((OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll) OR (Image:\\powershell.exe OR Image:\\pwsh.exe)) (CommandLine:\ Net.Sockets.TCPClient* CommandLine:.GetStream\(* CommandLine:.Write\(*)