(CommandLine:\\HarddiskVolumeShadowCopy* AND CommandLine:System32\\config\\sam*) AND (CommandLine:Copy\-Item* OR CommandLine:cp\ $_.* OR CommandLine:cpi\ $_.* OR CommandLine:copy\ $_.* OR CommandLine:.File\]\:\:Copy\(*)