diff --git a/third_party/yara/elastic/RELEASE b/third_party/yara/elastic/RELEASE
index 2ab1b1b80..8da7b2cb6 100644
--- a/third_party/yara/elastic/RELEASE
+++ b/third_party/yara/elastic/RELEASE
@@ -1 +1 @@
-d131ea8191d1999855d61d13b708392d8c2e6a6b
+4e4cb2c4499c24c12a86ec7ef8c30bb2b7e9467a
diff --git a/third_party/yara/elastic/Windows_Trojan_AuraStealer.yar b/third_party/yara/elastic/Windows_Trojan_AuraStealer.yar
new file mode 100644
index 000000000..26e65d25e
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_AuraStealer.yar
@@ -0,0 +1,21 @@
+rule Windows_Trojan_AuraStealer_5dd9a496 {
+ meta:
+ author = "Elastic Security"
+ id = "5dd9a496-f14f-4d96-a5e9-77432077374e"
+ fingerprint = "a3213eaab576c626cbb0ba99c4486ba184df6bbe4b33eca66184257597157285"
+ creation_date = "2026-04-09"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.AuraStealer"
+ reference_sample = "b06c1fe3b5f6577b03053b7ada25dc592e6e2c62e6c5d6d14799be1f955ad5aa"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a1 = { 8B 45 10 31 FF 85 C0 BE 06 00 00 00 0F 49 F0 83 7D 0C 00 0F 95 C0 89 F3 81 E3 00 04 00 00 0F 94 C2 20 C2 0F BA E6 10 0F B6 C2 8D 14 C5 00 00 00 00 }
+ $b2 = { 8A 1C 82 88 1C 81 8A 5C 82 01 88 5C 81 01 8A 5C 82 02 88 5C 81 02 8A 5C 82 03 88 5C 81 03 40 83 F8 08 75 DC B8 08 00 00 00 8A 7C 81 FC }
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_BrushLogger.yar b/third_party/yara/elastic/Windows_Trojan_BrushLogger.yar
new file mode 100644
index 000000000..6d05a37c5
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_BrushLogger.yar
@@ -0,0 +1,21 @@
+rule Windows_Trojan_BrushLogger_304ee146 {
+ meta:
+ author = "Elastic Security"
+ id = "304ee146-8abf-4d4d-8b50-df90a641f400"
+ fingerprint = "bd66e7980779c7065a544d3578a685007fb00d6990320001ef8869a1d0ad969e"
+ creation_date = "2026-03-25"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.BrushLogger"
+ reference_sample = "4f1ea5ed6035e7c951e688bd9c2ec47a1e184a81e9ae783d4a0979501a1985cf"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a = "%02d-%02d-%d %02d:%02d " fullword
+ $b = { 81 ?? ?? A1 00 00 00 74 09 81 ?? ?? A0 00 00 00 75 09 6A 00 6A 10 E8 }
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_BrushWorm.yar b/third_party/yara/elastic/Windows_Trojan_BrushWorm.yar
new file mode 100644
index 000000000..9daa30b25
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_BrushWorm.yar
@@ -0,0 +1,21 @@
+rule Windows_Trojan_BrushWorm_7c2098ef {
+ meta:
+ author = "Elastic Security"
+ id = "7c2098ef-a426-4331-8b04-e96fa8b42cb6"
+ fingerprint = "931842bcd7cfa1afcaf5313a9f18097bc733ed52679ad9459d0e872319f85afd"
+ creation_date = "2026-03-25"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.BrushWorm"
+ reference_sample = "89891aa3867c1a57512d77e8e248d4a35dd32e99dcda0344a633be402df4a9a7"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a = "internetCheckDomain" wide fullword
+ $b = { B8 00 00 00 40 33 C9 0F A2 48 8D ?? ?? ?? 89 07 89 5F 04 89 4F 08 89 57 0C 45 33 C0 }
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_CristalLoaders.yar b/third_party/yara/elastic/Windows_Trojan_CristalLoaders.yar
new file mode 100644
index 000000000..b57b4780f
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_CristalLoaders.yar
@@ -0,0 +1,24 @@
+rule Windows_Trojan_CristalLoaders_652f19ab {
+ meta:
+ author = "Elastic Security"
+ id = "652f19ab-4c8c-48d0-a7a8-fdf592ea29f1"
