((Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:join*split* OR CommandLine:\(\ $ShellId\[1\]\+$ShellId\[13\]\+'x'\)* OR CommandLine:\(\ $PSHome\[*\]\+$PSHOME\[*\]\+* OR CommandLine:\(\ $env\:Public\[13\]\+$env\:Public\[5\]\+'x'\)* OR CommandLine:\(\ $env\:ComSpec\[4,*,25\]\-Join''\)* OR CommandLine:\[1,3\]\+'x'\-Join''\)*)