(Image:windows\\system32\\Physmem.sys* OR Image:Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini* OR Image:Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini* OR Image:Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini*) OR (((Image:windows\\system32\\filepath2* OR Image:windows\\system32\\ime*) AND CommandLine:reg\ add*) AND (CommandLine:HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\\{7c857801\-7381\-11cf\-884d\-00aa004b2e24\}\\inprocserver32* OR CommandLine:HKEY_LOCAL_MACHINE\\software\\classes\\clsid\\\{cf4cc405\-e2c5\-4ddd\-b3ce\-5e7582d8c9fa\}\\inprocserver32*))