(CommandLine:powershell.exe\ mshta.exe\ http* CommandLine:.hta*) OR (CommandLine:reg\ query\ \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal\ Server\ Client\\Default\"* OR CommandLine:cmd.exe\ \/c\ taskkill\ \/im\ cmd.exe* OR CommandLine:\(New\-Object\ System.Net.WebClient\).UploadFile\('http*)