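rule GreenDispenser
{
    meta:
        description = "Detects PE files that contain the full GreenDispenser string set: a dispenser program name, the XFS middleware DLL name and sdelete/del.exe secure-wipe artifacts"

    strings:
        // The most specific indicator in the set; the remaining strings are
        // generic on their own and only add confidence in combination.
        $s1 = "dispenserprogm" wide ascii nocase
        // Generic: also present in benign references to a file called del.exe.
        $s2 = "del.exe" wide ascii nocase
        $s3 = "sdelete.pdb" wide ascii nocase
        // MSXFS.dll is the XFS middleware manager DLL, so it is expected in
        // legitimate ATM software as well; it must not be relied on alone.
        $s4 = "MSXFS.dll" wide ascii nocase
        // Logically redundant with $s3 ("sdelete" is a substring of
        // "sdelete.pdb" and both use the same modifiers); kept so the string
        // set and the -s match report stay identical to the original rule.
        $s5 = "sdelete" wide ascii nocase

    condition:
        // File-format checks first, as is conventional: MZ signature at
        // offset 0, then the PE signature at the offset stored in the MZ
        // header at 0x3C. uint32() on a file shorter than 0x40 bytes is
        // undefined, which makes the condition false rather than erroring.
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
        and all of them
}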