cf c9 dc 89 8e 99 d1 8a }
$b60 = { 13 04 01 16 16 0c 12 1e 48 5b 54 4d 5d 4d 50 4f 5f 15 17 05 5b 1b 03 1b 14 59 1c 12 12 19 53 18 e5 ef e7 f1 ed e6 ab f7 e9 fa f9 fc e3 ff ea af bd f6 f3 b3 b3 d6 fe e5 f7 f4 ff bc bc e1 be fe d7 ca 82 84 df d5 d4 ce c6 dd 8a 8f 9e d0 89 }
$b61 = { 12 07 00 11 17 0f 13 11 49 58 55 4a 5c 4e 51 50 5e 16 16 02 5a 18 02 14 15 5a 1d 15 13 1a 52 e7 e4 ec e6 f6 ec e5 aa f8 e8 f9 f8 fb e2 fc eb b0 bc f5 f2 b4 b2 d5 ff ea f6 f7 fe bb bd e2 bf c1 d6 c9 83 83 de d6 d5 c1 c7 de 8b 88 9f d3 88 }
$b62 = { 11 06 07 10 14 0e 1c 10 4a 59 52 4b 5f 4f 4e 51 5d 17 11 03 59 19 0d 15 16 5b 1a 14 10 1b ad e6 e7 ed e1 f7 ef e4 a5 f9 eb f8 ff fa e1 fd f4 b1 bf f4 f5 b5 b1 d4 f0 eb f5 f6 f9 ba be e3 80 c0 d5 c8 84 82 dd d7 da c0 c4 df 8c 89 9c d2 97 }
$b63 = { 10 01 06 13 15 01 1d 13 4b 5e 53 48 5e 50 4f 52 5c 10 10 00 58 16 0c 16 17 5c 1b 17 11 e4 ac e5 e6 ea e0 f4 ee eb a4 fa ea ff fe f9 e0 e2 f5 b2 be f3 f4 b6 b0 db f1 e8 f4 f1 f8 b9 bf dc 81 c3 d4 cf 85 81 dc d8 db c3 c5 d8 8d 8a 9d cd 96 }
$b64 = { 17 00 05 12 1a 00 1e 12 4c 5f 50 49 41 51 4c 53 5b 11 13 01 57 17 0f 17 10 5d 18 16 ee e5 af e4 e1 eb e3 f5 e1 ea a7 fb ed fe fd f8 ff e3 f6 b3 b9 f2 f7 b7 bf da f2 e9 f3 f0 fb b8 80 dd 82 c2 d3 ce 86 80 d3 d9 d8 c2 c2 d9 8e 8b 82 cc 95 }
$b65 = { 16 03 04 1d 1b 03 1f 15 4d 5c 51 56 40 52 4d 54 5a 12 12 0e 56 14 0e 10 11 5e 19 e9 ef e6 ae e3 e0 e8 e2 fa e0 e9 a6 fc ec fd fc e7 fe e0 f7 b4 b8 f1 f6 b8 be d9 f3 ee f2 f3 fa 87 81 de 83 c5 d2 cd 87 8f d2 da d9 c5 c3 da 8f 94 83 cf 94 }
$b66 = { 15 02 0b 1c 18 02 18 14 4e 5d 4e 57 43 53 4a 55 59 13 1d 0f 55 15 09 11 12 5f e6 e8 ec e7 a9 e2 e3 e9 ed fb e3 e8 a1 fd ef fc e3 e6 fd e1 f0 b5 bb f0 f9 b9 bd d8 f4 ef f1 f2 c5 86 82 df 84 c4 d1 cc 88 8e d1 db de c4 c0 db 90 95 80 ce 93 }
$b67 = { 14 0d 0a 1f 19 05 19 17 4f 42 4f 54 42 54 4b 56 58 1c 1c 0c 54 12 08 12 13 a0 e7 eb ed e0 a8 e1 e2 e6 ec f8 e2 ef a0 fe ee e3 e2 e5 fc e6 f1 b6 ba ff f8 ba bc df f5 ec f0 cd c4 85 83 d8 85 c7 d0 c3 89 8d d0 dc df c7 c1 c4 91 96 81 c9 92 }
$b68 = { 1b 0c 09 1e 1e 04 1a 16 50 43 4c 55 45 55 48 57 57 1d 1f 0d 53 13 0b 13 ec a1 e4 ea ea e1 ab e0 ed e7 ef f9 e5 ee a3 ff f1 e2 e1 e4 fb e7 f2 b7 b5 fe fb bb bb de f6 ed cf cc c7 84 84 d9 86 c6 df c2 8a 8c d7 dd dc c6 de c5 92 97 86 c8 91 }
$b69 = { 1a 0f 08 19 1f 07 1b 09 51 40 4d 52 44 56 49 58 56 1e 1e 0a 52 10 0a ec ed a2 e5 ed eb e2 aa ef ec e4 ee fe e4 ed a2 e0 f0 e1 e0 e3 fa e4 f3 b8 b4 fd fa bc ba dd f7 d2 ce cf c6 83 85 da 87 c9 de c1 8b 8b d6 de dd d9 df c6 93 90 87 cb 90 }
$b6a = { 19 0e 0f 18 1c 06 04 08 52 41 4a 53 47 57 46 59 55 1f 19 0b 51 11 f5 ed ee a3 e2 ec e8 e3 a5 ee ef e5 e9 ff e7 ec bd e1 f3 e0 e7 e2 f9 e5 fc b9 b7 fc fd bd b9 dc c8 d3 cd ce c1 82 86 db 88 c8 dd c0 8c 8a d5 df c2 d8 dc c7 94 91 84 ca 9f }
$b6b = { 18 09 0e 1b 1d 19 05 0b 53 46 4b 50 46 58 47 5a 54 18 18 08 50 ee f4 ee ef a4 e3 ef e9 ec a4 ed ee e2 e8 fc e6 f3 bc e2 f2 e7 e6 e1 f8 ea fd ba b6 fb fc be b8 e3 c9 d0 cc c9 c0 81 87 d4 89 cb dc c7 8d 89 d4 c0 c3 db dd c0 95 92 85 c5 9e }
$b6c = { 1f 08 0d 1a 02 18 06 0a 54 47 48 51 49 59 44 5b 53 19 1b 09 af ef f7 ef e8 a5 e0 ee e6 ed a7 ec e9 e3 eb fd f9 f2 bf e3 f5 e6 e5 e0 f7 eb fe bb b1 fa ff bf 87 e2 ca d1 cb c8 c3 80 88 d5 8a ca db c6 8e 88 cb c1 c0 da da c1 96 93 8a c4 9d }
$b6d = { 1e 0b 0c 05 03 1b 07 0d 55 44 49 5e 48 5a 45 5c 52 1a 1a f6 ae ec f6 e8 e9 a6 e1 e1 e7 ee a6 eb e8 e0 ea e2 f8 f1 be e4 f4 e5 e4 ef f6 e8 ff bc b0 f9 fe 80 86 e1 cb d6 ca cb c2 8f 89 d6 8b cd da c5 8f 97 ca c2 c1 dd db c2 97 9c 8b c7 9c }
$b6e = { 1d 0a 13 04 00 1a 00 0c 56 45 46 5f 4b 5b 42 5d 51 1b e5 f7 ad ed f1 e9 ea a7 ee e0 e4 ef a1 ea eb e1 f5 e3 fb f0 b9 e5 f7 e4 eb ee f5 e9 f8 bd b3 f8 c1 81 85 e0 cc d7 c9 ca cd 8e 8a d7 8c cc d9 c4 90 96 c9 c3 c6 dc d8 c3 98 9d 88 c6 9b }
$b6f = { 1c 15 12 07 01 1d 01 0f 57 4a 47 5c 4a 5c 43 5e 50 e4 e4 f4 ac ea f0 ea eb a8 ef e3 e5 e8 a0 e9 ea fe f4 e0 fa f7 b8 e6 f6 eb ea ed f4 ee f9 be b2 c7 c0 82 84 e7 cd d4 c8 c5 cc 8d 8b d0 8d cf d8 db 91 95 c8 c4 c7 df d9 cc 99 9e 89 c1 9a }
$b70 = { 03 14 11 06 06 1c 02 0e 58 4b 44 5d 4d 5d 40 5f af e5 e7 f5 ab eb f3 eb e4 a9 ec e2 e2 e9 a3 e8 f5 ff f7 e1 fd f6 bb e7 f9 ea e9 ec f3 ef fa bf 8d c6 c3 83 83 e6 ce d5 c7 c4 cf 8c 8c d1 8e ce c7 da 92 94 cf c5 c4 de d6 cd 9a 9f 8e c0 99 }
$b71 = { 02 17 10 01 07 1f 03 01 59 48 45 5a 4c 5e 41 a0 ae e6 e6 f2 aa e8 f2 e4 e5 aa ed e5 e3 ea a2 f7 f4 fc f6 e6 fc f5 ba e8 f8 e9 e8 eb f2 ec fb 80 8c c5 c2 84 82 e5 cf da c6 c7 ce 8b 8d d2 8f d1 c6 d9 93 93 ce c6 c5 d1 d7 ce 9b 98 8f c3 98 }
$b72 = { 01 16 17 00 04 1e 0c 00 5a 49 42 5b 4f 5f be a1 ad e7 e1 f3 a9 e9 fd e5 e6 ab ea e4 e0 eb bd f6 f7 fd f1 e7 ff f4 b5 e9 fb e8 ef ea f1 ed c4 81 8f c4 c5 85 81 e4 c0 db c5 c6 c9 8a 8e d3 90 d0 c5 d8 94 92 cd c7 ca d0 d4 cf 9c 99 8c c2 e7 }
$b73 = { 00 11 16 03 05 11 0d 03 5b 4e 43 58 4e a0 bf a2 ac e0 e0 f0 a8 e6 fc e6 e7 ac eb e7 e1 f4 bc f5 f6 fa f0 e4 fe fb b4 ea fa ef ee e9 f0 d2 c5 82 8e c3 c4 86 80 eb c1 d8 c4 c1 c8 89 8f cc 91 d3 c4 df 95 91 cc c8 cb d3 d5 c8 9d 9a 8d bd e6 }
$b74 = { 07 10 15 02 0a 10 0e 02 5c 4f 40 59 b1 a1 bc a3 ab e1 e3 f1 a7 e7 ff e7 e0 ad e8 e6 fe f5 bf f4 f1 fb f3 e5 f1 fa b7 eb fd ee ed e8 cf d3 c6 83 89 c2 c7 87 8f ea c2 d9 c3 c0 cb 88 90 cd 92 d2 c3 de 96 90 c3 c9 c8 d2 d2 c9 9e 9b f2 bc e5 }
$b75 = { 06 13 14 0d 0b 13 0f 05 5d 4c 41 a6 b0 a2 bd a4 aa e2 e2 fe a6 e4 fe e0 e1 ae e9 f9 ff f6 be f3 f0 f8 f2 ea f0 f9 b6 ec fc ed ec d7 ce d0 c7 84 88 c1 c6 88 8e e9 c3 de c2 c3 ca 97 91 ce 93 d5 c2 dd 97 9f c2 ca c9 d5 d3 ca 9f e4 f3 bf e4 }
$b76 = { 05 12 1b 0c 08 12 08 04 5e 4d be a7 b3 a3 ba a5 a9 e3 ed ff a5 e5 f9 e1 e2 af f6 f8 fc f7 b9 f2 f3 f9 fd eb f3 f8 b1 ed ff ec d3 d6 cd d1 c0 85 8b c0 c9 89 8d e8 c4 df c1 c2 d5 96 92 cf 94 d4 c1 dc 98 9e c1 cb ce d4 d0 cb e0 e5 f0 be e3 }
$b77 = { 04 1d 1a 0f 09 15 09 07 5f b2 bf a4 b2 a4 bb a6 a8 ec ec fc a4 e2 f8 e2 e3 b0 f7 fb fd f0 b8 f1 f2 f6 fc e8 f2 ff b0 ee fe d3 d2 d5 cc d6 c1 86 8a cf c8 8a 8c ef c5 dc c0 dd d4 95 93 c8 95 d7 c0 d3 99 9d c0 cc cf d7 d1 b4 e1 e6 f1 b9 e2 }
$b78 = { 0b 1c 19 0e 0e 14 0a 06 a0 b3 bc a5 b5 a5 b8 a7 a7 ed ef fd a3 e3 fb e3 fc b1 f4 fa fa f1 bb f0 fd f7 ff e9 f5 fe b3 ef c1 d2 d1 d4 cb d7 c2 87 85 ce cb 8b 8b ee c6 dd df dc d7 94 94 c9 96 d6 cf d2 9a 9c c7 cd cc d6 ae b5 e2 e7 f6 b8 e1 }
$b79 = { 0a 1f 18 09 0f 17 0b f9 a1 b0 bd a2 b4 a6 b9 a8 a6 ee ee fa a2 e0 fa fc fd b2 f5 fd fb f2 ba ff fc f4 fe ee f4 fd b2 d0 c0 d1 d0 d3 ca d4 c3 88 84 cd ca 8c 8a ed c7 c2 de df d6 93 95 ca 97 d9 ce d1 9b 9b c6 ce cd a9 af b6 e3 e0 f7 bb e0 }
$b7a = { 09 1e 1f 08 0c 16 f4 f8 a2 b1 ba a3 b7 a7 b6 a9 a5 ef e9 fb a1 e1 e5 fd fe b3 f2 fc f8 f3 b5 fe ff f5 f9 ef f7 fc 8d d1 c3 d0 d7 d2 c9 d5 cc 89 87 cc cd 8d 89 ec d8 c3 dd de d1 92 96 cb 98 d8 cd d0 9c 9a c5 cf b2 a8 ac b7 e4 e1 f4 ba ef }
$b7b = { 08 19 1e 0b 0d e9 f5 fb a3 b6 bb a0 b6 a8 b7 aa a4 e8 e8 f8 a0 fe e4 fe ff b4 f3 ff f9 fc b4 fd fe f2 f8 ec f6 c3 8c d2 c2 d7 d6 d1 c8 da cd 8a 86 cb cc 8e 88 f3 d9 c0 dc d9 d0 91 97 c4 99 db cc d7 9d 99 c4 b0 b3 ab ad b0 e5 e2 f5 b5 ee }
$b7c = { 0f 18 1d 0a f2 e8 f6 fa a4 b7 b8 a1 b9 a9 b4 ab a3 e9 eb f9 bf ff e7 ff f8 b5 f0 fe f6 fd b7 fc f9 f3 fb ed c9 c2 8f d3 c5 d6 d5 d0 c7 db ce 8b 81 ca cf 8f 97 f2 da c1 db d8 d3 90 98 c5 9a da cb d6 9e 98 bb b1 b0 aa aa b1 e6 e3 fa b4 ed }
$b7d = { 0e 1b 1c f5 f3 eb f7 fd a5 b4 b9 ae b8 aa b5 ac a2 ea ea e6 be fc e6 f8 f9 b6 f1 f1 f7 fe b6 fb f8 f0 fa d2 c8 c1 8e d4 c4 d5 d4 df c6 d8 cf 8c 80 c9 ce 90 96 f1 db c6 da db d2 9f 99 c6 9b dd ca d5 9f e7 ba b2 b1 ad ab b2 e7 ec fb b7 ec }
$b7e = { 0d 1a e3 f4 f0 ea f0 fc a6 b5 b6 af bb ab b2 ad a1 eb f5 e7 bd fd e1 f9 fa b7 fe f0 f4 ff b1 fa fb f1 c5 d3 cb c0 89 d5 c7 d4 db de c5 d9 c8 8d 83 c8 d1 91 95 f0 dc c7 d9 da dd 9e 9a c7 9c dc c9 d4 e0 e6 b9 b3 b6 ac a8 b3 e8 ed f8 b6 eb }
$b7f = { 0c e5 e2 f7 f1 ed f1 ff a7 ba b7 ac ba ac b3 ae a0 f4 f4 e4 bc fa e0 fa fb b8 ff f3 f5 f8 b0 f9 fa ce c4 d0 ca c7 88 d6 c6 db da dd c4 de c9 8e 82 d7 d0 92 94 f7 dd c4 d8 d5 dc 9d 9b c0 9d df c8 ab e1 e5 b8 b4 b7 af a9 bc e9 ee f9 b1 ea }
$b80 = { f3 e4 e1 f6 f6 ec f2 fe a8 bb b4 ad bd ad b0 af bf f5 f7 e5 bb fb e3 fb f4 b9 fc f2 f2 f9 b3 f8 c5 cf c7 d1 cd c6 8b d7 c9 da d9 dc c3 df ca 8f 9d d6 d3 93 93 f6 de c5 d7 d4 df 9c 9c c1 9e de b7 aa e2 e4 bf b5 b4 ae a6 bd ea ef fe b0 e9 }
