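// Signature set for the detection name "!#PUA:Block:2345Cn" (potentially unwanted
// applications from the 2345.com software family). Each rule's description says it
// was derived from a SIGNATURE_TYPE_PEHSTR_EXT entry.
//
// Layout: the source arrived with whole rules collapsed onto a few physical lines,
// so every trailing "//" comment swallowed the strings and condition that followed
// it. Here each string and condition sits on its own line; hex bytes, identifiers,
// description strings and condition expressions are unchanged.
//
// How to read a rule:
//   * Each string comment gives the weight and the decoded bytes. The weights equal
//     the multipliers used in that rule's condition.
//   * The condition is a weighted sum compared against a threshold.
//   * The bytes after SIGNATURE_TYPE_PEHSTR_EXT in the description appear to carry
//     the threshold (first value) and the number of strings (third value); this
//     matches every condition below, but the field layout is not documented here.
//     TODO confirm against the generator.
//   * The middle field of a string name ($a_80_*, $a_00_*, $a_02_*) looks like a
//     per-string type flag from the source format; the $a_02_* strings below are the
//     ones that contain alternations. TODO confirm.
//
// NOTE(review): "(#x & 1)" is the parity of the match count, not "matched at least
// once". A string that occurs an even number of times contributes 0, so a file
// carrying every indicator can still fall below the threshold. In the first rule
// "2345MiniPage" is a prefix of "2345MiniPage.pdb", so it is counted once inside
// that match and again for any standalone occurrence. A presence-based form
// ("all of them", "N of (...)") avoids this; fix it in the generator.
// NOTE(review): YARA identifiers may contain only letters, digits and underscores,
// so "_#..." rule names need renaming before this file is loaded by a YARA engine.
// NOTE(review): all indicators are static strings (PDB paths, version-resource
// fields, mutex/pipe/event names, URLs). A match attributes the file to the vendor
// for PUA policy; it says nothing about runtime behaviour.

// 2345MiniPage / 2345Pinyin artefacts; all six strings are required (6 x 1 >= 6).
rule _#PUA_Block_2345Cn{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 06 00 00 "
    strings :
        $a_80_0 = {32 33 34 35 4d 69 6e 69 50 61 67 65 } // weight 1, ascii "2345MiniPage"
        $a_80_1 = {32 33 34 35 50 69 6e 79 69 6e } // weight 1, ascii "2345Pinyin"
        $a_80_2 = {53 4f 46 54 57 41 52 45 5c 32 33 34 35 2e 63 6f 6d } // weight 1, ascii "SOFTWARE\2345.com"
        $a_80_3 = {32 33 34 35 4d 69 6e 69 50 61 67 65 2e 70 64 62 } // weight 1, ascii "2345MiniPage.pdb"
        $a_80_4 = {75 70 64 61 74 65 72 5f 61 75 74 6f } // weight 1, ascii "updater_auto"
        $a_80_5 = {32 33 34 35 50 43 53 61 66 65 42 6f 6f 74 41 73 73 69 73 74 61 6e 74 2e 65 78 65 } // weight 1, ascii "2345PCSafeBootAssistant.exe"
    condition:
        ((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1) >=6
}

// 2345PicTool: both weight-2 strings plus at least one weight-1 string reach 5.
rule _#PUA_Block_2345Cn_2{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 54 6f 6f 6c 2e 70 64 62 } // weight 2, ascii "\bin\Win32\Release\pdb\2345PicTool.pdb"
        $a_00_2 = {52 00 43 00 50 00 69 00 63 00 5f 00 50 00 6f 00 70 00 75 00 70 00 5f 00 54 00 6f 00 6f 00 6c 00 } // weight 1, utf-16le "RCPic_Popup_Tool"
        $a_00_3 = {2f 00 70 00 69 00 63 00 5f 00 72 00 65 00 61 00 6c 00 74 00 69 00 6d 00 65 00 2f 00 69 00 6e 00 64 00 65 00 78 00 2e 00 70 00 68 00 70 00 } // weight 1, utf-16le "/pic_realtime/index.php"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*2+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=5
}

// 2345MiniPage: seven weight-1 strings, threshold 6 (one may be missing).
rule _#PUA_Block_2345Cn_3{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 07 00 00 "
    strings :
        $a_80_0 = {32 33 34 35 4d 69 6e 69 50 61 67 65 } // weight 1, ascii "2345MiniPage"
        $a_80_1 = {4d 69 6e 69 44 75 6d 70 57 72 69 74 65 44 75 6d 70 } // weight 1, ascii "MiniDumpWriteDump"
        $a_80_2 = {4d 69 6e 69 50 61 67 65 4d 61 69 6e } // weight 1, ascii "MiniPageMain"
        $a_80_3 = {75 70 64 61 74 65 2e 6d 69 6e 69 70 61 67 65 2e 32 33 34 35 2e 63 63 } // weight 1, ascii "update.minipage.2345.cc"
        $a_80_4 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 1, ascii "Execute 2345Pinyin MiniPage Task"
        $a_80_5 = {2f 6d 69 6e 69 70 61 67 65 2f 69 6e 64 65 78 2e 70 68 70 } // weight 1, ascii "/minipage/index.php"
        $a_80_6 = {5c 32 33 34 35 4d 69 6e 69 50 61 67 65 2e 70 64 62 } // weight 1, ascii "\2345MiniPage.pdb"
    condition:
        ((#a_80_0 & 1)*1+(#a_80_1 & 1)*1+(#a_80_2 & 1)*1+(#a_80_3 & 1)*1+(#a_80_4 & 1)*1+(#a_80_5 & 1)*1+(#a_80_6 & 1)*1) >=6
}

// 2345PicSvc: the weight-3 string plus any other, or any two weight-2 strings, reach 4.
rule _#PUA_Block_2345Cn_4{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 3, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 53 00 76 00 63 00 } // weight 2, utf-16le "InternalName" NUL "2345PicSvc"
        $a_00_2 = {2d 00 2d 00 66 00 72 00 6f 00 6d 00 3d 00 70 00 69 00 63 00 5f 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 } // weight 2, utf-16le "--from=pic_service"
        $a_00_3 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 53 76 63 2e 70 64 62 } // weight 2, ascii "\bin\Win32\Release\pdb\2345PicSvc.pdb"
    condition:
        ((#a_80_0 & 1)*3+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2) >=4
}

// 2345PicLoader: the weight-2 string plus two of the three weight-1 strings reach 4.
rule _#PUA_Block_2345Cn_5{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 4c 00 6f 00 61 00 64 00 65 00 72 00 } // weight 1, utf-16le "InternalName" NUL "2345PicLoader"
        $a_00_2 = {6d 69 6e 69 70 61 67 65 5f 77 69 6e 64 6f 77 5f 70 75 73 68 } // weight 1, ascii "minipage_window_push"
        $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 72 63 69 6d 61 67 65 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 4c 6f 61 64 65 72 2e 70 64 62 } // weight 1, ascii ":\zhanlue\rcimage\bin\Win32\Release\pdb\2345PicLoader.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345PicUpdate: same 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_6{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 55 00 70 00 64 00 61 00 74 00 65 00 } // weight 1, utf-16le "InternalName" NUL "2345PicUpdate"
        $a_00_2 = {6d 69 6e 69 70 61 67 65 5f 77 69 6e 64 6f 77 5f 70 75 73 68 } // weight 1, ascii "minipage_window_push"
        $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 72 63 69 6d 61 67 65 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 55 70 64 61 74 65 2e 70 64 62 } // weight 1, ascii ":\zhanlue\rcimage\bin\Win32\Release\pdb\2345PicUpdate.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345ShellPro: 3/2/2/2 weighting, threshold 4.
rule _#PUA_Block_2345Cn_7{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 3, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 68 00 65 00 6c 00 6c 00 50 00 72 00 6f 00 } // weight 2, utf-16le "InternalName" NUL "2345ShellPro"
        $a_00_2 = {2d 00 2d 00 69 00 73 00 49 00 6e 00 73 00 61 00 6c 00 6c 00 53 00 6f 00 66 00 74 00 4d 00 67 00 72 00 } // weight 2, utf-16le "--isInsallSoftMgr" (spelling as in the bytes)
        $a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 68 65 6c 6c 50 72 6f 2e 70 64 62 } // weight 2, ascii "\Rhino\Safe\Bin\Win32\release\pdb\2345ShellPro.pdb"
    condition:
        ((#a_80_0 & 1)*3+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2) >=4
}

// 2345Suite: 3/2/2/2 weighting, threshold 4.
rule _#PUA_Block_2345Cn_8{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 3, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 75 00 69 00 74 00 65 00 } // weight 2, utf-16le "InternalName" NUL "2345Suite"
        $a_00_2 = {32 00 33 00 34 00 35 00 63 00 6f 00 6d 00 2e 00 32 00 33 00 34 00 35 00 53 00 75 00 69 00 74 00 65 00 2e 00 4d 00 75 00 74 00 65 00 78 00 } // weight 2, utf-16le "2345com.2345Suite.Mutex"
        $a_00_3 = {3a 5c 64 6c 6c 70 6c 75 67 69 6e 5c 53 6f 66 74 77 61 72 65 43 6f 6c 6c 65 63 74 69 6f 6e 5c 62 69 6e 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 32 33 34 35 53 75 69 74 65 2e 70 64 62 } // weight 2, ascii ":\dllplugin\SoftwareCollection\bin\release_static\2345Suite.pdb"
    condition:
        ((#a_80_0 & 1)*3+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2) >=4
}

// 2345PdfTool: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_9{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 54 00 6f 00 6f 00 6c 00 } // weight 1, utf-16le "InternalName" NUL "2345PdfTool"
        $a_00_2 = {70 00 64 00 66 00 32 00 77 00 6f 00 72 00 64 00 5f 00 70 00 6c 00 75 00 67 00 5f 00 63 00 6f 00 6e 00 66 00 69 00 67 00 } // weight 1, utf-16le "pdf2word_plug_config"
        $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 50 64 66 54 6f 6f 6c 2e 70 64 62 } // weight 1, ascii ":\zhanlue\pdfconverter\bin\Win32\release_static\pdb\2345PdfTool.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345PicTool (rcimage build tree): 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_10{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 54 00 6f 00 6f 00 6c 00 } // weight 1, utf-16le "InternalName" NUL "2345PicTool"
        $a_00_2 = {67 00 52 00 43 00 50 00 69 00 63 00 5f 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 43 00 6c 00 6f 00 75 00 64 00 5f 00 43 00 6f 00 6e 00 66 00 69 00 67 00 } // weight 1, utf-16le "gRCPic_Update_Cloud_Config"
        $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 72 63 69 6d 61 67 65 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 54 6f 6f 6c 2e 70 64 62 } // weight 1, ascii ":\zhanlue\rcimage\bin\Win32\Release\pdb\2345PicTool.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345Capture: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_11{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 } // weight 1, utf-16le "InternalName" NUL "2345Capture"
        $a_00_2 = {52 00 43 00 43 00 61 00 70 00 74 00 75 00 72 00 65 00 5f 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 43 00 6f 00 6e 00 66 00 69 00 67 00 5f 00 49 00 6e 00 69 00 } // weight 1, utf-16le "RCCapture_Update_Config_Ini"
        $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 32 33 34 35 63 61 70 74 75 72 65 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 43 61 70 74 75 72 65 2e 70 64 62 } // weight 1, ascii ":\zhanlue\2345capture\bin\Win32\Release\pdb\2345Capture.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345InstDll: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_12{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 49 00 6e 00 73 00 74 00 44 00 6c 00 6c 00 } // weight 1, utf-16le "InternalName" NUL "2345InstDll"
        $a_00_2 = {52 00 43 00 3a 00 3a 00 52 00 43 00 49 00 6e 00 73 00 74 00 44 00 6c 00 6c 00 53 00 74 00 61 00 74 00 3a 00 3a 00 49 00 6e 00 69 00 74 00 } // weight 1, utf-16le "RC::RCInstDllStat::Init"
        $a_00_3 = {3a 5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 49 6e 73 74 44 6c 6c 2e 70 64 62 } // weight 1, ascii ":\RhinoProtect\Publish\OutPut\Bin\Win32\release\pdb\2345InstDll.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345PdfDumper: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_13{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 44 00 75 00 6d 00 70 00 65 00 72 00 } // weight 1, utf-16le "InternalName" NUL "2345PdfDumper"
        $a_00_2 = {32 00 33 00 34 00 35 00 50 00 64 00 66 00 43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 2e 00 68 00 7a 00 76 00 } // weight 1, utf-16le "2345PdfConverter.hzv"
        $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 50 64 66 44 75 6d 70 65 72 2e 70 64 62 } // weight 1, ascii ":\zhanlue\pdfconverter\bin\Win32\release_static\pdb\2345PdfDumper.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345GameHall: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_14{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 47 00 61 00 6d 00 65 00 48 00 61 00 6c 00 6c 00 } // weight 1, utf-16le "InternalName" NUL "2345GameHall"
        $a_00_2 = {32 00 33 00 34 00 35 00 47 00 61 00 6d 00 65 00 48 00 61 00 6c 00 6c 00 5f 00 72 00 65 00 61 00 6c 00 74 00 69 00 6d 00 65 00 5f 00 73 00 74 00 61 00 74 00 69 00 73 00 74 00 69 00 63 00 73 00 } // weight 1, utf-16le "2345GameHall_realtime_statistics"
        $a_00_3 = {3a 5c 67 61 6d 65 68 61 6c 6c 5c 47 61 6d 65 48 61 6c 6c 5c 6f 75 74 5c 52 65 6c 65 61 73 65 5c 32 33 34 35 47 61 6d 65 48 61 6c 6c 2e 70 64 62 } // weight 1, ascii ":\gamehall\GameHall\out\Release\2345GameHall.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345SafeTray: 3/2/2/2 weighting, threshold 4.
rule _#PUA_Block_2345Cn_15{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 3, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 54 00 72 00 61 00 79 00 } // weight 2, utf-16le "InternalName" NUL "2345SafeTray"
        $a_00_2 = {5c 00 5c 00 2e 00 5c 00 70 00 69 00 70 00 65 00 5c 00 32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 43 00 65 00 6e 00 74 00 65 00 72 00 5c 00 42 00 72 00 65 00 61 00 6b 00 70 00 61 00 64 00 } // weight 2, utf-16le "\\.\pipe\2345SafeCenter\Breakpad"
        $a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 61 66 65 54 72 61 79 2e 70 64 62 } // weight 2, ascii "\Rhino\Safe\Bin\Win32\release\pdb\2345SafeTray.pdb"
    condition:
        ((#a_80_0 & 1)*3+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2) >=4
}

// 2345SafeUpdate: 3/2/2/2 weighting, threshold 4.
rule _#PUA_Block_2345Cn_16{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 3, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 55 00 70 00 64 00 61 00 74 00 65 00 } // weight 2, utf-16le "InternalName" NUL "2345SafeUpdate"
        $a_00_2 = {5c 00 5c 00 2e 00 5c 00 70 00 69 00 70 00 65 00 5c 00 32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 43 00 65 00 6e 00 74 00 65 00 72 00 5c 00 42 00 72 00 65 00 61 00 6b 00 70 00 61 00 64 00 } // weight 2, utf-16le "\\.\pipe\2345SafeCenter\Breakpad"
        $a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 61 66 65 55 70 64 61 74 65 2e 70 64 62 } // weight 2, ascii "\Rhino\Safe\Bin\Win32\release\pdb\2345SafeUpdate.pdb"
    condition:
        ((#a_80_0 & 1)*3+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2) >=4
}

// Doctor_2345Explorer: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_17{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {64 00 6f 00 63 00 74 00 6f 00 72 00 5f 00 32 00 33 00 34 00 35 00 65 00 78 00 70 00 6c 00 6f 00 72 00 65 00 72 00 2e 00 6e 00 61 00 6d 00 65 00 64 00 5f 00 6d 00 75 00 74 00 65 00 78 00 2e 00 72 00 65 00 70 00 61 00 69 00 72 00 69 00 6e 00 67 00 } // weight 1, utf-16le "doctor_2345explorer.named_mutex.repairing"
        $a_00_2 = {64 6f 63 74 6f 72 5f 6e 6f 74 69 63 65 5f 62 6f 61 72 64 5f 64 61 74 61 73 } // weight 1, ascii "doctor_notice_board_datas"
        $a_00_3 = {3a 5c 64 6c 6c 70 6c 75 67 69 6e 5c 44 6f 63 74 6f 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 44 6f 63 74 6f 72 5f 32 33 34 35 45 78 70 6c 6f 72 65 72 2e 70 64 62 } // weight 1, ascii ":\dllplugin\Doctor\bin\Win32\Release\pdb\Doctor_2345Explorer.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345OCRMain: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_18{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4f 00 43 00 52 00 4d 00 61 00 69 00 6e 00 } // weight 1, utf-16le "InternalName" NUL "2345OCRMain"
        $a_00_2 = {52 00 43 00 4f 00 43 00 52 00 43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 5f 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 43 00 6f 00 6e 00 66 00 69 00 67 00 5f 00 49 00 6e 00 69 00 } // weight 1, utf-16le "RCOCRConverter_Update_Config_Ini"
        $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 6f 63 72 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 4f 43 52 4d 61 69 6e 2e 70 64 62 } // weight 1, ascii ":\zhanlue\ocrconverter\bin\Win32\Release\pdb\2345OCRMain.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345OCRLoader: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_19{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4f 00 43 00 52 00 4c 00 6f 00 61 00 64 00 65 00 72 00 } // weight 1, utf-16le "InternalName" NUL "2345OCRLoader"
        $a_00_2 = {73 00 74 00 61 00 72 00 74 00 5f 00 75 00 70 00 5f 00 74 00 69 00 6d 00 65 00 73 00 5f 00 73 00 69 00 6e 00 63 00 65 00 5f 00 6c 00 61 00 73 00 74 00 5f 00 75 00 70 00 64 00 61 00 74 00 65 00 } // weight 1, utf-16le "start_up_times_since_last_update"
        $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 6f 63 72 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 4f 43 52 4c 6f 61 64 65 72 2e 70 64 62 } // weight 1, ascii ":\zhanlue\ocrconverter\bin\Win32\release_static\pdb\2345OCRLoader.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345OCRDumper: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_20{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4f 00 43 00 52 00 44 00 75 00 6d 00 70 00 65 00 72 00 } // weight 1, utf-16le "InternalName" NUL "2345OCRDumper"
        $a_00_2 = {46 00 69 00 6c 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6f 00 6e 00 00 00 00 00 32 00 33 00 34 00 35 00 4f 00 43 00 52 00 87 65 57 5b c6 8b 2b 52 2d 00 44 00 75 00 6d 00 70 00 0b 7a 8f 5e } // weight 1, utf-16le "FileDescription" NUL NUL "2345OCR" U+6587 U+5B57 U+8BC6 U+522B "-Dump" U+7A0B U+5E8F
        $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 6f 63 72 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 4f 43 52 44 75 6d 70 65 72 2e 70 64 62 } // weight 1, ascii ":\zhanlue\ocrconverter\bin\Win32\release_static\pdb\2345OCRDumper.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// Update_2345Pinyin: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_21{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 } // weight 1, utf-16le "InternalName" NUL "Update_2345Pinyin"
        $a_00_2 = {70 00 69 00 6e 00 79 00 69 00 6e 00 2e 00 75 00 70 00 64 00 61 00 74 00 65 00 5f 00 74 00 6f 00 6f 00 6c 00 2e 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 5f 00 65 00 78 00 69 00 74 00 2e 00 65 00 76 00 65 00 6e 00 74 00 } // weight 1, utf-16le "pinyin.update_tool.process_exit.event"
        $a_00_3 = {5c 55 70 64 61 74 65 50 72 6f 67 72 61 6d 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 55 70 64 61 74 65 5f 32 33 34 35 50 69 6e 79 69 6e 2e 70 64 62 } // weight 1, ascii "\UpdateProgram\bin\Win32\Release\pdb\Update_2345Pinyin.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345PdfMain: 2/1/1/1 weighting, threshold 4; the PDB path accepts an x64 or Win32 directory.
rule _#PUA_Block_2345Cn_22{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 4d 00 61 00 69 00 6e 00 2e 00 65 00 78 00 65 00 } // weight 1, utf-16le "OriginalFilename" NUL "2345PdfMain.exe"
        $a_00_2 = {52 00 43 00 50 00 64 00 66 00 43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 5f 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 43 00 6f 00 6e 00 66 00 69 00 67 00 5f 00 49 00 6e 00 69 00 } // weight 1, utf-16le "RCPdfConverter_Update_Config_Ini"
        $a_02_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c (78 36 34|57 69 6e 33 32) 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 64 66 4d 61 69 6e 2e 70 64 62 } // weight 1, ascii ":\zhanlue\pdfconverter\bin\" + ("x64" or "Win32") + "\Release\pdb\2345PdfMain.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_02_3 & 1)*1) >=4
}

// Update_2345Pic: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_23{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 2e 00 65 00 78 00 65 00 } // weight 1, utf-16le "InternalName" NUL "Update_2345Pic.exe"
        $a_00_2 = {75 00 70 00 64 00 61 00 74 00 65 00 5f 00 32 00 33 00 34 00 35 00 2e 00 6e 00 61 00 6d 00 65 00 64 00 5f 00 6d 00 75 00 74 00 65 00 78 00 2e 00 73 00 69 00 67 00 6e 00 61 00 6c 00 } // weight 1, utf-16le "update_2345.named_mutex.signal"
        $a_00_3 = {3a 5c 74 72 75 6e 6b 5c 43 6f 6d 6d 6f 6e 50 6c 61 74 66 6f 72 6d 5c 55 70 64 61 74 65 50 72 6f 67 72 61 6d 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 55 70 64 61 74 65 5f 32 33 34 35 50 69 63 2e 70 64 62 } // weight 1, ascii ":\trunk\CommonPlatform\UpdateProgram\bin\Win32\Release\pdb\Update_2345Pic.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345SFRepairFc (PDB name 2345SafeCenterDiff): 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_24{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 46 00 52 00 65 00 70 00 61 00 69 00 72 00 46 00 63 00 } // weight 1, utf-16le "InternalName" NUL "2345SFRepairFc"
        $a_00_2 = {5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 61 66 65 43 65 6e 74 65 72 44 69 66 66 2e 70 64 62 } // weight 1, ascii "\RhinoProtect\Publish\OutPut\bin\Win32\Release\pdb\2345SafeCenterDiff.pdb"
        $a_00_3 = {52 00 43 00 3a 00 3a 00 52 00 43 00 53 00 61 00 66 00 65 00 52 00 65 00 70 00 61 00 69 00 72 00 53 00 74 00 61 00 74 00 3a 00 3a 00 53 00 65 00 6e 00 64 00 52 00 65 00 61 00 6c 00 54 00 69 00 6d 00 65 00 53 00 74 00 61 00 74 00 } // weight 1, utf-16le "RC::RCSafeRepairStat::SendRealTimeStat"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345PinyinWizard: 4/2/2/1/1 weighting, threshold 7 (the weight-4 string is required).
rule _#PUA_Block_2345Cn_25{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 4, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 57 00 69 00 7a 00 61 00 72 00 64 00 } // weight 2, utf-16le "InternalName" NUL "2345PinyinWizard"
        $a_00_2 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 57 69 7a 61 72 64 2e 70 64 62 } // weight 2, ascii "\bin\Win32\Release\pdb\2345PinyinWizard.pdb"
        $a_00_3 = {32 00 33 00 34 00 35 00 70 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 72 00 65 00 67 00 69 00 73 00 74 00 5f 00 70 00 69 00 70 00 65 00 5f 00 } // weight 1, utf-16le "2345pinyin_regist_pipe_"
        $a_00_4 = {52 00 43 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 45 00 72 00 72 00 6f 00 72 00 5f 00 53 00 74 00 61 00 74 00 5f 00 53 00 65 00 6e 00 64 00 65 00 72 00 } // weight 1, utf-16le "RCPinyin_Error_Stat_Sender"
    condition:
        ((#a_80_0 & 1)*4+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=7
}

// 2345PDFCvtInstaller (help and download URLs plus PDB path): 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_26{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {70 00 64 00 66 00 63 00 76 00 74 00 2e 00 32 00 33 00 34 00 35 00 2e 00 63 00 63 00 2f 00 68 00 65 00 6c 00 70 00 2e 00 68 00 74 00 6d 00 6c 00 } // weight 1, utf-16le "pdfcvt.2345.cc/help.html"
        $a_00_2 = {64 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 2e 00 32 00 33 00 34 00 35 00 2e 00 63 00 6e 00 2f 00 70 00 64 00 66 00 63 00 76 00 74 00 2f 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 5f 00 } // weight 1, utf-16le "download.2345.cn/pdfcvt/2345PdfConverter_"
        $a_00_3 = {5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 74 6f 6f 6c 5c 46 69 6c 65 44 6f 77 6e 5c 62 69 6e 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 32 33 34 35 50 44 46 43 76 74 49 6e 73 74 61 6c 6c 65 72 2e 70 64 62 } // weight 1, ascii "\pdfconverter\bin\tool\FileDown\bin\release_static\2345PDFCvtInstaller.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345 Pinyin configuration component (pinyinconfig source path): 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_27{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {32 00 33 00 34 00 35 00 70 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 72 00 65 00 67 00 69 00 73 00 74 00 5f 00 70 00 69 00 70 00 65 00 5f 00 } // weight 1, utf-16le "2345pinyin_regist_pipe_"
        $a_00_2 = {32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 47 00 75 00 69 00 64 00 65 00 5f 00 4c 00 6f 00 67 00 69 00 6e 00 5f 00 4d 00 75 00 74 00 65 00 78 00 } // weight 1, utf-16le "2345Pinyin_Guide_Login_Mutex"
        $a_00_3 = {3a 00 5c 00 7a 00 68 00 61 00 6e 00 6c 00 75 00 65 00 5c 00 32 00 33 00 34 00 35 00 69 00 6e 00 70 00 75 00 74 00 5c 00 70 00 72 00 6f 00 6a 00 65 00 63 00 74 00 5c 00 70 00 69 00 6e 00 79 00 69 00 6e 00 63 00 6f 00 6e 00 66 00 69 00 67 00 5c 00 73 00 72 00 63 00 5c 00 71 00 71 00 5f 00 64 00 65 00 74 00 65 00 63 00 74 00 } // weight 1, utf-16le ":\zhanlue\2345input\project\pinyinconfig\src\qq_detect"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345PinyinSymbol: 4/2/2/1/1 weighting, threshold 7 (the weight-4 string is required).
rule _#PUA_Block_2345Cn_28{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 4, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 79 00 6d 00 62 00 6f 00 6c 00 } // weight 2, utf-16le "InternalName" NUL "2345PinyinSymbol"
        $a_00_2 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 53 79 6d 62 6f 6c 2e 70 64 62 } // weight 2, ascii "\bin\Win32\Release\pdb\2345PinyinSymbol.pdb"
        $a_00_3 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 4e 00 6f 00 74 00 69 00 66 00 79 00 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 45 00 76 00 65 00 6e 00 74 00 } // weight 1, utf-16le "Global\2345PinyinServiceNotifyMonitorEvent"
        $a_00_4 = {75 00 69 00 2f 00 53 00 65 00 74 00 74 00 69 00 6e 00 67 00 55 00 49 00 2e 00 64 00 75 00 69 00 } // weight 1, utf-16le "ui/SettingUI.dui"
    condition:
        ((#a_80_0 & 1)*4+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=7
}

// 2345PinyinUpdate: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_29{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 55 00 70 00 64 00 61 00 74 00 65 00 } // weight 1, utf-16le "InternalName" NUL "2345PinyinUpdate"
        $a_00_2 = {52 00 43 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 55 00 70 00 64 00 61 00 74 00 65 00 5f 00 53 00 6b 00 69 00 6e 00 5f 00 50 00 75 00 73 00 68 00 5f 00 49 00 6d 00 6d 00 65 00 64 00 69 00 61 00 74 00 65 00 6c 00 79 00 } // weight 1, utf-16le "RCPinyin_Update_Skin_Push_Immediately"
        $a_00_3 = {3a 00 5c 00 7a 00 68 00 61 00 6e 00 6c 00 75 00 65 00 5c 00 32 00 33 00 34 00 35 00 69 00 6e 00 70 00 75 00 74 00 5c 00 70 00 72 00 6f 00 6a 00 65 00 63 00 74 00 5c 00 70 00 69 00 6e 00 79 00 69 00 6e 00 75 00 70 00 64 00 61 00 74 00 65 00 5c 00 73 00 72 00 63 00 5c 00 } // weight 1, utf-16le ":\zhanlue\2345input\project\pinyinupdate\src\" (path prefix)
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345PinyinSvc: 3/3/2/1/1 weighting, threshold 4.
// NOTE(review): $a_02_3 has an empty alternative "(44 75 6d 70|)", meaning an optional
// "Dump" suffix on the directory name. YARA hex strings are not expected to accept an
// empty alternative; split it into two strings before compiling.
rule _#PUA_Block_2345Cn_30{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 05 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 3, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 76 00 63 00 } // weight 3, utf-16le "InternalName" NUL "2345PinyinSvc"
        $a_00_2 = {52 00 43 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 45 00 72 00 72 00 6f 00 72 00 5f 00 53 00 74 00 61 00 74 00 5f 00 53 00 65 00 6e 00 64 00 65 00 72 00 } // weight 2, utf-16le "RCPinyin_Error_Stat_Sender"
        $a_02_3 = {5c 32 33 34 35 49 6e 70 75 74 (44 75 6d 70|) 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 53 76 63 2e 70 64 62 } // weight 1, ascii "\2345Input" + optional "Dump" + "\bin\Win32\Release\pdb\2345PinyinSvc.pdb"
        $a_00_4 = {5c 32 33 34 35 50 69 6e 79 69 6e 5c 6e 65 77 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 53 76 63 2e 70 64 62 } // weight 1, ascii "\2345Pinyin\new\bin\Win32\Release\pdb\2345PinyinSvc.pdb"
    condition:
        ((#a_80_0 & 1)*3+(#a_00_1 & 1)*3+(#a_00_2 & 1)*2+(#a_02_3 & 1)*1+(#a_00_4 & 1)*1) >=4
}

// 2345SoftMgr: 3/2/2/2 weighting, threshold 4.
// NOTE(review): $a_02_3 has an empty alternative "(|5f 73 74 61 74 69 63)", meaning an
// optional "_static" suffix. YARA hex strings are not expected to accept an empty
// alternative; split it into two strings before compiling.
rule _#PUA_Block_2345Cn_31{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 3, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 6f 00 66 00 74 00 4d 00 67 00 72 00 } // weight 2, utf-16le "InternalName" NUL "2345SoftMgr"
        $a_00_2 = {52 00 43 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 53 00 6f 00 66 00 74 00 4d 00 67 00 72 00 3a 00 3a 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 53 00 74 00 61 00 74 00 3a 00 6f 00 6c 00 64 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3d 00 25 00 73 00 2c 00 20 00 6e 00 65 00 77 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 3d 00 25 00 73 00 } // weight 2, utf-16le "RCInstallSoftMgr::InstallStat:oldVersion=%s, newVersion=%s"
        $a_02_3 = {5c 73 6f 66 74 6d 67 72 5c 6d 61 69 6e 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 (|5f 73 74 61 74 69 63) 5c 70 64 62 5c 32 33 34 35 53 6f 66 74 4d 67 72 2e 70 64 62 } // weight 2, ascii "\softmgr\main\bin\Win32\release" + optional "_static" + "\pdb\2345SoftMgr.pdb"
    condition:
        ((#a_80_0 & 1)*3+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_02_3 & 1)*2) >=4
}

// 2345PinyinCloud: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_32{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 43 00 6c 00 6f 00 75 00 64 00 } // weight 1, utf-16le "InternalName" NUL "2345PinyinCloud"
        $a_00_2 = {32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 50 00 69 00 63 00 5f 00 46 00 61 00 63 00 65 00 5f 00 45 00 6d 00 6f 00 6a 00 5f 00 4d 00 75 00 74 00 65 00 78 00 } // weight 1, utf-16le "2345Pinyin_Pic_Face_Emoj_Mutex"
        $a_00_3 = {3a 00 5c 00 7a 00 68 00 61 00 6e 00 6c 00 75 00 65 00 5c 00 32 00 33 00 34 00 35 00 69 00 6e 00 70 00 75 00 74 00 5c 00 70 00 72 00 6f 00 6a 00 65 00 63 00 74 00 5c 00 70 00 69 00 6e 00 79 00 69 00 6e 00 63 00 6c 00 6f 00 75 00 64 00 5c 00 73 00 72 00 63 00 5c 00 77 00 65 00 62 00 5f 00 62 00 75 00 73 00 69 00 6e 00 65 00 73 00 73 00 5c 00 } // weight 1, utf-16le ":\zhanlue\2345input\project\pinyincloud\src\web_business\" (path prefix)
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345Associate: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_33{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 32 00 33 00 34 00 35 00 50 00 43 00 53 00 61 00 66 00 65 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 4e 00 6f 00 74 00 69 00 66 00 79 00 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 45 00 76 00 65 00 6e 00 74 00 } // weight 1, utf-16le "Global\2345PCSafeServiceNotifyMonitorEvent"
        $a_00_2 = {52 00 43 00 3a 00 3a 00 52 00 43 00 46 00 69 00 6c 00 65 00 41 00 73 00 73 00 6f 00 63 00 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 65 00 72 00 3a 00 3a 00 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 53 00 6f 00 66 00 74 00 } // weight 1, utf-16le "RC::RCFileAssocDownloader::DownloadSoft"
        $a_00_3 = {5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 41 73 73 6f 63 69 61 74 65 2e 70 64 62 } // weight 1, ascii "\RhinoProtect\Publish\OutPut\bin\Win32\Release\pdb\2345Associate.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345AdRtProtect: 3/2/2/2 weighting, threshold 4.
rule _#PUA_Block_2345Cn_34{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 3, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 41 00 64 00 52 00 74 00 50 00 72 00 6f 00 74 00 65 00 63 00 74 00 } // weight 2, utf-16le "InternalName" NUL "2345AdRtProtect"
        $a_00_2 = {3a 00 5c 00 72 00 68 00 69 00 6e 00 6f 00 5c 00 73 00 61 00 66 00 65 00 5c 00 73 00 72 00 63 00 5c 00 61 00 64 00 72 00 74 00 70 00 72 00 6f 00 74 00 65 00 63 00 74 00 5c 00 61 00 64 00 72 00 74 00 70 00 72 00 6f 00 74 00 65 00 63 00 74 00 5c 00 72 00 63 00 6d 00 61 00 69 00 6e 00 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 63 00 70 00 70 00 } // weight 2, utf-16le ":\rhino\safe\src\adrtprotect\adrtprotect\rcmainapplication.cpp"
        $a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 41 64 52 74 50 72 6f 74 65 63 74 2e 70 64 62 } // weight 2, ascii "\Rhino\Safe\Bin\Win32\release\pdb\2345AdRtProtect.pdb"
    condition:
        ((#a_80_0 & 1)*3+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2) >=4
}

// 2345SafeCenterInstaller: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_35{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 43 00 65 00 6e 00 74 00 65 00 72 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 72 00 } // weight 1, utf-16le "InternalName" NUL "2345SafeCenterInstaller"
        $a_00_2 = {32 00 33 00 34 00 35 00 53 00 61 00 66 00 65 00 43 00 65 00 6e 00 74 00 65 00 72 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 72 00 20 00 53 00 74 00 61 00 72 00 74 00 2e 00 20 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 3a 00 20 00 25 00 73 00 } // weight 1, utf-16le "2345SafeCenterInstaller Start. CmdLine: %s"
        $a_00_3 = {3a 5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 61 66 65 43 65 6e 74 65 72 49 6e 73 74 61 6c 6c 65 72 2e 70 64 62 } // weight 1, ascii ":\RhinoProtect\Publish\OutPut\bin\Win32\Release\pdb\2345SafeCenterInstaller.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// 2345PicDumper: 2/1/1/1 weighting, threshold 4.
rule _#PUA_Block_2345Cn_36{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 63 00 44 00 75 00 6d 00 70 00 65 00 72 00 } // weight 1, utf-16le "InternalName" NUL "2345PicDumper"
        $a_00_2 = {52 00 43 00 50 00 69 00 63 00 5f 00 6d 00 69 00 6e 00 69 00 64 00 75 00 6d 00 70 00 5f 00 73 00 65 00 6e 00 64 00 5f 00 68 00 69 00 73 00 74 00 6f 00 72 00 79 00 5f 00 6d 00 75 00 74 00 65 00 78 00 5f 00 7b 00 38 00 35 00 46 00 38 00 42 00 41 00 42 00 41 00 2d 00 41 00 31 00 44 00 43 00 2d 00 34 00 46 00 37 00 41 00 2d 00 41 00 46 00 37 00 38 00 2d 00 45 00 42 00 35 00 45 00 32 00 46 00 37 00 31 00 39 00 41 00 42 00 46 00 7d 00 } // weight 1, utf-16le "RCPic_minidump_send_history_mutex_{85F8BABA-A1DC-4F7A-AF78-EB5E2F719ABF}"
        $a_00_3 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 63 44 75 6d 70 65 72 2e 70 64 62 } // weight 1, ascii "\bin\Win32\Release\pdb\2345PicDumper.pdb"
    condition:
        ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4
}

// The next rule continues past the end of this excerpt. Its visible head is kept as
// found; the last hex string is intentionally left open so the following line
// continues it.
rule _#PUA_Block_2345Cn_37{
    meta:
        description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 "
    strings :
        $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } // weight 2, ascii "Execute 2345Pinyin MiniPage Task"
        $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61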
00 6d 00 65 00 00 00 46 00 61 00 63 00 65 00 54 00 6f 00 6f 00 6c 00 5f 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 } //1 $a_00_2 = {32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 5f 00 50 00 69 00 63 00 5f 00 46 00 61 00 63 00 65 00 5f 00 42 00 75 00 62 00 62 00 6c 00 65 00 5f 00 4d 00 75 00 74 00 65 00 78 00 } //1 2345Pinyin_Pic_Face_Bubble_Mutex $a_00_3 = {3a 00 5c 00 7a 00 68 00 61 00 6e 00 6c 00 75 00 65 00 5c 00 32 00 33 00 34 00 35 00 69 00 6e 00 70 00 75 00 74 00 5c 00 70 00 72 00 6f 00 6a 00 65 00 63 00 74 00 5c 00 70 00 69 00 6e 00 79 00 69 00 6e 00 70 00 69 00 63 00 66 00 61 00 63 00 65 00 74 00 6f 00 6f 00 6c 00 5c 00 73 00 72 00 63 00 5c 00 64 00 61 00 74 00 61 00 5c 00 } //1 :\zhanlue\2345input\project\pinyinpicfacetool\src\data\ condition: ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4 } rule _#PUA_Block_2345Cn_38{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,06 00 06 00 05 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 5 $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 54 00 6f 00 6f 00 6c 00 } //3 $a_02_2 = {5c 32 33 34 35 69 6e 70 75 74 (|44 75 6d 70) 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 54 6f 6f 6c 2e 70 64 62 } //3 $a_00_3 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 4e 00 6f 00 74 00 69 00 66 00 79 00 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 45 00 76 00 65 00 6e 00 74 00 } //1 Global\2345PinyinServiceNotifyMonitorEvent $a_00_4 = {32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 54 00 6f 00 6f 00 6c 00 2e 00 75 00 73 00 74 00 } //1 2345PinyinTool.ust condition: ((#a_80_0 & 1)*5+(#a_00_1 
& 1)*3+(#a_02_2 & 1)*3+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=6 } rule _#PUA_Block_2345Cn_39{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 05 00 00 " strings : $a_00_0 = {45 00 78 00 65 00 63 00 75 00 74 00 65 00 20 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 20 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 20 00 54 00 61 00 73 00 6b 00 } //2 Execute 2345Pinyin MiniPage Task $a_00_1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 41 00 70 00 70 00 2e 00 64 00 6c 00 6c 00 } //2 $a_02_2 = {5c 52 43 4d 69 6e 69 50 61 67 65 [0-08] 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 4d 69 6e 69 70 61 67 65 4d 61 69 6e 2e 70 64 62 } //2 $a_00_3 = {32 00 33 00 34 00 35 00 6d 00 69 00 6e 00 69 00 70 00 61 00 67 00 65 00 2d 00 68 00 77 00 6e 00 64 00 2d 00 70 00 72 00 6f 00 70 00 2d 00 6e 00 61 00 6d 00 65 00 } //1 2345minipage-hwnd-prop-name $a_00_4 = {6d 00 69 00 6e 00 69 00 70 00 61 00 67 00 65 00 2e 00 73 00 74 00 61 00 74 00 } //1 minipage.stat condition: ((#a_00_0 & 1)*2+(#a_00_1 & 1)*2+(#a_02_2 & 1)*2+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=2 } rule _#PUA_Block_2345Cn_40{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,02 00 02 00 05 00 00 " strings : $a_00_0 = {45 00 78 00 65 00 63 00 75 00 74 00 65 00 20 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 20 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 20 00 54 00 61 00 73 00 6b 00 } //2 Execute 2345Pinyin MiniPage Task $a_00_1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 48 00 65 00 6c 00 70 00 65 00 72 00 4d 00 61 00 69 00 6e 00 2e 00 64 00 6c 00 6c 00 } //2 $a_02_2 = {5c 48 65 6c 70 65 72 32 33 34 35 [0-08] 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 48 65 6c 70 65 72 4d 61 69 6e 2e 70 64 62 } //2 
$a_00_3 = {68 00 65 00 6c 00 70 00 65 00 72 00 5f 00 74 00 72 00 61 00 79 00 5f 00 73 00 74 00 61 00 74 00 69 00 73 00 74 00 69 00 63 00 } //1 helper_tray_statistic $a_00_4 = {32 00 33 00 34 00 35 00 6d 00 69 00 6e 00 69 00 70 00 61 00 67 00 65 00 2d 00 68 00 77 00 6e 00 64 00 2d 00 70 00 72 00 6f 00 70 00 2d 00 6e 00 61 00 6d 00 65 00 } //1 2345minipage-hwnd-prop-name condition: ((#a_00_0 & 1)*2+(#a_00_1 & 1)*2+(#a_02_2 & 1)*2+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=2 } rule _#PUA_Block_2345Cn_41{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 3 $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 52 00 54 00 50 00 72 00 6f 00 74 00 65 00 63 00 74 00 } //2 $a_00_2 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 52 00 43 00 41 00 56 00 37 00 45 00 34 00 37 00 44 00 41 00 39 00 33 00 2d 00 41 00 46 00 34 00 31 00 2d 00 34 00 34 00 35 00 30 00 2d 00 39 00 30 00 43 00 44 00 2d 00 33 00 31 00 43 00 37 00 38 00 31 00 32 00 35 00 32 00 38 00 37 00 44 00 5f 00 52 00 54 00 50 00 52 00 4f 00 54 00 45 00 43 00 54 00 5f 00 4d 00 55 00 54 00 45 00 58 00 } //2 Global\RCAV7E47DA93-AF41-4450-90CD-31C78125287D_RTPROTECT_MUTEX $a_00_3 = {5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 52 54 50 72 6f 74 65 63 74 2e 70 64 62 } //2 \RhinoProtect\Publish\OutPut\bin\Win32\Release\pdb\2345RTProtect.pdb condition: ((#a_80_0 & 1)*3+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2) >=4 } rule _#PUA_Block_2345Cn_42{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 
2345Pinyin MiniPage Task 2 $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4f 00 43 00 52 00 55 00 70 00 64 00 61 00 74 00 65 00 } //1 $a_00_2 = {7b 00 34 00 37 00 46 00 46 00 30 00 44 00 32 00 34 00 2d 00 45 00 30 00 41 00 35 00 2d 00 34 00 31 00 36 00 33 00 2d 00 38 00 35 00 34 00 36 00 2d 00 44 00 45 00 37 00 32 00 31 00 37 00 44 00 32 00 46 00 31 00 34 00 31 00 7d 00 2e 00 32 00 33 00 34 00 35 00 6f 00 63 00 72 00 2e 00 63 00 68 00 65 00 63 00 6b 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 2e 00 64 00 61 00 74 00 61 00 } //1 {47FF0D24-E0A5-4163-8546-DE7217D2F141}.2345ocr.checkversion.data $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 6f 63 72 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 4f 43 52 55 70 64 61 74 65 2e 70 64 62 } //1 :\zhanlue\ocrconverter\bin\Win32\release_static\pdb\2345OCRUpdate.pdb condition: ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4 } rule _#PUA_Block_2345Cn_43{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 2 $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 4c 00 6f 00 61 00 64 00 65 00 72 00 } //1 $a_00_2 = {52 00 43 00 50 00 64 00 66 00 5f 00 4c 00 6f 00 61 00 64 00 65 00 72 00 5f 00 70 00 6c 00 75 00 67 00 69 00 6e 00 5f 00 70 00 64 00 66 00 32 00 78 00 5f 00 7b 00 42 00 32 00 39 00 30 00 45 00 44 00 32 00 34 00 2d 00 31 00 32 00 39 00 35 00 2d 00 34 00 42 00 35 00 35 00 2d 00 41 00 36 00 41 00 37 00 2d 00 35 00 45 00 42 00 44 00 33 00 32 00 31 00 46 00 34 00 37 00 33 00 42 00 7d 00 } //1 RCPdf_Loader_plugin_pdf2x_{B290ED24-1295-4B55-A6A7-5EBD321F473B} $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 
64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 50 64 66 4c 6f 61 64 65 72 2e 70 64 62 } //1 :\zhanlue\pdfconverter\bin\Win32\release_static\pdb\2345PdfLoader.pdb condition: ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4 } rule _#PUA_Block_2345Cn_44{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 2 $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 55 00 70 00 64 00 61 00 74 00 65 00 } //1 $a_00_2 = {7b 00 34 00 37 00 46 00 46 00 30 00 44 00 32 00 34 00 2d 00 45 00 30 00 41 00 35 00 2d 00 34 00 31 00 36 00 33 00 2d 00 38 00 35 00 34 00 36 00 2d 00 44 00 45 00 37 00 32 00 31 00 37 00 44 00 32 00 46 00 31 00 34 00 31 00 7d 00 2e 00 32 00 33 00 34 00 35 00 70 00 64 00 66 00 63 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 2e 00 6e 00 65 00 77 00 76 00 65 00 72 00 73 00 69 00 6f 00 6e 00 2e 00 64 00 61 00 74 00 61 00 } //1 {47FF0D24-E0A5-4163-8546-DE7217D2F141}.2345pdfconverter.newversion.data $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 50 64 66 55 70 64 61 74 65 2e 70 64 62 } //1 :\zhanlue\pdfconverter\bin\Win32\release_static\pdb\2345PdfUpdate.pdb condition: ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4 } rule _#PUA_Block_2345Cn_45{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 3 $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 
00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 52 00 74 00 50 00 72 00 6f 00 74 00 65 00 63 00 74 00 43 00 65 00 6e 00 74 00 65 00 72 00 } //2 $a_00_2 = {5c 00 72 00 68 00 69 00 6e 00 6f 00 5c 00 73 00 61 00 66 00 65 00 5c 00 73 00 72 00 63 00 5c 00 66 00 72 00 61 00 6d 00 65 00 77 00 6f 00 72 00 6b 00 5c 00 73 00 72 00 63 00 5c 00 66 00 72 00 61 00 6d 00 65 00 77 00 6f 00 72 00 6b 00 5c 00 73 00 72 00 63 00 5c 00 75 00 74 00 69 00 6c 00 73 00 5c 00 72 00 63 00 6d 00 6f 00 64 00 75 00 6c 00 65 00 74 00 68 00 72 00 65 00 61 00 64 00 73 00 79 00 6e 00 63 00 2e 00 63 00 70 00 70 00 } //2 \rhino\safe\src\framework\src\framework\src\utils\rcmodulethreadsync.cpp $a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 52 74 50 72 6f 74 65 63 74 43 65 6e 74 65 72 2e 70 64 62 } //2 \Rhino\Safe\Bin\Win32\release\pdb\2345RtProtectCenter.pdb condition: ((#a_80_0 & 1)*3+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2) >=4 } rule _#PUA_Block_2345Cn_46{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 3 $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 41 00 75 00 74 00 68 00 6f 00 72 00 69 00 74 00 79 00 50 00 72 00 6f 00 74 00 65 00 63 00 74 00 } //2 $a_00_2 = {3a 00 5c 00 72 00 68 00 69 00 6e 00 6f 00 5c 00 73 00 61 00 66 00 65 00 5c 00 73 00 72 00 63 00 5c 00 61 00 75 00 74 00 68 00 6f 00 72 00 69 00 74 00 79 00 70 00 72 00 6f 00 74 00 65 00 63 00 74 00 5c 00 61 00 75 00 74 00 68 00 6f 00 72 00 69 00 74 00 79 00 70 00 72 00 6f 00 74 00 65 00 63 00 74 00 5c 00 72 00 63 00 6d 00 61 00 69 00 6e 00 61 00 70 00 70 00 6c 00 69 00 63 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 63 00 70 00 70 00 } //2 
:\rhino\safe\src\authorityprotect\authorityprotect\rcmainapplication.cpp $a_00_3 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 42 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 41 75 74 68 6f 72 69 74 79 50 72 6f 74 65 63 74 2e 70 64 62 } //2 \Rhino\Safe\Bin\Win32\release\pdb\2345AuthorityProtect.pdb condition: ((#a_80_0 & 1)*3+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*2) >=4 } rule _#PUA_Block_2345Cn_47{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,0d 00 0d 00 05 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 8 $a_02_1 = {50 00 72 00 6f 00 64 00 75 00 63 00 74 00 4e 00 61 00 6d 00 65 00 00 00 00 00 32 00 33 00 34 00 35 00 89 5b 68 51 6b 53 eb 58 (0b 4e 7d 8f 68 56|28 57 bf 7e 89 5b c5 88 0b 7a 8f 5e) } //4 $a_00_2 = {5c 52 68 69 6e 6f 5c 53 61 66 65 5c 49 6e 73 74 61 6c 6c 5c 46 69 6c 65 44 6f 77 6e 5c 62 69 6e 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 32 33 34 35 53 61 66 65 44 6f 77 6e 6c 6f 61 64 65 72 2e 70 64 62 } //4 \Rhino\Safe\Install\FileDown\bin\release_static\2345SafeDownloader.pdb $a_00_3 = {52 00 43 00 3a 00 3a 00 52 00 43 00 53 00 61 00 66 00 65 00 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 3a 00 3a 00 50 00 72 00 65 00 70 00 61 00 72 00 65 00 50 00 6f 00 73 00 74 00 44 00 61 00 74 00 61 00 } //1 RC::RCSafeDownload::PreparePostData $a_00_4 = {52 00 43 00 3a 00 3a 00 52 00 43 00 53 00 61 00 66 00 65 00 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 3a 00 3a 00 52 00 65 00 71 00 75 00 69 00 72 00 65 00 57 00 65 00 62 00 44 00 61 00 74 00 61 00 } //1 RC::RCSafeDownload::RequireWebData condition: ((#a_80_0 & 1)*8+(#a_02_1 & 1)*4+(#a_00_2 & 1)*4+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=13 } rule _#PUA_Block_2345Cn_48{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,04 00 04 00 04 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 
69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 2 $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 64 00 66 00 46 00 65 00 65 00 64 00 62 00 61 00 63 00 6b 00 } //1 $a_00_2 = {52 00 43 00 50 00 44 00 46 00 43 00 6f 00 6e 00 76 00 65 00 72 00 74 00 65 00 72 00 5f 00 6d 00 69 00 6e 00 69 00 64 00 75 00 6d 00 70 00 5f 00 67 00 65 00 6e 00 65 00 72 00 61 00 74 00 65 00 5f 00 6d 00 75 00 74 00 65 00 78 00 5f 00 7b 00 33 00 35 00 34 00 44 00 42 00 34 00 33 00 38 00 2d 00 41 00 45 00 32 00 38 00 2d 00 34 00 39 00 33 00 43 00 2d 00 42 00 35 00 45 00 45 00 2d 00 30 00 43 00 30 00 36 00 39 00 32 00 33 00 39 00 33 00 30 00 45 00 36 00 7d 00 } //1 RCPDFConverter_minidump_generate_mutex_{354DB438-AE28-493C-B5EE-0C06923930E6} $a_00_3 = {3a 5c 7a 68 61 6e 6c 75 65 5c 70 64 66 63 6f 6e 76 65 72 74 65 72 5c 62 69 6e 5c 57 69 6e 33 32 5c 72 65 6c 65 61 73 65 5f 73 74 61 74 69 63 5c 70 64 62 5c 32 33 34 35 50 64 66 46 65 65 64 62 61 63 6b 2e 70 64 62 } //1 :\zhanlue\pdfconverter\bin\Win32\release_static\pdb\2345PdfFeedback.pdb condition: ((#a_80_0 & 1)*2+(#a_00_1 & 1)*1+(#a_00_2 & 1)*1+(#a_00_3 & 1)*1) >=4 } rule _#PUA_Block_2345Cn_49{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 06 00 00 " strings : $a_00_0 = {45 00 78 00 65 00 63 00 75 00 74 00 65 00 20 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 20 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 20 00 54 00 61 00 73 00 6b 00 } //2 Execute 2345Pinyin MiniPage Task $a_00_1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 2e 00 65 00 78 00 65 00 } //2 $a_00_2 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 42 00 6f 00 6f 00 74 00 41 00 73 00 73 00 69 00 73 00 74 00 61 00 6e 00 74 00 2e 
00 65 00 78 00 65 00 } //2 $a_02_3 = {75 00 70 00 64 00 61 00 74 00 65 00 [0-02] 6d 00 69 00 6e 00 69 00 70 00 61 00 67 00 65 00 2e 00 32 00 33 00 34 00 35 00 2e 00 63 00 } //1 $a_00_4 = {6d 00 69 00 6e 00 69 00 70 00 61 00 67 00 65 00 2e 00 73 00 74 00 61 00 74 00 } //1 minipage.stat $a_00_5 = {5c 00 32 00 33 00 34 00 35 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 2e 00 4e 00 65 00 77 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 2e 00 64 00 61 00 74 00 61 00 } //1 \2345MiniPage.NewVersion.data condition: ((#a_00_0 & 1)*2+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_02_3 & 1)*1+(#a_00_4 & 1)*1+(#a_00_5 & 1)*1) >=5 } rule _#PUA_Block_2345Cn_50{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 4 $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 53 00 46 00 47 00 75 00 61 00 72 00 64 00 } //2 $a_02_2 = {3a 5c 52 68 69 6e 6f 50 72 6f 74 65 63 74 5c 50 75 62 6c 69 73 68 5c 4f 75 74 50 75 74 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 53 46 47 75 61 72 64 (36 34|) 2e 70 64 62 } //2 $a_00_3 = {7b 00 22 00 43 00 72 00 61 00 73 00 68 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 43 00 6d 00 64 00 4c 00 69 00 6e 00 65 00 22 00 3a 00 22 00 2f 00 6e 00 6f 00 74 00 69 00 66 00 79 00 5f 00 67 00 75 00 61 00 72 00 64 00 22 00 2c 00 22 00 43 00 72 00 61 00 73 00 68 00 50 00 72 00 6f 00 63 00 65 00 73 00 73 00 50 00 61 00 74 00 68 00 22 00 3a 00 22 00 43 00 3a 00 5c 00 5c 00 32 00 33 00 34 00 35 00 53 00 46 00 47 00 75 00 61 00 72 00 64 00 2e 00 65 00 78 00 65 00 } //1 {"CrashProcessCmdLine":"/notify_guard","CrashProcessPath":"C:\\2345SFGuard.exe $a_00_4 = {2f 00 6e 00 6f 00 74 00 69 00 66 00 79 00 5f 00 64 00 65 00 73 00 6b 00 5f 00 67 00 75 00 61 00 72 00 64 00 } //1 /notify_desk_guard 
condition: ((#a_80_0 & 1)*4+(#a_00_1 & 1)*2+(#a_02_2 & 1)*2+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=7 } rule _#PUA_Block_2345Cn_51{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 4 $a_00_1 = {49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 } //2 $a_00_2 = {5c 62 69 6e 5c 78 36 34 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 49 6e 73 74 61 6c 6c 2e 70 64 62 } //2 \bin\x64\Release\pdb\2345PinyinInstall.pdb $a_00_3 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 4e 00 6f 00 74 00 69 00 66 00 79 00 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 45 00 76 00 65 00 6e 00 74 00 } //1 Global\2345PinyinServiceNotifyMonitorEvent $a_00_4 = {7b 00 45 00 34 00 30 00 41 00 37 00 31 00 45 00 36 00 2d 00 35 00 45 00 34 00 38 00 2d 00 34 00 41 00 36 00 36 00 2d 00 38 00 42 00 41 00 31 00 2d 00 35 00 44 00 38 00 43 00 45 00 44 00 37 00 38 00 35 00 35 00 32 00 44 00 7d 00 5f 00 52 00 43 00 49 00 4d 00 5f 00 47 00 4c 00 4f 00 42 00 4c 00 45 00 5f 00 43 00 4f 00 4d 00 4d 00 4f 00 4d 00 5f 00 53 00 45 00 47 00 4d 00 45 00 4e 00 54 00 5f 00 53 00 48 00 41 00 52 00 45 00 44 00 } //1 {E40A71E6-5E48-4A66-8BA1-5D8CED78552D}_RCIM_GLOBLE_COMMOM_SEGMENT_SHARED condition: ((#a_80_0 & 1)*4+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=7 } rule _#PUA_Block_2345Cn_52{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 05 00 00 " strings : $a_80_0 = {45 78 65 63 75 74 65 20 32 33 34 35 50 69 6e 79 69 6e 20 4d 69 6e 69 50 61 67 65 20 54 61 73 6b } //Execute 2345Pinyin MiniPage Task 4 $a_00_1 = {49 00 6e 00 74 00 65 00 72 
00 6e 00 61 00 6c 00 4e 00 61 00 6d 00 65 00 00 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 6b 00 69 00 6e 00 55 00 74 00 69 00 6c 00 } //2 $a_00_2 = {5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 70 64 62 5c 32 33 34 35 50 69 6e 79 69 6e 53 6b 69 6e 55 74 69 6c 2e 70 64 62 } //2 \bin\Win32\Release\pdb\2345PinyinSkinUtil.pdb $a_00_3 = {47 00 6c 00 6f 00 62 00 61 00 6c 00 5c 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 4e 00 6f 00 74 00 69 00 66 00 79 00 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 45 00 76 00 65 00 6e 00 74 00 } //1 Global\2345PinyinServiceNotifyMonitorEvent $a_00_4 = {7b 00 45 00 34 00 30 00 41 00 37 00 31 00 45 00 36 00 2d 00 35 00 45 00 34 00 38 00 2d 00 34 00 41 00 36 00 36 00 2d 00 38 00 42 00 41 00 31 00 2d 00 35 00 44 00 38 00 43 00 45 00 44 00 37 00 38 00 35 00 35 00 32 00 44 00 7d 00 5f 00 52 00 43 00 49 00 4d 00 5f 00 47 00 4c 00 4f 00 42 00 4c 00 45 00 5f 00 43 00 4f 00 4d 00 4d 00 4f 00 4d 00 5f 00 53 00 45 00 47 00 4d 00 45 00 4e 00 54 00 5f 00 53 00 48 00 41 00 52 00 45 00 44 00 } //1 {E40A71E6-5E48-4A66-8BA1-5D8CED78552D}_RCIM_GLOBLE_COMMOM_SEGMENT_SHARED condition: ((#a_80_0 & 1)*4+(#a_00_1 & 1)*2+(#a_00_2 & 1)*2+(#a_00_3 & 1)*1+(#a_00_4 & 1)*1) >=7 } rule _#PUA_Block_2345Cn_53{ meta: description = "!#PUA:Block:2345Cn,SIGNATURE_TYPE_PEHSTR,05 00 05 00 05 00 00 " strings : $a_01_0 = {45 00 78 00 65 00 63 00 75 00 74 00 65 00 20 00 32 00 33 00 34 00 35 00 50 00 69 00 6e 00 79 00 69 00 6e 00 20 00 4d 00 69 00 6e 00 69 00 50 00 61 00 67 00 65 00 20 00 54 00 61 00 73 00 6b 00 } //2 Execute 2345Pinyin MiniPage Task $a_01_1 = {4f 00 72 00 69 00 67 00 69 00 6e 00 61 00 6c 00 46 00 69 00 6c 00 65 00 6e 00 61 00 6d 00 65 00 00 00 48 00 65 00 6c 00 70 00 65 00 72 00 5f 00 32 00 33 00 34 00 35 00 2e 00 65 00 78 00 65 00 } //2 $a_01_2 = {43 6f 6d 6d 6f 6e 50 6c 61 74 66 6f 72 6d 5c 48 65 6c 70 65 72 32 33 34 35 5c 62 69 6e 5c 57 69 6e 33 32 5c 52 65 6c 
65 61 73 65 5c 70 64 62 5c 48 65 6c 70 65 72 5f 32 33 34 35 2e 70 64 62 } //1 CommonPlatform\Helper2345\bin\Win32\Release\pdb\Helper_2345.pdb $a_01_3 = {68 00 65 00 6c 00 70 00 65 00 72 00 5f 00 74 00 72 00 61 00 79 00 5f 00 73 00 74 00 61 00 74 00 69 00 73 00 74 00 69 00 63 00 } //1 helper_tray_statistic $a_01_4 = {68 00 65 00 6c 00 70 00 65 00 72 00 5f 00 32 00 33 00 34 00 35 00 2e 00 63 00 68 00 69 00 6c 00 64 00 5f 00 70 00 72 00 6f 00 63 00 65 00 73 00 73 00 2e 00 63 00 6f 00 6d 00 6d 00 6f 00 6e 00 } //1 helper_2345.child_process.common condition: ((#a_01_0 & 1)*2+(#a_01_1 & 1)*2+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1) >=5 }