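ParentImage:*\\w3wp.exe AND (CommandLine:*appcmd.exe\ add\ module* OR (CommandLine:*\ system.enterpriseservices.internal.publish* AND Image:*\\powershell.exe) OR (CommandLine:*gacutil* AND CommandLine:*\ \/I*))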