$b81 = { f2 e7 e0 f1 f7 ef f3 f1 a9 b8 b5 aa bc ae b1 b0 be f6 f6 e2 ba f8 e2 f4 f5 ba fd f5 f3 fa b2 c7 c4 cc c6 d6 cc c5 8a d8 c8 d9 d8 db c2 dc cb 90 9c d5 d2 94 92 f5 df ca d6 d7 de 9b 9d c2 9f a1 b6 a9 e3 e3 be b6 b5 a1 a7 be eb e8 ff b3 e8 }
$b82 = { f1 e6 e7 f0 f4 ee fc f0 aa b9 b2 ab bf af ae b1 bd f7 f1 e3 b9 f9 ed f5 f6 bb fa f4 f0 fb 8d c6 c7 cd c1 d7 cf c4 85 d9 cb d8 df da c1 dd d4 91 9f d4 d5 95 91 f4 d0 cb d5 d6 d9 9a 9e c3 e0 a0 b5 a8 e4 e2 bd b7 ba a0 a4 bf ec e9 fc b2 f7 }
$b83 = { f0 e1 e6 f3 f5 e1 fd f3 ab be b3 a8 be b0 af b2 bc f0 f0 e0 b8 f6 ec f6 f7 bc fb f7 f1 c4 8c c5 c6 ca c0 d4 ce cb 84 da ca df de d9 c0 c2 d5 92 9e d3 d4 96 90 fb d1 c8 d4 d1 d8 99 9f bc e1 a3 b4 af e5 e1 bc b8 bb a3 a5 b8 ed ea fd ad f6 }
$b84 = { f7 e0 e5 f2 fa e0 fe f2 ac bf b0 a9 a1 b1 ac b3 bb f1 f3 e1 b7 f7 ef f7 f0 bd f8 f6 ce c5 8f c4 c1 cb c3 d5 c1 ca 87 db cd de dd d8 df c3 d6 93 99 d2 d7 97 9f fa d2 c9 d3 d0 db 98 e0 bd e2 a2 b3 ae e6 e0 b3 b9 b8 a2 a2 b9 ee eb e2 ac f5 }
$b85 = { f6 e3 e4 fd fb e3 ff f5 ad bc b1 b6 a0 b2 ad b4 ba f2 f2 ee b6 f4 ee f0 f1 be f9 c9 cf c6 8e c3 c0 c8 c2 da c0 c9 86 dc cc dd dc c7 de c0 d7 94 98 d1 d6 98 9e f9 d3 ce d2 d3 da e7 e1 be e3 a5 b2 ad e7 ef b2 ba b9 a5 a3 ba ef f4 e3 af f4 }
$b86 = { f5 e2 eb fc f8 e2 f8 f4 ae bd ae b7 a3 b3 aa b5 b9 f3 fd ef b5 f5 e9 f1 f2 bf c6 c8 cc c7 89 c2 c3 c9 cd db c3 c8 81 dd cf dc c3 c6 dd c1 d0 95 9b d0 d9 99 9d f8 d4 cf d1 d2 a5 e6 e2 bf e4 a4 b1 ac e8 ee b1 bb be a4 a0 bb f0 f5 e0 ae f3 }
$b87 = { f4 ed ea ff f9 e5 f9 f7 af a2 af b4 a2 b4 ab b6 b8 fc fc ec b4 f2 e8 f2 f3 80 c7 cb cd c0 88 c1 c2 c6 cc d8 c2 cf 80 de ce c3 c2 c5 dc c6 d1 96 9a df d8 9a 9c ff d5 cc d0 ad a4 e5 e3 b8 e5 a7 b0 a3 e9 ed b0 bc bf a7 a1 a4 f1 f6 e1 a9 f2 }
$b88 = { fb ec e9 fe fe e4 fa f6 b0 a3 ac b5 a5 b5 a8 b7 b7 fd ff ed b3 f3 eb f3 cc 81 c4 ca ca c1 8b c0 cd c7 cf d9 c5 ce 83 df d1 c2 c1 c4 db c7 d2 97 95 de db 9b 9b fe d6 cd af ac a7 e4 e4 b9 e6 a6 bf a2 ea ec b7 bd bc a6 be a5 f2 f7 e6 a8 f1 }
$b89 = { fa ef e8 f9 ff e7 fb e9 b1 a0 ad b2 a4 b6 a9 b8 b6 fe fe ea b2 f0 ea cc cd 82 c5 cd cb c2 8a cf cc c4 ce de c4 cd 82 c0 d0 c1 c0 c3 da c4 d3 98 94 dd da 9c 9a fd d7 b2 ae af a6 e3 e5 ba e7 a9 be a1 eb eb b6 be bd b9 bf a6 f3 f0 e7 ab f0 }
$b8a = { f9 ee ef f8 fc e6 e4 e8 b2 a1 aa b3 a7 b7 a6 b9 b5 ff f9 eb b1 f1 d5 cd ce 83 c2 cc c8 c3 85 ce cf c5 c9 df c7 cc 9d c1 d3 c0 c7 c2 d9 c5 dc 99 97 dc dd 9d 99 fc a8 b3 ad ae a1 e2 e6 bb e8 a8 bd a0 ec ea b5 bf a2 b8 bc a7 f4 f1 e4 aa ff }
$b8b = { f8 e9 ee fb fd f9 e5 eb b3 a6 ab b0 a6 b8 a7 ba b4 f8 f8 e8 b0 ce d4 ce cf 84 c3 cf c9 cc 84 cd ce c2 c8 dc c6 d3 9c c2 d2 c7 c6 c1 d8 ca dd 9a 96 db dc 9e 98 83 a9 b0 ac a9 a0 e1 e7 b4 e9 ab bc a7 ed e9 b4 a0 a3 bb bd a0 f5 f2 e5 a5 fe }
$b8c = { ff e8 ed fa e2 f8 e6 ea b4 a7 a8 b1 a9 b9 a4 bb b3 f9 fb e9 8f cf d7 cf c8 85 c0 ce c6 cd 87 cc c9 c3 cb dd d9 d2 9f c3 d5 c6 c5 c0 d7 cb de 9b 91 da df 9f e7 82 aa b1 ab a8 a3 e0 e8 b5 ea aa bb a6 ee e8 ab a1 a0 ba ba a1 f6 f3 ea a4 fd }
$b8d = { fe eb ec e5 e3 fb e7 ed b5 a4 a9 be a8 ba a5 bc b2 fa fa d6 8e cc d6 c8 c9 86 c1 c1 c7 ce 86 cb c8 c0 ca c2 d8 d1 9e c4 d4 c5 c4 cf d6 c8 df 9c 90 d9 de e0 e6 81 ab b6 aa ab a2 ef e9 b6 eb ad ba a5 ef f7 aa a2 a1 bd bb a2 f7 fc eb a7 fc }
$b8e = { fd ea f3 e4 e0 fa e0 ec b6 a5 a6 bf ab bb a2 bd b1 fb c5 d7 8d cd d1 c9 ca 87 ce c0 c4 cf 81 ca cb c1 d5 c3 db d0 99 c5 d7 c4 cb ce d5 c9 d8 9d 93 d8 a1 e1 e5 80 ac b7 a9 aa ad ee ea b7 ec ac b9 a4 f0 f6 a9 a3 a6 bc b8 a3 f8 fd e8 a6 fb }
$b8f = { fc f5 f2 e7 e1 fd e1 ef b7 aa a7 bc aa bc a3 be b0 c4 c4 d4 8c ca d0 ca cb 88 cf c3 c5 c8 80 c9 ca de d4 c0 da d7 98 c6 d6 cb ca cd d4 ce d9 9e 92 a7 a0 e2 e4 87 ad b4 a8 a5 ac ed eb b0 ed af b8 bb f1 f5 a8 a4 a7 bf b9 ac f9 fe e9 a1 fa }
$b90 = { e3 f4 f1 e6 e6 fc e2 ee b8 ab a4 bd ad bd a0 bf 8f c5 c7 d5 8b cb d3 cb c4 89 cc c2 c2 c9 83 c8 d5 df d7 c1 dd d6 9b c7 d9 ca c9 cc d3 cf da 9f ed a6 a3 e3 e3 86 ae b5 a7 a4 af ec ec b1 ee ae a7 ba f2 f4 af a5 a4 be b6 ad fa ff ee a0 f9 }
$b91 = { e2 f7 f0 e1 e7 ff e3 e1 b9 a8 a5 ba ac be a1 80 8e c6 c6 d2 8a c8 d2 c4 c5 8a cd c5 c3 ca 82 d7 d4 dc d6 c6 dc d5 9a c8 d8 c9 c8 cb d2 cc db e0 ec a5 a2 e4 e2 85 af ba a6 a7 ae eb ed b2 ef b1 a6 b9 f3 f3 ae a6 a5 b1 b7 ae fb f8 ef a3 f8 }
$b92 = { e1 f6 f7 e0 e4 fe ec e0 ba a9 a2 bb af bf 9e 81 8d c7 c1 d3 89 c9 dd c5 c6 8b ca c4 c0 cb 9d d6 d7 dd d1 c7 df d4 95 c9 db c8 cf ca d1 cd a4 e1 ef a4 a5 e5 e1 84 a0 bb a5 a6 a9 ea ee b3 f0 b0 a5 b8 f4 f2 ad a7 aa b0 b4 af fc f9 ec a2 c7 }
$b93 = { e0 f1 f6 e3 e5 f1 ed e3 bb ae a3 b8 ae 80 9f 82 8c c0 c0 d0 88 c6 dc c6 c7 8c cb c7 c1 d4 9c d5 d6 da d0 c4 de db 94 ca da cf ce c9 d0 b2 a5 e2 ee a3 a4 e6 e0 8b a1 b8 a4 a1 a8 e9 ef ac f1 b3 a4 bf f5 f1 ac a8 ab b3 b5 a8 fd fa ed 9d c6 }
$b94 = { e7 f0 f5 e2 ea f0 ee e2 bc af a0 b9 91 81 9c 83 8b c1 c3 d1 87 c7 df c7 c0 8d c8 c6 de d5 9f d4 d1 db d3 c5 d1 da 97 cb dd ce cd c8 af b3 a6 e3 e9 a2 a7 e7 ef 8a a2 b9 a3 a0 ab e8 f0 ad f2 b2 a3 be f6 f0 a3 a9 a8 b2 b2 a9 fe fb d2 9c c5 }
$b95 = { e6 f3 f4 ed eb f3 ef e5 bd ac a1 86 90 82 9d 84 8a c2 c2 de 86 c4 de c0 c1 8e c9 d9 df d6 9e d3 d0 d8 d2 ca d0 d9 96 cc dc cd cc b7 ae b0 a7 e4 e8 a1 a6 e8 ee 89 a3 be a2 a3 aa f7 f1 ae f3 b5 a2 bd f7 ff a2 aa a9 b5 b3 aa ff c4 d3 9f c4 }
$b96 = { e5 f2 fb ec e8 f2 e8 e4 be ad 9e 87 93 83 9a 85 89 c3 cd df 85 c5 d9 c1 c2 8f d6 d8 dc d7 99 d2 d3 d9 dd cb d3 d8 91 cd df cc b3 b6 ad b1 a0 e5 eb a0 a9 e9 ed 88 a4 bf a1 a2 b5 f6 f2 af f4 b4 a1 bc f8 fe a1 ab ae b4 b0 ab c0 c5 d0 9e c3 }
$b97 = { e4 fd fa ef e9 f5 e9 e7 bf 92 9f 84 92 84 9b 86 88 cc cc dc 84 c2 d8 c2 c3 90 d7 db dd d0 98 d1 d2 d6 dc c8 d2 df 90 ce de b3 b2 b5 ac b6 a1 e6 ea af a8 ea ec 8f a5 bc a0 bd b4 f5 f3 a8 f5 b7 a0 b3 f9 fd a0 ac af b7 b1 94 c1 c6 d1 99 c2 }
$b98 = { eb fc f9 ee ee f4 ea e6 80 93 9c 85 95 85 98 87 87 cd cf dd 83 c3 db c3 dc 91 d4 da da d1 9b d0 dd d7 df c9 d5 de 93 cf a1 b2 b1 b4 ab b7 a2 e7 e5 ae ab eb eb 8e a6 bd bf bc b7 f4 f4 a9 f6 b6 af b2 fa fc a7 ad ac b6 8e 95 c2 c7 d6 98 c1 }
$b99 = { ea ff f8 e9 ef f7 eb d9 81 90 9d 82 94 86 99 88 86 ce ce da 82 c0 da dc dd 92 d5 dd db d2 9a df dc d4 de ce d4 dd 92 b0 a0 b1 b0 b3 aa b4 a3 e8 e4 ad aa ec ea 8d a7 a2 be bf b6 f3 f5 aa f7 b9 ae b1 fb fb a6 ae ad 89 8f 96 c3 c0 d7 9b c0 }
$b9a = { e9 fe ff e8 ec f6 d4 d8 82 91 9a 83 97 87 96 89 85 cf c9 db 81 c1 c5 dd de 93 d2 dc d8 d3 95 de df d5 d9 cf d7 dc ed b1 a3 b0 b7 b2 a9 b5 ac e9 e7 ac ad ed e9 8c b8 a3 bd be b1 f2 f6 ab f8 b8 ad b0 fc fa a5 af 92 88 8c 97 c4 c1 d4 9a cf }
$b9b = { e8 f9 fe eb ed c9 d5 db 83 96 9b 80 96 88 97 8a 84 c8 c8 d8 80 de c4 de df 94 d3 df d9 dc 94 dd de d2 d8 cc d6 a3 ec b2 a2 b7 b6 b1 a8 ba ad ea e6 ab ac ee e8 93 b9 a0 bc b9 b0 f1 f7 a4 f9 bb ac b7 fd f9 a4 90 93 8b 8d 90 c5 c2 d5 95 ce }
$b9c = { ef f8 fd ea d2 c8 d6 da 84 97 98 81 99 89 94 8b 83 c9 cb d9 9f df c7 df d8 95 d0 de d6 dd 97 dc d9 d3 db cd a9 a2 ef b3 a5 b6 b5 b0 a7 bb ae eb e1 aa af ef f7 92 ba a1 bb b8 b3 f0 f8 a5 fa ba ab b6 fe f8 9b 91 90 8a 8a 91 c6 c3 da 94 cd }
$b9d = { ee fb fc d5 d3 cb d7 dd 85 94 99 8e 98 8a 95 8c 82 ca ca c6 9e dc c6 d8 d9 96 d1 d1 d7 de 96 db d8 d0 da b2 a8 a1 ee b4 a4 b5 b4 bf a6 b8 af ec e0 a9 ae f0 f6 91 bb a6 ba bb b2 ff f9 a6 fb bd aa b5 ff c7 9a 92 91 8d 8b 92 c7 cc db 97 cc }
$b9e = { ed fa c3 d4 d0 ca d0 dc 86 95 96 8f 9b 8b 92 8d 81 cb d5 c7 9d dd c1 d9 da 97 de d0 d4 df 91 da db d1 a5 b3 ab a0 e9 b5 a7 b4 bb be a5 b9 a8 ed e3 a8 b1 f1 f5 90 bc a7 b9 ba bd fe fa a7 fc bc a9 b4 c0 c6 99 93 96 8c 88 93 c8 cd d8 96 cb }
$b9f = { ec c5 c2 d7 d1 cd d1 df 87 9a 97 8c 9a 8c 93 8e 80 d4 d4 c4 9c da c0 da db 98 df d3 d5 d8 90 d9 da ae a4 b0 aa a7 e8 b6 a6 bb ba bd a4 be a9 ee e2 b7 b0 f2 f4 97 bd a4 b8 b5 bc fd fb a0 fd bf a8 8b c1 c5 98 94 97 8f 89 9c c9 ce d9 91 ca }
$ba0 = { d3 c4 c1 d6 d6 cc d2 de 88 9b 94 8d 9d 8d 90 8f 9f d5 d7 c5 9b db c3 db d4 99 dc d2 d2 d9 93 d8 a5 af a7 b1 ad a6 eb b7 a9 ba b9 bc a3 bf aa ef fd b6 b3 f3 f3 96 be a5 b7 b4 bf fc fc a1 fe be 97 8a c2 c4 9f 95 94 8e 86 9d ca cf de 90 c9 }
$ba1 = { d2 c7 c0 d1 d7 cf d3 d1 89 98 95 8a 9c 8e 91 90 9e d6 d6 c2 9a d8 c2 d4 d5 9a dd d5 d3 da 92 a7 a4 ac a6 b6 ac a5 ea b8 a8 b9 b8 bb a2 bc ab f0 fc b5 b2 f4 f2 95 bf aa b6 b7 be fb fd a2 ff 81 96 89 c3 c3 9e 96 95 81 87 9e cb c8 df 93 c8 }
$ba2 = { d1 c6 c7 d0 d4 ce dc d0 8a 99 92 8b 9f 8f 8e 91 9d d7 d1 c3 99 d9 cd d5 d6 9b da d4 d0 db ed a6 a7 ad a1 b7 af a4 e5 b9 ab b8 bf ba a1 bd b4 f1 ff b4 b5 f5 f1 94 b0 ab b5 b6 b9 fa fe a3 c0 80 95 88 c4 c2 9d 97 9a 80 84 9f cc c9 dc 92 d7 }
