From 86baa6617357c67553d6b14423661aa935fc0bf1 Mon Sep 17 00:00:00 2001
From: wagga40 <6437862+wagga40@users.noreply.github.com>
Date: Fri, 29 Mar 2024 19:00:16 +0100
Subject: [PATCH] Correct a bug in MiniGUI Update docs and rules
---
 README.md | 4 +-
 docs/Advanced.md | 28 +-
 docs/Usage.md | 14 +-
 docs/Zircolite_manual.pdf | Bin 679391 -> 679450 bytes
 gui/zircogui.zip | Bin 6475035 -> 6475867 bytes
 rules/rules_windows_generic.json | 251 ++++------
 rules/rules_windows_generic_full.json | 454 ++++++++++-------
 rules/rules_windows_generic_high.json | 251 ++++------
 rules/rules_windows_generic_medium.json | 396 ++++++++------
 rules/rules_windows_generic_pysigma.json | 596 +++++++++++++----------
 rules/rules_windows_sysmon.json | 251 ++++------
 rules/rules_windows_sysmon_full.json | 454 ++++++++++-------
 rules/rules_windows_sysmon_high.json | 251 ++++------
 rules/rules_windows_sysmon_medium.json | 396 ++++++++------
 rules/rules_windows_sysmon_pysigma.json | 596 +++++++++++++----------
 templates/exportForZircoGui.tmpl | 2 +-
 16 files changed, 2114 insertions(+), 1830 deletions(-)

diff --git a/README.md b/README.md
index 8951e82..1fb50d5 100644
--- a/README.md
+++ b/README.md
@@ -32,7 +32,7 @@ Help is available with `zircolite.py -h`. If your EVTX files have the extension
 ```shell
 # python3 zircolite.py --evtx --ruleset [--ruleset ]
-python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon.json
+python3 zircolite.py --evtx sysmon.evtx --ruleset rules/rules_windows_sysmon_pysigma.json
 ```
 The SYSMON ruleset employed is a default one, intended for analyzing logs from endpoints with SYSMON installed.
@@ -42,7 +42,7 @@ The SYSMON ruleset employed is a default one, intended for analyzing logs from e
 ```shell
 python3 zircolite.py --events auditd.log --ruleset rules/rules_linux.json --auditd
 python3 zircolite.py --events sysmon.log --ruleset rules/rules_linux.json --sysmon4linux
-python3 zircolite.py --events --ruleset rules/rules_windows_sysmon.json --jsononly
+python3 zircolite.py --events --ruleset rules/rules_windows_sysmon_pysigma.json --jsononly
 ```
 :information_source: If you want to try the tool you can test with [EVTX-ATTACK-SAMPLES](https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) (EVTX Files).
diff --git a/docs/Advanced.md b/docs/Advanced.md
index eddfd04..c2ea250 100755
--- a/docs/Advanced.md
+++ b/docs/Advanced.md
@@ -27,7 +27,7 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l
 ```shell
 find -maxdepth 1 -mindepth 1 -type d | \
 parallel --bar python3 zircolite.py --evtx {} \
- --ruleset rules/rules_windows_sysmon.json --outfile {/.}.json
+ --ruleset rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json
 ```
 One downside of this mode is that if you have less computer evidences than CPU Cores, they all will not be used.
@@ -39,7 +39,7 @@ Except when `evtx_dump` is used, Zircolite only use one core. So if you have a l
 ```shell
 find -type f -name "*.| \
 parallel -j -1 --progress python3 zircolite.py --evtx {} \
- --ruleset rules/rules_windows_sysmon.json --outfile {/.}.json
+ --ruleset rules/rules_windows_sysmon_pysigma.json --outfile {/.}.json
 ```
 In this example the `-j -1` is for using all cores but one. You can adjust the number of used cores with this arguments.
@@ -70,20 +70,20 @@ To speed up the detection process, you may want to use Zircolite on files matchi
 - Only use EVTX files that contains "sysmon" in their names
 ```shell
- python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
+ python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
 --select sysmon
 ```
 - Exclude "Microsoft-Windows-SystemDataArchiver%4Diagnostic.evtx"
 ```shell
- python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
+ python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
 --avoid systemdataarchiver
 ```
 - Only use EVTX files with "operational" in their names but exclude "defender" related logs
 ```shell
- python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
+ python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
 --select operational --avoid defender
 ```
@@ -92,7 +92,7 @@ For example, the **Sysmon** ruleset available in the `rules` directory only use
 So if you use the sysmon ruleset with the following rules, it should speed up `Zircolite`execution :
 ```shell
-python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
+python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
 --select sysmon --select security.evtx --select system.evtx \
 --select application.evtx --select Windows-NTLM --select DNS \
 --select powershell --select defender --select applocker \
@@ -113,14 +113,14 @@ Examples :
 - Select all events between the 2021-06-02 22:40:00 and 2021-06-02 23:00:00 :
 ```shell
- python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
+ python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
 -A 2021-06-02T22:40:00 -B 2021-06-02T23:00:00
 ```
 - Select all events after the 2021-06-01 12:00:00 :
 ```shell
- python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon.json \
+ python3 zircolite.py --evtx logs/ --ruleset rules/rules_windows_sysmon_pysigma.json \
 -A 2021-06-01T12:00:00
 ```
@@ -132,7 +132,7 @@ The filter will apply on the rule title. To avoid unexpected side-effect **compa
 ```shell
 python3 zircolite.py --evtx logs/ \
- --ruleset rules/rules_windows_sysmon.json \
+ --ruleset rules/rules_windows_sysmon_pysigma.json \
 -R MSHTA
 ```
@@ -160,7 +160,7 @@ If you forward your events to a central collector you can disable local logging
 If you have multiple endpoints to scan, it is useful to send the detected events to a central collector. As of v1.2, Zircolite can forward detected events to an HTTP server :
 ```shell
-python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon.json \
+python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
 --remote "http://address:port/uri"
 ```
 An **example** server called is available in the [tools](https://github.com/wagga40/Zircolite/tree/master/tools/zircolite_server/) directory.
@@ -173,7 +173,7 @@ As of v1.3.5, Zircolite can forward detections to a Splunk instance with Splunk
 2. Get your token and you are ready to go :
 ```shell
-python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon.json \
+python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
 --remote "https://x.x.x.x:8088" --token "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
 [--index myindex]
 ```
@@ -187,7 +187,7 @@ Since Splunk HEC default to the first associated index, `--index` is optional bu
 As of version 2.8.0, Zircolite can forward events to an ELK stack using the ES client.
 ```shell
-python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon.json \
+python3 zircolite.py --evtx /sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
 --remote "https://x.x.x.x:8088" --index "zircolite-whatever" \
 --eslogin "yourlogin" --espass "yourpass"
 ```
@@ -214,7 +214,7 @@ Zircolite provides a templating system based on Jinja 2. It allows you to change
 - `--templateOutput `
 ```shell
-python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon.json \
+python3 zircolite.py --evtx sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
 --template templates/exportForSplunk.tmpl --templateOutput exportForSplunk.json
 ```
@@ -237,7 +237,7 @@ You need to generate a `data.js` file with the `exportForZircoGui.tmpl` template
 ```shell
 python3 zircolite.py --evtx sample.evtx
- --ruleset rules/rules_windows_sysmon.json \
+ --ruleset rules/rules_windows_sysmon_pysigma.json \
 --template templates/exportForZircoGui.tmpl --templateOutput data.js
 7z x gui/zircogui.zip
 mv data.js zircogui/
diff --git a/docs/Usage.md b/docs/Usage.md
index 5cf39f2..829fff2 100644
--- a/docs/Usage.md
+++ b/docs/Usage.md
@@ -86,10 +86,10 @@ Multiple rulesets can be specified, results can be per-ruleset or combined (with
 ```shell
 # Example with a Zircolite ruleset and a Sigma rule. Results will be displayed per-ruleset
-python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon.json \
+python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
 --ruleset schtasks.yml
 # Example with a Zircolite ruleset and a Sigma rule. Results will be displayed combined
-python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon.json \
+python3 zircolite.py --events sample.evtx --ruleset rules/rules_windows_sysmon_pysigma.json \
 --ruleset schtasks.yml --combine-rulesets
 ```
@@ -107,7 +107,7 @@ If your evtx files have the extension ".evtx" :
 ```shell
 python3 zircolite.py --evtx \
 --ruleset
-python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon.json
+python3 zircolite.py --evtx ../Logs --ruleset rules/rules_windows_sysmon_pysigma.json
 ```
 ### XML logs
@@ -140,7 +140,7 @@ And it produces something like this (1 event per line):
 ```shell
 python3 zircolite.py --events --ruleset --xml
 python3 zircolite.py --events Microsoft-Windows-SysmonOperational.xml \
- --ruleset rules/rules_windows_sysmon_full.json --xml
+ --ruleset rules/rules_windows_sysmon_pysigma.json --xml
 ```
 ### EVTXtract logs
@@ -552,7 +552,7 @@ docker build . -t
 docker container run --tty \
 --volume :/case wagga40/zircolite:latest \
- --ruleset rules/rules_windows_sysmon.json \
+ --ruleset rules/rules_windows_sysmon_pysigma.json \
 --events /case \
 --outfile /case/detected_events.json
 ```
@@ -575,7 +575,7 @@ docker run --rm --tty \
 -v :/case/input:ro \
 -v :/case/output \
 wagga40/zircolite:latest \
- --ruleset rules/rules_windows_sysmon.json \
+ --ruleset rules/rules_windows_sysmon_pysigma.json \
 --events /case/input \
 -o /case/output/detected_events.json
 ```
@@ -587,6 +587,6 @@ You can use the Docker image available on [Docker Hub](https://hub.docker.com/r/
 ```shell
 docker container run --tty \
