DefenderYara/Exploit/Win64/Anpobe/Exploit_Win64_Anpobe_A.yar


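rule Exploit_Win64_Anpobe_A{
// Exploit:Win64/Anpobe.A — weighted string signature carried over from the
// Defender PEHSTR_EXT definition (5 strings, threshold 0x15 = 21 of 22).
// Per-string weights: $a_80_0=1, $a_80_1=10, $a_80_2=1, $a_03_3=5, $a_01_4=5.
meta:
description = "Exploit:Win64/Anpobe.A,SIGNATURE_TYPE_PEHSTR_EXT,15 00 15 00 05 00 00 "
strings :
// Windows Error Reporting (WER) report-queue directory (weight 1).
$a_80_0 = "C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue"
// Command line that manually starts the WER QueueReporting scheduled task (weight 10).
$a_80_1 = "SCHTASKS /Run /Tn \"Microsoft\\Windows\\Windows Error Reporting\\QueueReporting\""
// WER report file suffix (weight 1).
$a_80_2 = "\\Report.wer"
// Code fragment: the little-endian 32-bit constant 0x00090240 followed within
// 0-15 bytes by ff 15 (an indirect CALL through a pointer). Presumably the
// control code handed to DeviceIoControl — confirm against a sample (weight 5).
$a_03_3 = {40 02 09 00 [0-0f] ff 15 }
// Imported API name (weight 5).
$a_01_4 = "DeviceIoControl"
condition:
// The threshold (21 of a possible 22) is reachable only when $a_80_1, $a_03_3
// and $a_01_4 are all present plus at least one of the two weight-1 strings,
// so the weighted sum is written out as that logical form. The previous
// "(#x & 1)*w" sum tested the parity of the match count, not presence: a
// string occurring an even number of times contributed 0 and such files
// were missed.
$a_80_1 and $a_03_3 and $a_01_4 and ($a_80_0 or $a_80_2)
}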