(CommandLine:ldifde* CommandLine:\-f\ \-n* CommandLine:eprod.ldf*) OR ((CommandLine:copy\ \\\\* CommandLine:c$*) (CommandLine:\\aaaa\\procdump64.exe* OR CommandLine:\\aaaa\\netsess.exe* OR CommandLine:\\aaaa\\7za.exe* OR CommandLine:\\c$\\aaaa\\*))