(Image:\\schtasks.exe (CommandLine:\ \/Change\ * CommandLine:\ \/TN\ *)) (CommandLine:\\AppData\\Local\\Temp* OR CommandLine:\\AppData\\Roaming\\* OR CommandLine:\\Users\\Public\\* OR CommandLine:\\WINDOWS\\Temp\\* OR CommandLine:\\Desktop\\* OR CommandLine:\\Downloads\\* OR CommandLine:\\Temporary\ Internet* OR CommandLine:C\:\\ProgramData\\* OR CommandLine:C\:\\Perflogs\\* OR CommandLine:%ProgramData%* OR CommandLine:%appdata%* OR CommandLine:%comspec%* OR CommandLine:%localappdata%*) (CommandLine:regsvr32* OR CommandLine:rundll32* OR CommandLine:cmd\ \/c\ * OR CommandLine:cmd\ \/k\ * OR CommandLine:cmd\ \/r\ * OR CommandLine:cmd.exe\ \/c\ * OR CommandLine:cmd.exe\ \/k\ * OR CommandLine:cmd.exe\ \/r\ * OR CommandLine:powershell* OR CommandLine:mshta* OR CommandLine:wscript* OR CommandLine:cscript* OR CommandLine:certutil* OR CommandLine:bitsadmin* OR CommandLine:bash.exe* OR CommandLine:bash\ * OR CommandLine:scrcons* OR CommandLine:wmic\ * OR CommandLine:wmic.exe* OR CommandLine:forfiles* OR CommandLine:scriptrunner* OR CommandLine:hh.exe* OR CommandLine:hh\ *)