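((Image:\\wmic.exe OR OriginalFileName:wmic.exe OR ParentImage:\\wmiprvse.exe) ((CommandLine:reg* CommandLine:\ add\ *) (CommandLine:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run* OR CommandLine:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run* OR CommandLine:\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run*))) ((CommandLine:\:\\Perflogs* OR CommandLine:\:\\ProgramData* OR CommandLine:\:\\Windows\\Temp* OR CommandLine:\:\\Temp* OR CommandLine:\\AppData\\Local\\Temp* OR CommandLine:\\AppData\\Roaming* OR CommandLine:\:\\$Recycle.bin* OR CommandLine:\:\\Users\\Default* OR CommandLine:\:\\Users\\public* OR CommandLine:%temp%* OR CommandLine:%tmp%* OR CommandLine:%Public%* OR CommandLine:%AppData%*) OR (CommandLine:\:\\Users\\* (CommandLine:\\Favorites* OR CommandLine:\\Favourites* OR CommandLine:\\Contacts* OR CommandLine:\\Music* OR CommandLine:\\Pictures* OR CommandLine:\\Documents* OR CommandLine:\\Photos*)))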