(OriginalFileName:wmic.exe OR Image:\\WMIC.exe) (CommandLine:\ service\ get\ * CommandLine:name,displayname,pathname,startmode*)