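(CommandLine:copy\ procdump* OR CommandLine:move\ procdump*) OR ((CommandLine:copy\ * AND CommandLine:.dmp\ *) AND (CommandLine:2.dmp* OR CommandLine:lsass* OR CommandLine:out.dmp*)) OR (CommandLine:copy\ lsass.exe_* OR CommandLine:move\ lsass.exe_*)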