Detect-It-Easy/db/PE/Microsoft_dotNET_installer.1.sg

// Detect It Easy: detection rule file
// Author: hypn0 <hypn0@mail.ru>

init("installer", "Microsoft dotNET installer");

function detect() {
    if (PE.compareEP("e8$$$$$$$$8bff558bec83ec..a1........8365....8365....5357bf........bb........3bc774..85c374")) {
        if (PE.findSignature(PE.getOverlayOffset(), Math.min(0x110, PE.getOverlaySize()), "'7z'bcaf") != -1) {
            sOptions = "7zip";
            bDetected = true;
        }
    }

    return result();
}