((Image:\\reg.exe OR OriginalFileName:reg.exe) (CommandLine:\\Control\\WMI\\Autologger\\DefenderApiLogger\\Start* OR CommandLine:\\Control\\WMI\\Autologger\\DefenderAuditLogger\\Start*) (CommandLine:add* CommandLine:0*)) (-CommandLine:0x00000001*)