(EventID:11 OR EventID:12) (ImageName:\\Users\\Public\\* OR ImageName:\\PerfLogs\\* OR ImageName:\\Desktop\\* OR ImageName:\\Downloads\\* OR ImageName:\\AppData\\Local\\Temp\\* OR ImageName:C\:\\Windows\\TEMP\\*)