(ParentImage:\\wscript.exe OR ParentImage:\\cscript.exe) (Image:\\rundll32.exe OR ((Image:\\cmd.exe OR Image:\\powershell.exe OR Image:\\pwsh.exe) ((CommandLine:mshta* CommandLine:http*) OR (CommandLine:rundll32* OR CommandLine:regsvr32* OR CommandLine:msiexec*)))) (-(Image:\\rundll32.exe (CommandLine:UpdatePerUserSystemParameters* OR CommandLine:PrintUIEntry* OR CommandLine:ClearMyTracksByProcess*)))