((Image:\\reg.exe CommandLine:query* (CommandLine:\-v* OR CommandLine:\/v* OR CommandLine:–v* OR CommandLine:—v* OR CommandLine:―v*)) OR ((Image:\\powershell.exe OR Image:\\pwsh.exe) (CommandLine:Get\-ItemPropertyValue* OR CommandLine:gpv*))) (CommandLine:\\SOFTWARE\\Microsoft\\Windows\ Defender* OR CommandLine:\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion* OR CommandLine:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall* OR CommandLine:\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation* OR CommandLine:\\SYSTEM\\CurrentControlSet\\Services*)