$ba3 = { d0 c1 c6 d3 d5 c1 dd d3 8b 9e 93 88 9e 90 8f 92 9c d0 d0 c0 98 d6 cc d6 d7 9c db d7 d1 a4 ec a5 a6 aa a0 b4 ae ab e4 ba aa bf be b9 a0 a2 b5 f2 fe b3 b4 f6 f0 9b b1 a8 b4 b1 b8 f9 ff 9c c1 83 94 8f c5 c1 9c 98 9b 83 85 98 cd ca dd 8d d6 }
$ba4 = { d7 c0 c5 d2 da c0 de d2 8c 9f 90 89 81 91 8c 93 9b d1 d3 c1 97 d7 cf d7 d0 9d d8 d6 ae a5 ef a4 a1 ab a3 b5 a1 aa e7 bb ad be bd b8 bf a3 b6 f3 f9 b2 b7 f7 ff 9a b2 a9 b3 b0 bb f8 c0 9d c2 82 93 8e c6 c0 93 99 98 82 82 99 ce cb c2 8c d5 }
$ba5 = { d6 c3 c4 dd db c3 df d5 8d 9c 91 96 80 92 8d 94 9a d2 d2 ce 96 d4 ce d0 d1 9e d9 a9 af a6 ee a3 a0 a8 a2 ba a0 a9 e6 bc ac bd bc a7 be a0 b7 f4 f8 b1 b6 f8 fe 99 b3 ae b2 b3 ba c7 c1 9e c3 85 92 8d c7 cf 92 9a 99 85 83 9a cf d4 c3 8f d4 }
$ba6 = { d5 c2 cb dc d8 c2 d8 d4 8e 9d 8e 97 83 93 8a 95 99 d3 dd cf 95 d5 c9 d1 d2 9f a6 a8 ac a7 e9 a2 a3 a9 ad bb a3 a8 e1 bd af bc a3 a6 bd a1 b0 f5 fb b0 b9 f9 fd 98 b4 af b1 b2 85 c6 c2 9f c4 84 91 8c c8 ce 91 9b 9e 84 80 9b d0 d5 c0 8e d3 }
$ba7 = { d4 cd ca df d9 c5 d9 d7 8f 82 8f 94 82 94 8b 96 98 dc dc cc 94 d2 c8 d2 d3 e0 a7 ab ad a0 e8 a1 a2 a6 ac b8 a2 af e0 be ae a3 a2 a5 bc a6 b1 f6 fa bf b8 fa fc 9f b5 ac b0 8d 84 c5 c3 98 c5 87 90 83 c9 cd 90 9c 9f 87 81 84 d1 d6 c1 89 d2 }
$ba8 = { db cc c9 de de c4 da d6 90 83 8c 95 85 95 88 97 97 dd df cd 93 d3 cb d3 ac e1 a4 aa aa a1 eb a0 ad a7 af b9 a5 ae e3 bf b1 a2 a1 a4 bb a7 b2 f7 f5 be bb fb fb 9e b6 ad 8f 8c 87 c4 c4 99 c6 86 9f 82 ca cc 97 9d 9c 86 9e 85 d2 d7 c6 88 d1 }
$ba9 = { da cf c8 d9 df c7 db c9 91 80 8d 92 84 96 89 98 96 de de ca 92 d0 ca ac ad e2 a5 ad ab a2 ea af ac a4 ae be a4 ad e2 a0 b0 a1 a0 a3 ba a4 b3 f8 f4 bd ba fc fa 9d b7 92 8e 8f 86 c3 c5 9a c7 89 9e 81 cb cb 96 9e 9d 99 9f 86 d3 d0 c7 8b d0 }
$baa = { d9 ce cf d8 dc c6 c4 c8 92 81 8a 93 87 97 86 99 95 df d9 cb 91 d1 b5 ad ae e3 a2 ac a8 a3 e5 ae af a5 a9 bf a7 ac fd a1 b3 a0 a7 a2 b9 a5 bc f9 f7 bc bd fd f9 9c 88 93 8d 8e 81 c2 c6 9b c8 88 9d 80 cc ca 95 9f 82 98 9c 87 d4 d1 c4 8a df }
$bab = { d8 c9 ce db dd d9 c5 cb 93 86 8b 90 86 98 87 9a 94 d8 d8 c8 90 ae b4 ae af e4 a3 af a9 ac e4 ad ae a2 a8 bc a6 b3 fc a2 b2 a7 a6 a1 b8 aa bd fa f6 bb bc fe f8 a3 89 90 8c 89 80 c1 c7 94 c9 8b 9c 87 cd c9 94 80 83 9b 9d 80 d5 d2 c5 85 de }
$bac = { df c8 cd da c2 d8 c6 ca 94 87 88 91 89 99 84 9b 93 d9 db c9 ef af b7 af a8 e5 a0 ae a6 ad e7 ac a9 a3 ab bd b9 b2 ff a3 b5 a6 a5 a0 b7 ab be fb f1 ba bf ff c7 a2 8a 91 8b 88 83 c0 c8 95 ca 8a 9b 86 ce c8 8b 81 80 9a 9a 81 d6 d3 ca 84 dd }
$bad = { de cb cc c5 c3 db c7 cd 95 84 89 9e 88 9a 85 9c 92 da da b6 ee ac b6 a8 a9 e6 a1 a1 a7 ae e6 ab a8 a0 aa a2 b8 b1 fe a4 b4 a5 a4 af b6 a8 bf fc f0 b9 be c0 c6 a1 8b 96 8a 8b 82 cf c9 96 cb 8d 9a 85 cf d7 8a 82 81 9d 9b 82 d7 dc cb 87 dc }
$bae = { dd ca d3 c4 c0 da c0 cc 96 85 86 9f 8b 9b 82 9d 91 db a5 b7 ed ad b1 a9 aa e7 ae a0 a4 af e1 aa ab a1 b5 a3 bb b0 f9 a5 b7 a4 ab ae b5 a9 b8 fd f3 b8 81 c1 c5 a0 8c 97 89 8a 8d ce ca 97 cc 8c 99 84 d0 d6 89 83 86 9c 98 83 d8 dd c8 86 db }
$baf = { dc d5 d2 c7 c1 dd c1 cf 97 8a 87 9c 8a 9c 83 9e 90 a4 a4 b4 ec aa b0 aa ab e8 af a3 a5 a8 e0 a9 aa be b4 a0 ba b7 f8 a6 b6 ab aa ad b4 ae b9 fe f2 87 80 c2 c4 a7 8d 94 88 85 8c cd cb 90 cd 8f 98 9b d1 d5 88 84 87 9f 99 8c d9 de c9 81 da }
$bb0 = { c3 d4 d1 c6 c6 dc c2 ce 98 8b 84 9d 8d 9d 80 9f ef a5 a7 b5 eb ab b3 ab a4 e9 ac a2 a2 a9 e3 a8 b5 bf b7 a1 bd b6 fb a7 b9 aa a9 ac b3 af ba ff cd 86 83 c3 c3 a6 8e 95 87 84 8f cc cc 91 ce 8e 87 9a d2 d4 8f 85 84 9e 96 8d da df ce 80 d9 }
$bb1 = { c2 d7 d0 c1 c7 df c3 c1 99 88 85 9a 8c 9e 81 e0 ee a6 a6 b2 ea a8 b2 a4 a5 ea ad a5 a3 aa e2 b7 b4 bc b6 a6 bc b5 fa a8 b8 a9 a8 ab b2 ac bb c0 cc 85 82 c4 c2 a5 8f 9a 86 87 8e cb cd 92 cf 91 86 99 d3 d3 8e 86 85 91 97 8e db d8 cf 83 d8 }
$bb2 = { c1 d6 d7 c0 c4 de cc c0 9a 89 82 9b 8f 9f fe e1 ed a7 a1 b3 e9 a9 bd a5 a6 eb aa a4 a0 ab fd b6 b7 bd b1 a7 bf b4 f5 a9 bb a8 af aa b1 ad 84 c1 cf 84 85 c5 c1 a4 80 9b 85 86 89 ca ce 93 d0 90 85 98 d4 d2 8d 87 8a 90 94 8f dc d9 cc 82 27 }
$bb3 = { c0 d1 d6 c3 c5 d1 cd c3 9b 8e 83 98 8e e0 ff e2 ec a0 a0 b0 e8 a6 bc a6 a7 ec ab a7 a1 b4 fc b5 b6 ba b0 a4 be bb f4 aa ba af ae a9 b0 92 85 c2 ce 83 84 c6 c0 ab 81 98 84 81 88 c9 cf 8c d1 93 84 9f d5 d1 8c 88 8b 93 95 88 dd da cd 7d 26 }
$bb4 = { c7 d0 d5 c2 ca d0 ce c2 9c 8f 80 99 f1 e1 fc e3 eb a1 a3 b1 e7 a7 bf a7 a0 ed a8 a6 be b5 ff b4 b1 bb b3 a5 b1 ba f7 ab bd ae ad a8 8f 93 86 c3 c9 82 87 c7 cf aa 82 99 83 80 8b c8 d0 8d d2 92 83 9e d6 d0 83 89 88 92 92 89 de db 32 7c 25 }
$bb5 = { c6 d3 d4 cd cb d3 cf c5 9d 8c 81 e6 f0 e2 fd e4 ea a2 a2 be e6 a4 be a0 a1 ee a9 b9 bf b6 fe b3 b0 b8 b2 aa b0 b9 f6 ac bc ad ac 97 8e 90 87 c4 c8 81 86 c8 ce a9 83 9e 82 83 8a d7 d1 8e d3 95 82 9d d7 df 82 8a 89 95 93 8a df 24 33 7f 24 }
$bb6 = { c5 d2 db cc c8 d2 c8 c4 9e 8d fe e7 f3 e3 fa e5 e9 a3 ad bf e5 a5 b9 a1 a2 ef b6 b8 bc b7 f9 b2 b3 b9 bd ab b3 b8 f1 ad bf ac 93 96 8d 91 80 c5 cb 80 89 c9 cd a8 84 9f 81 82 95 d6 d2 8f d4 94 81 9c d8 de 81 8b 8e 94 90 8b 20 25 30 7e 23 }
$bb7 = { c4 dd da cf c9 d5 c9 c7 9f f2 ff e4 f2 e4 fb e6 e8 ac ac bc e4 a2 b8 a2 a3 f0 b7 bb bd b0 f8 b1 b2 b6 bc a8 b2 bf f0 ae be 93 92 95 8c 96 81 c6 ca 8f 88 ca cc af 85 9c 80 9d 94 d5 d3 88 d5 97 80 93 d9 dd 80 8c 8f 97 91 74 21 26 31 79 22 }
$bb8 = { cb dc d9 ce ce d4 ca c6 e0 f3 fc e5 f5 e5 f8 e7 e7 ad af bd e3 a3 bb a3 bc f1 b4 ba ba b1 fb b0 bd b7 bf a9 b5 be f3 af 81 92 91 94 8b 97 82 c7 c5 8e 8b cb cb ae 86 9d 9f 9c 97 d4 d4 89 d6 96 8f 92 da dc 87 8d 8c 96 6e 75 22 27 36 78 21 }
$bb9 = { ca df d8 c9 cf d7 cb b9 e1 f0 fd e2 f4 e6 f9 e8 e6 ae ae ba e2 a0 ba bc bd f2 b5 bd bb b2 fa bf bc b4 be ae b4 bd f2 90 80 91 90 93 8a 94 83 c8 c4 8d 8a cc ca ad 87 82 9e 9f 96 d3 d5 8a d7 99 8e 91 db db 86 8e 8d 69 6f 76 23 20 37 7b 20 }
$bba = { c9 de df c8 cc d6 b4 b8 e2 f1 fa e3 f7 e7 f6 e9 e5 af a9 bb e1 a1 a5 bd be f3 b2 bc b8 b3 f5 be bf b5 b9 af b7 bc cd 91 83 90 97 92 89 95 8c c9 c7 8c 8d cd c9 ac 98 83 9d 9e 91 d2 d6 8b d8 98 8d 90 dc da 85 8f 72 68 6c 77 24 21 34 7a 2f }
$bbb = { c8 d9 de cb cd a9 b5 bb e3 f6 fb e0 f6 e8 f7 ea e4 a8 a8 b8 e0 be a4 be bf f4 b3 bf b9 bc f4 bd be b2 b8 ac b6 83 cc 92 82 97 96 91 88 9a 8d ca c6 8b 8c ce c8 b3 99 80 9c 99 90 d1 d7 84 d9 9b 8c 97 dd d9 84 70 73 6b 6d 70 25 22 35 75 2e }
$bbc = { cf d8 dd ca b2 a8 b6 ba e4 f7 f8 e1 f9 e9 f4 eb e3 a9 ab b9 ff bf a7 bf b8 f5 b0 be b6 bd f7 bc b9 b3 bb ad 89 82 cf 93 85 96 95 90 87 9b 8e cb c1 8a 8f cf d7 b2 9a 81 9b 98 93 d0 d8 85 da 9a 8b 96 de d8 7b 71 70 6a 6a 71 26 23 3a 74 2d }
$bbd = { ce db dc b5 b3 ab b7 bd e5 f4 f9 ee f8 ea f5 ec e2 aa aa a6 fe bc a6 b8 b9 f6 b1 b1 b7 be f6 bb b8 b0 ba 92 88 81 ce 94 84 95 94 9f 86 98 8f cc c0 89 8e d0 d6 b1 9b 86 9a 9b 92 df d9 86 db 9d 8a 95 df 27 7a 72 71 6d 6b 72 27 2c 3b 77 2c }
$bbe = { cd da a3 b4 b0 aa b0 bc e6 f5 f6 ef fb eb f2 ed e1 ab b5 a7 fd bd a1 b9 ba f7 be b0 b4 bf f1 ba bb b1 85 93 8b 80 c9 95 87 94 9b 9e 85 99 88 cd c3 88 91 d1 d5 b0 9c 87 99 9a 9d de da 87 dc 9c 89 94 20 26 79 73 76 6c 68 73 28 2d 38 76 2b }
$bbf = { cc a5 a2 b7 b1 ad b1 bf e7 fa f7 ec fa ec f3 ee e0 b4 b4 a4 fc ba a0 ba bb f8 bf b3 b5 b8 f0 b9 ba 8e 84 90 8a 87 c8 96 86 9b 9a 9d 84 9e 89 ce c2 97 90 d2 d4 b7 9d 84 98 95 9c dd db 80 dd 9f 88 6b 21 25 78 74 77 6f 69 7c 29 2e 39 71 2a }
$bc0 = { b3 a4 a1 b6 b6 ac b2 be e8 fb f4 ed fd ed f0 ef ff b5 b7 a5 fb bb a3 bb b4 f9 bc b2 b2 b9 f3 b8 85 8f 87 91 8d 86 cb 97 89 9a 99 9c 83 9f 8a cf dd 96 93 d3 d3 b6 9e 85 97 94 9f dc dc 81 de 9e 77 6a 22 24 7f 75 74 6e 66 7d 2a 2f 3e 70 29 }
$bc1 = { b2 a7 a0 b1 b7 af b3 b1 e9 f8 f5 ea fc ee f1 f0 fe b6 b6 a2 fa b8 a2 b4 b5 fa bd b5 b3 ba f2 87 84 8c 86 96 8c 85 ca 98 88 99 98 9b 82 9c 8b d0 dc 95 92 d4 d2 b5 9f 8a 96 97 9e db dd 82 df 61 76 69 23 23 7e 76 75 61 67 7e 2b 28 3f 73 28 }
$bc2 = { b1 a6 a7 b0 b4 ae bc b0 ea f9 f2 eb ff ef ee f1 fd b7 b1 a3 f9 b9 ad b5 b6 fb ba b4 b0 bb cd 86 87 8d 81 97 8f 84 c5 99 8b 98 9f 9a 81 9d 94 d1 df 94 95 d5 d1 b4 90 8b 95 96 99 da de 83 20 60 75 68 24 22 7d 77 7a 60 64 7f 2c 29 3c 72 37 }
$bc3 = { b0 a1 a6 b3 b5 a1 bd b3 eb fe f3 e8 fe f0 ef f2 fc b0 b0 a0 f8 b6 ac b6 b7 fc bb b7 b1 84 cc 85 86 8a 80 94 8e 8b c4 9a 8a 9f 9e 99 80 82 95 d2 de 93 94 d6 d0 bb 91 88 94 91 98 d9 df 7c 21 63 74 6f 25 21 7c 78 7b 63 65 78 2d 2a 3d 6d 36 }
