((Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) ((CommandLine:\ \-e* (CommandLine:\ JAB* OR CommandLine:\ SUVYI* OR CommandLine:\ SQBFAFgA* OR CommandLine:\ aQBlAHgA* OR CommandLine:\ aWV4I* OR CommandLine:\ IAA* OR CommandLine:\ IAB* OR CommandLine:\ UwB* OR CommandLine:\ cwB*)) OR (CommandLine:.exe\ \-ENCOD\ * OR CommandLine:\ BA\^J\ e\-*)) (-CommandLine:\ \-ExecutionPolicy\ remotesigned\ *)