rule M_Hunting_Win_WiperPaths_1 {
	meta:
		author = "Mandiant"
		description = "Detects notable wiper strings"
		reference = "https://twitter.com/ESETresearch/status/1496581903205511181"
	strings:
		$w1 = "\\\\.\\EPMNTDRV" wide fullword
		$w2 = "\\\\.\\PhysicalDrive" wide fullword
		$w3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" wide fullword
		$w4 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
		$w5 = "\\\\?\\C:\\Documents and Settings" wide fullword
		$w6 = "<<Obsolete>>" wide fullword
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (all of them)
}