(OriginalFileName:whoami.exe OR Image:\\whoami.exe) (User:AUTHORI* OR User:AUTORI* OR User:TrustedInstaller*)