yara/rules/Windows_Trojan_ProtectS.yar (19 lines of code) (raw):

// File-scan signature for the family labelled Windows.Trojan.ProtectS.
// It fires when both of these hold:
//   1. the 16-bit value at (file offset stored at 0x3C) + 0x5C equals 1, and
//   2. the literal text \ProtectS.pdb occurs anywhere in the file.
rule Windows_Trojan_ProtectS_9f6eaa90 {
    meta:
        author = "Elastic Security"
        id = "9f6eaa90-b3d4-4f0f-a81e-8010be0a6d36"
        // NOTE(review): presumably a digest of the rule content used for
        // tracking; if so, any edit to strings/condition would need it
        // regenerated. Confirm against the publisher's tooling.
        fingerprint = "46bf59901876794dcc338923076939d765d3ce7f14d784b9687fbc05461ed6b4"
        creation_date = "2022-04-04"
        last_modified = "2022-06-09"
        threat_name = "Windows.Trojan.ProtectS"
        // 64 hex characters; presumably the SHA-256 of the sample the rule was
        // written against. Useful as a known-positive when regression-testing.
        reference_sample = "c0330e072b7003f55a3153ac3e0859369b9c3e22779b113284e95ce1e2ce2099"
        severity = 50
        arch_context = "x86"
        scan_context = "file"
        license = "Elastic License v2"
        os = "windows"
    strings:
        // "\\" is an escaped backslash, so the pattern is \ProtectS.pdb.
        // No modifiers are given: the match is ASCII and case-sensitive, so a
        // wide (UTF-16) or differently-cased copy of the path will not hit.
        $str1 = "\\ProtectS.pdb"
    condition:
        // uint32(0x3C) reads the little-endian dword at file offset 0x3C; in a
        // PE image that is e_lfanew, the offset of the "PE\0\0" signature.
        // Adding 0x5C (4-byte signature + 20-byte COFF header + 0x44 into the
        // optional header) lands on the Subsystem field, which sits at the same
        // offset for PE32 and PE32+. Value 1 is IMAGE_SUBSYSTEM_NATIVE, used by
        // images that do not run under the Win32 subsystem (typically drivers).
        // int16() is a signed read; for the constant 1 that makes no difference.
        //
        // NOTE(review): nothing here verifies the MZ magic at offset 0 or the
        // PE signature at e_lfanew, so the Subsystem test is only meaningful
        // when the file really is a PE. The PDB-path string carries most of the
        // specificity; it is a build artifact that is easy to strip or rename,
        // so treat a miss as inconclusive rather than as a clean verdict.
        int16(uint32(0x3C) + 0x5c) == 0x0001 and $str1
}