+ fingerprint = "f6f83fe8f20a1e9780e57c58b09786403663f6fd65f3d52d47e10bb98020d899"
+ creation_date = "2026-03-18"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.CristalLoaders"
+ reference_sample = "af92ec050ba5115a057c01365af3f154336921c1891a39a0186ac4ab7d45394f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a1 = { 51 52 41 50 41 51 41 52 41 53 48 83 EC 20 B9 5D 68 FA 3C BA }
+ $a2 = { 51 52 41 50 41 51 41 52 41 53 48 83 EC 20 B9 5B BC 4A 6A BA }
+ $a3 = { 41 51 52 41 52 41 50 41 53 48 83 EC 20 B9 5B BC 4A 6A BA }
+ $b1 = { 51 52 41 50 41 51 41 52 41 53 48 83 EC 20 }
+ $b2 = { 41 5B 41 5A 41 59 41 58 5A 59 FF D0 }
+ condition:
+ 1 of ($a*) or all of ($b*)
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_NodeKeylogger.yar b/third_party/yara/elastic/Windows_Trojan_NodeKeylogger.yar
new file mode 100644
index 000000000..c1122ec34
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_NodeKeylogger.yar
@@ -0,0 +1,24 @@
+rule Windows_Trojan_NodeKeylogger_ffc7db41 {
+ meta:
+ author = "Elastic Security"
+ id = "ffc7db41-c3a2-4fb7-98db-d8d93a607ef4"
+ fingerprint = "cbaa7c21cbf33754b22b820554e7f0a355f6ea76e4799dd47ff905a0ba851b01"
+ creation_date = "2026-03-22"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.NodeKeylogger"
+ reference_sample = "e58864cc22cd8ec17ae35dd810455d604aadab7c3f145b6c53b3c261855a4bb1"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a0 = "%s,%s,%i,%i,%ld,%ld,%i" fullword
+ $a1 = "MOUSE" fullword
+ $a2 = "KEYBOARD" fullword
+ $a3 = "DOWN" fullword
+ $b0 = { 81 7D 08 08 02 00 00 [6] 81 7D 08 01 02 00 00 73 ?? 81 7D 08 05 01 00 00 74 ?? 81 7D 08 05 01 00 00 [6] 81 7D 08 04 01 00 00 }
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_PhantomPull.yar b/third_party/yara/elastic/Windows_Trojan_PhantomPull.yar
new file mode 100644
index 000000000..fafae2ea1
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_PhantomPull.yar
@@ -0,0 +1,25 @@
+rule Windows_Trojan_PhantomPull_e5dfd651 {
+ meta:
+ author = "Elastic Security"
+ id = "e5dfd651-5fd3-4d88-8de7-96ed5706f553"
+ fingerprint = "73d8dde2e57a9c883470c47a115ceeb194ebd39b01a1f5200b8677b25350b897"
+ creation_date = "2026-04-13"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.PhantomPull"
+ reference_sample = "70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $GetTickCount = { 48 83 C4 80 FF 15 ?? ?? ?? ?? 83 F8 FE 75 }
+ $djb2 = { 45 8B 0C 83 41 BA A7 C6 67 4E 49 01 C9 45 8A 01 }
+ $mutex = { 48 89 EB 83 E3 ?? 45 8A 2C 1C 45 32 2C 2E 45 0F B6 FD }
+ $str_decrypt = { 39 C2 7E ?? 49 89 C1 41 83 E1 ?? 47 8A 1C 0A 44 32 1C 01 45 88 1C 00 48 FF C0 }
+ $payload_decrypt = { 4C 89 C8 83 E0 0F 41 8A 14 02 43 30 14 0F 49 FF C1 44 39 CB }
+ $url = "/v1/updates/check?build=payloads" ascii fullword
+ condition:
+ 3 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_PhantomPulse.yar b/third_party/yara/elastic/Windows_Trojan_PhantomPulse.yar
new file mode 100644
index 000000000..387b24e5c
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_PhantomPulse.yar
@@ -0,0 +1,23 @@
+rule Windows_Trojan_PhantomPulse_eaaa34fb {
+ meta:
+ author = "Elastic Security"
+ id = "eaaa34fb-eb17-433a-ba0c-f5245cb581b4"
+ fingerprint = "36f5a16a014b315dc04c4c8f59bc3b653b17d0f67b5723a6b662b58709845008"
+ creation_date = "2026-04-13"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.PhantomPulse"