$bc4 = { b7 a0 a5 b2 ba a0 be b2 ec ff f0 e9 e1 f1 ec f3 fb b1 b3 a1 f7 b7 af b7 b0 fd b8 b6 8e 85 cf 84 81 8b 83 95 81 8a c7 9b 8d 9e 9d 98 9f 83 96 d3 d9 92 97 d7 df ba 92 89 93 90 9b d8 20 7d 22 62 73 6e 26 20 73 79 78 62 62 79 2e 2b 22 6c 35 }
$bc5 = { b6 a3 a4 bd bb a3 bf b5 ed fc f1 f6 e0 f2 ed f4 fa b2 b2 ae f6 b4 ae b0 b1 fe b9 89 8f 86 ce 83 80 88 82 9a 80 89 c6 9c 8c 9d 9c 87 9e 80 97 d4 d8 91 96 d8 de b9 93 8e 92 93 9a 27 21 7e 23 65 72 6d 27 2f 72 7a 79 65 63 7a 2f 34 23 6f 34 }
$bc6 = { b5 a2 ab bc b8 a2 b8 b4 ee fd ee f7 e3 f3 ea f5 f9 b3 bd af f5 b5 a9 b1 b2 ff 86 88 8c 87 c9 82 83 89 8d 9b 83 88 c1 9d 8f 9c 83 86 9d 81 90 d5 db 90 99 d9 dd b8 94 8f 91 92 65 26 22 7f 24 64 71 6c 28 2e 71 7b 7e 64 60 7b 30 35 20 6e 33 }
$bc7 = { b4 ad aa bf b9 a5 b9 b7 ef e2 ef f4 e2 f4 eb f6 f8 bc bc ac f4 b2 a8 b2 b3 c0 87 8b 8d 80 c8 81 82 86 8c 98 82 8f c0 9e 8e 83 82 85 9c 86 91 d6 da 9f 98 da dc bf 95 8c 90 6d 64 25 23 78 25 67 70 63 29 2d 70 7c 7f 67 61 64 31 36 21 69 32 }
$bc8 = { bb ac a9 be be a4 ba b6 f0 e3 ec f5 e5 f5 e8 f7 f7 bd bf ad f3 b3 ab b3 8c c1 84 8a 8a 81 cb 80 8d 87 8f 99 85 8e c3 9f 91 82 81 84 9b 87 92 d7 d5 9e 9b db db be 96 8d 6f 6c 67 24 24 79 26 66 7f 62 2a 2c 77 7d 7c 66 7e 65 32 37 26 68 31 }
$bc9 = { ba af a8 b9 bf a7 bb a9 f1 e0 ed f2 e4 f6 e9 f8 f6 be be aa f2 b0 aa 8c 8d c2 85 8d 8b 82 ca 8f 8c 84 8e 9e 84 8d c2 80 90 81 80 83 9a 84 93 d8 d4 9d 9a dc da bd 97 72 6e 6f 66 23 25 7a 27 69 7e 61 2b 2b 76 7e 7d 79 7f 66 33 30 27 6b 30 }
$bca = { b9 ae af b8 bc a6 a4 a8 f2 e1 ea f3 e7 f7 e6 f9 f5 bf b9 ab f1 b1 95 8d 8e c3 82 8c 88 83 c5 8e 8f 85 89 9f 87 8c dd 81 93 80 87 82 99 85 9c d9 d7 9c 9d dd d9 bc 68 73 6d 6e 61 22 26 7b 28 68 7d 60 2c 2a 75 7f 62 78 7c 67 34 31 24 6a 3f }
$bcb = { b8 a9 ae bb bd b9 a5 ab f3 e6 eb f0 e6 f8 e7 fa f4 b8 b8 a8 f0 8e 94 8e 8f c4 83 8f 89 8c c4 8d 8e 82 88 9c 86 93 dc 82 92 87 86 81 98 8a 9d da d6 9b 9c de d8 43 69 70 6c 69 60 21 27 74 29 6b 7c 67 2d 29 74 60 63 7b 7d 60 35 32 25 65 3e }
$bcc = { bf a8 ad ba a2 b8 a6 aa f4 e7 e8 f1 e9 f9 e4 fb f3 b9 bb a9 cf 8f 97 8f 88 c5 80 8e 86 8d c7 8c 89 83 8b 9d 99 92 df 83 95 86 85 80 97 8b 9e db d1 9a 9f df 27 42 6a 71 6b 68 63 20 28 75 2a 6a 7b 66 2e 28 6b 61 60 7a 7a 61 36 33 2a 64 3d }
$bcd = { be ab ac a5 a3 bb a7 ad f5 e4 e9 fe e8 fa e5 fc f2 ba ba 96 ce 8c 96 88 89 c6 81 81 87 8e c6 8b 88 80 8a 82 98 91 de 84 94 85 84 8f 96 88 9f dc d0 99 9e 20 26 41 6b 76 6a 6b 62 2f 29 76 2b 6d 7a 65 2f 37 6a 62 61 7d 7b 62 37 3c 2b 67 3c }
$bce = { bd aa b3 a4 a0 ba a0 ac f6 e5 e6 ff eb fb e2 fd f1 bb 85 97 cd 8d 91 89 8a c7 8e 80 84 8f c1 8a 8b 81 95 83 9b 90 d9 85 97 84 8b 8e 95 89 98 dd d3 98 61 21 25 40 6c 77 69 6a 6d 2e 2a 77 2c 6c 79 64 30 36 69 63 66 7c 78 63 38 3d 28 66 3b }
$bcf = { bc b5 b2 a7 a1 bd a1 af f7 ea e7 fc ea fc e3 fe f0 84 84 94 cc 8a 90 8a 8b c8 8f 83 85 88 c0 89 8a 9e 94 80 9a 97 d8 86 96 8b 8a 8d 94 8e 99 de d2 67 60 22 24 47 6d 74 68 65 6c 2d 2b 70 2d 6f 78 7b 31 35 68 64 67 7f 79 6c 39 3e 29 61 3a }
$bd0 = { a3 b4 b1 a6 a6 bc a2 ae f8 eb e4 fd ed fd e0 ff cf 85 87 95 cb 8b 93 8b 84 c9 8c 82 82 89 c3 88 95 9f 97 81 9d 96 db 87 99 8a 89 8c 93 8f 9a df 2d 66 63 23 23 46 6e 75 67 64 6f 2c 2c 71 2e 6e 67 7a 32 34 6f 65 64 7e 76 6d 3a 3f 2e 60 39 }
$bd1 = { a2 b7 b0 a1 a7 bf a3 a1 f9 e8 e5 fa ec fe e1 c0 ce 86 86 92 ca 88 92 84 85 ca 8d 85 83 8a c2 97 94 9c 96 86 9c 95 da 88 98 89 88 8b 92 8c 9b 20 2c 65 62 24 22 45 6f 7a 66 67 6e 2b 2d 72 2f 71 66 79 33 33 6e 66 65 71 77 6e 3b 38 2f 63 38 }
$bd2 = { a1 b6 b7 a0 a4 be ac a0 fa e9 e2 fb ef ff de c1 cd 87 81 93 c9 89 9d 85 86 cb 8a 84 80 8b dd 96 97 9d 91 87 9f 94 d5 89 9b 88 8f 8a 91 8d 64 21 2f 64 65 25 21 44 60 7b 65 66 69 2a 2e 73 30 70 65 78 34 32 6d 67 6a 70 74 6f 3c 39 2c 62 07 }
$bd3 = { a0 b1 b6 a3 a5 b1 ad a3 fb ee e3 f8 ee c0 df c2 cc 80 80 90 c8 86 9c 86 87 cc 8b 87 81 94 dc 95 96 9a 90 84 9e 9b d4 8a 9a 8f 8e 89 90 72 65 22 2e 63 64 26 20 4b 61 78 64 61 68 29 2f 6c 31 73 64 7f 35 31 6c 68 6b 73 75 68 3d 3a 2d 5d 06 }
$bd4 = { a7 b0 b5 a2 aa b0 ae a2 fc ef e0 f9 d1 c1 dc c3 cb 81 83 91 c7 87 9f 87 80 cd 88 86 9e 95 df 94 91 9b 93 85 91 9a d7 8b 9d 8e 8d 88 6f 73 66 23 29 62 67 27 2f 4a 62 79 63 60 6b 28 30 6d 32 72 63 7e 36 30 63 69 68 72 72 69 3e 3b 12 5c 05 }
$bd5 = { a6 b3 b4 ad ab b3 af a5 fd ec e1 c6 d0 c2 dd c4 ca 82 82 9e c6 84 9e 80 81 ce 89 99 9f 96 de 93 90 98 92 8a 90 99 d6 8c 9c 8d 8c 77 6e 70 67 24 28 61 66 28 2e 49 63 7e 62 63 6a 37 31 6e 33 75 62 7d 37 3f 62 6a 69 75 73 6a 3f 04 13 5f 04 }
$bd6 = { a5 b2 bb ac a8 b2 a8 a4 fe ed de c7 d3 c3 da c5 c9 83 8d 9f c5 85 99 81 82 cf 96 98 9c 97 d9 92 93 99 9d 8b 93 98 d1 8d 9f 8c 73 76 6d 71 60 25 2b 60 69 29 2d 48 64 7f 61 62 75 36 32 6f 34 74 61 7c 38 3e 61 6b 6e 74 70 6b 00 05 10 5e 03 }
$bd7 = { a4 bd ba af a9 b5 a9 a7 ff d2 df c4 d2 c4 db c6 c8 8c 8c 9c c4 82 98 82 83 d0 97 9b 9d 90 d8 91 92 96 9c 88 92 9f d0 8e 9e 73 72 75 6c 76 61 26 2a 6f 68 2a 2c 4f 65 7c 60 7d 74 35 33 68 35 77 60 73 39 3d 60 6c 6f 77 71 54 01 06 11 59 02 }
$bd8 = { ab bc b9 ae ae b4 aa a6 c0 d3 dc c5 d5 c5 d8 c7 c7 8d 8f 9d c3 83 9b 83 9c d1 94 9a 9a 91 db 90 9d 97 9f 89 95 9e d3 8f 61 72 71 74 6b 77 62 27 25 6e 6b 2b 2b 4e 66 7d 7f 7c 77 34 34 69 36 76 6f 72 3a 3c 67 6d 6c 76 4e 55 02 07 16 58 01 }
$bd9 = { aa bf b8 a9 af b7 ab 99 c1 d0 dd c2 d4 c6 d9 c8 c6 8e 8e 9a c2 80 9a 9c 9d d2 95 9d 9b 92 da 9f 9c 94 9e 8e 94 9d d2 70 60 71 70 73 6a 74 63 28 24 6d 6a 2c 2a 4d 67 62 7e 7f 76 33 35 6a 37 79 6e 71 3b 3b 66 6e 6d 49 4f 56 03 00 17 5b 00 }
$bda = { a9 be bf a8 ac b6 94 98 c2 d1 da c3 d7 c7 d6 c9 c5 8f 89 9b c1 81 85 9d 9e d3 92 9c 98 93 d5 9e 9f 95 99 8f 97 9c 2d 71 63 70 77 72 69 75 6c 29 27 6c 6d 2d 29 4c 78 63 7d 7e 71 32 36 6b 38 78 6d 70 3c 3a 65 6f 52 48 4c 57 04 01 14 5a 0f }
$bdb = { a8 b9 be ab ad 89 95 9b c3 d6 db c0 d6 c8 d7 ca c4 88 88 98 c0 9e 84 9e 9f d4 93 9f 99 9c d4 9d 9e 92 98 8c 96 63 2c 72 62 77 76 71 68 7a 6d 2a 26 6b 6c 2e 28 53 79 60 7c 79 70 31 37 64 39 7b 6c 77 3d 39 64 50 53 4b 4d 50 05 02 15 55 0e }
$bdc = { af b8 bd aa 92 88 96 9a c4 d7 d8 c1 d9 c9 d4 cb c3 89 8b 99 df 9f 87 9f 98 d5 90 9e 96 9d d7 9c 99 93 9b 8d 69 62 2f 73 65 76 75 70 67 7b 6e 2b 21 6a 6f 2f 37 52 7a 61 7b 78 73 30 38 65 3a 7a 6b 76 3e 38 5b 51 50 4a 4a 51 06 03 1a 54 0d }
$bdd = { ae bb bc 95 93 8b 97 9d c5 d4 d9 ce d8 ca d5 cc c2 8a 8a 86 de 9c 86 98 99 d6 91 91 97 9e d6 9b 98 90 9a 72 68 61 2e 74 64 75 74 7f 66 78 6f 2c 20 69 6e 30 36 51 7b 66 7a 7b 72 3f 39 66 3b 7d 6a 75 3f 07 5a 52 51 4d 4b 52 07 0c 1b 57 0c }
$bde = { ad ba 83 94 90 8a 90 9c c6 d5 d6 cf db cb d2 cd c1 8b 95 87 dd 9d 81 99 9a d7 9e 90 94 9f d1 9a 9b 91 65 73 6b 60 29 75 67 74 7b 7e 65 79 68 2d 23 68 71 31 35 50 7c 67 79 7a 7d 3e 3a 67 3c 7c 69 74 00 06 59 53 56 4c 48 53 08 0d 18 56 0b }
$bdf = { ac 85 82 97 91 8d 91 9f c7 da d7 cc da cc d3 ce c0 94 94 84 dc 9a 80 9a 9b d8 9f 93 95 98 d0 99 9a 6e 64 70 6a 67 28 76 66 7b 7a 7d 64 7e 69 2e 22 77 70 32 34 57 7d 64 78 75 7c 3d 3b 60 3d 7f 68 4b 01 05 58 54 57 4f 49 5c 09 0e 19 51 0a }
$be0 = { 93 84 81 96 96 8c 92 9e c8 db d4 cd dd cd d0 cf df 95 97 85 db 9b 83 9b 94 d9 9c 92 92 99 d3 98 65 6f 67 71 6d 66 2b 77 69 7a 79 7c 63 7f 6a 2f 3d 76 73 33 33 56 7e 65 77 74 7f 3c 3c 61 3e 7e 57 4a 02 04 5f 55 54 4e 46 5d 0a 0f 1e 50 09 }
$be1 = { 92 87 80 91 97 8f 93 91 c9 d8 d5 ca dc ce d1 d0 de 96 96 82 da 98 82 94 95 da 9d 95 93 9a d2 67 64 6c 66 76 6c 65 2a 78 68 79 78 7b 62 7c 6b 30 3c 75 72 34 32 55 7f 6a 76 77 7e 3b 3d 62 3f 41 56 49 03 03 5e 56 55 41 47 5e 0b 08 1f 53 08 }
$be2 = { 91 86 87 90 94 8e 9c 90 ca d9 d2 cb df cf ce d1 dd 97 91 83 d9 99 8d 95 96 db 9a 94 90 9b 2d 66 67 6d 61 77 6f 64 25 79 6b 78 7f 7a 61 7d 74 31 3f 74 75 35 31 54 70 6b 75 76 79 3a 3e 63 00 40 55 48 04 02 5d 57 5a 40 44 5f 0c 09 1c 52 17 }
$be3 = { 90 81 86 93 95 81 9d 93 cb de d3 c8 de d0 cf d2 dc 90 90 80 d8 96 8c 96 97 dc 9b 97 91 64 2c 65 66 6a 60 74 6e 6b 24 7a 6a 7f 7e 79 60 62 75 32 3e 73 74 36 30 5b 71 68 74 71 78 39 3f 5c 01 43 54 4f 05 01 5c 58 5b 43 45 58 0d 0a 1d 4d 16 }
$be4 = { 97 80 85 92 9a 80 9e 92 cc df d0 c9 c1 d1 cc d3 db 91 93 81 d7 97 8f 97 90 dd 98 96 6e 65 2f 64 61 6b 63 75 61 6a 27 7b 6d 7e 7d 78 7f 63 76 33 39 72 77 37 3f 5a 72 69 73 70 7b 38 00 5d 02 42 53 4e 06 00 53 59 58 42 42 59 0e 0b 02 4c 15 }
