((Image:\\reg.exe OR OriginalFileName:reg.exe) (CommandLine:\ add\ * CommandLine:\\SYSTEM\\CurrentControlSet\\Control\\MiniNt*)) OR (((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\powershell_ise.exe) OR (OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll)) (CommandLine:New\-Item\ * OR CommandLine:ni\ *) CommandLine:\\SYSTEM\\CurrentControlSet\\Control\\MiniNt*)