(ParentImage:\\wscript.exe Image:\\cmd.exe CommandLine:>>%APPDATA%\\Microsoft\\* (CommandLine:.xml OR CommandLine:.txt)) (CommandLine:ipconfig\\s+/all OR (CommandLine:dir* OR CommandLine:systeminfo* OR CommandLine:tasklist*))