alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE HermeticWizard - WMI Spreader - Remote Process Creation M1"; flow:established,to_server; content:"|05 00 00|"; content:"W|00|i|00|n|00|3|00|2|00|_|00|P|00|r|00|o|00|c|00|e|00|s|00|s|00|"; distance:0; content:"C|00|r|00|e|00|a|00|t|00|e|00|"; within:200; content:"regsvr32|2e|exe|20 2f|s|20 2f|i|20|"; distance:0; fast_pattern; content:"|5c|c"; within:500; pcre:"/^[A-F0-9]{12}/R"; content:"|2e|dll|00|"; within:5; reference:url,www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/; reference:md5,517d2b385b846d6ea13b75b8adceb061; classtype:trojan-activity; sid:2035418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2022_03_09, deployment Internal, deployment Datacenter, malware_family HermeticWizard, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_15;)