((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\reg.exe) OR (OriginalFileName:powershell.exe OR OriginalFileName:pwsh.dll OR OriginalFileName:reg.exe)) (CommandLine:\ add\ * OR CommandLine:New\-ItemProperty* OR CommandLine:Set\-ItemProperty* OR CommandLine:si\ *) (CommandLine:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell\ Folders* OR CommandLine:\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User\ Shell\ Folders*) CommandLine:Startup*