 --volume :/case docker.io/wagga40/zircolite:lastest \
- --ruleset rules/rules_windows_sysmon.json \
+ --ruleset rules/rules_windows_sysmon_pysigma.json \
 --evtx /case --outfile /case/detected_events.json
 ```
diff --git a/docs/Zircolite_manual.pdf b/docs/Zircolite_manual.pdf index b9abfb1812b4b4ec09fd3366d480a904f7849ec0..a8da7ccb573b98ee57290de5550879a682fd0b46 100644 GIT binary patch delta 32415 zcmY(IV_TpNqeZjrCQY^{+qP|Mvb%GWZQHhO+t%co?DKql&yU#GT6^!^PU?&<>N-ex zfR&#g&e_Gu%*YPTW8+Fk#(}IIvFB9d1-VK5272z6xNio`8-7nGE@<;=M+NEiJM|9< zwbJ9?8g_Gk*oHOc%L+8|h>w?~r(*%e6S39rDVc`HT))>Bci*?}uMa7K-bjm&&*#=u zhuuXPCGw4ze{PkG3b%XuJ2l_DHUwQO0JSwirZuH8RcJ8i$LVqYX$?@CB3Wv6h zcRuO|QrY=UoF_#|1@a@jK)W>h#bter3{r0fJpUl_hu!YQyZ>%Mzk5#)JQM#s{w-@Y zDw_Z(a2L@9s(|WuF!Me;5jM=%XHS2{8-8=!DFrp68*IuSvSf+m-p_mjZnn<{_=#k! z0^OgWP8{OND3Z5zWOd+VKh;slWs`sPh|E7#@4VFB%5Pd7+&FBDuvzOO?@(-OzFi^i z@0)wP6g5l_nSbDPLMXehle?lNo7AcGDqx@Ia?zd1E?yDJ{hNU5)V^3=7k~G1 zI*~nRfC+$;<60jeGghSjkzoM?YzE;7z_0d75;mX>zwVK*153)TylW-u#KZM zu9P>7puI5O`r7oaoc82*zs4HC=|!)^OX-gbY43O23-{fPa=(L@>Dm-|e^f4Qd|M|q z_SkJ&t5xY;`icsEUr6*h><0brDDBBFia2zEz^{>6_T_Q64{Qk!>c`v(^j5&y9Z+_) z&YZPGe`zM(xkZT5a1!4Idhkd+#?&FfxiCr3*l?nVj3|Akyz7*3?RdJc=vuZL%adjh zys2Y5_U4db3Q&V*zecun4=&LG{sw*e+e=EDowK8jB~UT?MY2vi@=-&Bw^bYxh*0e!=KaX zuQEPWyI3wguc^6G;MmmDkNSh4G2uotV;|z?ywqH@(b$pA#bFNcYXw+o%-9birH%Y2 zl;qb2mnjeOa9vaepqPTxTM!I`MsRWQXR?|t+!6=Ff><3}_M!gC4l0b(=|NIwm~Q38 z%Kt$L{qeVPT0x@$I2&;As+(bXC&$;Jy!!FVl{DX#Q$Z|U%i?iH+h_|iMNr0EX}zrQQWO_M7xcyD}{&)WF(t*|C+Ql9~CnJvo}UeJ0GsP(_5!^To4(vZKg|+ z+>J{_yd5eNj%MODcs{`O73Oxo&C#XF+-gk{Atfk6!uR|E7*=Wv$0*ZBn;&0pZnf|< zGvM+hVLg&Hh9h@JjQJK*V@bcps3j1j4^%l^RFr zUGQNP5dZeE%9DG+k`wPS6Ui`{fcZ0k%{Zun-RPW2_+TU&pX2QmvrKTNEYe+FtY2pT zk9xL+t#DBv5KByDjRBDnK9y_G>8ofkstyT9wI>VMOql|+hX~FRuZa=h;DJ)3FK;X(%}k( z$oi5HKqfoQVJB>eFd&6My8f8LRLMa@VK3b_yN?l=%hyu|--ZAaA5Y2Bgt{W3N8t^J zM@1v0X5?l#q@y9}2<@VMW~o{vl(&&|UJEAe!avg?2*3XaaNnU@y%en6-n!C|jch z(4Hxj+K4nb@>|xQaNm^iWYNZrS$F*{A$uucixab0^7i67-h!HgEKZ3&of93W zm*j4xJzz)OF+kSIBKD*NgRzct5IBlg8>llhx!+S}8LQp&R7l{}Se5S4S`jT)+{IWh z3c^maD(xe>(_`#+01;%_29q(t8fpy=Na$kbMWZyd@!RFRQ=tDAK`qn?XF%fmU31PR z-;)$A?i{IXCu_sgTX^`xp&Q+5LjqegO#$hT2~R4-00dKxdb30(7JZDqv8m3N~hpuFmHW@LWWldU152<^;8FOcjn3Ev~1Z;2rGhT&oo(}R2R7mj{fL7|2 
zH9A^(Yb&OHm9i0V;nz{M6V__`PpX^hZzCnZ>+(`yJ7oYvfW99v*1qmf$M&=4K;j7> z(kbl#y7vstQX#BB6lqpG{8D4PK=3VnmgOyVdFLHF2AZp?!_BCCxrdU{hRE?{cFdl? zBK?h+DESrN>2`RxFs|x1-%>3Zz(zlV>)sVdzuz^Jw7$QIR=y1cAG5z972QUGOE}WX zpD4YU-OgKJNN?+iD9_$ILdGa8OwT=s43d1+G>ld8|InK(#dx*35sEUwOhDlTu?qnk zJ)fg0V7q3wYME*23P7+=GwhnHe}=q)?AtB3C9-~{n{8tHyXujluE-S($RDP9hO}F3 zcC+sMrHEwdRJV4kZkk@up|#V6)7-jSuT(RytWj?lGYLm(o87g zubLtS`rS~>_C@@77e-vU zBL8lf%Qen_{`hS3Z=;(2ZkYI{t<)X63oC`WpXQ^LSFMvf6pe?6bv0?-6en`*f+n<6 z&ksJu!)4u1{ek;iAJ1kRx|Nv@Dc;T&^1ubsLDwvSi$4ZJu4$v>)>h>#!sHqTRbp#e z+5{ipf#A%`EU*k2sAF!Q^a&_F#?XE8xdJ=e-o%kM*WwF1hV@PO0A@wMpZbh<^XZ0%ZX=P2IZ=q?32g%~8V|e`gf_ z)JiBmcWOS)7>9UfmrtHdp$aDvP$v8Qx661g_76B82K#0-*!hm^{S5j3%J}|T@VWW^ zJQdLYda(FB2;nf)|9bIJ`k7Rmx(fV;H28XXi6v6*+06ZZ9qsM;m?UZ?0!P!|_+tK~ zCJ#)a`0$mKiur!rf1lO(m2jhY^C1`7Ie&vYmH+89Argw#2nDDNL!JqSowURu#F ziDZC#+0;TQ!%R%6vWT?qXRsa5a00H^w!RF!=;JP~3?@49Ki)}O!1j07&c#hU7?hi) znYxPK!H%^*eX5cB*{^Crv~QPFHHw2*xseUJok?Nx;|+WOj}uni{<*Ab@PaL?&b_+r zbeJg>!DHuFHl``|zFA!Kp8y<~!K!FUFK4A={SAxzI{H>ZW2_yVoc(i_V+j0@9SwHp z$n~DPqv#-F(x{zKnLlgHJ0ma4c?|7=DxfZ5Sc_WbN0QoTj(@=c1Z^AGXadx}(b zgYtqpr|9_v`=-=ma8|VZbG+ZdHK+?}WGaNMB^_|M(54aZ%)o`xufO)55fE7jZtiRd zFv`3JQf8?#kmjV||CUgdhPWy;&$0WMz( z*56O&jgwl7m80uRI*+2R(e{-^%LuG-4UZBed+rOB8c2YCU@J)&c+Dgs?D|kD?rSOJ z0M)v-Oxl!e6(XLGy?DaZ+Jj{5gE%MGO7Nn$MEJIeOi^l?q?l5LuGJEmz^H`M8>)Su?wCp{06)g6p2t|eGCBUR8q z?d})I<)1B)3sR-|u;HE#nkJLhr&krGrI{>Fz=vBHhsr*oc-UGn$!9yLt@v&AbHqOA zJWeTP+z~87fEa;7Zt_Y>5?#OU->f;TQ7y;9C*VG>)1%^hpnw?=?dF~EGHTacLPHX@ z#UfyDPmlo${qIhm6#Fk)u*9*_<41xixtCp3&f`=sty5 z7O)$_^+4Vvj^>>j;)AEDT}JZam)DSqUB-k7#$|Xgtj97>d~Y=>^XQd1inojI{k(rp zHFlG*bocsnFAQ#Ig7@7#c@AtmH21SHKXPZ)sWT|Zl%K#`K=shUQz)RUgB$dMcH{;a8?m50ZH6a;ITCc zwlPe!;zbk_W9fR#R62&w$eFhdPF{9yk@E_gh0VChB>UbdY|nghYF3#JIfEyBn<(`f zRMDrqX9gNvN2~)OJUSP#d2?~w9IQ_oeFoEkyEKE#GJ zqirY=s<$#Zv%YC3)!rp~r6n4~IociJ>9!)Tb3pB3Md%FFzqwmh?X?mNMgFx*xDHoK zOL{kVu;4gBqxO%*#6vsjhF6U*`hi0(GBg&K&O*zjXQcMN?eqwv}mV3XdxcR%*@Hk3*{_qII}9?@iAZP_Y$s4w@sw`!RR 
z&!PcVpf~tlE#mr?60uM3`Oia2F55W2H9ncz(6elozliz%UKG~8B7KJ(ou)J=A(%OoFHfG$d zO;njgg1waJjlPj?h&l3XGOffW9;ze+!}e_V)U@TROUO&Dy7m zSBJXk9OJ!v%6L!i}Abi9SS-eQ#q1h)X_4m+<51sIN zbSe~ZfFV?q&r6yIhyNPv2)ybyDirRWy%r~RXOnC(6mDgB605QY=zyFCuOTM)H8vQ| zN_)I0)S$BVeh+O(PDSDMcxu2*R|U&#T9m5+4Ag=Z6J_`Erf}C7@aA3AYex{v!W0U|$zDHM6=M*8Wxmpb4MM(d zs@zkp>n@m0r1Au~$AaJ$EJF@!R$=qMewd;;_WbdiykFX8KUtr*vCC+k><7EuuUqZU zb0n0%LY8R^zKU0r78n?C3$%YB9uQiw!9gH1lxlHN{VV&zr$7&?On*va+j-nddz8IGLWEIJeZw>L@YZ z;-`FxcODnA%o2Z=_5HK2@A<4bxh9WXIrj`?d&TV$9q&wSoP?vHsvW!CxyAp^4E|E! zM#afwd3zj{jf<~S+kr5_-~0%xGZWoPoE=WY{R&j#ey`fLtNJkjiM*$FEO_F7IP9;+ z#eTmH6Vf{iAfO-M;?`i{=o=%Ta`{8cEcEY1^Zh~ZR*O2DeiRP2G7ZJAKZFbd+p*kQ zHXa9CsCV)=s-8S^$F8}0v+N97L&HD~qHXn~^k*Tyoi>p2;WcoLdQ*m!Lycs z7q~|KC<|i>hC^$wt=jgwjbqN75WQOHNq#EhbL&>%G9>{W zB_5mw@LV_)^xnty(_+AQJsNhc2&WJCFyD&9gR5-qjt5d~E@m`RHYnGJ#uc_6cE^%v z)0M@aO64uUL$XPi;_B&v_-g)aR9B+JHh032NBBV06=K4BvL#^T9uj7!3?3Oqnw)FD z-N6sI54ex8Rlj+Lg<{_?){|od2VLWq}XX=RDTgkW!2)kzVe z%Vw!aw1py){_l^%!SUR<-P6^sCNjC1lrg*_j=w(YDtlo@fuwCaSq z$ndauK@LP08SOv zzJe(j+VvYQcUUV1(btnGUKAz%*_h0k`W*EtAY5r*YGv`K6bJ)<_$pJZvi^h@9aYh9)7)V%V%pL7 zv+%|gwa*k1rmOG+!W-Yg!HRjR{J*gC9Ng+I^Vf71@lM8%pmd)x!7@ zi4#YfB^{df>}F3*s8dvZmC$~cUk;B*r|0EmA^wRXY^%037g&IX3^hmWMt4MimPImu zs`5KZASuFO0OSxa(LR{@-3Xlf%JZ;#?_nu+W?BX_q{4UeDVunpxz3)}DH}ymk`*6c ztra|+UHf-z?qZ$LX~=^DaO;UHrmg9@GR8`5H`!-Q8moq@lXtC6IvcF&-B)@H0UpHr zAd!9=aEJ@uTG+iRLl6|@f2RcQL-r#c5`u0;>A&dzIIT6yigP{|7xTb8j8nBOkejuN zvJu{*pwNcB+d%r<^Tsbphv=dTnYILBmz^0Qz?q)ISUSjpE@XoPOwP1J7gpe*PqYw* zBciU5-S78m!zqSaeRcQfmLGA@?|Pz+PtC2`dn+@EQ}DS*l~Rmw))q-75-=xfv6R$x zj2?zbCb(O4mlj2n63_UU8ddst*^03T3 zgBM{kfXRVtNI-XoYOn2+WK5q3avd&<^$$)d*HuL8V*RBta$9jl3WE-@){F%j;byCG zOL4_Yz5f9w)^`wf29al^>OoW-Zar)!N9=Zmhm>KgA0Cqm($iI_B@Mp)&&C|4Xy&ba zq5}qLHp)2Q|HqumE-~Y(_VK!>?&a*@s@aFL>)VH%rk1$#(KyzGy#GD5{=tFPwgr)` z24hWtsP9Dm>d@r5XV7EyHluP)=N+z6ThqteoI9f@n5$>G6%U_LGFSg`UA=hZ3b7^~ zuJI9?Ej(i5?Z-b&;&({bd|aH&s}Q5r<&f(RPjfxsZ_Oe6g|Pc4Z#TmO(?sb~$h9}0 zIyU!h*2+NHJ!ZZZ#9>c!`Ua<>BLZS8GkePJva;WmevNyEy@?jrdgX+s1L=83dtC(E 
z^Pvfh;p+bPAYIeP}pFdSe2T7t@El zhr>3YgxwitPi1FH^OF{P#mcO3@V)c1PFq6^#Ag75xZ6&$;qmx1}H4obsIWaCz@NYBHhy4*=K}r?@q&}@C!7{^qDSl zOWHc!0{r-+G<+1L6}-iAkbLdo)_Cw}B!f2qmFUNvekvmpCPI%r7^I+b)*Y9yB2QAA zi)}hG>{s`Yw)%QOV)eR@?B2%YPTW&Xr^-=1_`q6SvMm;(P=Z$= zt6)J?p3`-Xq^+i`DTSg(?+t|NO9wldeFHYUj*y4OB;8q}-bu{WTqc5eW66az$@S^R zcDJY4hO)JIdtjfDNS8CBeuiPEA_gx=sfLcurHU5?-4D{nb4Ani)NMR@I41eI59VIR z`|I3zlVhk@EJHl;cPkY^+Ml57k zzcXn6X1}dN*!7cd*yr0&EJzAh=&!mwp#na5{IEDroKQaIRzmu2bz>#@=785ZdV85+ z-O7~CUJCM1qW^LY8dJjZ7(~9V78A}Cmdcj9mtDUhlaBu#)$Ko>2-lsiyJ`dA^<4>c zY$Bd`9s9?t?w!Nngs}@RutI%!4Lehtw|e)elWd*Jnlj;N;aBaqy|GhpP)Q zqm?ht>l)A6U9Q3Z`!&$3OD^Qjk@)D<_`>!uX5ejpAbH9z$`E^Vm&*C)RPt0{!XMBw zKeWc54lcWpxg&pjXKPYBn7DijlY7|uItjZN{^N@BroYCG z@#Gx$D8hlw)AnIdfI|QZReh-s zxYlh5s(^bZ+0L!1ONkx9RozfN`0QJb;2_P=jFr(BE`W+m zw44YrVAJ_bXA_XJvXZShr~OSCxat4F|J@>2QlZt>nN;Fuq<@cJyv_iRj-vd~V4>XF z*kw@6-{|_hLb_kRr0hxKC3{?*<$uMHdyzP9TN*0$l^yXNYO~);<)P+w_ccQq_3Hd= z>&GChkeOrD;;rT*A)+XCv$;bG$|h8ehRNemizo)ZBZZR zlK0RtK845?GwRf!IZGUpBXM;KsN7BVLP|5&f2?R5FM8kkT8SK9w)>(@u6L&sgjM>v zZ|2gRL|kLe2z%=|qm41%F&N=q>lfG#I6V?%{55nOgYhb z%|h$#uz;)z%&dLZR+=DHh`)WZ4}X-LkKuS-AVS{!xWt9H;H^(o5H&k|2H0U9M=giit_9B}it8r(I^K z5{0&bevLHmm-CE154eL?3={LxxuhMB@AZ*9j?>Bmn<%o{gh6lW!AIa13kBYMAL@l7 zHUxiTma;j>$WP@I~m?dwhtNU&9z?PZb#qExyDu6vn5VFElf*|l?eY@2YXeJC%x~hTgmFT_DgZWkJ zM>76&fU=V*$K5>Xb)*%yMNwnQH=kyI1t`K!IwaiBXv>l@!k*fY$B9ow=}|Lc=p3}Z zNpA_9fm3@)Zt$a7!(?oH{JjHXn~`_Yq95)gdG1z|9HA1sC^?ttN3KzY3s=BINqyeq zkEB%fXrL^uMY2O*Dxr=<8@FV$6S%F8RfZDVNLQAs_HiNJsVx&RQ|S$3_4fZo{nNC; z>b~2#h=3qZ8i~rpj&3qZWZUm5_oEefGq4^dUu<+_XygYt|Mw)h(w?j#WkcWjR*1*u z6ACol^b`dKf+%`;@2z;84h_`GYlI?T|y%>@e%^D-~%g4U|Xu=-f(l+?r5n8jS zGkU|4dTZMT^gUW$0}IVcdQP+|c;{Nr=ZQ$yL zzo$?tH|U^x%@iRHGi?qlvBv1If*t{#s}09JlpSU+t`@Q z>#-+}@TdDA9n%z)PtVJ_YsMhd^g2nI+?taF&Ss1lXmO+)A@kR9fnblM@+CLx8 zXoCQ}=DnnL(0S?{g}dJihP%S3FZ<(-R1eLsN!Sgf5LS8$X6S4N9y%IBEr2sxz{CbL z#R$Td@*iW1luZUAq(}=4>r}O){kXNaO!;WfDbA(B3WJT$Nd8uWD*j44Z7!TA4Iv~= zTm7$XYmjUVBu@y$8Gy>xRt!tVXDRtAsGc-Gr?vSxi>IUfXh%8IO_1H)T8Wd1 zr#7i?g5NzW5$7zWlT^L 
zZlIg(mLd&OwoUI>GjnFgx3IV9RmX}G50-R(g4O+N^elN%kPJ-l0bN>QuJa~_BSR$M zvdx|Sua%&^rv}4jzp^6KDmCL>&A@DqPcQwjT}lsJjya%ccfL&$_kP1-eEX+{N?TE*Mr{Cr-lVwz3d7>bcQkZ$9`0UcCpzQ z3=N8?!!Z+KU7&jpfkV5Lzf=?+h4qTR9{%<99;G^5c-v?iT6)1FLTXkW&kJAN{}Wu8 zM?w&>cI$yNcj|SCg&R2(6(Jsvv(>zC%-6taEadd6=;%um0Zi&uYo{(}IBLw`dbCgu z8Sc&}!A}_P9TAwzG_hEiE|py{(f3(O!DFffIb32~se}Da_6^_TjP@7MIM?ysYk|73 zgD#9{Fg%MWpa}7O!w;ELZ^W^%=1%GBAltuX(0v25y>#w~jGPcGH{P2whPbCWWIxy< zd{-aSFmaD$1QfffNI)e(GbhH?z;)e+#mZsW#a*nqD@95FV1`dSUJ!0R;)qjJ!rg(` z#1}M6$w-p#o$i@jCE{X`wW%#~ndVDRNmB7U+rf>AbFSM#GZs%34C7FNkKfE8M`M0#)`g;fl!$NODD zv44i7Qcy+*2NpI=#szp@;5&72aanT z`zRJhKG27Xm!ZQf_arq?&szU6z9KjJQ|R`@C{8H3oT|Z2!jQeNj)MSjU=9SQQ6)Iw za+9KxmEP_(!6}<jT@aV!DdAYJ(7 zHrG*h_Wk+itQ_O1ojt5}xXMeC(8$ieC`$k&5m3{^@Dy=vu4%z4wp;}*VnCVS(EcUL z-9YJfeMc3YwYZ*L|AuJ6tVN@>mThFSr6np_h{|$ zu;T%tbbmAq)K7AAuX?VHK*jB(=ML@vd97V0Jut3gCHz&8d>fYcR^v9jfq&gT({D!B zAKuE-+-At*$!Adq#PhmFwX-BbA{Efs0eQ8f{i`dao0DW&_K(zToVfaqzKbi9Se}fM zMm~(}r66{r80K&O!yqN)$uf~99{#&JCI}0z7mZLwJJ>W0EjJAGRqJdwPjY=Z6wl!> z5-Pn}ww2dZlfurpm5laa?J^o~w(i#Kq^PxBkuOx)O~xE)?~v&bS?+LjY(>xCfa23G zwAuTq(vuJ&)k2`^i{CCTk@)C7?fhL%^^SRY@{&m?09s&<&d4x|O*i_yzwWGpjhX1( zl$-72YCfM6Xb2+uGJ?zD*npRn!AP3U&__mDizYWIsJAxCcVy=G58XpuxC)$C@z~9Z zdk;(eaBDU}xZycL_}t#bA8a)cV5pnB;9Z1EcGKn;;I=Pr2)EhToU4*aEP!F5c8T;R z$}pDSK4$5Tyx-t2fJ$S7>)wO4*xwWS1(v+ktZ$3czB^;Z>3+ef61CHe8UMw;5CT=z zQeZsvetj~x-3c}pnT!ZVc&rXmoU;Nfo3D7_&rGVCF632Sgd!AWJYH@Cq3UY*N4gE5 zxZu~N+dSi{#Mdu;)aoO*Wu`RrsMK31_TumFD%4`02{`T+`}FZPb~6C}viC_BliZ96 z{k9KcA&c`ba{a>%m+j<+d|ER(jR|pG zj)QH%PJ7<2{i$%8lb^?cif*8c1h&LPG^+k9^FSp*uz!4*y@X@XnH(AlHMW&UtNYWw z+7jtOb@Q8-zf-MBx!dFOkJPe3k6X$#U%{4<67r)6n>C1g7AC7OcS0U5w>}ffeK=*+ zxMWL?u+5;N@cusL!i)A5hS?r7uCo;|lnUX$TMj^UC$gd*X4Q$*^2>{#ffOuLF9pJ@ zxdy$#bpP^WZ>jWGp|ba}H4SWpX^HFN*X=JW^K#{}v+E043VP|&TP*2LJH2&K8CChi zbE2E}$*&%2lhY<;q9j z9H>%C1%xKET9cXRuU?;*r}C){0dJp1kM%?Cs6A%1ruvta%##t--R z&C}fb9f77Dx0^6}Fh|rs+xM-Nn-i01ENpferH77nFt#Wo>zeGzrn8E+d6Q6;|g z!yWoxNEHN%#`8nHbcl5G3^%+@jEXAzqw}{+K!_1vFV&wCk2aeC{G!ayBGg?&v~NQ3 
