(ParentImage:\\cmd.exe ParentCommandLine:.bat) ((Image:\\xcopy.exe (CommandLine:powershell.exe* CommandLine:.bat.exe*)) OR (Image:\\xcopy.exe (CommandLine:pwsh.exe* CommandLine:.bat.exe*)) OR (Image:\\attrib.exe (CommandLine:\+s* CommandLine:\+h* CommandLine:.bat.exe*)))