$be5 = { 96 83 84 9d 9b 83 9f 95 cd dc d1 d6 c0 d2 cd d4 da 92 92 8e d6 94 8e 90 91 de 99 69 6f 66 2e 63 60 68 62 7a 60 69 26 7c 6c 7d 7c 67 7e 60 77 34 38 71 76 38 3e 59 73 6e 72 73 7a 07 01 5e 03 45 52 4d 07 0f 52 5a 59 45 43 5a 0f 14 03 4f 14 }
$be6 = { 95 82 8b 9c 98 82 98 94 ce dd ce d7 c3 d3 ca d5 d9 93 9d 8f d5 95 89 91 92 df 66 68 6c 67 29 62 63 69 6d 7b 63 68 21 7d 6f 7c 63 66 7d 61 70 35 3b 70 79 39 3d 58 74 6f 71 72 45 06 02 5f 04 44 51 4c 08 0e 51 5b 5e 44 40 5b 10 15 00 4e 13 }
$be7 = { 94 8d 8a 9f 99 85 99 97 cf c2 cf d4 c2 d4 cb d6 d8 9c 9c 8c d4 92 88 92 93 20 67 6b 6d 60 28 61 62 66 6c 78 62 6f 20 7e 6e 63 62 65 7c 66 71 36 3a 7f 78 3a 3c 5f 75 6c 70 4d 44 05 03 58 05 47 50 43 09 0d 50 5c 5f 47 41 44 11 16 01 49 12 }
$be8 = { 9b 8c 89 9e 9e 84 9a 96 d0 c3 cc d5 c5 d5 c8 d7 d7 9d 9f 8d d3 93 8b 93 6c 21 64 6a 6a 61 2b 60 6d 67 6f 79 65 6e 23 7f 71 62 61 64 7b 67 72 37 35 7e 7b 3b 3b 5e 76 6d 4f 4c 47 04 04 59 06 46 5f 42 0a 0c 57 5d 5c 46 5e 45 12 17 06 48 11 }
$be9 = { 9a 8f 88 99 9f 87 9b 89 d1 c0 cd d2 c4 d6 c9 d8 d6 9e 9e 8a d2 90 8a 6c 6d 22 65 6d 6b 62 2a 6f 6c 64 6e 7e 64 6d 22 60 70 61 60 63 7a 64 73 38 34 7d 7a 3c 3a 5d 77 52 4e 4f 46 03 05 5a 07 49 5e 41 0b 0b 56 5e 5d 59 5f 46 13 10 07 4b 10 }
$bea = { 99 8e 8f 98 9c 86 84 88 d2 c1 ca d3 c7 d7 c6 d9 d5 9f 99 8b d1 91 75 6d 6e 23 62 6c 68 63 25 6e 6f 65 69 7f 67 6c 3d 61 73 60 67 62 79 65 7c 39 37 7c 7d 3d 39 5c 48 53 4d 4e 41 02 06 5b 08 48 5d 40 0c 0a 55 5f 42 58 5c 47 14 11 04 4a 1f }
$beb = { 98 89 8e 9b 9d 99 85 8b d3 c6 cb d0 c6 d8 c7 da d4 98 98 88 d0 6e 74 6e 6f 24 63 6f 69 6c 24 6d 6e 62 68 7c 66 73 3c 62 72 67 66 61 78 6a 7d 3a 36 7b 7c 3e 38 63 49 50 4c 49 40 01 07 54 09 4b 5c 47 0d 09 54 40 43 5b 5d 40 15 12 05 45 1e }
$bec = { 9f 88 8d 9a 82 98 86 8a d4 c7 c8 d1 c9 d9 c4 db d3 99 9b 89 2f 6f 77 6f 68 25 60 6e 66 6d 27 6c 69 63 6b 7d 79 72 3f 63 75 66 65 60 77 6b 7e 3b 31 7a 7f 3f 07 62 4a 51 4b 48 43 00 08 55 0a 4a 5b 46 0e 08 4b 41 40 5a 5a 41 16 13 0a 44 1d }
$bed = { 9e 8b 8c 85 83 9b 87 8d d5 c4 c9 de c8 da c5 dc d2 9a 9a 76 2e 6c 76 68 69 26 61 61 67 6e 26 6b 68 60 6a 62 78 71 3e 64 74 65 64 6f 76 68 7f 3c 30 79 7e 00 06 61 4b 56 4a 4b 42 0f 09 56 0b 4d 5a 45 0f 17 4a 42 41 5d 5b 42 17 1c 0b 47 1c }
$bee = { 9d 8a 93 84 80 9a 80 8c d6 c5 c6 df cb db c2 dd d1 9b 65 77 2d 6d 71 69 6a 27 6e 60 64 6f 21 6a 6b 61 75 63 7b 70 39 65 77 64 6b 6e 75 69 78 3d 33 78 41 01 05 60 4c 57 49 4a 4d 0e 0a 57 0c 4c 59 44 10 16 49 43 46 5c 58 43 18 1d 08 46 1b }
$bef = { 9c 95 92 87 81 9d 81 8f d7 ca c7 dc ca dc c3 de d0 64 64 74 2c 6a 70 6a 6b 28 6f 63 65 68 20 69 6a 7e 74 60 7a 77 38 66 76 6b 6a 6d 74 6e 79 3e 32 47 40 02 04 67 4d 54 48 45 4c 0d 0b 50 0d 4f 58 5b 11 15 48 44 47 5f 59 4c 19 1e 09 41 1a }
$bf0 = { 83 94 91 86 86 9c 82 8e d8 cb c4 dd cd dd c0 df 2f 65 67 75 2b 6b 73 6b 64 29 6c 62 62 69 23 68 75 7f 77 61 7d 76 3b 67 79 6a 69 6c 73 6f 7a 3f 0d 46 43 03 03 66 4e 55 47 44 4f 0c 0c 51 0e 4e 47 5a 12 14 4f 45 44 5e 56 4d 1a 1f 0e 40 19 }
$bf1 = { 82 97 90 81 87 9f 83 81 d9 c8 c5 da cc de c1 20 2e 66 66 72 2a 68 72 64 65 2a 6d 65 63 6a 22 77 74 7c 76 66 7c 75 3a 68 78 69 68 6b 72 6c 7b 00 0c 45 42 04 02 65 4f 5a 46 47 4e 0b 0d 52 0f 51 46 59 13 13 4e 46 45 51 57 4e 1b 18 0f 43 18 }
$bf2 = { 81 96 97 80 84 9e 8c 80 da c9 c2 db cf df 3e 21 2d 67 61 73 29 69 7d 65 66 2b 6a 64 60 6b 3d 76 77 7d 71 67 7f 74 35 69 7b 68 6f 6a 71 6d 44 01 0f 44 45 05 01 64 40 5b 45 46 49 0a 0e 53 10 50 45 58 14 12 4d 47 4a 50 54 4f 1c 19 0c 42 67 }
$bf3 = { 80 91 96 83 85 91 8d 83 db ce c3 d8 ce 20 3f 22 2c 60 60 70 28 66 7c 66 67 2c 6b 67 61 74 3c 75 76 7a 70 64 7e 7b 34 6a 7a 6f 6e 69 70 52 45 02 0e 43 44 06 00 6b 41 58 44 41 48 09 0f 4c 11 53 44 5f 15 11 4c 48 4b 53 55 48 1d 1a 0d 3d 66 }
$bf4 = { 87 90 95 82 8a 90 8e 82 dc cf c0 d9 31 21 3c 23 2b 61 63 71 27 67 7f 67 60 2d 68 66 7e 75 3f 74 71 7b 73 65 71 7a 37 6b 7d 6e 6d 68 4f 53 46 03 09 42 47 07 0f 6a 42 59 43 40 4b 08 10 4d 12 52 43 5e 16 10 43 49 48 52 52 49 1e 1b 72 3c 65 }
$bf5 = { 86 93 94 8d 8b 93 8f 85 dd cc c1 26 30 22 3d 24 2a 62 62 7e 26 64 7e 60 61 2e 69 79 7f 76 3e 73 70 78 72 6a 70 79 36 6c 7c 6d 6c 57 4e 50 47 04 08 41 46 08 0e 69 43 5e 42 43 4a 17 11 4e 13 55 42 5d 17 1f 42 4a 49 55 53 4a 1f 64 73 3f 64 }
$bf6 = { 85 92 9b 8c 88 92 88 84 de cd 3e 27 33 23 3a 25 29 63 6d 7f 25 65 79 61 62 2f 76 78 7c 77 39 72 73 79 7d 6b 73 78 31 6d 7f 6c 53 56 4d 51 40 05 0b 40 49 09 0d 68 44 5f 41 42 55 16 12 4f 14 54 41 5c 18 1e 41 4b 4e 54 50 4b 60 65 70 3e 63 }
$bf7 = { 84 9d 9a 8f 89 95 89 87 df 32 3f 24 32 24 3b 26 28 6c 6c 7c 24 62 78 62 63 30 77 7b 7d 70 38 71 72 76 7c 68 72 7f 30 6e 7e 53 52 55 4c 56 41 06 0a 4f 48 0a 0c 6f 45 5c 40 5d 54 15 13 48 15 57 40 53 19 1d 40 4c 4f 57 51 34 61 66 71 39 62 }
$bf8 = { 8b 9c 99 8e 8e 94 8a 86 20 33 3c 25 35 25 38 27 27 6d 6f 7d 23 63 7b 63 7c 31 74 7a 7a 71 3b 70 7d 77 7f 69 75 7e 33 6f 41 52 51 54 4b 57 42 07 05 4e 4b 0b 0b 6e 46 5d 5f 5c 57 14 14 49 16 56 4f 52 1a 1c 47 4d 4c 56 2e 35 62 67 76 38 61 }
$bf9 = { 8a 9f 98 89 8f 97 8b 79 21 30 3d 22 34 26 39 28 26 6e 6e 7a 22 60 7a 7c 7d 32 75 7d 7b 72 3a 7f 7c 74 7e 6e 74 7d 32 50 40 51 50 53 4a 54 43 08 04 4d 4a 0c 0a 6d 47 42 5e 5f 56 13 15 4a 17 59 4e 51 1b 1b 46 4e 4d 29 2f 36 63 60 77 3b 60 }
$bfa = { 89 9e 9f 88 8c 96 74 78 22 31 3a 23 37 27 36 29 25 6f 69 7b 21 61 65 7d 7e 33 72 7c 78 73 35 7e 7f 75 79 6f 77 7c 0d 51 43 50 57 52 49 55 4c 09 07 4c 4d 0d 09 6c 58 43 5d 5e 51 12 16 4b 18 58 4d 50 1c 1a 45 4f 32 28 2c 37 64 61 74 3a 6f }
$bfb = { 88 99 9e 8b 8d 69 75 7b 23 36 3b 20 36 28 37 2a 24 68 68 78 20 7e 64 7e 7f 34 73 7f 79 7c 34 7d 7e 72 78 6c 76 43 0c 52 42 57 56 51 48 5a 4d 0a 06 4b 4c 0e 08 73 59 40 5c 59 50 11 17 44 19 5b 4c 57 1d 19 44 30 33 2b 2d 30 65 62 75 35 6e }
$bfc = { 8f 98 9d 8a 72 68 76 7a 24 37 38 21 39 29 34 2b 23 69 6b 79 3f 7f 67 7f 78 35 70 7e 76 7d 37 7c 79 73 7b 6d 49 42 0f 53 45 56 55 50 47 5b 4e 0b 01 4a 4f 0f 17 72 5a 41 5b 58 53 10 18 45 1a 5a 4b 56 1e 18 3b 31 30 2a 2a 31 66 63 7a 34 6d }
$bfd = { 8e 9b 9c 75 73 6b 77 7d 25 34 39 2e 38 2a 35 2c 22 6a 6a 66 3e 7c 66 78 79 36 71 71 77 7e 36 7b 78 70 7a 52 48 41 0e 54 44 55 54 5f 46 58 4f 0c 00 49 4e 10 16 71 5b 46 5a 5b 52 1f 19 46 1b 5d 4a 55 1f 67 3a 32 31 2d 2b 32 67 6c 7b 37 6c }
$bfe = { 8d 9a 63 74 70 6a 70 7c 26 35 36 2f 3b 2b 32 2d 21 6b 75 67 3d 7d 61 79 7a 37 7e 70 74 7f 31 7a 7b 71 45 53 4b 40 09 55 47 54 5b 5e 45 59 48 0d 03 48 51 11 15 70 5c 47 59 5a 5d 1e 1a 47 1c 5c 49 54 60 66 39 33 36 2c 28 33 68 6d 78 36 6b }
$bff = { 8c 65 62 77 71 6d 71 7f 27 3a 37 2c 3a 2c 33 2e 20 74 74 64 3c 7a 60 7a 7b 38 7f 73 75 78 30 79 7a 4e 44 50 4a 47 08 56 46 5b 5a 5d 44 5e 49 0e 02 57 50 12 14 77 5d 44 58 55 5c 1d 1b 40 1d 5f 48 2b 61 65 38 34 37 2f 29 3c 69 6e 79 31 6a }
$adrop = { 74 65 6c 6c [1-10] 61 70 70 [1-15] 54 65 72 6d 69 6e 61 6c [1-10] 74 6f [1-10] 63 6c 6f 73 65 [1-10] 66 69 72 73 74 [1-10] 77 69 6e 64 6f 77 }
$bdrop = { 55 53 45 52 00 2f 55 73 65 72 73 2f 00 2f 65 78 65 00 63 68 6d 6f 64 20 2b 78 20 00 72 6d 20 00 }
condition:
Macho and any of ($a*) and any of ($b*) and filesize < 4MB
}
// Flags Mach-O files smaller than 40MB that contain ALL five ASCII strings
// below. The patterns are plain text written as hex; the decoded form is given
// above each one.
// NOTE(review): the "%v" format verbs suggest a Go binary -- inferred from the
// strings only, confirm against a sample.
rule XProtect_MACOS_CHERRYPIE_A
{
meta:
description = "MACOS.CHERRYPIE.A"
strings:
// "failed to create stdin pipe: %v"
$ = { 66 61 69 6c 65 64 20 74 6f 20 63 72 65 61 74 65 20 73 74 64 69 6e 20 70 69 70 65 3a 20 25 76 }
// "command finished with error: %v"
$ = { 63 6f 6d 6d 61 6e 64 20 66 69 6e 69 73 68 65 64 20 77 69 74 68 20 65 72 72 6f 72 3a 20 25 76 }
// ".DisallowEmpty"
$ = { 2e 44 69 73 61 6c 6c 6f 77 45 6d 70 74 79 }
// ".HideText"
$ = { 2e 48 69 64 65 54 65 78 74 }
// ".NoCancel"
$ = { 2e 4e 6f 43 61 6e 63 65 6c }
condition:
// Macho is the private magic-number rule declared at the top of this file.
// Each string on its own is generic; the rule depends on all five co-occurring.
Macho and all of them and filesize < 40MB
}
// Flags Mach-O files smaller than 14MB that contain ALL four ASCII strings
// below (hex-encoded text; decoded form shown above each pattern).
// NOTE(review): $a, $b and $d read like assertion/error text from a
// JSON-parsing library rather than malware-specific markers -- TODO confirm.