zJy0yUw1CbwcTONwho#P`!}Sd;qw#ypWPm#0#ngI5 z69cX=j%UTcrr>AeEkZ?4N1c{D-BWSH;2jvM>0B+pXub5UW7jyPNk+ESNshsrPw%H@ z{M2xyS7z>OlI!HCUX&(&pu~nGUe6MM$bR9)_zS&-Z+KPso;KeVTu;q}wVcW$UVl21 zWs`?mr@rW4p@!j8r=6<9Om-fS8SWy!9QD&%5nZdHib;~~M-4S$Y#De(f1|~YxQ@l& zfkItK@?NHY;{sScDC9WyHxGDvDpWO62FFR=4mgtF<&Ps~K^qD1T7SqRd}OL=(F%-| zyIy_Qnr7OBN9|hii4AezZFTW@Pv@Lg`pqH-^iEN!+`(Y!VudEeUv$}l{t~J_Q4c)| zegam%p2+Pbb8#n+uF^L zd~`Lr*Ihq`5N4KUJ*Mn|J>yOZGVjJK(|9K^JZ%gUoQc1u)4~4b?v2OWbE+pg2$5jW zJ37BzN}wO3Oy}Qe0z@0*5?G=62i;LdG@2#WVilMu$q+s>coTfV9-HY|;@-+f&~7gX z583g0I$Ou)%nzxgSqX*Uye8wJsLTznd3wb^XWEDijOFuvv_&$2fZDG*MHxRHBoe)1 zDLNLIf*8aeGFHP8a;^!LOgdGS2Ch1G#LKq=NfV+-#eB6bU3?PRa3_pK8hK%hfClh1 zDFrbeO>9}|)w}R;3r}U6$mgQ!tQzyeQ$n7gaF^r_$I71BTrQGBkRLcI$8`qVs07bo3wS|i;KmfvxKxn>HcKPN)?gJ_x>QcJlXV~A z%iVZmeF0cLaNQ1EW423Jfy?@kC+~vR-mxZKn_Wn?U>+G@9yFl%XK&#kNEhM}f5=gU zsVAC!l^*pR#Z%-#d1DDnw^cYT0g%9p~kBvat76BjVNb@lGK+J?xVCY ztGUe8m}6SBKIM~3m%gi>*=6!qzqNm?YmN5hZP84Qtem9jrlMlCpOH0A4*$^(H1gar z!?#rm@`*-&C+6s{PK0Cdgsjk~%U?w`79z*aLI@L)-K=?S zrqLhHR4bh(__W8ZtBgVma%YT_)GrGiZL5Z>q_I_f!$T9i87GGgnots;LbuT-$g+5k zaZ5s0)kTudF0$%sWC+6`BgFo=5TBk+AAU8}UivCa>L8du91@AYXMO%9?)bxgS4@rWTq`471Z+ph@hKNJV`lLSQqWgb@eMesQ3;g(UfPWo#lYDafQl znpdJY<>>xmGYBd}UoD$=k{w)&%XT(mpWL(o^gcy2nta(6$Yw207MQRiXwsBj!Se>dO5n7YAC;up|-;t?eR}D7c?yV&@s!@#;Ij0 zot=Y?2{ZO~63W7wTbpNV!A-aO=U-AM^K)A`6%DkrAf;oZa6g4@P-Abung)iFK?Fdi zo$3}F&(oF*ZqtJAxKRs1K3`cTI@1UR+WM6281h2K=aZ^Fi$HH+DOY5h7((f^$lKbzcI1-XLjcRkd0!X_6+ z!EQcK8pqli-WTh2tL1GxO0hk0>hWQ!)nd;(KN>+ePM-dlW#PpKIy(<({t$QnYrE3Q zKe8cP>DC=G%Frfv^EJBf$bqsCIMUUuVO5`4+>jQf~#i#@Zp98VTeX=cpd_}iV(xx{Tz^OI%Y%Jq{3;P-4%yz%j1 z>`q6{%3|p@N9wlR=8y6i4^yMqAEdFko0KkgH|h3&>uz8s8j(Ki-}0-tjn-DS4fK-d z$)w3$bExo9-W6)8ZBvWpuC6E50I+Z;k^)jp6gzxbBx;nQ@FH=aAdOR7e{`>&1a zurD5mK=oRzI)lVvw?6~G57OHD%4mWu>Qj+xhIfxVNlcG>9a3G&+z%hV6}INYn8^LX zZ`8YQZW1@$7B%w_YfO!aLYt0F0{F7lR7|v_uFdk_i!!SZPD+zo9Q5b8(Il)GG=D~x z#o*32L8Z;GM@{WYHHrK%MvG)m$6ne7=<5(3lQlz62GL#`VNQvG8Eo;IV zSAlEoMN~6&iz5ei?yQ_t*5*3uWGoA7=P?i0_n-@LFa`W=8RQ8EVisYSp6y4GqxLq< 
znd-&R^4j9bdl%dD83N62&VNX_qZXsUSIxhw(HRGAwyRpHT*Kpa_@vV`21ZpkYIE34 zjEl+~!tMB6oGwm*bEkZ@qRKhz4Hg4)0oGHL=TXuMZpqjhwVgtP&(Y{>$qNbl;EcD>zh}l^Lqwm%+5m2VjphG4^rSs)JL>i+?F0D1?X-R09EqU0 z|0S3QwyBYpo4VG24o!R^gtczlTy?QW(mxz!Se{9Tb>Uet=Kc0Op5^j2o0TyAeX;o7 z`>$5u-)Zi{tH^(&)WA{b)y;`#iS0k7ghyU6TRYCu zy2d)73<-W8;`@mUn34#zlYny~J$c!<(7=0|dJJx-FbmesL^$x)j8#|Z@1*vMh2CyX z+?|b}O{=oT?zI2=rHj?M-qpR}cb=%o*|UGya6{K5;jZ<|Wky=+!iyWPa0Nw@Lk!u~ zBsV>;al2(Qalo|6&Y2EE1*?NZBwcRK&=cBNjJrsv2z0X-z%;r`WXW8HF&=2P2pocR13PYH1fik0VkH;6#ZhOj* zg~y!F#7cbN5c)x~W|)otc%4C#mcX?S*J5d4Q5CQH5Gu#T{=44>y!yutkM=^GixFSN z6xb=F{FL?|`?JL6=!?iPq+_WHEB*-=Ef(k=@I=Xv9Q0?TR%7|-+LUEU+7YDrz86c# z3?mr^V4$?0!z-Jei=XA>x4Pz#t8NF&NxYe+m!}bSUe%1@kZ{d=nNQ}dBwD~RjT0V1 zLe`6}FZ=sR=xJy$A!f3xFcU&(Ur4-SJ&If?elhW)mw$})+jYM%aeZzJ#~pMId*07z z$lSX6Uvr=%j@6P18I5>TTy6MP+e2*rg~L~A08xGiAElJK8QGWn+bD{Dl+R9tC{t24 zb0bYT?vr$no%=oMM@{WS5;Ssj0aV_H2@>m@!jXnh*^bl|&NevWU#xqflo+A`0E?-& zX>PpqwyfM<-;zih{7K7nTDTrbGau<+rj-Jl#nKscDaq@{KWN})8{1{$4a9%^IDYMNed0Js0;T+bG*jOy?u!enviobLJ37`LpJbC7!)}6P$?8|2i974PC)s^m^j zKZS{r@}v|BvtN<)KgPB+x4p`Ay;%EZ;(wUZl4ue5d{mRF{WSjA!{ULWoe;FyAEzL18;B}Ba5&psz zRslzjV_u|k@4dQYj081U^laus0B{ZJ_W-pbreUalo`-lR5KsK-jXLQ%$Cs19FoN_+ zcUKB^dNHZ>6@wcXv;AQ@Ac8=fAlj73nq<)B!AdJVCb*>r>T^|{youWXv#o95WVPD%A;Tiz=N5m#}=DXSxf zp{79XW~bFC*G0%vdlA7T&E*ugjZ@DTrMso?PQ0mb|j;MyJ%{M#U=%;SGw zn;Ps)#=Qb;ky_5jsn^a-6F>o&h@!idziEFnkQ6z!xgK1zNlU9XgOv~b6KxTn<=}6V zpHylNyn-uIHHVDn3!{MQy+T5g)&a6w?JOL}M@cP6C+_+lUc<_EDXR%*Fww>OI%&vx za{Lc=x*gg}%HX(wrnRPe?ds-IRHDJ6u2E`**iLySI6~ib*N*VtOpSQ)YjL>_?c+L# zvn|_YM*r3YLu}hWJl+xUop!Ug7~S8fuQ6i!--eR86Mxv}GKHqOI}y2eyQ=M!QtH-b zzU+=^Z`#mCH88nGnj;bQ#;j%hK71xC*K2Ylg7q}cn3oL)nB{TE?if9e)LnS&i5%yS z&Sx2c@A0o1cU@lr=l?709fLEAns(tN6K7)Ewr$(i#I|`)Y~zlTiEZ1qZDV5VoA-U{ zt2$4eAE#<}t*sxs*44G^TD`ij_6`tIW`0x~2TF2{ta^tcdODc0uhj3W&JkiB{Y1xT6TTH2% zCeX%TuQhxPG&Qf;UfnzXDLIHXGPlqPPud%&7bQ_8&4{Apewz%SvTe44fZHC!H7;y3 z(DO#74|MH|Qh@vx@sB)^leM{7K6G+K0HqGJGX(R{(pnjd+}5bXCz%BxKj94XO5uKC zNYux?VZ9R-g2#{Z_CvN7zYjZL>=SI`yf#J)qc>mDRjuob&%$n+1fBObLes`w&WpWr 
zu`*Cm+S3Q}$>{TCMGfi1Jo44YzUg0d zf36ljiHZ0w>^8DVlL)ug=j_S_mV9H}WhHi0313KOnJVBBv^ot5eIu4jn}11U-O?NX z9_0Q(RhAqndo{_UwrTwbk*0 zqfw#KVL%SJo)iFFvzsTRuRmN}ciB4}@89n7ba)j2wT(hdJQx)Avb>SZ56LUcUHI*a zVNMoru1;A{5OG`bTOh;f)IyIBH;79+U8eQis_Gf=mu(IhB1^S}@&5|o4?u%h4a>$C zul$Yo@Vg;%z9z$9EXge6PvO)sP&wEJ@#9?#tx5qrCU7_wKEsuh6mVaEtkLl3;mVQqG z&l`%FQs&&C#ZK8(D9A%jUE$&aB7Achh1SUrubO9z*|_j`kGU9*Y7+;sTsI z#K+Or>BAi)Wzs(q`D)z2pY)BaoK)(kFgS-(mzim&Ws*!@aJ@SK-VlxDKhBd}W4Hm_ zOw9jH*r#F-TmOl9P@hAL(<=8s;<#!3@(9=jo1`E8v&EjGis1DvOQw=crCsgp;m#q2 zbcv(iOrE}fEve%2dLnM9_NHhER`|VibU=9ax5f3dORp#5{p)&Whe7c3oZ+J0`v&L` z7ZoZF<gMzYr|>8D#iX+z z{OEG;m{M+GY0e8=_9Uv<>dPVH8+pOikV78L+n4&o7_{`&9Ld);YEJzwE_2QyQ4^be zl9gV~rmg-$698$Jnx|o;Fd7k~?#saFzaVPa5;j|k^;}O?TY884Jv>|J4=K?J+*xHf zI&i|@omM*>y8mlbk<5p)-Pfaz=mpiCSDTuD>wSn;DR_wYl1!M+bQhq~zx|-O1W@OdaOY~5S(}MOBR$w4hIQoO z+3A18RMEMdeJwZ6Pf@Ew`4s+8dpbckXDHOBkHbx4|8%Bj?U~W%-BSu(awii@z%Ybm z6EoUo8wNByDejRp$Y5K6o9P`h2)aQTi?zxtm^^M5k!B}Dxnz;{(OUk)$&~C$hnM1N zt2tlC3y7CjT-?2^+ypyWMw?DV15?VtD5FUlxoGi27#Dz9lce2_;`m`E#LGCKi>{id z7;baudkr#1R;6ZC*L|i1KTCdK>}OP??bV2L2ChNN7K#q$MySIc7-1Sqj_?a4Jyoqy z8;Ay-F-I)x)M}Bc(I8E8jd^tiVwfJ#fQIt79uPSXYc7qi#FvbyY2sPCz(SJzqOOMI zq`{2EPzXcs(2zOhnyvwbkXGRGQLB-;|$;`O%j5p;2yW> zwfN2i$<2T&u8%R`RAS8e)f~KnQE)Ev=XC>T=76CnyzmHY$F4=El!`-_&yKDBINIYf z7*MVg%Rn26S6ZDa2t^O&4Tcdj2UC4Yt(6sq#^%ms);P788i<91-kUJi%YYKNEiQsb zw$Rpz7K*MU*^7E&y11gQeN(oUF>$z*k-`c?9i4n@%RwdUt2rcm5prx)zVpY4)Ec+b zWdjLKOUvCbYgLC+kVk&A6*&LvS>hmW6F@#?;vv0p9}}x`n6owtja?O)&m!%?pI+Fj z5z=BYU0|G8@vQZWA4Li|sMDpgwO9RZvX>QB{S`NsOHUj$Y2o5Py@vfM!9>z5-D z%Pr|!=z3+bPA{`*wr_Rmpk-K*u}PCn852cwB8*RL?!?S2$?7@vee~zpYO(YbdVpYp z$*AtefHji_Rzl43Q#V=7u zFb*nE+z0B_cr>4g9DH%;8W3ChQ~^5y7F@G~Td(PjV99-=G%m~$mp|XUfdGjQA?&_o zP9E}WU8~EaDUM9$bsRxMt!qm6(#0wV_(x-M)&k`k1uV&sir9@h_ZZfop`|z8L$t39 zV?Mn)o*ldR7tGQNq(4bl*Ep-1%Fr$*8<`iO$8#E4W?$(CHt;5IM&*%t!sJbhh`hX- ze^Rk@YJ+$Fssb?aJQ)yhI~}6H zw}rT!@vO1We=yknH1a%Z@iZol`ThJsc4@7DCD%LY^V{QcqY>lLTSvM)fNy+1z(Rw0 z7HB9&kU>hT$#$)d#>nf3TnF1iBi{XD^fv6mprdSGDH-`!3`Tk%gyp)5-6q4Sn^%Q2 
z5HW>dB5m7n?+o3oVh_-!&e)RXVnmLD^xF~6Zvu^EX&3C6FRCXSMY0XY9n_jr-gWe`tn%p z>5haEn=muVOnCWj6G8LKvd^%oPFAYSap$qF z$W~6h44FmuNCChUATb43^`(|R>$aqf@KJ=u%`07{70vf9C*sp6DY*DPkt9jG6Q|X> zc(dPoC!vC+qic=}=jN}2{kXug8PPtpZSAaLXS|v&Zzr#IM?v9ow8r1h?K19HiUVIo zjX4EI5t*NW8!5q*p%uK6UBFU~<4}2oaLyY80d5U=Yy%`;I`LCe7omCG4kJ97WaSiP zDe%j3J5867B&rU;d{NAU1ilWEpVU=TS!nJer{A zaM?n74*nwZsB)kf)R!)rA|~XLWS@9_#}76HT?z3qC-|KMN)JGcoRPlT zxLb`tFu4Q*uP4rvU)Cp3@Dr{a1GI4Zz0v-`t2h?vev#`jhqzu~80# z5!uqUws*bP98Rv;k%>RUy|M4>+f-TuT|1eo>3EF^@8>qE4pdEhH_vF>$8|m<&F2CT z`k5T;978-LGXK@!6}m9Gy8ov>aaz_7K!-BZ%-OkhI^Rs8h$`?E{Nq?9)pS8%6h zSjamNDu(aA^lXb2z3G#mA!{lbh=Kb342q0W&vCw}N+-dfm zXONYg$KEll!xCX?5=22d}Gw(_dQjy&D9iX^;_)W{Yx^PyaMYZe2WFGg5 z;sE0QQiT5Y`NQo(B8bT_-HW2;QE(>URMjdjR!C#DCW3+v6+WZ z2NkhY8HF=7($VQGBh_rG^pii;(nqT^VK2W=LgRaKo@Py6!)W^&cUIN5N6@xcsKc{@ z5MH?-8r4N&a?fdWf`>@#{D=m!sy963m^;CFT5#;tw5d1UPJ=*7l<;TZ+JfqIY@iHM(GE25%)ON zusXgwUVlJ}9i(MF{=#}a(8pMwHD%St<3M68Vj#xB`3 z=AW#IhrNZD+&9qJ3;7*KA9Pf+T_9kG&uw&64%ASH5WZK5%vV`B-!RGkHJdNT4XM-U2hHIJi!qO-jgczEi)upeZ=yPg9!Spu#xDMw42@s>M2ad=fz;e| zWVhFRj-IN1pBF${O*->~P^@CalDfv|A#)=gtt2?S=hb;a=eK-AriMurAArE(dc5m< z(xZl<<+w_x4*ggn6^$b_Wpa7)l5W~A%9Rl6@1Bks6+CT_HGbfq`DsZ<-EMazgY6rz z`VB^C;Wu4J7)evQQbjb~`AnhMe%6e&QOh5dnP_UqMLK}`NgQrIuRLPKRM6Gmk4YLX zZs}0AgkpcKRahIl|3!ymy`ze2M6jbbX=i>CyB;ZHN+{#zYloX#{hBYezl=$i;?nKl zNHu!}7mODvW@1;wi?E6DjqmVGgf3SEITM|ThKQHTJK*SwM_QJk}a;1m!g%7%Iv(S$dy<^UJAddc$J$&1|YJ^!QWRg}W?UI6=A6v#2PMrF< zk*AR-!QKg;7cwd(v?ALAS$jSSn)(KQ16h}R1D6+(cSM(Qk|V>F`h_A49LI#In!<4- zI~t^C`QM+N;$QI_b_lZ+n`J+$fbUeeoYD)xHdOhKnRb!@tg|#2e;#-w!TsXer|yZp z2q6Lcs*GW0Y4U;Uh~%YJxQRBSK&yV!@@kmJYKb?5xzgD}O*9k#3|^&a6M84`71;p| zO?dzJ?6`(hAZlPu?}27#p@v@ynk1dmC~8!8-(oZE$T|jnejRdafy9Bca}yfXXB`&c zcy?LH6PUtTS!7*aq!V;1Y2vvb*A2s*O2OS_O*3(|XRxDAVRZkzy-&$o&RC>`Csj9vC5r7CE_FMHNm42eA~LU_Q3aTS0CP8qBDq214VKi=aQQmi!-}Lbe+KS^ejx zdYUf$lnL^+jEJbueOA#~ww+Fbku$7{-@!p^rDEPh2vEaC1b0vD49eL7p^~N6NXxn- zL#oG0zd}RLXrHgV<_*tw4S%Q;X&-#sR@Ps(;P+r7J5iFo?n>9oZAgG5Fz~NqJ5fXE 
zSi34~(v{{e-|yzGe0iO?C5cNwLM}=S5`x-+tNxLw%7B)p=E}8TT&KIiBtf*f zuA4Q%pO6MojrCZq6$paIDI*?Oo+6K+huVeAZI0k(+o`2@7-PN^#_1}6TEHGKk%&69e6AzCZ@t9+qMk~fC9)t_E z*y~H=!$DSWV!mu+w~QaR&J2!M zHMCJY3}G&32J;8(DFJmB`_;scoXcd;8&*@HrnV-Rz0 z`4Ua@yJ7$A>Fxt=9_AG+?huJ@gk`^wzdcKH7uN$qP+Zb zL-z>9se<^C&arc2mxQWz9`6S>x^>S-hFU^dY69Qqq6m=|x0K8j)jr?vCEq{JEPgQm zhk-hq0Y_(`eg>5lgq0P5{xh(D_T!&{|1*ex2H8?p0HsO?$_4zKfuaPHYHFdFg<=K; zG>kcNzDc-^Yk7(a)n;8s!6_f1UCfy zojBZ0j=0>7f0>Q^lb3rT+A!%&7JL_6dm96hfF$j57wIu~R zBn6UcJgUC*NJ}XAgQ@a;3#+!I11G45v%`MY%0e|8QXMN$PQPZk6WX5HPWH(dP~@OS zr+)tTl37b>y0XHdWE|u7FxV`MDmQLBBz-FJ58@vSKTQ{DBqEi!K(vo2C8VNWni+O= z#h@Fn(_oa>ZIR}WpP`G%CZwz!NE?Gh_{jQ27s8pv6iFTv2|BWK=HREm&O+)YSZm_^ zBC9V&IZISA*Ikkp{NVcIo_~BI0#qDnI&(G|AmZRXGOtk8#^ALJo%rT6W{Z)|nSGs_ zFR{UjrjXg9Q_@o znj4gP1HaR}U}ZzIELTpYRcVa>{0VXYH3POJeaJm}Eo`dqq6KxVvb>mo%;iGt!M)P3 zL@|`yME%^vGP@DWE9bGL$b2QMjw8t)y)3puG)Aej0_D^XRjG#^lXuv5blP+oKtC*I zwzZpR0l}2W-TKkL6)g0~1K^1Z82E8;c9X_T@wlSx*GH2QQW-mbB!AUSnUOHNqs_)u zk{E)LR}teR&gIZh4RrPPwEQ7I=HL>taLezDcrgeP*FTzuB1z%TR6X%8 zopf2!{_5yZPv0f84l$KyZYC6*s>WUG-!UX(WuVo_B@V8(SYkci0N3Ov9j&WZ-0r(Z~H zwc8y%0vktSqUsl{uVj5gfaY@FzickWC8dL$LK7Y*xx-KovzZLOXxnB_7KQ7}( zUfS^_#DsP{#3dS~0Z*b(zQ2h*C>xC9yG1vkh%%OVcHymGC_7{QbGb-gg5JwH&Nr#{ zXbTpVeK2EcyJL+jyRYP3{j8U4YF54B>xm_AXwDNJ$lbkb6Snc#!lV~`QnGhOxtkMk zzRi_4bq53Jbj#+|dK!zp+J}Os%tTVS&Ek1fD!vzWC9L@i0VSc;O|S^UjgpUnLb8f3 zEqXh@b~iIN*~UWLLSytfU#qVTTx({T#;8{H2Om3f45U1k7g%;$r+Zzmgwgp@I=oS1 zZzwvXonIH7!(B~J#(Sd*x%5qz%H8ycvh+-fQVDd$x4gHypD4z^O_QUV_$W1pL>6TR%zHre6ptWapmtX-(VPKRM0*(| z#j|dc+4bvM^`+oMYB1o1o8azwC2p(RMiyUULEQsTRWdR_k(^)5DuNi7BR1GM6*Xd) z=Uy?BtwqO2{LxkAi#sVQm+Iz`54_y~mW{E!kx-0OIvPg$>=>4j^N07!s%kO>HqJ&tpn28mq zh1viGR6nW`FoQV4!Kai|DTpGZU~~e}!g-mTQrZf*gnIDMNUq@r@zacFQId(AAw)dJ z*r1F;)0!NimivRPj@FgI=x-sx=@Vgc){rD;^V5`6`!2xm$sINGi;ermU=3tTV`qg$ z+`v4pW*HJ;zRkgE$kk}$_YoWogx$bu(4V>FRs|o~0zso;WB|H02TVv3JD;=cqhc){&s$Z)V4$cq*jHjNk;oq3>!_4RQo%kntwm3 zV%>D%zc%$l=c9rIm+Z(?m6wjBV0+9|ACx=27~XQl55zxC{2sra-&+W081+>fS-iA7 
