ParentImage:\\code.exe ((Image:\\calc.exe OR Image:\\regsvr32.exe OR Image:\\rundll32.exe OR Image:\\cscript.exe OR Image:\\wscript.exe) OR ((Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\cmd.exe) (CommandLine:Invoke\-Expressions* OR CommandLine:IEX* OR CommandLine:Invoke\-Command* OR CommandLine:ICM* OR CommandLine:DownloadString* OR CommandLine:rundll32* OR CommandLine:regsvr32* OR CommandLine:wscript* OR CommandLine:cscript*)) OR (Image:\:\\Users\\Public\\* OR Image:\:\\Windows\\Temp\\* OR Image:\:\\Temp\\*))