// If so, the rule is keyed on a particular combination of embedded library code.
rule XProtect_MACOS_ADLOAD_WSS {
meta:
description = "MACOS.ADLOAD.WSS"
strings:
// "m_cursor - m_start >= 2"
$a = { 6d 5f 63 75 72 73 6f 72 20 2d 20 6d 5f 73 74 61 72 74 20 3e 3d 20 32 }
// "fill_line_buffer"
$b = { 66 69 6c 6c 5f 6c 69 6e 65 5f 62 75 66 66 65 72 }
// "BerTagged"
$c = { 42 65 72 54 61 67 67 65 64 }
// "missing or wrong low surrogate"
$d = { 6d 69 73 73 69 6e 67 20 6f 72 20 77 72 6f 6e 67 20 6c 6f 77 20 73 75 72 72 6f 67 61 74 65 }
condition:
// Macho is the private magic-number rule declared at the top of this file.
Macho and all of them and filesize < 14MB
}
// Flags any file that contains at least four of the five ASCII strings below.
// Unlike most rules in this file there is no Macho guard and no filesize bound,
// so scripts and other non-Mach-O content are in scope.
// The two domain indicators are written defanged ("[.]") in these comments so
// that this rules file does not itself contain four of the matched strings.
rule XProtect_MACOS_BUNDLORE_E
{
meta:
description = "MACOS.BUNDLORE.E"
strings:
// "mmPasswdSuccess"
$ = { 6d 6d 50 61 73 73 77 64 53 75 63 63 65 73 73 }
// "id -un 501"  (shell command text)
$ = { 69 64 20 2d 75 6e 20 35 30 31 }
// "is_root=${isRoot}"  (looks like a templated query/argument fragment -- TODO confirm)
$ = { 69 73 5f 72 6f 6f 74 3d 24 7b 69 73 52 6f 6f 74 7d }
// host name indicator: client.mm-bq[.]host
$ = { 63 6c 69 65 6e 74 2e 6d 6d 2d 62 71 2e 68 6f 73 74 }
// domain indicator: periodikal[.]com
$ = { 70 65 72 69 6f 64 69 6b 61 6c 2e 63 6f 6d }
condition:
// "4 of them" = any four (or all five) of the anonymous strings above.
4 of them
}
// Flags any file containing at least two of the four byte patterns below.
// There is no Macho/PE guard and no filesize bound, which fits the "MULTI"
// prefix (presumably multi-platform -- TODO confirm).
//
// Each pattern is consistent with this layout: one length byte N, one
// single-byte XOR key K, then N 16-bit little-endian units. XOR-ing the low
// byte of each unit with K gives the ASCII text noted above each pattern.
// NOTE(review): the layout is inferred from the bytes; verify against a sample.
rule XProtect_MULTI_SNOWCAR
{
meta:
description = "MULTI.SNOWCAR"
strings:
// N=0x05, K=0x6c -> "test " (trailing space)
$command_test = { 05 6c 18 00 09 00 1f 00 18 00 4c 00 }
// N=0x04, K=0xab -> "run " (trailing space)
$command_run = { 04 ab d9 00 de 00 c5 00 8b 00 }
// N=0x0a, K=0x60 -> "port_scan " (trailing space)
$command_port_scan = { 0a 60 10 00 0f 00 12 00 14 00 3f 00 13 00 03 00 01 00 0e 00 40 00 }
// N=0x0a, K=0x75 -> "ping_scan " (trailing space)
$command_ping_scan = { 0a 75 05 00 1c 00 1b 00 12 00 2a 00 06 00 16 00 14 00 1b 00 55 00 }
condition:
// The patterns embed the key byte, so a build using different per-string keys
// would not match -- detection is tied to these exact encoded forms.
2 of them
}
// Flags Mach-O files that contain the ASCII string "SafariExtensionHandler"
// together with at least two of the four 16-byte binary patterns $a1..$a4.
// No filesize bound is applied.
rule XProtect_MACOS_SHEEPSWAP_OBFCOMMON
{
meta:
description = "MACOS.SHEEPSWAP.OBFCOMMON"
strings:
// $a1 and $a3 are opaque byte sequences with no readable text.
// NOTE(review): $a2 and $a4 look like x86-64 instruction bytes; $a2 includes a
// hard-coded relative call displacement (E8 78 13 00 00) and $a4 a hard-coded
// branch displacement, so both are presumably specific to particular builds --
// TODO confirm against samples.
$a1 = { 60 10 10 10 80 01 10 40 10 10 10 10 10 10 10 10 }
$a2 = { 48 8D 7D C8 48 89 CE 48 89 C2 E8 78 13 00 00 0F }
$a3 = { 47 8A 27 26 33 33 FC A0 74 BC AF EB 41 AD 86 C9 }
$a4 = { 10 48 85 C1 0F 84 7F 01 00 00 48 FF C8 48 21 C2 }
// "SafariExtensionHandler"
$b = { 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 48 61 6e 64 6c 65 72 }
condition:
// Macho is the private magic-number rule declared at the top of this file.
// $b alone is a generic class name; the $a* patterns carry the specificity.
Macho and 2 of ($a*) and $b
}
// Flags any Mach-O file that contains the single 8-byte sequence $common_data
// at any offset.
// NOTE(review): this is the only pattern and there is no filesize bound, so the
// rule's precision rests entirely on how unusual these eight bytes are in
// benign Mach-O files -- worth checking against a clean corpus.
rule XProtect_macos_adload_common_data {
meta:
description = "MACOS.ADLOAD"
strings:
// Opaque 8-byte constant; not printable text.
$common_data = {34 0c be 0f 00 7b 08 b6}
condition:
// Macho is the private magic-number rule declared at the top of this file.
// With one string defined, "all of them" is equivalent to $common_data.
Macho and all of them
}
// Flags small shell scripts (under 50KB) that begin with a bash/sh shebang and
// contain at least four of the six $b* fragments: download of a .tgz to
// /var/tmp, extraction there, func_-prefixed names and a sleep call.
// Not a Mach-O rule: the condition anchors on the shebang instead of Macho.
// Bracketed ranges such as [3-15] are YARA jumps: that many arbitrary bytes.
rule XProtect_MACOS_2fc5997
{
meta:
description = "MACOS.2fc5997"
strings:
// "#!/bin/bash" or "#!/bin/sh"
$a0 = { 23 21 2f 62 69 6e 2f (62 61 73 68 | 73 68) }
// curl -s -L -o "/var/tmp/<3-15 bytes>.tgz"
$b0 = { 63 75 72 6c 20 2d 73 20 2d 4c 20 2d 6f 20 22 2f 76 61 72 2f 74 6d 70 2f [3-15] 2e 74 67 7a 22 }
// http://<12-20 bytes>/static/s3/exec6625/<3-15 bytes>.tgz
// Plain http only; the 12-20 byte jump covers the host part of the URL.
$b1 = { 68 74 74 70 3a 2f 2f [12-20] 2f 73 74 61 74 69 63 2f 73 33 2f 65 78 65 63 36 36 32 35 2f [3-15] 2e 74 67 7a }
// "mkdir -p /var/tmp"
$b2 = { 6d 6b 64 69 72 20 2d 70 20 2f 76 61 72 2f 74 6d 70 }
// tar -xzf "/var/tmp/<3-15 bytes>.tgz" -C "/var/tmp/<3-15 bytes>/"
$b3 = { 74 61 72 20 2d 78 7a 66 20 22 2f 76 61 72 2f 74 6d 70 2f [3-15] 2e 74 67 7a 22 20 2d 43 20 22 2f 76 61 72 2f 74 6d 70 2f [3-15] 2f 22 }
// "func_" + 1-12 bytes + either "(" or " &"
$b4 = { 66 75 6e 63 5f [1-12] (28 | 20 26) }
// "sleep " + three bytes in 0x30-0x3f. The nibble wildcard covers the digits
// 0-9 but also the six characters : ; < = > ?
$b5 = { 73 6c 65 65 70 20 3? 3? 3? }
condition:
// "$a0 at 0" requires the shebang to be the very first bytes of the file.
$a0 at 0 and filesize < 50KB and 4 of ($b*)
}
// Flags Mach-O files under 2MB that reference both IOKit symbols in $a* and
// contain either the opaque byte block $b0 or the run of NUL-separated
// method names in $b1.
rule XProtect_MACOS_a6d7810
{
meta:
description = "MACOS.a6d7810"
strings:
// "@_IOServiceMatching"
$a0 = { 40 5f 49 4f 53 65 72 76 69 63 65 4d 61 74 63 68 69 6e 67 }
// "@_IORegistryEntryCreateCFProperty"
$a1 = { 40 5f 49 4f 52 65 67 69 73 74 72 79 45 6e 74 72 79 43 72 65 61 74 65 43 46 50 72 6f 70 65 72 74 79 }
// 84 opaque bytes; nothing in this file says what they encode.
$b0 = {
00 8b d5 df 3d d3 8f 3e
30 d6 55 26 39 a7 e6 fe
16 ea 5f 66 14 c2 72 b3
0d f6 1c c9 01 a5 6b 68
96 c2 9f 45 4e 7d 62 2b
e8 72 dd ea 99 cf 96 66
7c 54 1f 88 c7 1c e6 d3
9d 67 d3 11 c7 e0 5d 44
5e f2 4b b7 f0 07 d7 64
cf b4 1b 2d 53 22 88 d9
3c 16 8a 1a
}
// ASCII, NUL-separated, in this exact order:
// "processInfo" "arguments" "firstObject" "lastPathComponent" "environment"
// "processIdentifier" "numberWithInt:" "hostName" "globallyUniqueString"
// "stringWithFormat:"
// Because the order is part of the pattern, the same names laid out
// differently would not match $b1.
$b1 = {
70 72 6f 63 65 73 73 49
6e 66 6f 00 61 72 67 75
6d 65 6e 74 73 00 66 69
72 73 74 4f 62 6a 65 63
74 00 6c 61 73 74 50 61
74 68 43 6f 6d 70 6f 6e
65 6e 74 00 65 6e 76 69
72 6f 6e 6d 65 6e 74 00
70 72 6f 63 65 73 73 49
64 65 6e 74 69 66 69 65
72 00 6e 75 6d 62 65 72
57 69 74 68 49 6e 74 3a
00 68 6f 73 74 4e 61 6d
65 00 67 6c 6f 62 61 6c
6c 79 55 6e 69 71 75 65
53 74 72 69 6e 67 00 73
74 72 69 6e 67 57 69 74
68 46 6f 72 6d 61 74 3a
}
condition:
Macho and filesize < 2MB and all of ($a*) and 1 of ($b*)
}
// Flags any file containing either of two fixed 16-byte values. The
// identifiers label them as a key and an IV; the cipher is not stated here.
// There is no Macho or filesize gate, so the rule applies to every scanned
// file type and a single 16-byte hit is sufficient.
rule XProtect_macos_snowdock_crypt {
meta:
description = "MACOS.SNOWDOCK"
strings:
$key_1 = {1d82b8c76c847ff654295b7201390269}
$iv_1 = {99ed52008eced6de1dba5b72513039ae}
condition:
any of them
}
// Flags Mach-O files containing at least two of six anonymous byte patterns.
// No filesize bound is applied. All six patterns are opaque binary data;
// nothing in this file says what they encode.
rule XProtect_MACOS_PIRRIT_GEN {
meta:
description = "MACOS.PIRRIT.GEN"
strings:
// The run AD 7F AC B2 ... 48 89 2C A7 inside this pattern is the same 32
// bytes used (twice) as $c in XProtect_MACOS_FRISKYHORSE_COMMON.
$ = {
37 A6 17 43 F9 86 21 ED 98 A3 94 C4 44 D7 68 25
ED 03 48 7E 7B 23 24 AA 80 47 B7 84 54 19 1B A7
C9 C1 DC BA F2 64 AC 99 88 74 CC 47 86 D6 C9 AC
80 0D EB 6A 4D B0 97 BF 4E 63 65 F3 F7 C7 C9 8D
3C 22 E6 40 4C 05 AD 7F AC B2 58 6F C6 E9 66 C0
04 D7 D1 D1 6B 02 4F 58 05 FF 7C B4 7C 7A 85 DA
BD 8B 48 89 2C A7 B8 D0 30 AA 2E 4D D5 C1 16 2C
E2 0D 59 62 DE D2 CB 0E F9 2D 91 B0 11 52 3E 36
97 E2 AE
}
$ = {
5F 76 08 37 D9 EC 03 49 64 C3 DD 15 3F DC 39 C9
F2 BC E0 68 9D 20 8B 6F 41 ED 00 C2 34 9D 85 61
53 6E 06 D0 A4 F7 D1 38 7E 9F 05 4B E9 BC F3 F6
54 B6 7C 77 60 83 D0 C1 7F E5 94 91 26 89 8E 77
66 F1 45 CD 83 44 97 C4 A3 AD 0F 4C AB 27 98 A7
F4 37 79 D0 90 97 56 F7 81 6E 68 1D
}
// Mostly the byte pair 52 41 repeated, then a short distinct tail.
// NOTE(review): possibly Mach-O linker metadata rather than code; confirm.
$ = {
52 41 52 41 52 41 52 41 52 41 52 41 52 41 52 41
52 41 52 41 52 41 52 41 52 41 52 41 52 41 52 41
52 41 52 41 52 41 52 41 52 41 52 41 52 41 52 41
52 41 52 41 60 2D 41 52 44 53 44 58 43 53 42 70
}
$ = {
4F 6F 1D E4 55 F8 00 36 BA A4 50 87 D2 DA 8B 0C
1E 8C 56 90 AD 7A 9B C4 0B AF B2 9C 51 AE 75 71
93 31 72 D0 4F 91 39 4D BA 76 CC 3A 37 06 33 1C
F9 A0 0E 71 FD EB 21 94 A4 7E C0 B2 B2 3F B4 5F
}
// Same repetitive 52 41 shape as the third pattern, with a different head and tail.
$ = {
54 42 52 41 52 41 52 41 52 41 52 41 52 41 52 41
52 41 52 41 52 41 52 41 52 41 52 41 52 41 52 41
52 41 52 41 52 41 52 42 52 42 60
}
$ = { 52 42 53 43 53 43 53 43 53 43 53 43 52 42 52 42 53 43 52 42 52 42 52 42 52 42 52 42 70 }
condition:
Macho and 2 of them
}
// Flags Mach-O files that contain both printf-style format strings below and
// a six-byte whitespace set. No filesize bound is applied.
// NOTE(review): the "_Tt..." strings look like runtime name-formatting
// templates rather than family-specific text (presumably shared by many
// binaries built with the same toolchain; confirm), so the verdict depends on
// the three items co-occurring.
rule XProtect_MACOS_ADLOAD_FMT {
meta:
description = "MACOS.ADLOAD.FMT"
strings:
$ = "_Tt%cSs%zu%.*s%s"
$ = "_Tt%c%zu%.*s%zu%.*s%s"
// space, LF, CR, TAB, FF, VT
$ = {20 0a 0d 09 0c 0b}
condition:
Macho and all of them
}
// Flags Mach-O files containing ANY ONE of the anonymous byte patterns below.
// Every pattern is an opaque, fully fixed byte run (no wildcards or jumps);
// nothing in this file says what the bytes encode. There is no filesize bound.
// Because the condition is "any of them", each pattern is an independent
// signature: a hit on a single one is enough, and when triaging a match the
// matched offset has to be inspected to learn which pattern fired, since the
// strings carry no names.
