(TargetObject:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run* OR TargetObject:\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run* OR TargetObject:\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run*) (Details:powershell* OR Details:pwsh\ * OR Details:FromBase64String* OR Details:.DownloadFile\(* OR Details:.DownloadString\(* OR Details:\ \-w\ hidden\ * OR Details:\ \-w\ 1\ * OR Details:\-windowstyle\ hidden* OR Details:\-window\ hidden* OR Details:\ \-nop\ * OR Details:\ \-encodedcommand\ * OR Details:\-ExecutionPolicy\ Bypass* OR Details:Invoke\-Expression* OR Details:IEX\ \(* OR Details:Invoke\-Command* OR Details:ICM\ \-* OR Details:Invoke\-WebRequest* OR Details:IWR\ * OR Details:Invoke\-RestMethod* OR Details:IRM\ * OR Details:\ \-noni\ * OR Details:\ \-noninteractive\ *)