za+d}+Y#6FaKLE&*hBaN7)Ly`=nv*%sj;Ga#Arcf4|8#qSxB>Oes`9_P*C$PeqDNuv z{1F{3Qv#KjjDFu|xI3{V5vdc7*}=MN>R+3fMTC)0hXvv+eyPR@in(To8|OWKB}ndE zsf0sJgush4&qT|%pN%l4!d8)8Xoa zt+$QQ%MSlo*d0Li05{G5Of4GlUqwD8C>yXO7KRuQgRa-yA!`Q^%80I3G6{d11@w&h zLg{KKy-={Won&q5jSQJLSs?&TKT3GjHyowi!;1g*zq($P$9IN&{=qKNRv|2pqWaPp zsmG6rDyjceClF;ZU|3dU6zu-?^%lUNpvc}74EucSy8LTsxLhWCUTg9^A&HwP*QsqM zI1L0iZnAZ#vSh|2nr;&EW-)F_I=7T6I_z!KK6O-xdRRVl}b0LKNhi{JXW3fxc46NrPCT!hGTP`XX+ANv-Vv5k!JPG$=d~V!!|( zrqk>alX^vk{iMf0)Ih)46*sjz6An{g6e%g1!Q<(Y!WRid$PO(zo3%QHq0DY|J9qZ( zpCdL1Rw#fyWt$gS#sI`tc7<0~(TpN5b>T%ELT4Mqipk`-b|qr&jV3mYBw!|V7R~T| zbxJva%*-%8RBvu$3VP}>hD8(*JPoM=`CAwsDrVHLd_MGy6q!#)Ly;F$GZcuS&=cm< zY}+}MK#yi&>u1rNXGQUXGdu^R@XTNBk~LSVFQ9DjUYtx37anJWHvl3&)?uo*?}+jK zW*h%;GWrA%e^h*~K z?_6x)_+30D}%dGh1$a)K2!lFkzP~o+zkV(Ccyi1CUT^uf^780@wX!-`cZIM91RgQyujz;G(G!?>Oy7<9<`8Hq>Hm}TXH#>- ztN05*qHOqhOSfp4dSuNVtbT3$ibs8FulZI#DA}k{<1?V1u>++?^_t^J(50lg7drx@ ziJ&DG%^F2%3D(Oex|=0M%R_fn%vvTOs-hpYAS!<%Dd#A+70(_I3u>AT>u3}#lp5`#!9(N>>Ks|-#e%2SlDJjfbwrsvi`o>dkKVcafEnv&C<#7Q_#c&XwnG= z?dZ;b!?f=I4*ojPol+7c*ku^l5vK`5qx&b~FW5^FhSCoB{;3P+H}@nTKm8nE^nal2 zVTzq&`5fQSj-A}lo+S*_6taXFjwx_`WZnIH#1m95XA%G0x2HL;8&WQ+8cE`ix-TQYn1!fliV=V|z%sFqG2r9u_ zj4;rftbcSaC6AjpUov(9=LU}CU%=#yh4S4vJM>TSwjJH}@aqU$4da0)eznzcNu6J2 ztsSP|7e=Umt9a2hz~K_iocKTPHJSuN31Is#_ez?w9$-QWzV?U3*Oj^HSrlPvRR9Yu zrk7vuAazg?CB+@$KD@HIrsG%pH9#5Tu2G?`wN$b0Rsg%>=itFsZgQfd2>d#yFZ+?r zgE<&s&C3gWyOWbi3|(Qz+R0&|Vx(=~^K>*Y;l9x!5R37+`r!(2zirzY)M;`Jb_d`} zk@r7Zdvrv*R&Uj5PMGDXy)cJ#M}HOn9d8z#{p5Q-*1gN-E$f)E9%1dcVEUL%-z?3~ zqvFzwKD6DLH?yRB9nPlGl31WxbY_hqAzJy;oguO1#k=x2u<-ie8!MoSf-8=c4oXC^ zp@x>BZyeScP96sSO@_e$tmMHb$H{32r_si@3I+`7LnCNIcn@aGqT&S)>Kl(+g(v}k zwwaES3zIt^vdFU#W6~$H$fFcTk3kd5daqEE`&Q=MhCH63H#J`-Ioy_X4NyskN3%;>Lkzxim3 z3Ql&syhAWHZUX;=*8w2r&|op0{Ap}t%E+m zj_FRHC?<-hyTEq3(eg}`y3x78i(vDT&-qXhM@o^;du_&GdUexnzm!_j-}FsGPP3EO z*XGOa@zCHN{+#BLgZC5n6^yl94qaaj{5sYy{uN`UWtU2FD)4IN> zEs+y3G%4cMoGV?j_{}2D0-D$G!NE%M*^#>yN*KjF*7+Y1>!UE49al~cS`L>L0^oWE 
z?n5UBlJSvC^$icg!VYSi$0mY!(<+725fW+q3JlZ>%!|*PHig7p0OOb*JC{4<*AAMk z0xwbm;woKI!3#x@4uN+;JE8EGLI=}PA5+f-8H?ye!XU(O+FZ2@PsD^_br7N3J8VJG4ttH_7fnJUZ5E&plFd!{AJ!9W?-GHmx5%qF!9=qpM*m>qqQ> z@j#2(;MT(u=lVI5Bi8E9quEo09~gsA8im;j@lM3J~#&ETpA&xcX;r;vKG7wuSiL8 znW$8j;;>S1pUSB)Ef1*SJ$MFK6Lws26jzdb;Wj5U33F};SMMD+{kXH)4p(1>nHxE zrMJAk&H7&I`xgjL;NJazptDQ=2i<>_OXw$T{SR~@|Dba@tCvcu)(BRaT^1339y$Lp zXnGE5i!$%Ix8aZ!j>#L}%bCudm0qZ>+akjw)l+qh&vROYf+6YGg0~l_S%#7k5WmS! zz3KalLb~DyYp$)3)J3j!&qnt(q9i|)_?T~nL%!Q3#Vg>$*V+;R?0wbI8!Py7%x;Tc zB22Wx8(usCq;NzU;Q9pG5HpMEd*8-LJ1gTBvetGkQrv;-G60(LBQe=5zF>}c1x#{) zOQ*Ox4b3zXCDJ^SMVS1ntHxxd=%i=z?YuI*9A*r&s3eYVo@Le;w=7moavefvUP`{O zw0;uo=z>|OqO^@9!CA3!jB*@WAId|KaJyvZ)@JC#{))}+CA?NruwL!ujkX}>8ukP+ z&MM;Of9I}cEd$228jOP(s3;AK1)%6~9C|lH26x;ql*i??J7BXc@pi0qvhJ+|)1^)X z^z0CG<4k)}$+~Z{6HSI3w)yj&#OKph8D~jXq&p&Lj-dftd5Y<~o+n>^+x$}4JLkH8 zxCBSln+KT)&dX6?HX;w@iN6bc!=ms~YVFe{=d-6vlCasF4a&!TfU9fx0Wb-PU1uVv z3-u1q=aTU3OV+^JLswl^LVfd$QQl@jCrWyV*K|aB$g#rawJB~wCYq5>84a^i1P?L| z6*Ym`i;kuPV}(tP7iL98M@Yq%!~y@OnM;KAvtd(3^_LP_z2kJ{{4N1sgH8fupmv2^ z;~zIH8vZx%KerOBBm7%f$AJ7)y}sgEA?r;n2>P}Wc)2JG+ES=Wdt#I{Zb~6T$4wzN zS9gP6A*|gWF|LykqQyy*NhXcGOS4Erok|$x2e6dX&<8~UFm%-#@lENJ?7QMMqlmkQ z>=}E$HT1~rlSwV* z9yc|(DzyAP>SxIEF7;^)@i)%-5ePJv*eOU-w944+QtE>CUUwgq_X6cxEw0$cza&VQMp@Jt(POZcS; z$L?9ztEOibG2Xr&rf)xDtBbEuN3hS|J)04`Yb&TYMJuN{hfUtVr6 zPYx!YjL}6gEPAH>tp#h0@dgGCM!s=iY~_ppyW3%lki`Cc&9~{N25p z&PQhq2n?&xv-tt~{()FN&h$u1YS4qS3#(RVNO(zX*{0bu7-MnOOq$87cFC(hCrxBQ zKVre+t(cZ7Wv=y4M9+QJL2GHkvysR$hf-8RA{T5CZT2^bPhwTt+SR(_$8YiN$YHf2 z2rh8RZr!9ss3TV86S;;asB2upwFXLPluKnA8@M@)G5rATTyB)7kFJ~9z4ak{>dzYc zS1TT|45SIPB+6h?m=SX1C@I40W09QtsjX2_EH)KUz4Q$sir#R86@ROkYn`8Xx=Oe% zZ>C-CszqhwZOCP$+5=GDz6*joD13|kG6X64;qMXd^5ioM`69PGYv!uUz{l+tN9f8W zlu#u`?^OUP7|bbBGKp`d-s$>6i9D*7hwmOgc0E#INr^DoMlYTUt2O7}*+<0f&6D1&bXsuSOhl*_Mc`5DEzuq%{+| z!SbCJ^)`C8wk;COb3&bDGRiT69*)Ox2Gy;Rwx$3!EK42Ru7g_dbd{CNi@t$I9GN>I zM(U)7Bs0KKI9;_8_S!0&M_hRtxUcop5B;&7=MVKh!;5~1oE@S`s-Fwdvv$_k&azp^ 
z&aF5y*sbUJ!j_N5q9FWJjXUy%;42m`u!R@snv`+0=4A}#)vFxCr}Og$7^%~UYxDUl zMS1}5m+^ini*Rw!m&V^gdX^ID#1?2SS@1-xu8Lvg3i!f0h)k7mz(rRoTrf}Xz}h-$C>5!XeHoi1GVcY@p&={p*wSWDl{ z4SdK(yHW^>*W3<4v$!<2f0n9DuZD)6GFid?rx^&sojV3qQ*>gM(rmR%!TEf0AAqfN zs|fp~(}p*ecS_RaJaN2+Xj2oBsF?1q!Db;#VYt&u0Z2`L3QtWQCaIZ<#D0%izwPwA_I+@Nv8VJnxLyGJxeZvY*%$*M>nlTN?to`DIg<61OcMw zaoQnaVr9*x%eE}l`skV0t1khcOG`6k9M*lecfCcCv%doI>_WhQb(_4_p3?LO*@RM# z**Q2Hu6fU7AU+~?HD{Gu9e+a?lf6jV<;r>>!^4>;e#(ZiM-M`N{^j%`uVKcxz0}!+ z^N;+Ec`PLA`%Z}-i9uw!Q-CY;nehVousMYZkbCZUOw?XE6_>Yu!# zkiJll*4}G*0&@KQ+SkyKvm1IGB^feqy65KhD0q{9SxbgS!Lqq4G6@g$m83%QqB z*rB-5NlwUDgzGJSwge?RDgZ~znP)*&<|1QW zMNm0k_+9{PFD-16Mj7cK6g!~PgxonO^oTvM3DYJc~{c378;oOzEy-Cu;SqFJ) zH-W`jl#_YMrA5UPt7wk9tzgG7HpS_&{&VJ8@zr^ty*6iTAK3^+#4nkhGu8{vy;-?^ zB}yNw+)g`If+?JcGXUI=R1S0Pbulw56JQ(lkjr?6(k3Fh;#`%IFaOwr`wv;#WM;1p zdM{QoMoP*y#ErxYN(-IV`bHYO2%ybI=2;QD4sp)v?$a4oVz-a6RYyvZJZUOMp!D=% zLp*LVN&RjU5#^E8wz5>}MH!t6PJV;Rt2G688$CCSK!%mdGoVtX6h%Krw&8aK+N9%D zzAKE9TqH>|hIq6%vyHMCh8at4q_s$j`=D`_a*=MsD7E@w7LBRGp)-vqY!kaIyZKoQ zEVp(^IDf(op5p2io~y`mn8kGwNj_?$gzQTe4{BmN(yDxwLig)st$r51ptisLC~K-h z9YlJBK$mTtCSYR1IZ5lG18-Q-p}lSHuf!YAPxZqi=i9TwF5erk+vl~Bp|h}=%NeLd z*P*>PQ)bB8i8ia_c~j-CQ#V!CBAb& zt6pORr{-0KV#R#}T-rg&0is%c5suMv*IygS`nC1lIY6{xoaV^M#B-gTOL%k^_SLZr zr>pgx4C_jHz?X|%h9_6@G|7I|UJSCez3V}1CT<*2X#(luW;x^)RqM}%G$<_AmTu)z zRlfcn81KJi${D=!3u|-2Q*AD6mVdntl*f>;Yj7+?P0__f2Lgp}5M8-E2z(2ga^M(n z&!bM~X8|yB@G>BB2MJSFM8yIzg{UKm3QhYVF@?WpSAX$CN}+nqBz^5#$%ViD;ME9e zJC2Er1V3ixjYhKl{8?NlE5y)P8imI?EmrW$e?DOLl2JWxX1tk*7H;^H|ai#C^Mqx5P@^lUmWX7G+H4RXJRS*_&sMN9(7tV#56&?U7BNU9^u z3*i9hrPvs8mAeE*YJ4LyTQO22zW7_D!^oz$IdlZ4d=2@m%T`#*0XTIQ6bc`t;yl>6 zQ~CR+@g35N7#@fEJbViLqAG<2LSm%0XF^Q)l-GmPa%VW##JGGZm2+LE)f$yky+3!w zjAtoj;ALU7vM*%~YGV(|7u1G*V%8G{*4hDUw2}z>P#i}#AE_*f@ZR z%+ht8B(WtapiRMJ#n$!otgNLsyV3y4Dv5=|?OAK_2Vtcqlc(Y1mL+k?2}L=w?a?XM?+q18M?k3esH2Xjz00Me{4Tx@&+pwKFo=`2^9g`x?d!{J z=cmvkWr-gblAvXc0>jKd!L#U|(LC6*UHYrWsqNuh|DPATd*N$eOE7bHo71OuxN$Au 
z{66qy{-V%`RE+}uJ2_q7v~KI)@1GkDL+6a(PJ~wcf684IO_;kRcZ`Q}<9dF!M9<{p687}uqt=`CJ1TuUZ;RyT#xbU9UXgBpdI`MvWU&{X*BXmh`}@0Z z&m;2PIipF~DQDXV{CQoM-*~a8VSV3zZm__loPf|{rrjnFqK_r+W3k^W)cLf0J>LJ> zrJHGkOOb7$wP6D*ujDJQ)E#2Vk&DM0LRF z*s@n+;mg$a()qZe{PxF^@F7WQHLl=d#&uL_GK4|r4UXIarD1>T$S2p6j9SH~p8 z*ASa2o;q-+Zi2cQLg6^kE~@?14wOI?Ht_(NVtdSHW<@qw{F}z@dq1*A=n(nK1CWP} z*>W?+fe?#gGd;My4vR zw+Z~7>4IL4&c9#{co{se+#zc2%fs3G%~p5qkZo?%retvHLcdOgquFU}sXT^4om&V@ zX)x$!jl&+Rw~Ds2i@RyHlDiQw8hEu3{Jq}p){>NO{Tu>@W1|dwO7b~Z-(aONS;Lw8 zQH@V~aAtd`kk+@bEPoSFKU87JX3FV^SZYCS=%4Sx)43aPMO<*5s~mrWl+i-J{A(+S z1}xWx#TGGTXXR#RGUYVmh3TZyPB7~&%X-&NX>bq*sf zan(!{v~{eDn-%q!Vld@BQuIxq7mdWiMt<@tfK@1qozLu zW(F}aKg{1j?uHhhDp@a}}7 zM})bs!oq2#YCk2{a%Bi;stbFM2htQtDSwe5jF90GS6jzj0R)G?e%>7%Vrh1b(tl>$eAZBFzIjZ+4D~AK43dj zoI4=5oy78Oqz_KxIq83YTWgnc=F)G^xI_*Ld7^R zw;jgV4BT+!J=eeL&0dX_yv3RxKJWxn+_T~ff^tHb9>S>{I%);GP;zi1Kj-X#y-@C1 z7Ue=*+0|LRZUn_uzSiy;d29uJ?AQpd;v#%J_Sm!E1O)lqLeLFh-jZ*Iz2AcTYsle= z!dr_vvwxu#;INzdg3%qLzZ#m-3es_l?~A!JK%f_XeZc(zA~vS%esAXdpI+;u4A}s))}aI%i9@hxbM~(zI}<2{-$87e;g1$3Y-(w$Yf6X8b9bhT6~5Z$!V6!ozU6|3IzYmU z6;*!c07YenX_A%9bGK!&2FCWI;l-4dPH`j9DrL&!vf#5ScTmAKIKdtpF({0XWJRni zhiJtPap9gAV^0sf?zb$5$}ef)cpvIm`uJID0Z8`=d+@#Q%q=D3K2@6bJ%+Un{)q;W zO}Hg&+PBGk5CWPyWj=E6=onGH6%vlv6MXybjA8OS=sBg37FO<1U{EILYT^#>Q-Lz^ zw^2tFFf0pnnzHe^rfuAbExHC2!pf^N!b^tJTTq{t6=?r|Qk;?9|C~7(Tf+iJ^F4bAW&3S@`_1uqRH**wuYPh+a3kS6)DS!~<`9e6b9C3b=R8 zwaBdez`pkpJi&8FKL@j4a+8rFz5i}$t$U*G?71hxN43F@`M{RV;a^7>PePCPdw&8$ z*zA8^@6_Wun9GBN0zxVL35Y@K0;mnki|z;_n(d#afx+(U@@PQdMNYZWf!8g^+3>u+ zA2Hu1JW}qT=JeGlBI8t{^XiVGX^Hby)-K2eRA#YUO>?y^-_hu0uq<(A6Y?(6U z59@^49LG`$&suXEkK3rS=@_zgDK^%hJgf{A>1Nx}Rt{3Zaao(82vcAY#HM9-!_fQS z$7G7zlppOj_A}p06243@ZiVdqZeJj5@WGU%m$XF}Ee``sCNwJ1EF-ktbA zfY1>&)#ctfn&T{dJB=ZDnlPO2I@g8+xM%TRiAhRz0J)*e_9p$F<`UyfvW99w)zsdHNS>OjV*=^e6tf#rE_P@;`N)&c|d;4v=HSMZ)RJ z>H9=us|{$1tc$|=ZHD{gYZ$wtkSM_^>3Y2kQ;vp%0%lOoIw;vEqvhA?%M`9N5|d^v zOqnA4(J?3wqd)l)*f}-ccToZ)x;!2;jLCA>+T;20h|170d}fva^vkas#`4wu8}DQTn1FY9yp124gM4ffX`ulAphZk 
z8$d()#CuEj9NJBAH`A|8MURm3I2Mo{ltN!}bl|YVjgccFJ}I&y{LufCndeJz^EgOa zQJ9ZujCY$1QV?t1jzb!cA$0+%RGa|$Nl168q4AO|j1u^cxK~Vb5^v_>I>y?IvXjv` zNiGAXOjsm5?_;&;H>KVWJS*o!sf8H35p1HMeIVh595j{*`03W$29=0!Us#vTjfpjw zlbK*0>1L!jXh&27#;RrGebK?hIYL@@?}jUOG4GsOnP}GwF{{2TLbvIyDFrI6jFo6^ zB2T&hMvph462-UFr0H|@5#urj6yHbXulE8`)FCa%g6OLiGEch4AT|{TPt^({MG>@6_?$N>RM<{R-4D;uObNd+uweLlp~)m4|E6{($oV7 z%Lq^I?kM@R<5fHUx$U;+GFH6oF=YBEGr_)Jju9adbW`I!V2O-~c@R6tsJ2kY`5iYzeVaDDdMLG`?Fqz1-Ri2j4Gi|gfq0bIH7=LFL*Agb?z9`BS^^WS4Dj#lImH-%5c7cxucms2 zglld$QJn2#1(Vgu8M<_~4Ufyxc&T8R?mo}wXt5gzy;pRDIlk*-se2yH-kUckp!#Nd z&!%Rsl`SnJRg|h)9PGDg50m)@0$IL9_g926S)l7lM0o7|9nlFMd7Pv(hh>)qcy?#B zLRv0Ewu}W|6Kl8+Z~Ns75qChLEh&?tt2)%CYe1rdGv%U=nRHaSc@^5}js>3DSuNj> zF5_L=Rd!>WnCc`o-XMFWxTjJ>FCY~QVb-f+@E2{wg4A$Y?2>5Jv|J1u?yYk4i3~fh z z#Cvtl3`5$Z3xyfYugm}iw54p>*9LE3A9;0HZC6hHbXb)P~7l4ZE>ZaKbEoignGnhGznV;W0QOTO21VukUqKqtdq6l}X$ATvd>^Un@awaj?W z*O?&6`%ZtVFaa!Dq7eoakb~v_qUMqAL<~8v-PQ-)IkYrc{34viWB*@skQ^*UH z)s@Q5+8?0dIYxrW`1mNS__RlqH(WLj4v7*fQ7HP5$J-6o6X~1alac>VD$~u+(9U;1 z5I6+{T6Vwud_NE|0pA<^?)vcnOhBJ*YUJ_x32R_$z<rZ}o{=+@zHDxv;m zL*PHv=SIwPk}1%xCUtNc2valK^!yEnsSGFctR5csW&y06aFceP)VeCE=r0s)|66+- z*Ft7KEShyQ?Cp79f2S(H?&VN}%x85FhS&3n3gv$5?9iI+Hk6>*QKoJ|z6YFY1B>Zp zP^IfeU5C|cS%_nry!*CKTx>JE-IFL7WFVw}jWy|le%4a!s(X6JC`8NQrLjo<*i{Z| zwS(}$$GDjt^9E;5rz5~5Xl_HXvZH4=-d^_|VTY2>I$3djiK8J;tsZux7=u=QqI2Y1 zr}ey_hm2L~Rgoz6A&a|>{=T{QE?-W%{aP8Wy74w%i#gMRvRW1*T}p9a#xPpW63C6% zspzcVtYfk&gfv=D+f6VmB}+BA>|jyqhfJm-%8HCJdMcu8a;BN>?z)sAiLV^wAX_yui7we! 
