(ParentImage:\\cmd.exe (Image:\\cool.exe OR Image:\\zero.exe) (CommandLine:Administrator* CommandLine:\-c*)) ((CommandLine:taskkill* CommandLine:\/f* CommandLine:\/im*) OR CommandLine:powershell*)