// Some patterns overlap each other (for example the pattern beginning
// 4D4C8606E2027F4C is largely contained in the tail of the pattern beginning
// 3E46AC089C01AC02); under "any of them" that overlap does not change the result.
rule XProtect_MACOS_ADLOAD_GEN {
meta:
description = "MACOS.ADLOAD.GEN"
strings:
$ = {240CA84A00F42505A64A00B2260CA54D00D72605A34D00EC260BA14A00F227059E4D008B290BC65000EA290BC85000B82A0C994D00E52A0CF44C00DC2D1AE84C00A42E0CC84C00DA2E0CAA4C00BF300C9E4C00F83013924C00C53108864C00863208FA4B00F032FF01914F00A5350EFC49009A361AD54B00B43613B74B00C73621994B008638168D4B00C3}
$ = {3E46AC089C01AC0270C402C402D602D602D602447A465E3199020CBE0280026250EA063E8202CE0187014DA601060A1406484A0C20484A06464CBE04514D4C8606E2027F4C4D060A14484ABA013C4A20303020302A20303420303AA91C4D96048C01F801E002D802860192044CD001FE01334DD40220303C}
$ = {220CB44A00FF241AAC4A00C7250C904A00FD250CF64900BE2725E04900962818DB4900DF280CE3470084290CE14700872A05DF4700C52A0CD64900EA2A05D14900FF2A0BDA4700852C05CC49009E2D0BC14F00FD2D0BC34F00CB2E0CC74900F82E0CC54900E1311AC34900A9320CC14900DF320CBF49}
$ = {5400BD4405AC5600D6450BE55C00B5460BE75C0083470CA75600B0470C865600994A1AFE5500E14A0CE25500974B0CC85500E14C13C05500F44C27B45C009B4D249F5500BF4D249F5400E34D23855400864E23EB5300A94EB503D15300DE510F0000ED510CCC5300FB510CC753}
$ = {5900C6210CF75800CD241AEF580095250CD35800CB250CB95800B02718B15800F9270CE454009E280CE25400A12905E05400DF290CA95800842A05A75800992A0BDB54009F2B05A25800B82C0BE15F00972D}
$ = {4400B02F0CB84400A43118AF4400ED310CCF410098320CCD41009B3305CB4100E433059944008234059744009B340FC64100A535058D4400B7360FE84A009A370FEA4A00EC370C88440099380CE643}
$ = {E13918844B00AA3A0CFA4900CF3A0CF84900D23B05F64900903C0CFF4A00B53C05FA4A00CA3C0BF14900D03D05F54A00E93E0BC25000C83F0BC4500096400CF0}
$ = {3F0083070CB53B00B0070C943B00B70A1A8C3B00FF0A0CF03A00B50B0CD63A00A30D18CE3A00EC0D0CA43700910E0CA23700940F05A03700D20F0CC63A00F70F05C43A008C100B9B3700921105BF3A00AB120BAD3E008A130BAF3E00D8130CBA3A0085140C993A008017}
$ = {240CF65600B5250CF45600F82618CA5600EB2718BF6000BB280CF75D00E02808F55D00D62908EC5D00972A08C76000B42A08C96000C82A0EEE5D00D12B13D16000EA2C13C06300D12D13C26300A72E0C996000DB2E0C9E60}
$ = {310CD73700F7310CBD3700C2340BF84000F23411B8380083355E0000E1350CF43600EF350CEF3600FD350CEA36008B360CE5360099360CE03600A7360CDB3600B5360C}
$ = {280C803700862905FE3600C4290CA83800E92905A63800FE290BF93600842B05A138009D2C0BD13B00FC2C0BD33B00CA2D0C9C3800F72D0CFB370080311AF337}
$ = {4D4C8606E2027F4C4D060A14484ABA013C4A20303020302A20303420303AA91C4D96048C01F801E002D802860192044CD001FE01334DD40220303C42443C4244}
$ = {52415542524252415541554155415542524252415542524155425242524252415541554155415542524252425241554252425241554155415542524252425241}
$ = {6100E93D0BDB6700A33E0CF86100DF3E13DC6100F93E15BF6100E2410CB96A00F541088A5F008C4208ED5E00AB420AD35E00FE421892610083440C8D6100AD450BFB6600E7450C886100AA4613836100BD4615E46000A6490CCE5E00B94908AF5E00D04908925E00EF490AF85D00D54A0C9563009E4B08FE6400AE4B18CA6200B34C0CC56200DD4D0B9F6900974E0CC06200DA4E13A46200ED4E15876200D6510C896000E9}
$ = {0000B35A0CF35D00C15A0CEE5D00CF5A0CE95D00DD5A0CE45D00EB5A0CDF5D00F95A0CDA5D00875B0CCE5E00955B0CD56B00A35B0CA76B00B15B0CD55D00BF5B0CCE5E00CD5B0CD05D00DB5B0CCB5D00EC5B0CA56A00FD5B05806700875C0C916600985C0C9B6600A95C0C966600BA5C05926500C45C059A6300CE5C0CC06200DF}
$ = {842605B96A00B426058C6600E62625E76600902713E26600A32715C36600F7290CBB6A008A2A08C96500A12A08AC6500C02A0A926500932B13876600A62B15E86500FA2D0CB96A008D2E08D16300A42E08B46300C32E0A9A63009D2F05E76600C12F0FDA6400843013AE5F00B53031DA64}
$ = {0574860924A40DEA02E0033C42B00236C4023C42C802607A30FA0138E40772F201D401D601800152C60DDA018A015AB0018604F602E602CA02C302797EBC039C01C2047E5A86018804DA022E36188A01}
$ = {056A0B0D230BD22077103033DD11A701F00B2F12DE01F92CA20C58C904D504D703141222800ED60B9F14E70FDE063354103010300A0A0B323863B404D70300}
$ = {3C32CA2DD72D8D6CDB925CD30659CA4905A5C1E06B452F8290CBCD812A6CD92812C3CE34974A70115818AC3F50EEE06184665759D2FB63CAE394C260D05FC8E556B2B4A31747250F1811F50EF161268DD487404AE72FD34FC87BD590CC18DDE7BB}
$ = {3809A14000F4381380500087390C854000B63909904100843C3CDC4E00C03C16F44800D63C16D34800A13D0CCE4800C63E09954100E63E09B34100893F099A41009E3F09FB3F00A93F0CF63F00B73F0CF13F00C53F09EC3F00D03F0CEF4700DE3F0CE44100EA3F}
$ = {B7DA17276B66812AB432E7D67540C63E8AF136A062BE92B438F74178B0EE444462E97AA564F90B86A6BFFBB4B97ACA9BD14F5C8F43E4CDD3C93C7D3B96803D9D2817DCE3E693EA5FB21DCAA63F84C8A78C83CE0B}
$ = {B534271143F1E4CDEAE556DF49C37D646CDEFC777BE9B095635119DA76E2D379D86633D5B4B07A67E0B3907B89FB6AA16B06BBCF9A27DB864A8D9705A9CC308DE9A50A11CDC9902162C3177AA2}
$ = {F9650E098C1BDFDBA3AFEE4CCAC2B147A7312E01831DAF7DC55C5DB757B3729D2267AB28828F9CBA7B7ED9599403A2BCDE5422D6BF901B147BCE68F961C0158238AB466A14}
$ = {E5081DB0230387090CC4230398090CD82303B6091DEC2303D8090C802403E9090C942403870A1DA82403A90A0CBC2403BA0A0CD02403D80A1DE42403FA0A0CF824038B0B0C8C2503AB0B1DA02503CD0B0CB42503DE0B0CC82503FC0B1DDC25039E0C0CF02503AF0C0C842603CD0C1D982603EF0C0CAC2603800D0CC02603A00D1DD42603C20D0CE82603D30D0CFC2603E40D219027038A0E0CA427039B0E0CB82703AC0E21CC2703D20E0CE02703E30E0CF42703830F1D882803A50F0C9C2803B60F0CB02803C70F21C42803ED0F0CD82803FE0F0CEC2803A81029802903DB102194290381110CA8290392110CBC2903B2110FD02903C61121E42903EC110CF82903FD110C8C2A038E1213A02A03A61221B42A03CC120CC82A03DD120CDC2A03871329F02A03BA1321842B03E0130C982B03F1130CAC2B039B1429C02B03CE1421D42B03F4140CE82B0385150CFC2B0396150C902C03A7150CA42C03B8151AB82C03D71521CC2C03FD15EF01E02C03F1171AF42C03931F1DAC2103D33411F83403AD350CAF3603DC351AC33603F635C3}
$ = {BF03B804D60205FC071FC80B03E608CB03E20B03B60C13AC0E03CE0C15BA0E03E80D16E20B03830E13E00E03870FAC03E20B03B81213AE1403D01215BC1403EA1316E20B03851413E21403891572E20B03801613A91603D0160FE20B03DF168401}
$ = {8D1FF6FFFF9090486385B4F6FFFF89C2FFC28995B4F6FFFF488BB5B8F6FFFF31D248F7F6488DBD98F6FFFF4889D6E8}
$ = {B30D05BA1C00B80D180000D00D05C91C00D50D110000E60D2FD81C00950E340000C90E05961D00CE0E140000E20E0AA81D00EC0E150000810F05961D00860F110000970F05961D009C0F0D0000A90F05C31D00AE0F140000C20F05D51D00C70F180000DF0F05E41D00E40F1F}
$ = {306030501050201020201040203020105020203030201040203050403040D007B003D003708004D0078004C003D003C003B003D003B003C003C003E03AA003C0}
$ = {A51405BD2000AA141B0000C51418CC2000DD142B0000881505AB20008D15140000A1150AF02000AB15150000C01505AB2000C5150D0000D215058B2100D71514}
$ = {8E0B1B861B00A90B330000DC0B05BC1B00E10B0D0000EE0B05CE1B00F30B0D0000800C2EDD1B00AE0C140000C20C18EC1B00DA0C2E0000880D05991C008D0D0D}
$ = {24E0028004B003203030A0042030401030203020201010205030306030501050201020201040203020105020203030201040203050403040D007B003D0037080}
$ = {A20E01FE0408930D03BA055DA20E019E0608F00C03DA064AA20E01AB0708CD0C03E70749A20E01B70808AA0C0381095DA20E01E50908870C03AF0A5DA20E01930B08E4}
$ = {C1E83E88C188CA80EA0148897DF8488975F0884DEF8855EE740EEB008A45EF2C028845ED7421EB5448B8FFFFFFFFFFFFFF3F488B4DF04821C14889CFE8254B0000488945}
$ = {000089C148FFC90F90C248898D60FEFFFF88955FFEFFFF0F801808000031C089C1488B9560FEFFFF4829D1400F90C648FFC9400F90C74883F9004088B55EFEFFFF}
$ = {6E0025020000000400C0A6010000000000009034E001502030A01C50302080016080016010F01E5030503050900160505020102080012020D0195060101080054020E0025010409001403020200000000000}
$ = {0050220002802200008024000190240000302500017025000440320000903200011033000390350001F035000250370001B0370000C03800013039000219010301190B040100}
$ = {800970900420508017C008A006F00FA03050505050205090016070F013800160A00120E005B00380066010E0017080025030503090015050800150A001106010602010504050405050504050505050501010101010301020203030106010306000}
$ = {70404883C60F4883E6F04889E74829F74889FC488BB560FFFFFF4C8B46F84D8B48404983C10F4983E1F04989E24D29CA4C89D44989E34D29CB4C89DC4C895DE84889E34C29CB4889DC48895DE04C8B8D68}
$ = {C1E83E88C188CA80EA0148897DF8488975F0884DEF8855EE740EEB008A45EF2C028845ED741DEB4248B8FFFFFFFFFFFFFF3F488B4DF04821C14889CFE8DD0A00}
$ = {00000036ab000000d341000000db1b000000de33000000258d000000dc1c000000d227000000de4100000090d0ffffffe958000000d8570000007cbc000000cc1400000034bc0000004585000000bb03000000b327000000d7170000001b}
condition:
Macho and any of them
}
// Flags Mach-O files that contain "smc100", a NUL-terminated whitespace set,
// and at least one of the short markers "-> " or "m=".
// "-> " and "m=" are only two and three bytes long, so they add little
// selectivity on their own; the verdict rests mainly on $smc_header and
// $escape_string. No filesize bound is applied.
rule XProtect_MACOS_ADLOAD_SMC {
meta:
description = "MACOS.ADLOAD.SMC"
strings:
$smc_header = "smc100"
// space, LF, CR, TAB, FF, VT, NUL
$escape_string = { 20 0a 0d 09 0c 0b 00 }
$arrow = "-> "
$m_parameter = "m="
condition:
Macho and (
$smc_header and
$escape_string and
($arrow or $m_parameter)
)
}
// Flags Mach-O files under 1500KB that reference two Safari-extension method
// names, contain "_swift" more than 84 times, and include at least one of two
// opaque 32-byte sequences.
rule XProtect_MACOS_SHEEPSWAP_ALLBIDCOMMON
{
meta:
description = "MACOS.SHEEPSWAP.ALLBIDCOMMON"
strings:
// "getStateOfSafariExtensionWithIdentifier:completionHandler:"
$s_1 = { 67 65 74 53 74 61 74 65 4f 66 53 61 66 61 72 69 45 78 74 65 6e 73 69 6f 6e 57 69 74 68 49 64 65 6e 74 69 66 69 65 72 3a 63 6f 6d 70 6c 65 74 69 6f 6e 48 61 6e 64 6c 65 72 3a }
// "showPreferencesForExtensionWithIdentifier:completionHandler:"
$s_2 = { 73 68 6f 77 50 72 65 66 65 72 65 6e 63 65 73 46 6f 72 45 78 74 65 6e 73 69 6f 6e 57 69 74 68 49 64 65 6e 74 69 66 69 65 72 3a 63 6f 6d 70 6c 65 74 69 6f 6e 48 61 6e 64 6c 65 72 3a }
// "_swift"
$s_3 = { 5f 73 77 69 66 74 }
// $c_1 / $c_2: opaque bytes; nothing in this file says what they encode.
$c_1 = { 00 11 22 30 60 29 30 80 01 53 42 54 43 70 10 54 43 70 10 53 42 53 42 53 42 58 44 70 30 60 15 41 }
$c_2 = { 41 52 41 52 41 52 41 52 41 52 41 52 42 52 42 60 23 43 70 30 53 44 70 10 70 10 60 0F 44 70 08 70 }
condition:
// #s_3 is the occurrence count of $s_3; "all of ($s_*)" already requires
// at least one, and the count test raises that to 85 or more.
Macho and all of ($s_*) and #s_3 > 84 and any of ($c_*) and filesize < 1500KB
}
// Flags Mach-O files containing all five anonymous patterns below.
// Two are IOKit symbol names (the same two that XProtect_MACOS_a6d7810 uses
// as $a0/$a1); the other three are opaque byte runs. No filesize bound.
rule XProtect_MACOS_PIRRIT_A {
meta:
description = "MACOS.PIRRIT.A"
strings:
// Six bytes, printable as "{PUvP_"; meaning not established in this file.
$ = {7B505576505F}
// "@_IOServiceMatching"
$ = {405f494f536572766963654d61746368696e67}
// Opaque; the bytes happen to be printable but do not form readable text.
$ = {5544524770305341524152415241524152416045495242524370}
// "@_IORegistryEntryCreateCFProperty"
$ = {405f494f5265676973747279456e747279437265617465434650726f7065727479}
// Opaque 68-byte block.
$ = {00654B39B42ECAF00FD402B66D691086D24FE7CF288C1D780CC3226FA7140A1011436E8ADEC866C7C4ABC1492CEAD175887366FDE50BD2678B95C9BD41965EAA92E1CAF0}
condition:
Macho and all of them
}
// Flags Mach-O files between 100KB and 1MB that combine a large set of
// Objective-C class/method names with either many digit-plus-punctuation runs
// ($k) or one of two code sequences ($l*).
