LoFP / applications could use this notation occasionally which might generate some false positives. in that case investigate the parent and child process.

condition: selection and not filter
filter:
- ParentImage|endswith:
  - \WebEx\WebexHost.exe
  - \thor\thor64.exe
- CommandLine|contains: C:\xampp\vcredist\VCREDI~1.EXE
selection:
  CommandLine|contains:
  - ~1.exe
  - ~1.bat
  - ~1.msi
  - ~1.vbe
  - ~1.vbs
  - ~1.dll
  - ~1.ps1
  - ~1.js
  - ~1.hta
  - ~2.exe
  - ~2.bat
  - ~2.msi
  - ~2.vbe
  - ~2.vbs
  - ~2.dll
  - ~2.ps1
  - ~2.js
  - ~2.hta

condition: selection and not 1 of filter*
filter1:
- ParentImage:
  - C:\Windows\System32\Dism.exe
  - C:\Windows\System32\cleanmgr.exe
- ParentImage|endswith:
  - \WebEx\WebexHost.exe
  - \thor\thor64.exe
- Product: InstallShield (R)
- Description: InstallShield (R) Setup Engine
- Company: InstallShield Software Corporation
filter_installers:
- Image|contains|all:
  - \AppData\
  - \Temp\
- Image|endswith:
  - ~1\unzip.exe
  - ~1\7zG.exe
selection:
  Image|contains:
  - ~1\
  - ~2\

condition: selection and not filter
filter:
- ParentImage:
  - C:\Windows\System32\Dism.exe
  - C:\Windows\System32\cleanmgr.exe
  - C:\Program Files\GPSoftware\Directory Opus\dopus.exe
- ParentImage|endswith:
  - \WebEx\WebexHost.exe
  - \thor\thor64.exe
  - \veam.backup.shell.exe
  - \winget.exe
  - \Everything\Everything.exe
- ParentImage|contains: \AppData\Local\Temp\WinGet\
- CommandLine|contains:
  - \appdata\local\webex\webex64\meetings\wbxreport.exe
  - C:\Program Files\Git\post-install.bat
  - C:\Program Files\Git\cmd\scalar.exe
selection:
  CommandLine|contains:
  - ~1\
  - ~2\