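(((Image:*\\NTDSDump.exe OR Image:*\\NTDSDumpEx.exe) OR (CommandLine:*ntds.dit* AND CommandLine:*system.hiv*) OR CommandLine:*NTDSgrab.ps1*) OR (CommandLine:*ac\ i\ ntds* AND CommandLine:*create\ full*) OR (CommandLine:*\/c\ copy\ * AND CommandLine:*\\windows\\ntds\\ntds.dit*) OR (CommandLine:*activate\ instance\ ntds* AND CommandLine:*create\ full*) OR (CommandLine:*powershell* AND CommandLine:*ntds.dit*)) OR (CommandLine:*ntds.dit* AND ((ParentImage:*\\apache* OR ParentImage:*\\tomcat* OR ParentImage:*\\AppData\\* OR ParentImage:*\\Temp\\* OR ParentImage:*\\Public\\* OR ParentImage:*\\PerfLogs\\*) OR (Image:*\\apache* OR Image:*\\tomcat* OR Image:*\\AppData\\* OR Image:*\\Temp\\* OR Image:*\\Public\\* OR Image:*\\PerfLogs\\*)))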