rule M_Hunting_TOUCHSHOT {
	meta:
		author = "Mandiant"
		description = "Hunting rule For TOUCHSHOT"
	strings:
		$path = "%s\\Microsoft\\Windows\\Themes\\" wide
		$format = "ddd-ddd"
		$s1 = "EnumDisplaySettingsExW"
		$s2 = "GetSystemMetrics"
		$s3 = "GetDC"
		$s5 = "ReleaseDC"
	condition:
		(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and (3 of ($s*)) and $path and $format
}