diff --git a/malware5.pl b/malware5.pl
index aea4e68..b3d51a9 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -441,7 +441,7 @@ my @regexen = (
     qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
     qr/<\?php\s+eval\(stripslashes\(\@\$\_POST\[\(chr\(([0-9]{1,20})\)\.chr\(([0-9]{1,20})\)\)\]\)\)\;\?>/is,
     qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\;return\s+base64\_decode\(\$\w\[\$\w\]\)\;\}\s+\?>/is,
-    qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
+    qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})\).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
     qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/\/.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is,
     qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/.+?CODE\;\s+\$injectType\s+\=\s+1\;.+?unlink\(\_\_FILE\_\_\)\;\s+\?>/is,    
diff --git a/malwaresh.pl b/malwaresh.pl
index e23af7d..8f4415f 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -924,7 +924,7 @@ my @regexen = (
     qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
     qr/<\?php\s+eval\(stripslashes\(\@\$\_POST\[\(chr\(([0-9]{1,20})\)\.chr\(([0-9]{1,20})\)\)\]\)\)\;\?>/is,
     qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\;return\s+base64\_decode\(\$\w\[\$\w\]\)\;\}\s+\?>/is,
-    qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
+    qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})\).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
     qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/\/.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is,
     qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/.+?CODE\;\s+\$injectType\s+\=\s+1\;.+?unlink\(\_\_FILE\_\_\)\;\s+\?>/is,