+ reference_sample = "9e3890d43366faec26523edaf91712640056ea2481cdefe2f5dfa6b2b642085d"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a = "[UNINSTALL 2/6] Removing Scheduled Task..." fullword
+ $b = "PhantomInject: host PID=%lu" fullword
+ $c = "inject: shellcode detected -> InjectShellcodePhantom" fullword
+ $d = "inject: shellcode detected, using phantom section hijack" fullword
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_Remus.yar b/third_party/yara/elastic/Windows_Trojan_Remus.yar
new file mode 100644
index 000000000..4cb9e646d
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_Remus.yar
@@ -0,0 +1,22 @@
+rule Windows_Trojan_Remus_7a39fb15 {
+ meta:
+ author = "Elastic Security"
+ id = "7a39fb15-e7d0-47a6-a817-f79dcdb82ed5"
+ fingerprint = "c1d3e07becc94ad265b6014f27403229e2e37bf5da3caccfdc5eda05006c5c67"
+ creation_date = "2026-04-08"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.Remus"
+ reference_sample = "0a8f734f10400f7ae8fef591147e78dab6350089683be84c1cb6c82113cb1319"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a1 = "# REMUS LOG" ascii fullword
+ $b1 = { 48 83 EC 10 4C 89 14 24 4C 89 5C 24 08 4D 31 DB 4C 8D 54 24 18 49 29 C2 4D 0F 42 DA 65 4C 8B 1C 25 10 00 00 00 4D 39 DA 73 ?? 66 ?? ?? ?? ?? ?? 4D 8D 9B 00 F0 FF FF 45 84 1B 4D 39 DA }
+ $b2 = { 81 3C D1 7C 65 E0 52 74 ?? 48 FF C2 48 39 D0 75 EF }
+ condition:
+ 2 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_Stealc.yar b/third_party/yara/elastic/Windows_Trojan_Stealc.yar
index 3c31b78aa..5bc6ab62f 100644
--- a/third_party/yara/elastic/Windows_Trojan_Stealc.yar
+++ b/third_party/yara/elastic/Windows_Trojan_Stealc.yar
@@ -94,3 +94,23 @@ rule Windows_Trojan_Stealc_41db1d4d {
 3 of them
 }
 
+rule Windows_Trojan_Stealc_df3cdc7e {
+ meta:
+ author = "Elastic Security"
+ id = "df3cdc7e-a9ef-4719-90ce-a45106166f00"
+ fingerprint = "71c93f3ff9248b5d13bd01cfedf2f5999e39689b7553fc606a623a9beca7d281"
+ creation_date = "2026-03-16"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.Stealc"
+ reference_sample = "503879c9c294cd7a2b7b13c643b93d8a8e7ae00af5b2b56fcbb90e6c096f40d6"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a = { 48 8B E8 48 8D 48 FF 48 83 F9 ?? ?? ?? ?? ?? ?? 00 48 8D 54 24 48 48 8B C8 FF 15 30 4E 01 00 85 C0 74 52 39 74 24 4C 75 4C 8B 5C 24 48 8D 4E 40 8B D3 FF 15 2F 4E 01 00 48 8B F8 48 85 C0 74 3E }
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_TCLBanker.yar b/third_party/yara/elastic/Windows_Trojan_TCLBanker.yar
new file mode 100644
index 000000000..66314753d
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_TCLBanker.yar
@@ -0,0 +1,101 @@
+rule Windows_Trojan_TCLBanker_a0287d4f {
+ meta:
+ author = "Elastic Security"
+ id = "a0287d4f-b3c8-4299-a13e-592ba5192491"
+ fingerprint = "6e07ed3db08c2e1da8003efab2730e97f7a9242717363f48fe1b1368821e45dd"
+ creation_date = "2026-04-27"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.TCLBanker"
+ reference_sample = "8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $str_decrypt = { 48 8D 41 1C 45 33 C0 48 8B C8 41 B9 FF 00 00 00 41 8D 50 23 }
+ $str_decrypt2 = { 66 33 51 EC 66 89 11 48 8D 49 02 49 83 F8 0A }
+ $syscall = { 75 1B 41 80 7F 01 8B 75 14 41 80 7F 02 D1 75 0D 41 80 7F 03 B8 75 06 }
+ $etw_patch = { BA 03 00 00 00 66 C7 03 33 C0 48 8B CB C6 43 02 C3 }
+ $gate = { 48 B8 F5 08 1D 97 3C E2 54 AB 48 89 44 24 48 48 B8 FD FE D9 45 25 B9 2E 95 }