zOFBVqCW5{pmhKYmrj#{x89~6T0m#$^Vq0Fjxzvj0zo1-N9NvY0)Mnw5bIwjKJP@MU zei1cTlIKu(dEAt0t9cx(#hRH@JT-2rq{x;LRrJKB!au$q+io&WJ0l}mI&HEsHREBlh_C>OEHW~^pxIZ)VrLWOPD zq_(5NkXo2r8ajSM0M5{B!BgA?I$qof%riU+E9GY@aHuv<)!^KqU-3>IBODMV%U@(( z{w#;C*}le^k0s`|;yD|(7NbDlj5e>149QYG+3MA)M%<~M{xZoBK7ZeV`fsT=qJ6iz zl{9xsde|-_(>qFq=o((96Nq~FR|4TF;!mT6<})m2#iYa**2dmR)3?$H%5bJvc+nIH zB-gTpSjX7$i0Fagzkxq@0L6cTc$hI%s)5sdMcb(JNI&y6F6!vH#PqpG@+#N6&6D1C z_OSWCVgBlo`(`ECq~qxUDHPFGHO0DR)zW$^pNC1$-0nxTsmj6S#>78t)T>D|5t@fO&X;V^1Pb^^2iZS0-q#&< z-R@mf=kPus&K_*m*`)sU_Y^nqt;!Z0E{RYy7S!v|p5^Cd+tgaxiOewYVrr3nm&2w) z8C`OeBI1~4<5T4gqV*fhH*V$xvF$<9{n(@+Kf94_0kOJ{c!5h)-+xe6En29;ftza9 zR;2x-3=apG%lSACyEi=%I)qO$Dl(aDSZzB~8sAGdSb!1hRy2l0L;szj%Uk>7=dWy~ z4{ClPFlORlbMQqOuY88~ysdQ%ZG5eKS@STrBu$z+ax(7~&P?%SGYZPJzNcw z3@H(2e|Y_`W45<|6mvE_L(}Le+r;f%`+(z*;wU9c$Ed1OAa@nx0=P&el8u*>ii&O+NjMh|FIl@lfp+mHL2mh=Z5}9vun= zoM7-(6mwE$LE#(&?EzQA2F4;iGuIMi?(7!LyQD27kK&bf^uU~YuR(zODmyh-1<;N+ z2qmx-4{=WuZC41!RI>Op*-=h2i5=}|6c!?D>W`35Ll1bsQI>hK{jm<7*mFnL#hL(* z?Tq8KP&HLbXcOsi(-Ds1OO=$!-0g=zd=BL3e$*t0@bpwgLWB|S0FM_&O-L_H3O9RA z1f+rnYonEby>Ksh(0eToFFW|DJaDE`Ij00v9ksF%Q}1kubpmXHagMlguFv|af>$UH zI^VGUv9B>VOG%MhswNL@mUUAP9t7P&qRUJSq#BHh1v;!D!Jk@}{B}3_Rymgf72_9l zWO9j7BzZ5wC)z$5N)Cq|az7|3&Ph5=^fMo4!IFr#hBzHF$AcU5u1ZlQF%aKW!aRM< zqZ6Sxjcm}0saO8UCl*(Jn#GfV;}&b7CSF@qhi@$-OR-SYT8Ah*2B-CbZ8A|9Vz@ZU z?~57Bgxp4ztq*%d;D^Kp2j%6^Iou?qXE$kDz}g+JBE+Q^+(VT+jyvCj*+4aB%ZF2B z?}l|C$U`Ee0wW|9TSW+Q7ue@iY7jO|I2gW7JN$U;MbXd3A{w)L7a$A@hwI*?(eT&B z2H!yAqP}D6pK*sk<~4CMg!tg@cvUKdA|-kA8(nzpM}=J-J;>ik98cEfd^66U1H!&o ziC?0$#PJ{F8&!BnI1Oc4E_Ku;WQ>#Q=Ya95ge%dUhfKH! 
zJ%Zc66W5v3RI#McHBBnRPH>#bwLS~GhpI8SZKo~q8`HSU%%pzq*h-#hL?L2F|Kdhk z-Vpt?|St5;%ccU?(id%aYAg3(lt*5U?rH3#@V&-CA1R^c!3M6u< z{H2-xEK+BixwwKp8U|0QiD&DijhS&V-*P%Y_Fb+vxOZBh!L4N@<6=S6i=Om*J3~xE zPt&z)cI{AMuLh^Ov3J2ktb!r7AIhu~Vn{j+B4g(?&V=x-^#e)d(8vTn{!H-0NQ$8% z+)L#m8;CsS_+JM`vZ7Az(?tajWr;>*E@GExO>h@69Q^sBpC%a@hr421Baell>?!JxBhN2Av~4zg3uDlE`NfW$59P0Ug~CV8D)qYai^4^^gaNikdqd$dUEwszUfV zKDK=`M6~z2WEH63cncwS%;pIFPLIW1vBs@&30mMBk`3<7faMud#I?U$(K=d)#-@N%qmR8 z9`0?9Lx$`u$tKTQn&9J#W=f_>kzGK~#|~d%0+OGJd*2&mP0=HU3^L&J0LSZ!AUOB^ zG(MOzI6$bV?b8lGDL0EVKp~U9XdQMZ@;>lSrl>pba_-H%V0X-UY6I`npKJPm`{XBH zP)4Zo6{0f+y$e>Zr#NBpof-sQ5=L5rG6eMt48hr?uf9b+mkmLxf=+`%$K^UZMq5|J zJ`IwDVbr#X+U!tCR2VjbY-sk8KW)-+L4d5n1+<4 z&lFOotC)Sl8(*^i@;U1KQ!@zy+$2UN3EJcJoW&EWI3CD1nq*CW1-mIM$Wvm4cl3!F zqX1{ycb;9F5{;uw5nxXqANq0Dr<~1+jsT(3txHTQUBFk`8ZXfkK^o_|ao*{FZ^o{%DS*l7t*lqjr zt}cHLKG-g2JxRXMjPxYpG1YQh?`64~O@Rh=i6g~P{EF^XiRS%E-n}K+Fi=pQr?D(E z;2W$^cIMtSD?Cs*pa+GBuTpHJbiXug3jY&7+qC`!*WP3@9>Sh#l&ErDB*#_>bM z%vKAEA?uCDz#GRjGt}DxG8+l-T4N`Un_i2M;ylb;Pk>e-Af?)r+P2HVAZJL?1~|I< z ztlBZ<8xXF^J#xnp6qHwVvp)C!3(R13v{osoY?Pj@ODbiTHNzmIs+uX5(8QoU-55IS z!Hw33;Bv9nTS}AGi zq4Kk$bqr*~AUxJ#VZRF9Ivv76!KB`y8u@7rkkpiuE!e>YZ<;OEw|=Wd>D+re%}@8= zXoe;md%MaBwzpYpJSnYUQsnSHyVme)+sk|q()?BgQd(F~*FkGCxFKwP7DFuab~?cx zoh%!9>~ENv`8p;0hW^DC(AV&8VQ9np&B5d6P5O@>tJ}p8!H9Ig3zPQQj>Kvh0((CC zsvuGCvD(#v@r%HK$I2~k#j5s4M7frRkGC05Mt2Z*_fiWMK9f|g-qD)czu_x{s&v?f zC+H_+jHV~{!#a^?xN{L!0LKPgUv&lCmg~c0`>gH=)^hOmyQh~f@YFC#p$u;8#jBFh zWtY1uSm}gLqycu=*P6A#F>fCm*Us36z9;hE=Xw|44cpdmy<@$4a^1GXqN}qZhV}Kx z2zqbzz|V+kB^lEYtnrt0F5k7~{sfdwY6*U{ZX=79Ow zgN*e_5`P6xR^z7{pom6EbTs14$@74fZZc>QzqLC%-qC}#tHS;vy$+jV>UN$hh%9Y?R&0f;ul{ZCD7;foJm;~M59r~r1R$q^PL*4rJYqm6>;OWPYnn=%S zYYg*nV^7j>QM{IL=1YO{H5;2}K_iij-cX5tJn1JgqM>pOK&*v81(ma|xP)bS(wbZ> zli?x1+S7WmvFn&N`T1lMbKOE-xzeV9$@AYXl_w$W-*#O`S~3)>;x?fEDJa%! 
zD2WwRf4Gt7;k~|W98E#c^|mrrHS&<@G`^>I*2cG@oax(^4yqyh)EQCjsEDA#edLua zNvX1UPEmB!fq%4Q&~^xYLC}AyBBk-Jg2Xgp36kq3+X}VX3V0eQhLCN~+i}J@KHQ(} zcjlWCjVxPSUMHZjnvE(OBE^>+jREJ$!ND=f&_?|=1`IQpk(ZlHZS|{l_k`GnerGfK zx|eCHJ#lvB+NAb96n-NV!7*)QhI~`#@2s!{bOtnd!02xdwRfw^#N+1u?MNKd#gq$v zsRj3o?fYHGGn(TMXgXZk@n0e>PWK-B*kSZ;>;CYtRl6zEpLW^03~N}+3u&X`kbzBR z+h8p|#5oX^h{=EBZ6qjv9gPR{88m0@cQ07OK?Sa%Mo9*z?kHC_+zz++9o4oQImuJ}c6 zCX6Wq$~E+N;mbA^>3ZQ#xf7PY@V#tnJ!bd~9eBMRGl>Ckst;;2USLviMw21~!R!bd z_0UXHQe|X>lqbd)uqHxU>xaEL*ylAm?FV`aaWy9$A%w&z>RK7zjb>;1Tysc zk|0@~{bw!*!qHk98TY&A0n=tOasroHmDDJD384ziNp>rAstq+FN&UIO8n6b16AP zKt)Xc0j~#YQGVr(H7~kd08usr;`D(M>I_R9>wh9)G9w=G2paaCYJxxH%iLxrchYop z05SYx>p1d0iJP@%l9Io(4P$|DhI(`jqW#n(Z3mr7_Ay={pM+AuzUh0sSzF)F*-Hye zjFOCq2Pq%=xG(AjNH3+b5Yj+_`-vq0Q!%hw^rU!W-CK{d#fe zO|Z|R#}49G79rSns0TiA4aomAqU(PB4v%CY4Q_UPbg$W`d$jpWMT1~_cIpIAe&aw; z$uYawOURD**rckA(gt?%0mHA)mBAbm*dS3~=EHAT<_uxgZ5+TqBe^aGOfL5ZMw}{3 ze)Rb~{?4}?29#1k0Zivsc8m$T?54A_#==n1L0PR;r%-**(Lv}Sv5-(-qU98flD#{e zHI|p1HMAw#D}>*(WEOLKNT)^>Y)@*27i6EZRGovClAV?B@R51v?@m>@FN1SO5Rrqy zmChwacb|3Mm)(@LaFJA>Fj~=oeYPTg!0%>$SyhF->ln5txQC1r>M1wPw7+piN&JcJ zS4Us8Pw7=1Erc)%|5CAzGD2no#Om$APHv|0?P&D{r$=^8G2ywf*gIX~@ohdEwu`0RYYQG9)#EC6>a!>KI|ojs98xaR?(!Evjy5 zCSZ*+Z>axMRS%!rri#M`BoP8axN!NruiH~X`HqTeO#_<7=K*Od8yUy*Dr zhFWMVeED;?uN6>{h(e}z4|%+@DQm>k+nJH9CtR0&$~CuXeI#~LEOf~#mkd+QtQeb` z0jv}rgsQlw>w|N+V>ZQM-tXci*xi>nq z@nd3EA@0l`p4Q0pUQZQZO4_J5XujHJt9D{_tHZ5RP`5)M=I^l=IZ29I)!otCTe|Go z$r_jauBEobh35S`VNesW4D#eU1toDj6q<3>_8TQfHB5Btfv%}V%=uV^XHp1G-W8oCq86VC@UwhF9PvyG@`01A^LWy zt}n5t!WE=BL->p9UF*O$UdyV14pOBrU3&LFS_5e;pB66eJI7y3Ug$hc%4mMEb;}*d z7V=+WiC0S`otz>(PeWdfnzI|l)h1g*X%TLven*^Bp5_cd%8b;Yho*PQLet^uB&>+8 z8*N{T>)c0w^g>cwA{cfE8C$U(&0|(jqm1_Qq@V#r%x2oq=?Ip$v4U zwaPaE;`tbCM8$u3iFF()M&oC;J^`CS1k)u`0#fAd4S?~2U)uV2LvlyyUS&Cre(00N7l@VpvExmI7$cU#HLj3G|9OkQ zKU+x@D0|EmfRy^FSa?c(ypnnUX#4a<+4%teJh;6-u4V6|^1m)@TooD4_2uZ@M{sx9 z3U<>1T@g-lx4+%rZ#M2Y0FlwNwhNqvNh@deGQhl~2I;j&CY@7#_1tXz`HC~*M701O 
z(b3!mJU8Bf41td{fttnvombme>54ZwUpf1-Pq7}%@h5FRrkYh3wN;j2r)t^{qXVjJ z4YxNsM_Yfl`L?&;vnLp^p~7>1Me3*IIge97HO89KPKDg)Kk5#V0ckG3apgtuDAU(q z1#DZclVc=?|E~U42+LaRZir;*R<;hvQwE=73l3@sXvOhRx`|x?_cCpw? zF5h#&6C>G_Hp~smdnOzR$KK68gK$FtS)kDu19+|vlbEBiY;BxW)HOwYw^tLbY_v&U z+{nFe)JYlvbPnDV!Y!mOB9c;|hODWhos!ry+e9pWbP4z--U}hN&k=P8sy?rUzET_d&Gv-y$UXsIL=j6mdV~BFW0*>3l;<1LBBs&d?&6KwQivp4sAmRA zKn;sM+VoYOeXtL^d&?&G8D)>n zc)`&SZFj1T&Fz2|V#(gya_m33xr?nhl+4}#Xo>68&9SZsZFW%F7O+(#O7kRa{Mn0GPQw(=8pKTn64sKr`{p;ubv|qU#POk zL&t6)DX~h(xdu>VjN1^Cul8B_sgyS}Tel6xqNfDY9uX_b1TpL0SLbC+ysj&l!={KM z@h#?6iZ*h$#K8g~V^&AE>aCq*G4Xj-CUP&g#G?v+32Y+ql=5K6HJ|;O+#bD@TiMZ$ z*$s-&4fT*$Nl2g!zH)}FPhpO3yeICrkYJR|8k)l?$Dtbbh_XRgQI?};>-7?AuOx_~ zwDJTB8hMom`!dL#S^BFY4fWL^IGDWgvuI8!u~gLLFFpaM3zjY^eN4wyENmGzPzbo6 z3X^BsAZ{8d29g)FNixu5u(6~VWNg1r=Gc09G-Pje>*@euIC!KMq>gXf%xY>{Zbnjo z8O7iX-eF%k6gh^lPc%!T6pB;2(!8?EI9e`92Ll7z+fO%jbqsXDXRFgMM6Op44r<9tNwh1Dmuh3k z!^3KV-V1R{?-B2xa{Tz(wSqt*{Qc_Ca_WH2CPE6mM%24qRl%lejf@5E7v{z)3kTFI zHHPI(dHosgOZ_4R0+I7h6L8Ve-{8|%TyGh)^=&}e`7^cL6i~_ms%!mqKW?xa44SN) zp(510DUJR-1r2z`49zxIF28cxIi9bV?ZM-i>)`C2r7sw`Ix+u)-ZOAfW*!M4Qk!b*p zrN%w6Q$sIkQ%5&)Hx5Mim^9$0>*|KCQnCcj*MFk7CXZ8A8`=*5809laD~q@gu8l1s zxLwsJ9vNq>AHr~MtCY@g6f^<@yqQl`?ialrLGL?tXC1DV4b8B-@bFN-Y>Ohn)ojH^ zq+Zq-@;Y|FkeMV9K|GSRzm&b!eN+c*YPm)y{+P^Bt1lqnNU>h5*<)#`J1ROyB8>v^ z9eOUeX^JBpMs8^8SVEyGWGttpz9k%3({}WwWm5h-U7yi?!yamd-Vm8T<#1E!BwlFH zaqje&R^msmAz^=(5C`7acDo&FBjHQRyT@K`qJ6U^IXLj|isU=+k9#6=q3aS-Z$Qu6}M9FB(JtKE=6)d}0TiolCGg{8>#gXXq2*WT3U z?8Ef4mo9uw^-Hv_-Y?kcg+G*TsnUFfS`7C0RV3N*MO?Ac*#_(}d3D`-jY{@lMUqmp z&0Y{=e zsv9a?tzO@L?Yn~IF6!0A8Pw_U>y4L4Oo0HpU=am(U<`z#63;)*+!4!*anQ5|Cw%vx zpU@qUaF%kjL_;?oAS>7Z!zk^E7_tt8trNOWaNRj=)xUeFn2kY(}Q${zDx`HI+5fqIuiNx-8a_M8(>n2{`kqw(?g_J@r|I5 zp5IT2&sqvYo6DPzUX~`u2_w<$K2vUNj~*}@CPV;6AokvyeYoR(W9jDV8AZ2s+PlbQ z_Pc^PSQ>3tWxK6}c}^LxC-f%kly~!t|1sJ$2e~wR{cnHL4Kt$l z-yv4yhU6P!lT-?w^liU~VhRLy6jA<`@ zY({Q58nWs9(g}uu<66#AjR%ACA_fvsaXf~&sPu%V>!-`3v*c~&^Z!pe_I(I+za94$>grCQvFBecXHT($t 
