((Image:\\powershell.exe OR Image:\\pwsh.exe) (CommandLine:\\Windows\\Temp* OR CommandLine:\\Temporary\ Internet* OR CommandLine:\\AppData\\Local\\Temp* OR CommandLine:\\AppData\\Roaming\\Temp* OR CommandLine:%TEMP%* OR CommandLine:%TMP%* OR CommandLine:%LocalAppData%\\Temp*)) (-(CommandLine:\-WindowStyle\ hidden\ \-Verb\ runAs* OR CommandLine:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Temp\\Amazon\\EC2\-Windows\\* OR (CommandLine:\ >* OR CommandLine:Out\-File* OR CommandLine:ConvertTo\-Json*) OR ((ParentImage:C\:\\Windows\\System32\\Msiexec.exe OR ParentImage:C\:\\Windows\\SysWOW64\\Msiexec.exe) Image:\\powershell.exe (CommandLine:\-NoProfile\ \-ExecutionPolicy\ Bypass\ \-Command* CommandLine:AppData\\Local\\Temp\\* CommandLine:Install\-Chocolatey.ps1*))))