(CommandLine:wevtutil\ cl\ Application\ &\ fsutil\ usn\ deletejournal\ \/D\ C\:* OR CommandLine:dllhost.dat\ %WINDIR%\\ransoms*) OR (Image:\\rundll32.exe (CommandLine:.dat,#1 OR CommandLine:.dat\ #1 OR CommandLine:.zip.dll\",#1)) OR "\\perfc.dat"