z=H60+rmJa*MRt(bxI52;T;j%M09;^Zf~Q&PjDM=y?0E9bS|eekOdUGz(f~clrl3D) z?0xNjH3d^ZHq@_0zT34^S%kT(J4S35eD4%Zu^Pw6x!j}xZiAX%DF$s^$2yedJP&fc z9My_CV+ISY@S}`O!SHOBpY$vk88$NX;TWcamJ#3!hV4oUPLFNve;Zl4D>qyHev+)| zy>#Cw-Ol0_=0rP-D#sDN%L6htm}nZtS+VJ;^AjpT{|Pi_>YUOuJMGWagQO5-zRw0$ z`jAKivbN7S+l&9`CU%|Ec<%t>pp-A7C#V`KNiay3sqd?rs-?q1EbmfYEbE$gp)yma zoP++Fel|GT-e!qTXhN&g!@BEA&T7sY;`AM z611xHVDsE>KySxxs)52iq-)nDyU#_J#7u|V8IMoI}DR;Xm88C7Y?RBvLdq7b_(4G=PwyW*mWk|8pj+KTQ*X?$Iu>(RQYaSN8 zEjlWLh*lu)Elyn^KxvWCP*9*Ri#f{rUg{ZUaiwKc=-eDvrng2iYQyGrZ<|y!GrEv^ z$^(MtltB_VFU{BU@)P%o_rT96nmhS^3wIs9;B`Qn;q8hq4CsfK z%eXefeCK_$0*hvsy%K->*0M<z>l}@+K5CJpC@&=YsmmDt|_!$xi76k5ZGzjKI&#NEk8FCM$s6}(^&u6Fs zxOZGM)VlLcG$JRFL|xzv@FPlK1g1q|wmR~timZDgz~m14fqN>o7rQ(VXsz3_$L=Fy z@4{!~N)8l_OYpKA{+LL^aE>n6-3!LQHSB-MbOlj*4Yy=b>YzlZ*@K&zA_x_OrMxe; zyr%;a3ol!0XyaK2*X5tgnPojN;pW}+j**WjdCy#$d;r#y=ECI~InRLtC(Jiz?@cL$ z=m|g3K#Q}439X@K10Y@)kl*M5dg98$M_y+S1%(oCaDg=gD#>LR*#3m{FAr z;GDO9(dL9LgROoBD2{^C|(%xJF>UZh(o zopaI|SdGheHf$c{)uQ{(r&|}uq?$hgvVP11Fe4yjangmjZC!F>38(r<;@l2d5XdSD zt}M!i3}tDpBV#v&HRU=b$0MMtk8p0KPb44Ns!WT0(#XbINeauVj3G;x-#y{iIfX#Nye^!Xm9J)GP+KK<(X`)<%^ zapK~6jY{7Lm_?alVlJg=bJ<9dXb?6_xF!CmX**ZgsK6ay96#dl^xY}i=!+_sK(e{H zMB7T3WeWU9zsgcA^QM1#F&9a#`Ec#hS$&`gx61>Z_IVy(YWugelVppR#KJO_XMJmE zeH1xszAbuK1|egtw4d7DVSA{7_xfXkiT1@Dr{Go~jF{_AgRpS|QZ>UdmMbbHx)7vg z<}L?mfZknqV*rB8VhzD8@7dM9gEj~gf7EY4lpknL2prhoUtBNMY{6b^b!B4j!Xw^` zWHmQJ0A0|$^kIw_bsPst#eWl2_M)BLvnW4wj4oL{{-D|l;m1yIx6gw>WPS1HbyS`- zWNgaDhlr3KEr-3Fgys-{qt7Bw>{9*&`~cfbqCjI%uDF2>e^jsk%&M4O{krx{aF_hh z62a5yg$0K1uO%&;n`o4yP-b_@O4R-^2$5CEpt61U&~ZDz3ggPIMyqA*S3G5nOH3gC zw;MRh_wl)v?~;|DoBlhHbU-0s`z1$`=#8*s$3E}wvDH(kC4H`H^DvCvMAa2hSD3?K zf~Uy6&yF=tI5;)EYVI$}-2C6UoUp%S-mp!$^b=+Om9qK~Nu;*069K`0K6MK*U{x2r zLu(v{tL2N7GLrn?WJxzYC)3wujh`lhikGe`ULV)|H_yV9yc^PhTyG{`TLO&*t|M&w z`Dte9BC-uxKM!0n0(9R>ekoJoSR%naPEe*P+XdhR!nTzgmS9Esa zN;S?lqf6Ppq3S097tB;!jBAqBTF1DN7~hbjD=juWH{O3oN3_{GCSVZsZggirL2?e4 ze=OnoMv4X89ZGV5KS3SWX#S)sdsFt&27!JN9~U+GW!Y{z@I>FS9zQE6_Pg~Jj;xDT 
zt@GKU3scpV_Sp~vF10Knt5d^~k)zX?_S~jAT+FVsGBv%1|Q`IvO)7u@;u)ci5QT;b(RA#ng&)TWO zyY9^3ywM~NH`+#Mka`Pe>viF6|6JF-$$kP0SugU2F27hxV&vXt`v&0Y$>l9OhJT<9 zyaY>fxor1we|2Vuefz>OERtRBgQ85OlFu9T9)IB}c$6`?(lFhq?euJp;DsQNN>Y`i zDWd+D+knGu6LF+XvsNK5XRTu$UDTo+X5LLHviHSVV&wr)B%zrVE|5v9r(~i>@5k?b!&;Cb+;X`> zwZt!D<+U#N?V!<(=BN3s;qd0!32`}9$@&}PK|fK@GiU<1g@AdM4XxPV#rE{XINPRi7k0<$TcJgVj6JuSP zEOf8tLr5L69vz#3NcFTlPNN1I0Byizdz31JWEA))8sNOUu0{`bpNC z`5^;Ohhf*D&M-5+Bg%_8afc>gt?0Cl6Sg_N9mVS{d_fyrTwjL5&-pfACOOR+ud=k} z(FC@pj7y$T+#$?PlxT@P1s%8YRKqM++_CmL7*E4*_7}?EK-5Hxak1W_^(7JdR*fv_ zflUQy-pTfy*KifVfBUG-q?u!-)|iZPY^qI?IbD>RAMd+5nVb`b&BMu6mLagZ=WoIu z`9eUAVWH#I%{B}^?A3bvV0r?lf*2QfnIyN>9v@?3q-jqHns5`%1|UU&i+Li-mY)52 z?VjFHkZVR~9=K7orQ#dlg+>^Hwu-_)V5D&R4@n?PwlL1PF8N3-W_1_kf{6HI@eui! zTwKU64h<^Fu8!hg#U}Et0SxOaIM(DCU4|+#2s*dxLKVXwF)3{1x*D;x4ZUxXXbqSJ z+V3W|2k)fyqMiv>8L=$7DU<#;z2vApCxcxBRcR^*6{hU-5p|+$00Aw3v(fiq_}A|GJGJ3gCY4Jda*# zI&|}i$Cpsfh>Vh2oQ?>)7LL5fK*>_OncoSjI571(@W0bY^@A2SMq2J&Z~#`7#=@^! z(~RpzG`oq#_>D$B8BbwOF`ZySwWM{NQU2V;EWt1k#gNn*9i}0(EIhMr zm~~@*@5U0h;}U>lr((!L zRJ8FAF+%liEYFfv;!d)SMk3!SqiRw?WjmR6O&w~Cors6dA#RXD`)JN)Ut~ecx}yOY zmRcGbYg(3Ho+O#?N~gdfEC~yS%3bh1(7K28*vbBYAkAHN{4W6svyU(rtpnWi?MLV zR-h{8jl@t8Yv)tA3^8}+o~#})oJ2rNcacmhc7EGXSHqM^oHsb-FOL1LiUD`lX_aEC zZ_n+*B5Qat8o5NcAsXLqJyd#bo+V8aHrI(b-^2}x|ABAagMn1a1H!Knu9+7pbE=?m z0iKYr1KMm^&5Tl|Y-fJ)L^YkRKbAd+p(c3q7YqueyK!38+x#lnK?p<7BuC#Y~FM*)RYW4XD}T zDv`bWdNxrA{qRf80P<`+bE$k>u!+%&0H5g`8(a%6KL-BQKk1!ONgvte>?GDZ(*FDR z8)wQW5{iXWt%Z;_bsN5RH56bYyL=~{zS@}nl8cbgcN5gV)u|+xEds=u19?7mcHDRN zb|a~x-)dr+D{H8#yPlvf?WKtYdMKC6bQ9BFPnZFCI3mc$%$QK+OQ{F3TIIJ>gnNq`b+ zJZP~ij%IsG(BWDDG^mIFsNDxvaPzWA!ShiIhg1*bn%1|48D z$(q6@Gx_0t_8ozN^UFjhwi}u{_jjXfVNQGi-*1xhm){kk&O>4-wVXHFj5Os!i1Zw$ zm1@>kK+VAs0M(6Q`|&|FN>qTPzFV{%DSqdr1U|>&iMG}Ka({y@yH%JE$1Jfnt>CsE zc<6>Z*2{#hUqnZcaV@`N^0Z0F23Zv7arWwnuC;FR%NfkdIpud$WkZ)+KQ)X>jm7Zo z-C0;P%!{u=!kReTOMDbnF-~+6_I^+w%1?kK(2k{v`Ku#%m<`g*6w8 z`fgQPa_%xT>?4J(Y<=dkFZrcE>a45qWaNbzp37Udh8iilg4ao7#qGrY z{pB8~>S!DuFV1q)d$qJ(eAC7%X 
zg^TX~07}8~@9VnjUMY!e^tv%}=MV8|YrVeX!(ObY+RWu?yfo0d%7q^xC(!Isvt-M2(vx_nYXFHPSVZ?UOcA2>XfgSwIYmAjvfl%r5FV zYKLZ!x0ChW95aB*YE4z+=dU;ywG{&Vbh{CfI%aWR=#7J!j)L6g%a2D&vmq4`f7O}M z0Du;i1y6NT&uVcd^s_`d5_bkAiU(qE;MxTRgKSU$(Fz3_$oURXyyL_K!yYYT=78m-~WtBa1i!e`|ft zx|lD?E6PQZZ71OS3y~sK{~HAD=HQ!t4r>W*GL*Pm7&aEe^cP7}y&1lnm$jsyjF8(R zA4jRvP!h0B87K9OGGsGARvIJ4Q_LWosQVfZ;ULo!U3S1i*fGR3l&iP4R#4Zg2`pz^rP8L!Jmb~Y3qva zhDW4~)n8{Dd2CiynK6xi#9g)&SOD9Pj6HB(qaMotoQI8Q(RvHLC4gu5hYw3Lu989}>`D-4Atx+R zG9^O*I1B@`WQJx9GWktycsqq{^oNzP0%al* zJ;31Jkb2m+w7uK@I3f!hd`Gb_J%N=5al+x}%Tk>pz@W_xv|)wePan#tFZVSO-KCE? z-Jn0fz{Cju!dA`MdzV&E_{YB+-5zb9_aW_N54*DcQ-R4Y;oxTM6&L z4gT&gm$$bB)#$%KNDUd$l)!*xj<^>ST3%B#K@?wM@Dj0hf4blc;oJqyqNhZ+v5X#t zykT-*`WiqbkEylJKs(15SiueXKa7f;+*IDo&%m=bF0L58Gq1VF$#3bKkksst`m;Q_ z1Iax!IMFG#0KEdu$m)3S%}Aew&QWYtX7HaDdeI0Xq;S1pSwv1 zhl9%gVMT|^GxeuSS1C}@olq1a#UQjv&kT4K}R$i;N<5UU08_!tRUAt1rqY>o< zT!D%;0PWX~P?g>*#595g!Qd+;Nwi)m2@N`R8e7D%$t+p1Mw0Xr@$BMTGTEyR4e6>5 zW)4X4@_=Zn=)yaDg*K5ToIXl?JA4iKKCf^ z6OX3t0-H8G!cU}crIb_Xk_?GsSnF5g|Y)Ii9|AHcubhBbCuSQAdue#&9 zR`3_opt;>}sR#-*NEk{GA-3#y8<8n4-#U%YAJsp%cmp`jI;4{8&0=KjhGzTsxsU!a z1XmQbTV-25h(gtl38erJXy-!JOiz?l)T> zh4H2k^#=6u995sS7injrCS`N9E?wYq7D@~OHs@f5>ao;=ZW4)E6+z-8&u|sXvk|y~ ze0CgR+nBo%mNu!5{mrQaiu&3;GG{PP(-aSlu@&G~Ib4U-tamU^qIPFElKZ8-qFTNU zE~jZaC^qnT#uKjAZizmXu1T)BHaZ^nnB%*0dVcWV=lGn)^-Ccncvi+o;m>;^;9RDT zi316`5oo+%a~I0y|*F zah;3@2|{47jUyZ8iyx6?A42d`b0;*h(-u%vBg-~mHEd@2>80P9vzn*S(#^UUku)AD z(#55ZgIdjHld{e_4U49FaTBZfY8ifKH+1gRBCxNUTm3gsrn$sYPggi^BFfsl8YW#- z(>{64G`fa0@+_o`${##wQGx&Rax*}~z^v|yBP`oyl$j|}de5OhP@{Lc=t)2HA{5X% z5Vk&#L6Bp76+-J-Z-$xd3ZJZ)8eHDiYO({VrPN8(Ry~mJfDQ=uOfV#Hu_w@YBv6uX zGNHq?N@){Y@R>Y_*9&~0VU-s;rEZ#SIwBWMG?7^qN>Q3Vbcj^2l~r7h)SN|Fk(MhnRB+)PkGyx)Wm^Em67gdcQ-@9G!O5i9H}6b>Wsi*0#M@==cl zJq}M~5@Si=2_CjJ8j3MbI*93sUggZ|BG0~1v+3kpu(CCs12Xh(|1n)=s{mFGl{){0 zx4R&JR5K)M>y3>nr;LPnQaS0(I?a;4>ZPo%|2+=k^1+3?f+?aGI3j;PBlbO?eT!Bc zu~7T%BW~YID{dQ7?Ph5h$}@b)l(Fyj@xUWQ)M-CgSNNWUOu+kW%Gt@!X?G7g?|ypf 
zG)}sYKCSeKocC-eaG4#U4+kj5M_-%CsXqmC0Kb0X@_bGlj$_lrK!A-XEDF`d3k-bd z_pMd?csoej>ikkabI+*DjJJ_7(!IH}k?$v5+2{A`8x1 zTU-_*wKZT;&E6u;WGtt(ppim_ae%r^e~U( zr1wi-U=nwFSHGKgrYWf-7^{@+2#3$~Gn2`=t8ji20fNQ_bUENyFFKCMJA69Ra{7EY zoVDe7YWG$JG#%#WQS;jJXsJg0?h;UhRZxpSf zF1EhI`jVv-jMaOdUWeB;apaW|5^a}DA+>{}`e3pR-7yW{&nWo!rvaLVwKCyY-Cnal?EU6v94jY^ zxHR<00Tu8?yJ0Ox&~f&5j`e)o5!OC_l-1@b{C+q(=s7!Earz3W)*WL0_wVZJ{(=4( zspPa*dpkSjqR_ij>jB2w-ShK;Z3bYGX8O?j{c(j~R)uDrl)*B{0^hvAFtc6wj9=z` zZn)3|^~U>@^nk&vKHF3Sa(Q#iGVBEbI5_!GwiJ`CogMWPmA=V-tB}!^wt@L9k;Jf3ae& z!~n?>nUEo&2}mCcil>xj<)!EMDVXNy7rY2s$1M`Os;>_9A88Xv}%< zi_)NGc2GHst9z3rY5 zomaOcvy-Q=Rt%MDfBsA)uLH!or>=J%)X1PKf!%hC6Vk^9nVa3UM{6zBKQDC~I?E46 zFO^QqD%`G4aL&k?c#b})CSQy@c#k@GhaZViL$+tri|7RSvgs?Vv!RIHI{?vFRG5_U zPVJ-JPFr>BI#yU5WC2+bgejPW=k>`oL~6$>GEmymsUjdx_I~Xu=>o(WrhHB{(Q{f4 z7mCmiu{0Pbv`Xt|CyF`8nj@M~6!14MUSb)&E(2yS$r(II%-YaV7G#rw`3?pNx_^h6 zs^d)-R+{!|br0TG*Z7!%?4v$iCUgfpjkF%COBvf4uRW;!wi=A8f}I~K;gRf-4p@rt zBGUi-j7Y&47NX)8o&wBf9bIcXilJi0gR76`UJpT8?u?ky;oyEh`iWu#-=+&FyQN-_K6EjiHfZz*73;@h1YVBnqULul^*c&4|LJioJVbhKR#uXt)v1&Jl0kq1OfEKOX{j@pIWW3X=lRZNM& z2?7o9eR5{~h?&VXxI!uHoxYdLFu<`sXq$bAYs(kNL(z}J3B-1hDr8LQzb?qYqTI`Z zX=+5kW%0}s$N@2M3_u5DtRd$}2&>(QX)_Brxlc!<>vl?-EZ&gH3`{jV3xT~!qS~oK z)}bbZ>7pPJBF=`kg+hJl>rHhu6C)jPlt$2s4})APq4?91=cScD>3_1)3oMyor8)|>oBYs~RurZD2w+nf*8)^k!$`V}L&ut~(zn9k zgj=M`Bd*&03O)ju_s~`HP9b1Td7s6IgKBup^63brL{_K1ECc6aLv;+S6y?~TKS_J^ zF)0&iR1Lx6^lvTxEZk?@8$^)@6OKQDA}<`ayC}Qt0j{L_V6K%Wt)9_^4Og2jg}YS= zNt6_C4PfcvydV5u-e@;**^St_@~Av<8FD|pJmRiKQNXh!^K*)P>>|48tnRI$xp3)l zGEI2$v{lnKQ4<#o@jztsrv7HPG3J9+AsBvtA=qPTk$oApg%=y`{+S;RcsoVI^G=t0 zMWPf|54j^FmyvTP*7c**lZxV*W+lYRP47^uzcPTV|+L2 zARr#p7JTmj;j8La51JUij=JV}YHv~e5n=0(Ri ziPgXDjSR&4G7_ww`WEXd zXcdME*L29P97T<5=I0^GiQ#d8$WwJW%9-WH$VAQxR?8k=*O`{Hj9L+&xs>WiI&Cpq zO?=+Hi7j(68j(fQ9)mG3Ii^PUQX-V*^|eEM`;rRWk5wE=GX5MaZI`^PXgKI0F*U^c zc^iJuQ)Th2WXbgVZ)NCBRLClkV?eE#D`{R{7w2^U;xt>uC;{hJX}3Km-30QfgMQIc z;;aY<;=A8wJ1IX-a(eagoGsT%If`m5$J$i|7lfvbC?owVhu^|Q{C0u-9|H~SSecfp 
z3!Tr`{@wyqgM}FX&8&*=E&5@e4+Y2;OT&!6qH(sd{ghdqAD`SRGH- z;O`63^-Ic5voE)ovFJFaF2*VB=9a9tRXgyJ?%L{Xhz&-TykurW&QTTaRP2%qDs*u; zLv3yC9zf?&(}TgY9?M2~)&QD@TEm#c0-|L{Z$USwl&C<_qYW|d@8fRB+`yOM*9Y7@1{Sh@)#HYd{QiwgGZrN? zKOaA3w@6UpSvw=M#?3|b#B#?5RQI7L_WX1CVwN#Oy|$cZ*g(ge^ATB9)Y?E;mxK{l zNjLJx&EP-ox^J1w9^?-)hL^0>@8vE`XPXVH}~xW9tK-P9VH zw-s@Sv4OcY%vP)kmu4g%hmpn-zAk_g~nDny1|_3V$gLi4VFmO54d=dBtP(*xIVA zYX6>wB9I7Jm}GeMs`;7bU{q?;qIx;py*jE$n2LZ@7LgWfB^ADR2M^EO^`=!JVxPTR z=y4zy-19W#XP^7n$;~2P?s9N`R8E8xt-rnKA!n|pIR}Y<>j6IR9`gmDUfRGq6gKy` z76RZZ%nJnWGYj35byHSio8F|g{0rgm9a)=0*8*l(0G>~iscfz^tfPFiF(%1%;7;;p49lTP^YUT-sSzlPHey9;=l-3RHoE-++Q zcgX$8HL=K1nE(*8F$+%Z>asE!H4AI5Jfh^sSei0$hGz&`=<6QDl<_7mVO+XWDcG(Zd~OtTQ= zz^N83nzIm$K!A0lR&4JAE@PTbLISnvm!Y6ihwvw}M_|gbL#aQ%bt++?aR@;9zuu+k z`MFa$GepIe@$ z<3lzGxL>v*2{Iu0CCPYLe*T^mlLLgY{AB~Xx}Y7^x09jGe%jbjCKEsfD^OgmYN-R- zlG;q_SqGSBr%I-Bc74X6p)g%uYEd+X`C|xVmR6PtryYPc5$hN0XAaI}fl547YU5jZ zk4#)B?4^l*OG^a0?m8JrVa*0<{@@9!7;jwI*n+q&K!}I5muEhRkxw4yAs(|OGjkej z;`i9UdX%;@!Y8cyoR_gs26NRmcGeBHH}c{44+22RfvO{Glj1)T+%feGRel&uGtYr% zE^Vd=`GnEUq4^B!H-8L?H7p^ewec9YQR=WRhLDv#4|Q;_HrrMq6&&S+fZ;2`Wnbfe z4a%s3Wc?xgxcF2ElKPU?AcgDU^)J47{j_adDKm_#LDpoKSHog2SLz7Ef>fKe!(j*+ z=^h}i4wo;KYqYUeirWX6xmy4n5WhwxWygUB|o00R8a+3B9{4U zbcBB-*~dgbg!GC`Zq@##I*=$qMD&gWUYwa8X9lX7IAtkQuexQKDCYEQ?cra9>mxT2 zNb&kdL5kLjD-_`8n7fFK#MCTv4ufUPH8Dw%$fF1slNESA! 
