Create signature for DLL sideloading
Initial signature for one behaviour that appears in some sideloading cases. For this to trigger, either `zip_compound` needs to be used, triggering the correct file that then sideloads the DLL, or it has to happen naturally within the chain (i.e. a loader, malicious script, doc, etc. pulls down the elements needed itself and sideloads it).
Some other sigs will need to be investigated for anomalies on this, which I am looking into, but this should detect some cases.
APT28 sideload sample (dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027)