((Image:\\svchost.exe (CommandLine:C\:\\Users\\* CommandLine:\\Desktop\\*)) (-ParentImage:C\:\\Windows\\System32\\*)) OR ((ParentImage:\\excel.exe Image:\\regsvr32.exe (CommandLine:\ \-s\ * OR CommandLine:\\AppData\\Local\\Temp\\*)) (-CommandLine:.dll*)) OR (ParentImage:\\svchost.exe ((Image:\\whoami.exe CommandLine:\ \/all*) OR ((Image:\\net.exe OR Image:\\net1.exe) CommandLine:\ view*)))