((Image:\\GUP.exe OR OriginalFileName:gup.exe) (CommandLine:\ \-unzipTo\ * CommandLine:http*)) (-ParentImage:\\notepad\+\+.exe)