(CommandLine:reg.exe\ save\ hklm\\sam\ %temp%\\\~reg_sam.save* OR CommandLine:1q2w3e4r@#$@#$@#$* OR CommandLine:\ \-hp1q2w3e4\ * OR CommandLine:.dat\ data03\ 10000\ \-p\ *) OR (CommandLine:netstat\ \-aon\ |\ find\ * CommandLine:ESTA* CommandLine:\ >\ %temp%\\\~*) OR (CommandLine:.255\ 10\ C\:\\ProgramData\\IBM\\* CommandLine:.DAT*) OR ((CommandLine:\ \/c\ * CommandLine:\ \-p\ 0x*) (CommandLine:C\:\\ProgramData\\* OR CommandLine:C\:\\RECYCLER\\*)) OR ((CommandLine:rundll32\ * CommandLine:C\:\\ProgramData\\*) (CommandLine:.bin,* OR CommandLine:.tmp,* OR CommandLine:.dat,* OR CommandLine:.io,* OR CommandLine:.ini,* OR CommandLine:.db,*))