(Image:\\wbadmin.exe OR OriginalFileName:WBADMIN.EXE) (CommandLine:start* OR CommandLine:backup*) (CommandLine:\\config\\SAM* OR CommandLine:\\config\\SECURITY* OR CommandLine:\\config\\SYSTEM* OR CommandLine:\\Windows\\NTDS\\NTDS.dit*)