rule Hemigate {
	meta:
		description = "detect Hemigate in memory"
	strings:
		$cmd1 = ".?AVCATcpSocket@@"
		$cmd2 = ".?AVCBaseSocket@@"
		$cmd3 = ".?AVCFile@@"
		$cmd4 = ".?AVCmd@"
		$cmd5 = ".?AVCPro@@"
		$cmd6 = ".?AVCRdp@@"
		$cmd7 = ".?AVCShell@@"
		$cmd8 = ".?AVCSocket5@@"
		$cmd9 = ".?AVCSTlsSocket@@"
		$cmd10 = ".?AVCTransf@@"
		$cmd11 = ".?AVCFileMoniter@@"
		$cmd12 = ".?AVCKeylogPlug@@"
		$cmd13 = ".?AVCPipe@@"
	condition:
		8 of them
}