// Winnti loader detection: fires only when a file contains BOTH the
// "loadoerf.ini" file name and the "gzwrite64" import name, in either
// ASCII or UTF-16LE (wide) encoding. Each string must stand alone as a
// word (fullword), which keeps it from matching inside a longer token.
rule malware_windows_winnti_loadperf_dll_loader
{
    meta:
        description = "Winnti APT group; gzwrite64 imported from loadoerf.ini"
        reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/"
        author = "@mimeframe"
        md5 = "879ce99e253e598a3c156258a9e81457"

    strings:
        // File name referenced by the loader. Note the "loadoerf" spelling
        // differs from "loadperf" in the rule name; this is the artifact's
        // own string as recorded by the author -- do not "correct" it.
        $ini_name = "loadoerf.ini" fullword ascii wide
        // Function name the description says is imported from that file.
        $import_name = "gzwrite64" fullword ascii wide

    condition:
        // Both strings are required; either one alone is not sufficient.
        $ini_name and $import_name
}