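((Image:*\\cscript.exe OR Image:*\\mshta.exe OR Image:*\\wscript.exe) OR (CommandLine:*\ \-ep\ bypass\ * OR CommandLine:*\ \-ExecutionPolicy\ bypass\ * OR CommandLine:*\ \-w\ hidden\ * OR CommandLine:*\/e\:javascript\ * OR CommandLine:*\/e\:Jscript\ * OR CommandLine:*\/e\:vbscript\ *) OR (OriginalFileName:cscript.exe OR OriginalFileName:mshta.exe OR OriginalFileName:wscript.exe)) ((CommandLine:*\:\\Perflogs\\* OR CommandLine:*\:\\Users\\Public\\* OR CommandLine:*\\%Public%* OR CommandLine:*\\AppData\\Local\\Temp* OR CommandLine:*\\AppData\\Roaming\\Temp* OR CommandLine:*\\Temporary\ Internet* OR CommandLine:*\\Windows\\Temp* OR CommandLine:*\\Start\ Menu\\Programs\\Startup\\* OR CommandLine:*%TEMP%* OR CommandLine:*%TMP%* OR CommandLine:*%LocalAppData%\\Temp*) OR ((CommandLine:*\:\\Users\\* CommandLine:*\\Favorites\\*) OR (CommandLine:*\:\\Users\\* CommandLine:*\\Favourites\\*) OR (CommandLine:*\:\\Users\\* CommandLine:*\\Contacts\\*) OR (CommandLine:*\:\\Users\\* CommandLine:*\\Documents\\*) OR (CommandLine:*\:\\Users\\* CommandLine:*\\Music\\*) OR (CommandLine:*\:\\Users\\* CommandLine:*\\Pictures\\*) OR (CommandLine:*\:\\Users\\* CommandLine:*\\Videos\\*))) (-((ParentImage:C\:\\Windows\\System32\\Msiexec.exe OR ParentImage:C\:\\Windows\\SysWOW64\\Msiexec.exe) Image:*\\powershell.exe (CommandLine:*\-NoProfile\ \-ExecutionPolicy\ Bypass\ \-Command* CommandLine:*AppData\\Local\\Temp\\* CommandLine:*Install\-Chocolatey.ps1*)))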