ParentImage:\\WinRAR.exe CommandLine:\\AppData\\Local\\Temp\\Rar$* CommandLine:\\.[a-zA-Z0-9]{1,4} \\. ((Image:\\cmd.exe OR Image:\\cscript.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe OR Image:\\wscript.exe) OR (OriginalFileName:Cmd.Exe OR OriginalFileName:cscript.exe OR OriginalFileName:PowerShell.EXE OR OriginalFileName:pwsh.dll OR OriginalFileName:wscript.exe))