(CommandLine:AddSecurityPackage* OR CommandLine:AdjustTokenPrivileges* OR CommandLine:Advapi32* OR CommandLine:CloseHandle* OR CommandLine:CreateProcessWithToken* OR CommandLine:CreatePseudoConsole* OR CommandLine:CreateRemoteThread* OR CommandLine:CreateThread* OR CommandLine:CreateUserThread* OR CommandLine:DangerousGetHandle* OR CommandLine:DuplicateTokenEx* OR CommandLine:EnumerateSecurityPackages* OR CommandLine:FreeHGlobal* OR CommandLine:FreeLibrary* OR CommandLine:GetDelegateForFunctionPointer* OR CommandLine:GetLogonSessionData* OR CommandLine:GetModuleHandle* OR CommandLine:GetProcAddress* OR CommandLine:GetProcessHandle* OR CommandLine:GetTokenInformation* OR CommandLine:ImpersonateLoggedOnUser* OR CommandLine:kernel32* OR CommandLine:LoadLibrary* OR CommandLine:memcpy* OR CommandLine:MiniDumpWriteDump* OR CommandLine:ntdll* OR CommandLine:OpenDesktop* OR CommandLine:OpenProcess* OR CommandLine:OpenProcessToken* OR CommandLine:OpenThreadToken* OR CommandLine:OpenWindowStation* OR CommandLine:PtrToString* OR CommandLine:QueueUserApc* OR CommandLine:ReadProcessMemory* OR CommandLine:RevertToSelf* OR CommandLine:RtlCreateUserThread* OR CommandLine:secur32* OR CommandLine:SetThreadToken* OR CommandLine:VirtualAlloc* OR CommandLine:VirtualFree* OR CommandLine:VirtualProtect* OR CommandLine:WaitForSingleObject* OR CommandLine:WriteInt32* OR CommandLine:WriteProcessMemory* OR CommandLine:ZeroFreeGlobalAllocUnicode*) (-((Image:\\MpCmdRun.exe CommandLine:GetLoadLibraryWAddress32*) OR (ParentImage:\\CompatTelRunner.exe (CommandLine:FreeHGlobal* OR CommandLine:PtrToString* OR CommandLine:kernel32* OR CommandLine:CloseHandle*))))