(TargetImage:\\calc.exe OR TargetImage:\\calculator.exe OR TargetImage:\\mspaint.exe OR TargetImage:\\notepad.exe OR TargetImage:\\ping.exe OR TargetImage:\\sethc.exe OR TargetImage:\\spoolsv.exe OR TargetImage:\\wordpad.exe OR TargetImage:\\write.exe) (-(SourceImage:C\:\\Windows\\System32\\csrss.exe OR ((SourceImage:C\:\\Windows\\System32\\explorer.exe OR SourceImage:C\:\\Windows\\System32\\OpenWith.exe) TargetImage:C\:\\Windows\\System32\\notepad.exe) OR (SourceImage:C\:\\Windows\\System32\\AtBroker.exe TargetImage:C\:\\Windows\\System32\\Sethc.exe))) (-(StartFunction:EtwpNotificationThread OR SourceImage:unknown\ process* OR (SourceImage:C\:\\Program\ Files\\VMware\\VMware\ Tools\\vmtoolsd.exe StartFunction:GetCommandLineW (TargetImage:C\:\\Windows\\System32\\notepad.exe OR TargetImage:C\:\\Windows\\System32\\spoolsv.exe)) OR (SourceImage:C\:\\Program\ Files\\Xerox\\XeroxPrintExperience\\CommonFiles\\XeroxPrintJobEventManagerService.exe StartFunction:LoadLibraryW TargetImage:C\:\\Windows\\System32\\spoolsv.exe)))