+ $lang_check = { BA FF 03 00 00 8B C8 66 23 C2 66 83 F8 16 75 }
+ $watchdog = "WATCHDOG: thread count suspicious (baseline=%d, current=%d, delta=%d)" ascii fullword
+ condition:
+ 3 of them
+}
+
+rule Windows_Trojan_TCLBanker_5df0f971 {
+ meta:
+ author = "Elastic Security"
+ id = "5df0f971-0a77-43aa-a62f-8f10ff1be1e9"
+ fingerprint = "2a857ea549a5129ff3cfc23ca2c26ce986b0c154a070638bb3d65946a8ec7542"
+ creation_date = "2026-04-28"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.TCLBanker"
+ reference_sample = "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $s1 = "[Persistence] EnsureInstalled: exe=" wide fullword
+ $s2 = "[Persistence] Task deleted OK" wide fullword
+ $s3 = "CommandLine FROM Win32_Process WHERE Name = 'msedge.exe'" wide fullword
+ $s4 = "KeyloggerHookThread" wide fullword
+ $s5 = "Fique atento ao telefone informado" wide fullword
+ $s6 = "O telefone deve 
ter 10" wide fullword
+ $s7 = "Trabalhando em atualizacoes" wide fullword
+ $s8 = "Win32_Process.Create falhou com codigo" wide fullword
+ condition:
+ 4 of them
+}
+
+rule Windows_Trojan_TCLBanker_b5ef38c0 {
+ meta:
+ author = "Elastic Security"
+ id = "b5ef38c0-fada-44e6-85ae-f7e7747f9996"
+ fingerprint = "7af8112c19d301db1fa0a7605088b4b294a7b5ba20008c1f71bda46fc1babffd"
+ creation_date = "2026-04-28"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.TCLBanker"
+ reference_sample = "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $s1 = "no_session: QR code detectado, sem conta logada" wide fullword
+ $s2 = "error: campaign not configured" wide fullword
+ $s3 = "error: 0 contacts after filter" wide fullword
+ $s4 = "whatsapp: sessao carregada" wide fullword
+ $s5 = "wpp_inject_failed" wide fullword
+ condition:
+ 4 of them
+}
+
+rule Windows_Trojan_TCLBanker_8b41ae04 {
+ meta:
+ author = "Elastic Security"
+ id = "8b41ae04-ef4d-4391-8c4e-0eaa95d7982d"
+ fingerprint = "4dd69bcfbf7fd31d10bb5698f225ec0229168f15c76d609df30a9c35fdbd3f80"
+ creation_date = "2026-04-28"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.TCLBanker"
+ reference_sample = "668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $s1 = "outlook: extraindo contatos" wide fullword
+ $s2 = "error: 0 accounts with contacts in Outlook" wide fullword
+ $s3 = "GetNamespace('MAPI')" wide fullword
+ $s4 = "error: campaign not configured" wide fullword
+ $s5 = "-eq 'caixa de entrada'" wide fullword
+ condition:
+ 4 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_Vidar.yar b/third_party/yara/elastic/Windows_Trojan_Vidar.yar
index 231b42267..b7e882e3f 100644
--- a/third_party/yara/elastic/Windows_Trojan_Vidar.yar
+++ b/third_party/yara/elastic/Windows_Trojan_Vidar.yar
@@ -185,3 +185,50 @@ rule Windows_Trojan_Vidar_540563cf {
 5 of them
 }
 
+rule Windows_Trojan_Vidar_14210811 {
+ meta:
+ author = "Elastic Security"
+ id = "14210811-3bf5-400a-ab5d-f112023b1580"
+ fingerprint = "dc3a25458dc42f62ecee9078893a0f3850c89436bf5321c9e44f6618fe5a2d39"
+ creation_date = "2026-03-16"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.Vidar"
+ reference_sample = "07b84bdfa4d296bcf370019f1a94121e117082a9f02c8fc534c9fcf83df60e1f"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a = { 48 83 C4 40 49 89 C7 8B 05 5B ?? ?? ?? ?? ?? ?? B6 0D 00 8D 50 01 0F AF D0 83 E2 01 83 F9 0A 7C 6C 85 D2 74 68 48 83 EC 40 48 C7 44 24 30 00 00 00 00 C7 44 24 28 80 00 00 00 C7 44 24 20 03 00 }
+ condition:
+ all of them
