((ParentImage:\\caddy.exe OR ParentImage:\\httpd.exe OR ParentImage:\\nginx.exe OR ParentImage:\\php\-cgi.exe OR ParentImage:\\w3wp.exe OR ParentImage:\\ws_tomcatservice.exe) OR ((ParentImage:\\java.exe OR ParentImage:\\javaw.exe) (ParentImage:\-tomcat\-* OR ParentImage:\\tomcat*)) OR ((ParentImage:\\java.exe OR ParentImage:\\javaw.exe) (CommandLine:catalina.jar* OR CommandLine:CATALINA_HOME*))) ((CommandLine:rundll32* CommandLine:comsvcs*) OR (CommandLine:\ \-hp* CommandLine:\ a\ * CommandLine:\ \-m*) OR (CommandLine:net* CommandLine:\ user\ * CommandLine:\ \/add*) OR (CommandLine:net* CommandLine:\ localgroup\ * CommandLine:\ administrators\ * CommandLine:\/add*) OR (Image:\\ntdsutil.exe OR Image:\\ldifde.exe OR Image:\\adfind.exe OR Image:\\procdump.exe OR Image:\\Nanodump.exe OR Image:\\vssadmin.exe OR Image:\\fsutil.exe) OR (CommandLine:\ \-decode\ * OR CommandLine:\ \-NoP\ * OR CommandLine:\ \-W\ Hidden\ * OR CommandLine:\ \/decode\ * OR CommandLine:\ \/ticket\:* OR CommandLine:\ sekurlsa* OR CommandLine:.dmp\ full* OR CommandLine:.downloadfile\(* OR CommandLine:.downloadstring\(* OR CommandLine:FromBase64String* OR CommandLine:process\ call\ create* OR CommandLine:reg\ save\ * OR CommandLine:whoami\ \/priv*))