zhjApA#ZCU)(u%y*QcIV3wQLpF6{>m-BikW_jxcY0`=AH{+k8gAF$1MXP5lEl=LnmE z;SNo>X9P#AafMR)amq4^Y>QKE8%-%w39P)Rg>#OFq*ztZr5@R)DS z!=*M}m)M}T#8vVNUwxPR8Rgg!$;#ibI|}ICIkHTh{FHiWbHz}CK{aSSx}CbEmX0M| zpH~PLeN>PTmSu<*mSsql#{V`C*G|xm@c)AneDj6sxK=M@!L=X=Sp+6%Es4+H`?v_r zIc|pj^?`fB>s068caRzL(m9n@DgaS$(fU( zZKs}+%QpEs;=03Z)Z`>&;`+611An7#_86FoYklOyK+mYIe3isEYzv_nSN5bWMRzvl&B@zwEdX~W@TwEv>HyT3WG(Ei znrH;=O>TR(L5?_4<&6~M^mN0MPJHD-4S-<|hOorG{*aI5kiZp}!`P<*ow6SefgUgIt`1Ey~y^r1`s1jLgmCFOEQjfuJ;4jo~EvfOc4VI21Ca8*Lt!5Cqf` z<7U&}4l%ON493o6xvD?m+`aB#ON^Z=n=xVR$^-5}*U;DNzf&MwQ9p?Gy1RV5W`-j; zs%Jbs$4eNWxjJwiBbc_&G!{JJI-0Q?Ha{S8GLOvu_lnaL#YiZ2fVSlZ!~aM|?X<=i zPJ2-i^jmBn1Ned~J=i)Wy2>c{9b}|!v?r(Pg)|5p$&Cc}jFUVB+16#Px=IxB8>`*n zM%2E1!{RpOnk!KU=c~go2bV9}v zoITMHLZvWHd(juy*j6&Y0Jv&C-0op2ZuVl<^Cz+dCBSRi-HqR$U zpB3CH8Fn(wAH~=GXKrWZv7JF%-Izt{3O5xE6#rC0>T#nYM(V%h@dTN4zW+7*cz?Zr z-JQ8nWH>o|ptz*G)OUEh>lD$I4J2>P;9H9^-FdXVaR9Og^tY^H#;n*R;_U%e04`Vj zv8jB%?jZVs^_gn;t?o5acKRW*YAZVH4?OrhPV$5~FFe~6q8hH{y~SkZ({U4Ykp}Va zH1Y=J@3a^}#cx+{uA|kB=66Mxf#=8W9lo@~Gad!Rv9RPgCUnY))ii^bTz$ccm55a(#2R>SY{Oh{uBX!Ywb;scHl;sZ|d{(w2{TRkON zJRTARqBAAlv%q_(C2^vZb8fM6;nHdGe0JQLu-n)Kn`j8~{=YINoOqdH<;vRS!X!ET ze@JeGIDV%4+(uP@<7Gl31Uu2SV#|Q>nBrU9MrRG~^pt@RbcB|Z z@tjT{iJUavC-W8}770mCXU*Nx;j@CX?dHQYOXy0-ad7vAPg%-+Wr%5wtnW@n*CR&P z%l&cWwh%X76N?o`1%wM($TF&7mHu!x2GXzu;W(i~4={oHPct)*gQ5Vi|Nq%c?Ic;- z^*_HwZ@i%KHI)&YUv!BGNr1(J78{kt>AEzZwB7DDFH7`#g~2(b+D!J=}k)y;g>K+W7e38>oc0WNdw$;lym%?3hLj(M%jG zs(Et7+^nT2FZ2x8tXTF8lSNy*j&^rex}J?+Gr`*4VRSeq&m>Pgw)&r+cZZeal^>`% zhj3^fE|{j#;+4!epmiKCylcy>UUdIcjmojfDQyMhP|R2ZRUy02{Uv&dEuBP8qAn$= z4urKQlH9~{2=gEP`y%JdHcM--(Gk$tOqAnSx*k!wURn?5Oob1>EEqE=P^>p4fZ>iP za*WnLDi_gLYLo&ivi$dd?ug6`j#6|)0+SFU!Ut!uJIK*G_*S+H8mox7#zqQZsJo0A z90G)Y%58(gpW=Dpr(i-F6Kfh36N;e`LF1?IpDC63l<>H?ZOBv!$wA*UJq;MJg%%6c z{at2wnKn>Ek~2_KC<@;bKaS%=%Ds2%I3A+=`wX`HhjrYB2+_Ih~e*xYo5zJe@W|7;0q4;6Vm2vSx308TfO_0+T2JZ-n6Rd(4k307vK? 
z(HrtS4w6_@)&Dp!6pvHJvX?&830$#cBJ;8$gawxMsoL<4Yns2<-5YbnytOzjXZYE< zzghe9RTJZV4=btr8%QMAMEF0=4J7fWx&7BLx^{xDUJJSJm~4<`K+Sbz4~JN$=*pbYDyMhYTJT;p;nRnJnN$c zt`KI|w5}yXj7!~evt)osf!ZybCtJ`{T4B6#bLx@p`9%9Rjk~ziym>o$%md5sM8aN9 zK>-bqPRzN{;)I1I*=-L2jW)*u-J~X406E(9z1#q~;o|wR^{S4?FLh5bzVBaVG@ok} z)`S9Dgyu1*F`Nh(&c#XmLz&1-8k%N7!8-bflEeqR(Le%Uz>?x7wH}gDmB79SBCO*# zPCb%S2y31v2V_{sVB!LF9v!B`SgfSK#NnuMx{)BA28D4ti47&t8x{e7eh1%phj&>~ z4n5dF6OoYlKcb``15I)j3u+k~(%nBVeTC>a3G8ifelibK>MCuFJ0;w{xXePN3vHwg z&pWrOOYaMvOuOlmq|3-kUDtegJbvzX;qjkm2lmiad|hlTY<#TDu8_fISCn--0p8zU zwSyH{7W>~m_~JuTE3Wo@vPx^DxI<|k0&jbcH&@2ChX&d)Wgc5Mz1M@SOsDtv)NnSZ z_SmA)&&Q;QZtpjXVC1v#u-c=W$TTyU-PIX#w2Y3t9Acy%X7Fl$yI4HQTBE<%F?T=+ zARR|Tiz1=)kr~b|%PaZ*&>DY80Xzcspb`Q|*+_+Yh6Z3@`!v*|;=j6RDTI>Ie^WCE z2-y6Q6O%Ko_m47%!#*)`CVR}j{Bx?}uTVOHgu*QWBDXKbC_pcmDTF`;Oeh)dF7cR~ z`a8wI-_dY-IFQS5+J79SxIzu+L8;Q$ok~S-pNmmDD2-A|PJkYMbN<$ahVY`H@@r@L zBBSX6sl8=y*>i1hdUodlGsHg3VTWE0b0y4|Cx|30iA;PKdI`xC^Er@Y?W>u8)7pa8bg&bcyLSlXH%sU=ln znP=-}^pQeaO1KFhsxS3VpI(~H9rrT*-)ra@Q`e3STUgd?+8B}O$0{)Z*%4<7VQKVC z-fj&fM8`UwPCVQ#7;i=cw*QgJb0ucFd(ccLgV`I_Q@5FHpozElV{^u#C1Lk zvXjQ~T9BujiIsP~o=EeY+PxuHH!Zd5Bgwt+0`N@I-}F%QPJ3m?Gx>2KKrmpHO93vN z+g3mVPOE3A(Umu%G$^!-ARlEd>9#C&ms!|_lt@7; zltN^h#H)BTO$ZznnF{TJR|us6m?|qD9_fyf%m)(%r6)3M$Dh8OA{s$iezZEh-Q=Je zYuzR_`K4A#*7D=nnfPef;B;4H!Sh^W0lsDP1wxm9@85rvD@*%Pj^)2T#&PnNKgx~# z^p4kajD_MQsCg*G+M)tmwe58ysao2-WQ0)&J|C=MueAZ7J}Dji-yMY)#TJQ9u|678 znohIgq%`pF7M%T1GYX_EAcSolimmQ5Qt{O-lb32SvH!fT*miDaGOl!9q~w{j&mzol zIsjsPym%Jr0ljo=I5yyf9gd1kEq(esr80lzNq(LAEaGQ&^&KjoBJ;g%hM<}iaSa@{ z+Wal$EpBU}N77~s$-o=!zEibM+ch-4BV{ntfrxKeh|Gx>gAiB|zN zW?EE|LNm`ZYlT`Ct|aUM!%`A=E+%iB4aPj4;)f>hC_r?SZI%_2h}aH$ea+V?+jB4y z{KOuLU^+%DEcA`d`V+kd~$`HanWnj&5Iz zbhF*ihcP0kUAna8VjDq9@md)kj^!nmU1hII_~Fitt5|d}Gv0VSt}7g*BcXdW{tRa! 
zg=7VW>AVG5=72KO5NUO^x#SHmGv6*&s$whGG!HL#A7~0oFB4&DiK3KRSRQ;~Cm@$E zSR4<<=2itN2797#4vYOU_Z0j~@ba=(Ew6x03MwKGFP|bBQHP-jRm5#5k##YUPscE^ zMG9<`g!d2?2eivnV|Y5<+!}P$QGxVce;v7xAZ>3}O^}0_IHEVwpVVk}QYa|EcsLHc zj}e&!5`2KBWf27fC5R@Ixq_t?;>QwLrO;1rnF`t33^!OJhEKq(b8gaJmOZ$wlvK5r zk|h?4T|_|g+8$(Ke+~K^s6sOo)MOfJ79EHEH(XX0I>T@9*FVI#j(xFbBoBuew05j4 zLX7l@LFcXg;?VtW=6b*p6{tqm$Kr5qbJX`B9PUvj96OehLU0dYLqXhjCANWii^N6#0Q(Se@1KW}VVKE4_n` zgClbF5;4Rv_$x6wiOK~F2QvO_4>KH3aNEg%Cqa?k3Y=&zqgh5P%>>vq$G}&VRNGDA z^ zdGl;Q?65cFq}Zl3lps{EA1tli@9XkQyxra%tW^|DJR6|?MKi52rC+b9z!9Mc(6PQbnHB)dn;J_5_quce2w6OlGF(YE*FF*7oL>H0IW1C+L40%2tB`heP|h znPYL&;`$rL7bjFctP#DE@z*9r7xYyeYh!4rJ6F1uE5z{P$dLJJ!j}0K+;VoP5~fA><~vPapOF4hDWq~ zRU(B}4s&4}5xLBlMK8Gq?aGesKvrvxEjizo==}OOJ!eefAWS0h>x?L_Oemj8j9dM# zcmm1QUf#so8L`#4`PSan&uyuT6%)CknN}OFz@Eee5w-Pwh zD0_d>TB6SH4!@gl%XHELk7WJMgyaZ{{59zK`K2KDPBrdLyBSqf;Bc@;q z9p&}oA@(_~pbvWJ53bJqTx6P3>D-W1vA*8k>}vn^1vMFwb~cVh$XS??R?fscfpT?u z#Tt1PaaiwG^Du&9)A03rl~9aDGUfL;KzT+rulk22Ivrs7(X#PDGe5b&AS150WDvWp zr5?~K0hiz5E?xY-nh}j*nG=-68k{c6FlqA8!BA;&D0%pXuKMeVs@$$v%rj_wVfEyr%MI z3N`44=@9m@Y^mj`jfjf*aE7F__4t^@_}KZxSUGhoy(Jeun^?+U1z3LV(lxW}ep+&G z=<9k+0WKdmd32ZEI(AZGW{M^6wm`W38~J{eii+y!TsPVX)Kk5Y%Bj6^lqGo#EYhS4 z%DtJ=|%R#2A^@x4Ro0*ih!W(Yj$2HJk zqOgyPb^5|sD*MzKQxRwvVbS63={Qop$-jIjx+=wLiIxp5hUV-b2;{c<{=%k8<{>UO z#`w++vbDxYb$a1)1^9U-iU-3|usdPfatr{Xkl$(t6f#-h7-Tbc;F*^|(gIOZol^g~ zobjQ=VUn3Uo$653bO+oK?|$i_^lf*@v>e(X;)6Ol%S| zY<;-?KywcTn&Os+NhhuI#rYC^zTl~MLQ?k_dofGGsx^=i85*vA%@`Sfx=q%)a1g-4 zs-c|gBP6;~_&7noY$eHQ#dWA0Nl6t*xj}9;Z?|Rpjn?6f%dAO^ z8ZzNaLvuEW54WbkLG$u@ML;QWD-GavBB{6rN9nC@^T$aO3xvoxd*yT`l*1n?i;hg& zs(o;E(&&YbY) zQe9kFi4;#!&Tjr|vsQnoB)SYXDwy%ORGh13ysC?s4vNe5*qL>aviLe|W;NhL`6R_h zYdov(p!hV{`s^KX%jTGkO+2St)8OpFKDisi)MebK*@B<>(0t^%!7^Ll z-)7snC(UNPn(j2&`2a)8!3q!$S^SvA*WiN;KScuXT%Ynhw!wBVR~eVu&7fy)m|P^S zl+5OmmZ88?QVBKmC3lCi1wFKqz+=r`+bD>c(6SNF{`cO&A^xM5w#~<(IEY%ZqCd{9 zt+^{rN236BKMc+$Cz|lAgFLxeQ+=Jqz??AkP>K(xO`nPgMhC`0AsTRq8)Vd$Jx)|a 
z$VHu0V-laR5udPIkVfV_Lls0dchtrLlPcB+yFw$8@@uG&!oX5~Pz|L4P1s1D?4hib zOvzl7W*Aesoi!p;L3p}M@K}hh#J@yNvq8x)*{32l!8v>t8EWP(aBEtC+{oMQS%->< zOTe-*aHfozunfj;Yw@T5$(YG*iD)PwpQwRzAD*XdCSab+q1z}}y070PLHnW$xm(Dv zv1#mx>xTb}>fWa1#c4y2@1_0e{OoRje@6Xr;CF~ri*g+kf`H7eJKG~R#j}85^;aaK%2#QyQ`{MVT!`$??b`yZUr*e9RPA?i=G^f-^ zlC{6mb898qsG+H^029Eafty7yYnXQY8tvnf&W<8Wcu;cy zn|N{abl9Gq9Zx`xShTcF8E#$P4zrjMfx*PayFjkQEf9eGxGA2`;+kIEP!N#rcw#oY z`7m4%PspUhIt>UOr3wuW1`F85KefB&c@?qbMb~0mM4v0lLr%p?{FORPoU!mn${S0Z zJeoAiVh9FX94N1@&jU7=>^__Pt8XFo_Y;ImCA8xdHYzIAq@fE2;p#i4lwpdmmYF;{ zr%7g*NZ)56NZ#EXJJ4N>P1PVRF37N(5mS{_;oo|>n?C>ue<1ycPrsKjp;m-o_`YI$ zq2Nm+;-Oc2F|Wl!`P)6_mu!+BP!9&Q;7ab+tT1SG&gj4o4KqedI)K|B4=Vl)9dVW;OZM5wD#YC;lGLzd zVLO|1QXSC6_Z4M2pV}Tc3@pAV)XG8?T`MB2^)ugxP9?`ogQwodD^cbaoz#vU7yZW7 zE*eQZy3ec5GwW_5Y+AX%kPpmiFe8=uDjM#@#Fj2RG)L%~kWF(v+TrAu=@DEgCh8X| zvO4dl$0f5JmX$Woy8V~UjY_@1b56TTEyEA9Hw-YCE1QUwj8x0DmeQ$*JEB}t7WsnJ zMCx7d+@K0O={uu!N2X)cep;=+g1~8+a;>tNyx>0 z5Fkd1P2Lq+7YCegeX7Otu1AYMuY`g^L~^Z-6F9noag;AINH&YWSs5)Zw2>&(I6{*U z24$YonHzt;@;NfhC-oI6nIiX)1-G)577S=-S**!Z_n09!C(EKp$7aAW1ORFpn61y0 z6x9Fv|K2ju;|@iQO{L7j#;b~9li&-sf|dP<{Qb!KC*FVK_#*rovwU_fgC1YCj*in! 