+}
+
+rule Windows_Trojan_Vidar_0f323538 {
+ meta:
+ author = "Elastic Security"
+ id = "0f323538-d789-4480-9b10-db31e0a18790"
+ fingerprint = "52039ef9b44bbe4a6594d4efdf20a124a13133e30bb8788978baf2fcd30013e4"
+ creation_date = "2026-03-16"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.Vidar"
+ reference_sample = "aae5335b89c8655cffbd9e2e8de1726be6bc38e68dcbb048aabb03a2012640aa"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $steam = "steamcommunity.com/profiles/"
+ $telegram = "telegram.me/"
+ $hwid = "Content-Disposition: form-data; name=\"hwid\""
+ $browser2 = "\\IndexedDB\\chrome-extension__0.indexeddb.leveldb"
+ $browser4 = "\"encrypted_key\":\""
+ $c1 = "information.txt"
+ $pipe = "\\\\.\\pipe\\test"
+ $telemetry1 = "\\telemetry.b64"
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_VoidStealer.yar b/third_party/yara/elastic/Windows_Trojan_VoidStealer.yar
new file mode 100644
index 000000000..3dd0ff634
--- /dev/null
+++ b/third_party/yara/elastic/Windows_Trojan_VoidStealer.yar
@@ -0,0 +1,25 @@
+rule Windows_Trojan_VoidStealer_b17abbfd {
+ meta:
+ author = "Elastic Security"
+ id = "b17abbfd-8e5f-403e-b7fd-1bf6d3941f19"
+ fingerprint = "30095f55311c8b621c828ccc621e8877ca963e9f2760636e45609900ccbfa5f3"
+ creation_date = "2026-03-27"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.VoidStealer"
+ reference_sample = "f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a1 = { 7B 22 62 75 69 6C 64 5F 69 64 22 3A 22 }
+ $a2 = "\\\\.\\pipe\\browser_key_pipe" ascii wide
+ $a3 = { 22 2C 22 73 65 73 73 69 6F 6E 5F 69 64 22 3A 22 }
+ $a4 = "%d %b %y %H:%M %Z" wide fullword
+ $a5 = "OSCrypt.AppBoundProvider.Decrypt.ResultCode" ascii fullword
+ $a6 = "ft5HAfKQvejy8notJdgHNtzEZuHqShVuf2SUNW6wQ1r5dmM17r/rbmrT9AHdBQ==" ascii fullword
+ condition:
+ 5 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_Winos.yar b/third_party/yara/elastic/Windows_Trojan_Winos.yar
index d3a1b1fb9..e30577850 100644
--- a/third_party/yara/elastic/Windows_Trojan_Winos.yar
+++ b/third_party/yara/elastic/Windows_Trojan_Winos.yar
@@ -54,3 +54,32 @@ rule Windows_Trojan_Winos_a60d5880 {
 4 of them
 }
 
+rule Windows_Trojan_Winos_8da8c378 {
+ meta:
+ author = "Elastic Security"
+ id = "8da8c378-6594-439f-9ad8-8323564c07d2"
+ fingerprint = "b17624486cd5f605e8c261b3d49e8f347ad7fe2b1fd82410f1d9517a80b588c8"
+ creation_date = "2026-03-25"
+ last_modified = "2026-05-05"
+ threat_name = "Windows.Trojan.Winos"
+ reference_sample = "014ef95c17d2cca28356ce51366d9927e4db4c706fa3c2cf1b6bb284dc9722d1"
+ severity = 100
+ arch_context = "x86"
+ scan_context = "file, memory"
+ license = "Elastic License v2"
+ os = "windows"
+ strings:
+ $a0 = "[CmdHandler] cmdUsdtHijackStart failed. bufferSize=" fullword
+ $a1 = "[CmdHandler] Error in USDT hijack thread:" fullword
+ $a2 = "[CmdHandler] heart beat failed. re-online" fullword
+ $a3 = "[CmdHandler] maybe is not root plugin." fullword
+ $a4 = "[CmdHandler] received re-online command from console." fullword
+ $a5 = "Received dup connection command from console, The progress will dup connection." fullword
+ $a6 = "[CmdHandler] failed to allocate memory for token user information." fullword
+ $a7 = "handle cmdExecuteCommand failed. bufferSize=" fullword
+ $a8 = "[KeyboardRecord] Failed to disable offline keyboard" fullword
+ $a9 = ".?AVKeyboardRecord@@" fullword
+ condition:
+ 5 of them
+}
+