(ParentImage:\\spoolsv.exe (IntegrityLevel:System OR IntegrityLevel:S\-1\-16\-16384)) ((Image:\\gpupdate.exe OR Image:\\whoami.exe OR Image:\\nltest.exe OR Image:\\taskkill.exe OR Image:\\wmic.exe OR Image:\\taskmgr.exe OR Image:\\sc.exe OR Image:\\findstr.exe OR Image:\\curl.exe OR Image:\\wget.exe OR Image:\\certutil.exe OR Image:\\bitsadmin.exe OR Image:\\accesschk.exe OR Image:\\wevtutil.exe OR Image:\\bcdedit.exe OR Image:\\fsutil.exe OR Image:\\cipher.exe OR Image:\\schtasks.exe OR Image:\\write.exe OR Image:\\wuauclt.exe OR Image:\\systeminfo.exe OR Image:\\reg.exe OR Image:\\query.exe) OR ((Image:\\net.exe OR Image:\\net1.exe) (-CommandLine:start*)) OR (Image:\\cmd.exe (-(CommandLine:.spl* OR CommandLine:route\ add* OR CommandLine:program\ files*))) OR (Image:\\netsh.exe (-(CommandLine:add\ portopening* OR CommandLine:rule\ name*))) OR ((Image:\\powershell.exe OR Image:\\pwsh.exe) (-CommandLine:.spl*)) OR ((Image:\\rundll32.exe OR OriginalFileName:RUNDLL32.EXE) CommandLine:rundll32.exe))