// The name strings are grouped by identifier prefix, and the condition sets a
// separate threshold per group. Individually the names are ordinary API
// identifiers; the rule depends on the per-group thresholds, the size window
// and the $k/$l* terms together.
rule XProtect_MACOS_DOLITTLE_HJK {
meta:
description = "MACOS.DOLITTLE.HJK"
strings:
$a01 = { 4e 53 41 70 70 6c 65 53 63 72 69 70 74 } // "NSAppleScript"
$a02 = { 69 6e 69 74 57 69 74 68 53 6f 75 72 63 65 } // "initWithSource"
$b01 = { 4e 53 52 65 67 75 6c 61 72 45 78 70 72 65 73 73 69 6f 6e } // "NSRegularExpression"
$b02 = { 72 61 6e 67 65 4f 66 46 69 72 73 74 4d 61 74 63 68 49 6e 53 74 72 69 6e 67 } // "rangeOfFirstMatchInString"
$c01 = { 55 52 4c 57 69 74 68 53 74 72 69 6e 67 } // "URLWithString"
$c02 = { 69 6e 69 74 57 69 74 68 55 52 4c } // "initWithURL"
$c03 = { 73 65 74 48 54 54 50 4d 65 74 68 6f 64 } // "setHTTPMethod"
$d01 = { 55 54 46 38 53 74 72 69 6e 67 } // "UTF8String"
$d02 = { 73 74 72 69 6e 67 57 69 74 68 46 6f 72 6d 61 74 } // "stringWithFormat"
$d03 = { 63 6f 6d 70 6f 6e 65 6e 74 73 53 65 70 61 72 61 74 65 64 42 79 53 74 72 69 6e 67 } // "componentsSeparatedByString"
$d04 = { 6f 62 6a 65 63 74 41 74 49 6e 64 65 78 65 64 53 75 62 73 63 72 69 70 74 } // "objectAtIndexedSubscript"
$d05 = { 69 6e 74 56 61 6c 75 65 } // "intValue"
$d06 = { 61 70 70 65 6e 64 46 6f 72 6d 61 74 } // "appendFormat"
$e01 = { 55 52 4c 46 6f 72 41 70 70 6c 69 63 61 74 69 6f 6e 57 69 74 68 42 75 6e 64 6c 65 49 64 65 6e 74 69 66 69 65 72 } // "URLForApplicationWithBundleIdentifier"
$e02 = { 55 52 4c 46 6f 72 41 70 70 6c 69 63 61 74 69 6f 6e 54 6f 4f 70 65 6e 55 52 4c } // "URLForApplicationToOpenURL"
$e03 = { 62 75 6e 64 6c 65 57 69 74 68 55 52 4c } // "bundleWithURL"
$f01 = { 73 65 74 4c 61 75 6e 63 68 50 61 74 68 } // "setLaunchPath"
$f02 = { 73 65 74 41 72 67 75 6d 65 6e 74 73 } // "setArguments"
$f03 = { 70 69 70 65 } // "pipe"
$f04 = { 73 65 74 53 74 61 6e 64 61 72 64 4f 75 74 70 75 74 } // "setStandardOutput"
$f05 = { 6c 61 75 6e 63 68 } // "launch"
$f06 = { 66 69 6c 65 48 61 6e 64 6c 65 46 6f 72 52 65 61 64 69 6e 67 } // "fileHandleForReading"
$f07 = { 72 65 61 64 44 61 74 61 54 6f 45 6e 64 4f 66 46 69 6c 65 } // "readDataToEndOfFile"
$f08 = { 77 61 69 74 55 6e 74 69 6c 45 78 69 74 } // "waitUntilExit"
$h01 = { 73 65 74 54 69 74 6c 65 56 69 73 69 62 69 6c 69 74 79 } // "setTitleVisibility"
$h02 = { 73 65 74 54 69 74 6c 65 62 61 72 41 70 70 65 61 72 73 54 72 61 6e 73 70 61 72 65 6e 74 } // "setTitlebarAppearsTransparent"
$h03 = { 63 6f 6e 74 65 6e 74 52 65 63 74 46 6f 72 46 72 61 6d 65 52 65 63 74 } // "contentRectForFrameRect"
$h04 = { 65 66 66 65 63 74 69 76 65 41 70 70 65 61 72 61 6e 63 65 } // "effectiveAppearance"
$h05 = { 73 65 74 42 61 63 6b 67 72 6f 75 6e 64 43 6f 6c 6f 72 } // "setBackgroundColor"
$h06 = { 69 6e 69 74 57 69 74 68 46 72 61 6d 65 } // "initWithFrame"
$h07 = { 73 65 74 42 75 74 74 6f 6e 54 79 70 65 } // "setButtonType"
$h08 = { 73 65 74 42 65 7a 65 6c 53 74 79 6c 65 } // "setBezelStyle"
$g = { 73 65 74 49 67 6e 6f 72 65 73 4d 6f 75 73 65 45 76 65 6e 74 73 } // "setIgnoresMouseEvents"
$i = { 2f 75 73 72 2f 6c 69 62 2f 6c 69 62 6f 62 6a 63 2e 41 2e 64 79 6c 69 62 } // "/usr/lib/libobjc.A.dylib"
$j = { 2f 53 79 73 74 65 6d 2f 4c 69 62 72 61 72 79 2f 46 72 61 6d 65 77 6f 72 6b 73 2f } // "/System/Library/Frameworks/"
// $k: ten consecutive groups of "2-3 digits + one ASCII punctuation byte",
// immediately followed by a NUL.
$k = /(\d{2,3}[\x21-\x2f\x3a-\x40\x5b-\x60\x7b-\x7e]){10}\x00/
// $l01 / $l02: opaque code bytes ($l01 with wildcards and jumps); nothing in
// this file says what they implement.
$l01 = { 80 ?4 08 ?? [1-4] c8 48 ff c8 48 [3-5] 77 }
$l02 = { 8c 01 0a 4a 6c 41 00 39 0b 85 00 91 08 05 00 d1 }
condition:
// Size window first, then the per-group thresholds:
// all of a, all of b, 2 of 3 c, 5 of 6 d, 2 of 3 e, 6 of 8 f, $g, 6 of 8 h, $i.
Macho and 100KB < filesize and filesize < 1MB
and all of ($a*)
and all of ($b*)
and 2 of ($c*)
and 5 of ($d*)
and 2 of ($e*)
and 6 of ($f*)
and $g
and 6 of ($h*)
and $i
and (
// Caps the number of "/System/Library/Frameworks/" references: at most 8,
// or at most 16 when the file starts with 0xcafebabe and the next field is small.
// NOTE(review): the second test presumably identifies a universal (fat)
// binary with a small slice count, as opposed to other 0xcafebabe formats;
// it reads a big-endian header field with little-endian uint32(); confirm intent.
(not (uint32be(0) == 0xcafebabe and uint32(4) < 0x14000000) and #j <= 8)
or ((uint32be(0) == 0xcafebabe and uint32(4) < 0x14000000) and #j <= 16)
)
// Either more than 50 $k runs, or one of the two code sequences.
and (#k > 50 or 1 of ($l*))
}
// Flags Mach-O files between 30KB and 100KB that have one of six short ASCII
// markers exactly at file offset 0xb0 and also contain the code pattern $b1.
// NOTE(review): $a5 reads "upxTEXT" and $b1 has the shape of an unpacking
// loop, so this presumably targets a packed loader; confirm against samples.
rule XProtect_MACOS_SHEEPSWAP_OBF_C
{
meta:
description = "MACOS.SHEEPSWAP.OBF.C"
strings:
$a1 = {51 7a 52 4a 5a 6e 77} // "QzRJZnw"
$a2 = {61 70 72 6f 54 45 58 54} // "aproTEXT"
$a3 = {4e 6a 49 35 46 6e 4a} // "NjI5FnJ"
$a4 = {52 30 5a 42 62 58 59} // "R0ZBbXY"
$a5 = {75 70 78 54 45 58 54} // "upxTEXT"
$a6 = {52 30 46 4e 62 58 30} // "R0FNbX0"
// x86-64 code bytes; ?? marks operand bytes left as wildcards.
$b1 = {
75 ?? 8b 1e 48 83 ee fc
11 db 8a 16 73 ?? 83 e8
03 72 ?? c1 e0 08 0f b6
d2 09 d0 48 ff c6 83 ??
?? 0f 84 ?? ?? ?? ?? 48
63 e8 8d 41 01 41 ff d3
}
condition:
// "any of ($a*)" is implied by the positional test that follows; the
// effective requirement is that some $a* string sits at offset 0xb0.
Macho and (any of ($a*) and $b1) and for any of ($a*) : ($ at 0xb0) and filesize > 30KB and filesize < 100KB
}
// Flags Mach-O files under 1MB containing both a specific run of
// NUL-terminated status strings and an Objective-C method signature.
rule XProtect_MACOS_CRAPYRATOR_A1
{
meta:
description = "MACOS.CRAPYRATOR.A1"
strings:
// "Failed!\0Nothing to do!\0Success!\0tool\0", contiguous and in this order
$ = { 46 61 69 6c 65 64 21 00 4e 6f 74 68 69 6e 67 20 74 6f 20 64 6f 21 00 53 75 63 63 65 73 73 21 00 74 6f 6f 6c 00 }
// "-[Elevate run:]"
$ = { 2d 5b 45 6c 65 76 61 74 65 20 72 75 6e 3a 5d }
condition:
Macho and all of them and filesize < 1MB
}
// Flags Mach-O files under 1MB containing both the ASCII string
// "lastExecutedScriptHash" and one fixed 16-byte value.
rule XProtect_MACOS_CRAPYRATOR_A2
{
meta:
description = "MACOS.CRAPYRATOR.A2"
strings:
// "lastExecutedScriptHash"
$ = { 6c 61 73 74 45 78 65 63 75 74 65 64 53 63 72 69 70 74 48 61 73 68 }
// 16 opaque bytes; nothing in this file says what they represent.
$ = { dc 22 b6 f8 2e 21 ab 13 c0 b4 59 c8 10 af 39 60 }
condition:
Macho and all of them and filesize < 1MB
}
// Flags Mach-O files containing at least three of twelve ASCII strings, most
// of which read like module and function names from the program's own source.
// No filesize bound is applied. Some entries ($c "programmes", $a "..utils")
// are fairly generic on their own, so the 3-of-12 threshold is what carries
// the decision.
rule XProtect_MACOS_REALSTAR {
meta:
description = "MACOS.REALSTAR"
strings:
$a = {2e 2e 75 74 69 6c 73} // "..utils"
$b = {2e 2e 62 72 6f 77 73 65 72 73} // "..browsers"
$c = {70 72 6f 67 72 61 6d 6d 65 73} // "programmes"
$d = {2e 2e 64 61 74 61 5f 73 74 65 61 6c 65 72 73 2e 2e} // "..data_stealers.."
$e = {46 69 72 65 46 6f 78 4b 65 79 53 74 65 61 6c 65 72} // "FireFoxKeyStealer"
$f = {43 68 72 6f 6d 65 4b 65 79 53 74 65 61 6c 65 72} // "ChromeKeyStealer"
$g = {43 68 72 6f 6d 65 44 61 74 61 53 74 65 61 6c 65 72} // "ChromeDataStealer"
$h = {75 74 69 6c 73 3a 3a 67 65 74 5f 73 74 72 65 61 6d 5f 66 69 6c 65} // "utils::get_stream_file"
$i = {75 74 69 6c 73 3a 3a 67 65 74 5f 6f 73 5f 69 6e 66 6f} // "utils::get_os_info"
$j = {75 74 69 6c 73 3a 3a 6d 61 6b 65 5f 73 63 72 65 65 6e} // "utils::make_screen"
$k = {75 74 69 6c 73 3a 3a 67 65 74 5f 63 68 65 63 6b 5f 62 72 6f 77 73 65 72} // "utils::get_check_browser"
$l = {75 74 69 6c 73 3a 3a 67 65 74 5f 6b 63 5f 6b 65 79 73} // "utils::get_kc_keys"
condition:
Macho and 3 of them
}
// Flags Mach-O files containing at least four of seven patterns. No filesize bound.
// $d is ASCII; the rest are opaque byte runs (most look like x86-64 code,
// with fixed offsets baked in).
// The patterns are not independent, which matters for the "4 of them" count:
//   - $g is an exact suffix of $b, so every $b match is also a $g match;
//   - $e overlaps most of $a (it starts inside $a and extends one byte past it).
// One code location can therefore contribute more than one hit.
rule XProtect_MACOS_FRISKYHORSE_COMMON {
meta:
description = "MACOS.FRISKYHORSE.COMMON"
strings:
$a = {4C89F74C89FE4C89E2E860FEFFFF4189C6B8FFFFFFFF45392F0F8E0101000083BDCCF7FFFF000F8EF400000031C0488985B8F7FFFF488985C0F7FFFFBF00080000}
$b = {0000418B0424412B0783F81D776BB8000800004C8DBDC0F7FFFF4889D9C6010048FFC148FFC875F58BBDCCF7FFFFBA000800004889DEE8}
// The same 32-byte block twice in a row; that block also occurs inside the
// first pattern of XProtect_MACOS_PIRRIT_GEN.
$c = {AD7FACB2586FC6E966C004D7D1D16B024F5805FF7CB47C7A85DABD8B48892CA7AD7FACB2586FC6E966C004D7D1D16B024F5805FF7CB47C7A85DABD8B48892CA7}
// "/bin/bash\0bash\0-c\0execl\0(%s) 2>&1\0/"
$d = {2F62696E2F626173680062617368002D6300657865636C002825732920323E2631002F}
$e = {FEFFFF4189C6B8FFFFFFFF45392F0F8E0101000083BDCCF7FFFF000F8EF400000031C0488985B8F7FFFF488985C0F7FFFFBF00080000E8}
$f = {00004585F674134885C0740E31C9C604080048FFC14839CB75F45B415E5DC3554889E5}
$g = {C0F7FFFF4889D9C6010048FFC148FFC875F58BBDCCF7FFFFBA000800004889DEE8}
condition:
Macho and 4 of them
}
// Flags Mach-O files under 2MB that contain all four fixed byte runs below.
// The runs are opaque (no wildcards, no readable text); nothing in this file
// says what they encode. Requiring all four makes the rule specific to
// binaries that carry every one of these exact sequences.
rule XProtect_MACOS_ADLOAD_SEARCH_DAEMON_B_COMMON {
meta:
description = "MACOS.ADLOAD.SEARCHDAEMONB.COMMON"
strings:
$string_1 = {3A40BA7F03C03B16996C038E3C088A6C03D53C2CF27603A13E16FB6B03EF3E08EC6B03B63F25C57503FB4016DD6B03C94108CE6B0390422C987403B04330A16B03E34308B46A039F4508AF6A03A74547C078039346168F6903E14608806903A8472CB47003ED4819F16803BE4908E26803874A1FA06F03BF4B19D36803904C08C46803D74C25DA6D039C4E16B56803EA4E08A66803B14F25}
$string_2 = {5B0AB5950303AB5C0AB3950303BC5D088BDA0203815E13EBE20203AC5E35DFF30203C9601ED3E20203E7600CBEE20203AB610AB9E20203E36215E1FA0203F86281020000F9640AED930303BB650AEB930303CC660886DA0203916713AEE20203BC6735A3F30203D9692196E20203FA690CFEE10203BE}
$string_3 = {5B0BFD860103EB5B08C1820103A25C0CFD860103BF5C0CBB7803CB5C0C996403D75C1DF96303F45C0FE66303BF5D12936603F45F0FCB7E03AC600FE16305BB6016C56305FB610CA86C05A6620CC06303B7620CBB6303C8620CFA82}
$string_4 = {03EC3A08894B03B13B13D54B03E73B35A84F03A93E13B24B03C83E14964B03EB3E13ED4A03A83F08E54A05B83F088E4B05DB3F07964D058C450AE84F03994508FF4C03A1450AEB4C03CD4518B54C}
condition:
Macho and all of them and filesize < 2MB
}
// Flags Mach-O files under 8MB that contain all seven ASCII strings below:
// a licence-file path template, five licence-state method names and a
// reverse-DNS identifier prefix.
rule XProtect_MACOS_44db411
{
meta:
description = "MACOS.44db411"
// gk_first_launch_only and match_type are extra metadata fields. YARA does
// not act on meta values, and their meaning is not defined in this file;
// presumably the consuming scanner reads them. Confirm before relying on them.
gk_first_launch_only = true
match_type = 2
strings:
// "/Users/%@/Library/Application Support/Smart Mac Care/licenseinfo.plist"
$a1 = { 2F 55 73 65 72 73 2F 25 40 2F 4C 69 62 72 61 72 79 2F 41 70 70 6C 69 63 61 74 69 6F 6E 20 53 75 70 70 6F 72 74 2F 53 6D 61 72 74 20 4D 61 63 20 43 61 72 65 2F 6C 69 63 65 6E 73 65 69 6E 66 6F 2E 70 6C 69 73 74 }
$b1 = { 69 73 45 78 70 69 72 65 64 4C 69 63 65 6E 73 65 } // "isExpiredLicense"
$b2 = { 69 73 56 61 6C 69 64 4C 69 63 65 6E 73 65 } // "isValidLicense"
$b3 = { 69 73 4D 6F 72 65 4C 69 63 65 6E 73 65 } // "isMoreLicense"
$b4 = { 69 73 4B 65 79 73 49 6E 63 6F 72 72 65 63 74 } // "isKeysIncorrect"
$b5 = { 64 61 79 73 52 65 6D 61 69 6E 69 6E 67 } // "daysRemaining"
$c1 = { 63 6F 6D 2E 74 75 6E 65 75 70 6D 79 6D 61 63 } // "com.tuneupmymac"
condition:
Macho and
filesize < 8MB and
all of them
}