(Image:\\csc.exe OR OriginalFileName:csc.exe) ((ParentImage:\\cscript.exe OR ParentImage:\\excel.exe OR ParentImage:\\mshta.exe OR ParentImage:\\onenote.exe OR ParentImage:\\outlook.exe OR ParentImage:\\powerpnt.exe OR ParentImage:\\winword.exe OR ParentImage:\\wscript.exe) OR ((ParentImage:\\powershell.exe OR ParentImage:\\pwsh.exe) (ParentCommandLine:\-Encoded\ * OR ParentCommandLine:FromBase64String*)) OR (ParentCommandLine:(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$ OR (ParentCommandLine:\:\\PerfLogs\\* OR ParentCommandLine:\:\\Users\\Public\\* OR ParentCommandLine:\:\\Windows\\Temp\\* OR ParentCommandLine:\\Temporary\ Internet*) OR (ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Favorites\\*) OR (ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Favourites\\*) OR (ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Contacts\\*) OR (ParentCommandLine:\:\\Users\\* ParentCommandLine:\\Pictures\\*))) (-((ParentImage:C\:\\Program\ Files\ \(x86\)\\* OR ParentImage:C\:\\Program\ Files\\*) OR ParentImage:C\:\\Windows\\System32\\sdiagnhost.exe OR ParentImage:C\:\\Windows\\System32\\inetsrv\\w3wp.exe)) (-(ParentImage:C\:\\ProgramData\\chocolatey\\choco.exe OR ParentCommandLine:\\ProgramData\\Microsoft\\Windows\ Defender\ Advanced\ Threat\ Protection* OR (ParentCommandLine:JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw* OR ParentCommandLine:cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA* OR ParentCommandLine:nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA*)))