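(((IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384) AND (User:*AUTHORI* OR User:*AUTORI*)) AND ((Image:*\\calc.exe OR Image:*\\cscript.exe OR Image:*\\forfiles.exe OR Image:*\\hh.exe OR Image:*\\mshta.exe OR Image:*\\ping.exe OR Image:*\\wscript.exe) OR CommandLine:net\\s+user\\s+ OR (CommandLine:*\ \-NoP\ * OR CommandLine:*\ \-W\ Hidden\ * OR CommandLine:*\ \-decode\ * OR CommandLine:*\ \/decode\ * OR CommandLine:*\ \/urlcache\ * OR CommandLine:*\ \-urlcache\ * OR CommandLine:*\ \-e*\ JAB* OR CommandLine:*\ \-e*\ SUVYI* OR CommandLine:*\ \-e*\ SQBFAFgA* OR CommandLine:*\ \-e*\ aWV4I* OR CommandLine:*\ \-e*\ IAB* OR CommandLine:*\ \-e*\ PAA* OR CommandLine:*\ \-e*\ aQBlAHgA* OR CommandLine:*vssadmin\ delete\ shadows* OR CommandLine:*reg\ SAVE\ HKLM* OR CommandLine:*\ \-ma\ * OR CommandLine:*Microsoft\\Windows\\CurrentVersion\\Run* OR CommandLine:*.downloadstring\(* OR CommandLine:*.downloadfile\(* OR CommandLine:*\ \/ticket\:* OR CommandLine:*dpapi\:\:* OR CommandLine:*event\:\:clear* OR CommandLine:*event\:\:drop* OR CommandLine:*id\:\:modify* OR CommandLine:*kerberos\:\:* OR CommandLine:*lsadump\:\:* OR CommandLine:*misc\:\:* OR CommandLine:*privilege\:\:* OR CommandLine:*rpc\:\:* OR CommandLine:*sekurlsa\:\:* OR CommandLine:*sid\:\:* OR CommandLine:*token\:\:* OR CommandLine:*vault\:\:cred* OR CommandLine:*vault\:\:list* OR CommandLine:*\ p\:\:d\ * OR CommandLine:*;iex\(* OR CommandLine:*MiniDump*))) AND NOT ((CommandLine:*ping* AND CommandLine:*127.0.0.1* AND CommandLine:*\ \-n\ *) OR (Image:*\\PING.EXE AND ParentCommandLine:*\\DismFoDInstall.cmd*) OR ParentImage:*\:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\* OR ((ParentImage:*\:\\Program\ Files\ \(x86\)\\Java\\* OR ParentImage:*\:\\Program\ Files\\Java\\*) AND ParentImage:*\\bin\\javaws.exe AND (Image:*\:\\Program\ Files\ \(x86\)\\Java\\* OR Image:*\:\\Program\ Files\\Java\\*) AND Image:*\\bin\\jp2launcher.exe AND CommandLine:*\ \-ma\ *))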