zVrH?|R5rSLef9l(_o!oFg&&6x(Dmu$M0mKJaP;Q?-u>p%WWkTCl}TfGzEz(b#ivbN_I2Z})KU+G6JLa`SU_q zYzyYAilR?cJR{!x%(MJ%hk==Y%e3E}dr0nf1CVw*G8bN%Ou* zSp(2Tr@*utsB}t#YvKs_8*lcDH@$Bhbwn^f+Q@f@NHa(hf8bV+W7go(;`b`mqSmV`~s8A037kNl^d8a00E8i z2t}<_76ENqvetJB&)Q&Q2g*Ueq;CHQJyWVvXaMK{p$o~@Q9`G9QZHJa12-O#W@$TMNoPumelO= zH;W6ztd!yoCNuJ$@Kto$mnlSz4=;`X)|a1&)?qp~YTNL#<6Q3W5E9)Hk;W(?dRm73 zfGr>?#iE!-pP9zxif+gz=(D;t4p}&I8uYRDf<IJ zM+c|-+g-_PM>DtXAb(}M>=drKTW}uCAo9nH3*)^8{E;3y(1jfwD_0cSyJBdbEFt+f z)^eXq3YQy5L>9WtK38;m;v4^kEp*3!Mqy6Xp|J!F4H!7tnT*+)OxO*XSxgMsjPx0q z*;q`N*bSIC*;&~6c>Z5cqzGw1ivZaEYtWQ+SyN8g8D-?|dw<^CmOu(Du9v#hk5H-D zATXAKWE)i&jQ)?#pT9$f@+QZ$HATgs8Y&w5th84;7U)=!-HcF$ZVJ>Vyq7gtgC`)y!qLGG=LwrtuO5hOqrs@%%C+6V9|XFd+C?TZ~1rf1V;u{t;RkX zQAZ6jn+@p-9uZ?IPK1$A?%D~N2Tt#3E#G%-P)C~{{wVUZG8EVINaf*t8J|ocpYMV5 zgR@M5Y+tT{uu{hba}@nLp?{B;YvMfI5nBF5NNvvFfU2A$CwTRpF4&S?rLavXz6>D` zADFKjg;&pQhQ(~!k(64rl>LlWL~1)^5qswD(5hFa^GcmQS~tj;-3<=7n0-bs2<}_Z zZoecB+>|{BEk9?q7_KGoMeYtH)t`Nbc{z|*^oY-SwIeR%PAXsOFjoq;JJ2>G8sy2p zsceQ;0Cw2j(T?`q*S%S-Fs=uDnIYDz(Ia=-UI-@#;$A-#1Hv83^$3-gZ^<3;C&r8( zIo)7`8~n@xSZ63iEf)PAxf^E9Zb>U7|3HNs9Kyb)8wUCTQf1%F8*dC5Kw!D*3C<@> zcW>pD*(YLW@5K$*c31in2r!s)i+;IZGnjh~a7XMRGEi@EqB#$a5#2gLloCR4w!Ii$ zp4xpj{ zo71@J*@Bb58!my(?Cb1JTAk57H1sGpf-y%PcXTT1)o3*zg-1#IUs$H@acN?1W zrAI^i7v@<$-2eap 
diff --git a/gui/zircogui.zip b/gui/zircogui.zip index b90a92cac4e74ad8351b7fcd4fb89445b667866f..0f800a09044ec69863c7ee3ef50b054144f889a2 100644 GIT binary patch delta 195866 zcmZrY2RPN=``6xkWnJ#QD0}N}H0@AQ5tq^~w4`CBBqb{+NjnV{Dn7`rq=mLkC7MQ3 zN#lP$_ujtF{XPHR^W5L_eLL@d-}9dLjE~%-DIy&wQ$*yw-9LGuh!tvjJ8)dZY*8WYT+K+ zTO04%QIy-}@ZQdtWmU<@R=X2fqdv7G;FC+KnftZA+u3HO>e8Fix-DG;=Nj+nw0mWx z_^tTfnZ+g{r~SsOPktIQ+;VjF3xeMuF1b$tEA!88TN5@hTGacBaje%z3Zy`tCAZ(E_H~j zy_5N+@%@*PYP~VD>%FeI7;BUrCS$iP)T!llq<&OFyz{gbXTqFruT{SBti00j`zmqc zoOg!}NZAkG#F{nj2|qMEpyQ+@vnnay=G>~J0R7Wd7oUvm@+Z2NTJ9T5mzP_=_A?{y zu`pH9$+WfY;fei?6RN*cw_UXRDfIAC&%o4-jVsQrk-YNSBH`HQjJKm?(@N{V3j@PE zF75sq-rBzC^2?`rnNK&nxCZ1058ZgSXs=1xx8Q_++epKJITvG<7B74EE|;n0dj7)x zom%NvW*v6e+4S()X6j8JJH68jPANa{**W!DUk2Ruspwgf(e~VQ==Do> z@RLJt)C~_5&<}#X&ySwYnqafajYk@1+IT$=-+E~I>&F4Fi|vKgm9oZ9+@`O3-fQ5! z{zk<)n~wEK=k`YToVd0sGd2y|rT=Y#1Zi~drjg-a)R@lqd#*YjP0d?WlerK0s+r$* zTW&VM}uA8jP9qKg&L+Y&iQ0LlDq8FLL90Hys-b*J!*i%w5u21Tr>-Po3H;d zFX5$gV1{yYlpA|}-e+R^carhOT~}nx*WXURUMxhSS9`^)mPH=R{JM*t96Q?jZL7L0Y@)4e(xja9y^K84#HI%+m=Y?Hn}1Ydw3RvA>Vs?S+RcI0UE@k0yTpgu-y~YT8(4~2%U`=4eW)gE z*6LXrJ%6`8Dc{^ByXEN5IpA#I6lD%ICB5#gThGsMj<678zgXt_jZywgs?Sxw^epN(>JDsX}S^aol`7J*6DRp zylWaCf5u#mGm<%lbLwOJbUV_P{9S!HtM)hUJ-F=MsqR3ET%N4~@#?Dsb=BV@U)8r2oLHI`OC2G5&HvPE(L^;rTf1e+S3)M3mNq+X zhU?s_lD=~`S@(>pJztNxEq?G5Jo++bvRM7C(0j+&o|=r;3R?!(QJb9z&PVy?bZi70(uZF^=UrTXH_vg7`@yq+XhM`U5t)s;&ABQx$zu}@sIRm|>_ zlN(`b?91Hy`a}=S5W{P~G@oLLE=Q-62An<=Q?_ig^V&oQT5l6x4pa#F3+-RNz4UI^ zoA&E7r)x%)D;Ns}MvH$wf6SQ@Ar)>=;e7Pn>$_q0UxNH*xpbHJn$`Szb=arukI~Yx zGIc9MP?E!*AOG7Rcm0j!ujl?$(!ciFxO;V+eFGKgv&{U3|wP1V6<_Lf&76yYS)m6cvq~D_=?=v|a&9?c!EgXR<`yQUpDJK*A{q zhxzP>W=nQ@Op@O--4>a!kU)5`5Y*Acj6fV)N)(gKl-$1%;gS1Z@-k|YH(M$oV3Nnz zAEVc70|BU?c zNq(q~N#9>ONi*2`dX6%OKxiyRXgq&PYjF@=BbLbQT&CX{B<_XfCZ%lAjWcj3-CPKS1H7E%H*RG2vDU252rFi&a>N=K917g`H@w z#91l|1tR?Srzno0LD@H;IL8ASe`%}q1I2GmQ`*9rG~DuJTQfO?KybMMUfC*HVQC{u zCLxo05o~suT1&uJ2_tBtVu@MuUn$&!G-zk>TYNT@l({_&&3a$_E%F>h8Hi|RY^Z! 
zFRex5x$@&l8Nc7-K@TiM34|F+V70UsF}BKoeZf;J)jxxU`Rjb5p}ao=mA z_}Z3D>#RO<%d7=A?b%Xi=9~c}iJ!p5g@Uj_~QMf*^YZ zvF$_cez9A!Q=~l}E!id`Q`U~rBzG(b74cYRpZ92`!NiCA@k3YjzuVXt<~*1i6=!S} z!dbp@CSm%$v5+_KzwUXgH9g?^iSeTRzsi@42{l*RK3GY9=X9^WyHRiF`!n(0T?-7| zM70`)OViZsEAT#o5`-!_bMibe&33fQq(zWmfn80X>RJ@h+n@v z4#y{FW=tKUT4lVlPdyi$e2ly??sj_)+!c7a~6X=x)82_b9$Z`|Z!jttpvCKaEDQv#}p;oZsE*nzBaW zOsi{O+NJg_DQkRU`!|zmDyMX&X3yLmE&N#LK)-`J{cM)O554y$yMzgiv%MWn^z@_u z#;7tE{;YY^@TSy((%@m47r1fa%dYMVW7E5{&W6csHrCj>c*Dd7w`(?T)wi!^Mm&EX zp5G{ay=jTzqq7S?7iQc(SFUq;$)j_+S98ZXV*d7$$CO^!S&G^k#Wt^4m@&5Qi)26s zwf%{r%4vf)o)--|*If7;{Pj!KKz3TBPgQ5v{V$UC%v`eFD%%{HGIBxFBKF@su5L0< zyjE~xgC&OfVt2Y6xUq5D z!5A60=_k*>Qr9S1a%GLx-q;6Xo=v4oPd{xf{G%AV*W+|=Kk%B!m){*wY|1>fxoG8@ zD~Ug{emws$U<%%51u}LIZ9b@Wy;Hi;!NAv%z_3;N8E0zkSXHxzAsgb6IFS zabR{aX(CEauJoyLWS^0-=DDa&+V79?^wg#f=gm`024>#6=lONXlr=7IK7Dq-`Ca>8 zgC|M&oFMPlcDbo>y9|NgJe5Fz1sT+)2C2n%Enc75VW;?~sZcS2)D(COtFEo;Tj3UP zQudr|)bQK>{!6WHmlqcAHkhhG|K8Jf_;h1xUdxm49~mj;pV>E;e0ICJ(YLQ%@ywB? zpgLAgTGO7ONB4fu=-)oWc3Jky-F4fm1`GAZWbE}0B;9&Nm^N*3%CqGvbfRxYq;>Ow zo551C)qkqXPPC9TGe(yE@U~I$^;#9wcT9Qxf|29%R{5IT*)&?2w&%;0;=7&pF6pC* z=2I7_g&lu!v`3BHQ!+JUbxTx3&b=~nM^CG~8S&|ZlrYlt#@X4mE8@N?MY|oZjbf7L zor>+1ic{U@N`HD8Y$ymzE`)g0^2-(S~{#nOm>$2X7cll^Z)6Q2$_C9-F{Jra1 zbx7ru^1YDG!Mz42+a!lG4^H^4a<@zQT)227`TFaNwy%xb6$1ifW3;B3Cr@2}WXBy< zty>XePsct6Uyd!AU;L$AJ0|>f;y{bsu>)rx7PYF5miM(RR(-P1aLX0nL(&s=tn2zS^XAz>;?1P-&Gj>HDvqlA>Q*>}7M^{!E=exVr9u^7n5eDT{Na&WW=g z4_)nGc_bv;;X}-igxaw!vuf&dZZ&7bjOF;=43fKQWxmHFM9fs9Jhi{GJX!w3;y8UR>MV2xf?`bf!y17F(zvp1f^4J+sdRo6o7KcJx zz1MSg+M8zh-j$mF&g0vwcUik?qEj1vtarUMtTPX*^G$DFR;3!ff#tUHPJ2hd#+lut zaybNZn{PSRCa1~goO%a3UVCp$$QnM;Fs{mpP}*1VLgHQ8-ZsZ~E@bQ0og&k)n2JLe za+0%#6sG8y?<#*?J{~i=Bepo^@RAmy&z+xMXQ^w3SUSluwZEnJW&>Y(ba?)de*Z+v zdC`~I+MWeL*9=llhc(y@W!!tK-Y9osmY-G9in-br54PD>$a!anDO?hYo|*Uh>sFh{ zsC^xkYtBR}3|!f~KiBu|qw1t3GCvo+8!?ZsArBUfx!)^{^#5W@Xs)mpif#Y6bJIuB zR@KIwkNa&8FK?au;McC8%bVIM3)I*CT0FcUOQ!OHen(x;EGdez(fiLUJ(kao2<}TZ 
zo8P-7b9&|Hg$H|7Uk#K^jAX7ms4Tj8qf^vxOffF@$BjEDFK+BR{qFi$)#}T(&TUurb~Q|VZP^{f7EFD*BHijrdu-7I>t=I-uxhpM{tm(MN_T_=WL z{Ndr`P}AW`G8oI4nsDy~)xG?Q${DvHU2kFb3hLmkTcaYm+ZSmZI~J=Qp4YXfL83s# zFm|Qr>K%zQ9O~VqO5|Od<+gfDKiWTV(ug%t;rL+UX2{p2qgyQt<{awz(%JZG@6Q{l z=Ac&fu}q_Oy71f38c&1OakY6*wO@tKnA4XV{%u|V+^ycrS&=f=0-nB|^X|=^bNwf# zimgq&H6wLq=_1nw%RO^TW`=B^kXrFQHEQFN{x9~i8XJ!vilO<>E}xb3aQx`y#6ij< zwds!!zWwc_JmA&qQM0M6Ij805Td9V4ms5V9v8zYS#x*s^0^`4!1`Hc%M!zfR{djtT z)KtqK`yYfRhjG$g{~UbMqOts7!L|0}0K@A0dz3sfR=U=ge7lyowrW|ay-W0h^d|;u z<71R)Y#du>CwFhYERXCF0L0}@lxmP&VckMC)XYx4jjoEFt^S9 zk=oxE^j}#7T4m}Yp!eW4wo!DZ{O+kc<*-^+raoIh4HbcKm2-9(qq1Jhvc;o zwQAS4HF-1KjxShAlQI{Iwu}++Wb}vDeaT|(9@-S8s#LrFrEZMMOTTpAgPmJnf2*y( zv!HnUx;>@)cFxY)ih@lJ*zs_nvaLq1b^AN z;o8!=ih}){N|iUQkbZ7y@88_7FSGG?R!>dN?63PD9Z^<&uuQq*%HL_@qaJE9@_i}> zJ@YrN`SN4v^rFPdYcJN{PIyzd@<4^&$;DDjZH)hv+NRpAAcdIb1qFrYxGst9)1CQZ z&-QsQ>X+Y^>kYM9zpi<3k(tB8cK77*W2Ui}im&_HexD*Mxxr2}KWE!vZ0T|F`LjN< zJo+3qeYI#gv1!!z%O1~0lJ?NEhNsRKg-9ope%Zt&oxSnGTE#8*^B;xz&6MrZ{!Fb~ zNeA@uShPI~T`C4`#O8NjJ3^Q`bxE?ZNh`nYW*&c^=1(jPyd@#W6p^N z$#y?|r#!GPRCwffa@FEo=^6V<7gjbM0E~Tu65)$_HvVb3zsfV(=T+t>Y5+B?$Vm2s zPEpA@*}bLqM=;M(>Ds>ACUu{Te=bKR<|NQ~PdbuG2R6k@(}aB)uodD#Mta+fukyV!WtH@kfJJ=CiDe2X`qC z6AoWd-J3ziLfG%0rGk#^`0Vy$)njgZH(9QVmU))v?tSfdMT>j(4mlr<(4NlAwjtYo zEq4)FX^IVBw#~nH;EqT9yG5@|?Iw&~@9Pzcb^GIT$7yQq&4kQ7%hvr+?_Xb7;;x;~ zIsX0Dx*ZNrUc~!rXBC7s)$fmN#Ok}XT{?{2*YCg6_NP<#;O=3a!L@6rW{0mA0}98a zhd6O<&paNwgW}%ma7?Kt`gvT6;S<8+>2azHb>x5--s78`S(1BobizV*V*>Y5n$<9v{>xH;?`}=vS#$x1DkPuJg)? 
zbvDmldaXV`m)=3W6Ck^B`u_es$G6X62AC#OpZslk^7W2V!e@rpl$rMpJC3E36zz7` ze!eqCJbr%V)|+zjVt*ElD&EO?mDE)~;dkdPbLkCtTI_Z`;`Z+N1d+XW0ymAGVHxkc zJYDy6v{?1$rmiK%E9z&pb{~K3oX|0H-9LKnf`J&x_ZMQ{Br3{;s5%~a{IjC5X6w)I zPdyB%v($F{7N%Y3&+lJ+G{e|^;Ml%nm8EUVTzW<>c(?A9jj`CLTj%h0Z+2$p)$c#F z?lSIL%b`%Z>HonjSG96p4VIW6;{ht zC4_o@xuA0G$MBLHF<;kCDf2wNBXObY>SpuMuH)LvzE@gYDE!^Tu+Q-A z>WHcj8~eI}y-e28Gven|EW&14`MSO&2F>l-`!VKp$BPFm2lty^K9&=o6Whc3+WkZ+ z!Ntr^lQnapCzatu?~Z((rVJK#(ff?VD~tRgw$L+Ls0z9JP#i2Mpe^8+^f-qn0HP z48y?w!8nm5x zqdzKF_=3M;6ble>S6g|?q#Y}wTzzbM7X_t?5D2*n;DqfAbzmi}qXWFNf;2I3S36Tg z9V#tJz!9%ue{B39qLLhe;0lE9YTE+KW^E9%h@?6ednk*~zqETrCQ004*ACbT5eQx& z($ral=TWP>+M<}ckj^ZjNzHTzB9_g8M@jOEAl;PCcRd&JjIho^Q6zX0OJMMvBbDo#`m-EvxfUcv4uw>WMGH!UTefD5z~B8Gxc{9ZgV`7bJzpK^!}( zpd*D+Uslq2D~?DzIz?vzS0i3BVBd9g#>^(Umvi>*veY6Fa#n!ic|2350>@K9vY3mT zj-A#dV!h$6^~<0;mq>!TL2Vllr=TN)JzTD{1@))fDxEWk>d~0ToTa7&!nP|wNLPo2 zvDWIWF-3GM%GNQ`Lg1bvotwgw;c)oD)OZWS@dgOJAsg}xuRa^3fQ?_*`5=VQeJas8 zC^@O>W7&oCqhNUcNb+o|Jr`t)J+Ic;iTYv5EuC6KmTmsxx2;gt6+mLqxS^j4cIF4k z0H@zD{?QFOJ*dEtMx7OQhypFYbT)AfArJ)Sti1B3s1=ri^AYIKwYmRdwN-rym1;t_0Fhf@B18LXcue=< zwoK6_e&fX+2bVV!|@H;nk$n)w0_+g7n4=jn8>Qfn+nII{^wX4li(2gc+Xvd@4|ePd@y!6(U(7AxNy!Uq7c72<8Z)Uxm&t$k`Xj`(S#hyptlO%A_#3Gl2Jml zokS;u@V&LnNII-%cV+$~G{;)vh&lYifiw4i;McYW;;fYhA<-lQ3^G5%FLGR6JoXYj zrFfZz!*5PWZ#RUibO8;Jh(rUdMp?vAN z#7ijrIghA|$Qc>k`{xT>lR#cBhM4Rb5}aPFCz<~g3vjV1Y7}dxA0$X z-lszm<7^fV35;p2a$oxogg{jaf3(%&c(!SxM>6~=_#4_f9}EmzDMA%@_&dV zV0oP=3ly#qUmzj|ul=hGT#19%iC=j^=N6>nMtIO~6V-ub36Z~O;&>RVgt(T!M04Td zN@5v*iN@ih<2My7p~a!fz*!A?7P1IM(PbVIJ5YG&DeAS`c;xCVif6#o!0#Xov$&+~55aOV3&j6GZ<2m~=-Az=NP zNCT^zf|RlLbNUM+c#Ogh`1)e!>nX1(JR%(4m{rYrY9LQI^@##nbjXyX+J5|J0Dp$? 
zX9Ry!;cpuJ8N;6m{F%a^8T^^Up9TC`!k-mZ+i(5Ofd9UXyD)HPY73F{|IJhj00%Vw zo5GTWwOe5gY*Qxzel6g_(NjnVP*`4zbQOi~Xp>H(aD*<&nBV8%^w+>}Susq$bRp2J zO>zP6p9U!daXnHguh8Kr&x6lZ)j^a9;EjBHX>cLnA9sc>g{p;DFgz|8?P~Ru%j)Ah>0#F8BUqRiCQHd zaS)bqe-Y491k<0hfmDb3%Opb3-}fU)U-+v4F7j}8;U*hMZUZ>c(0v>&k_<-LOk(lZ z6&yuw?3hb32#F$j;NF$NZfzm`TUWSB2S!1Tyj2Q^=PPeYw*Vt?5S{BsIE}=y@@SGR zA~k&7YUvaxbuo+{42gF~5D`R>Nw8(#LCQe2|FDyEmHVnMC@-3m}gC zdSdDZHfOtL1rs)P{^&9whZ4 zpiU~O0|$Aw!#2)kauD-5L=sj-;J`B^KY0YMC?*XeieSap`SIb2#^#lfhS2f37|cFi zz?MN2riViozwzG68KixOb;$TWDGFh9@jmI+Btb){^k0Oa<^d@I z!F78`YCu5EN2L1*_~{X;4gpJ>NcSc+Y^57fx}5Y||r204)n69_m7c;yH8&s?^>!olcn zh^x4VCb<{U#DT5nk7@!*fu(V*N|+CRp^pm@;Adc4tA78R^YcdI84uR ztA7t^a#exSUAUb+DHc2plQJTY@=sB4oCE2>;kO`8xDu~lf_zP}AQN&kg0u6P;$S7j zIi|wn)50d}0hVO2JeFZWu0s_Fv?2dH%fXo|oHmub3kh2hLafMv+>S8+8dleQ65>=V z@)SsOAe-_Q>v0lU88q3Dl`#zlIUW^ricQu=>^!PlTW|!jNLA!D$^RPa|RSO&09li`uZak36dIC2USB7!E) zlRNlZ1g@Z-OJoLr=YqrH3w@t^!o5b6Sav-Ovi@l@5sSD&UW%ZIcz%hy1m}Ui2rqy* z4uCjPm{}3Igg+a2Mii4Hkl^?x+|k-CMj+J6@jQ#W21KX^>tS^zqDmp6n(i30OjbH~4gu{F}F8;$U>v^^iIR(Z|CfThf#ECp^A`CR z!td{G@|Q^v`+0{f$}a>s!}sg53v$4pTJmgQsRIMs)lA~bl!ND&@{@{vlZY5Z%tsZN_W`2w);e4v70Fg@{J?@=oULBKNqgu6SqgYjf@QGj zp9FX(9aMU23PLpgDWU&~tcK|hk{$S^8)wKX-CSe1I>s0T%l=nbc|pZ$hRAPFoeD#vP_tl!jQxW3{4G|z`Dnv zGkG!O5^8-HAZ$$ju@i5JwhMDNli9|>7MR{RTskI6K&LRp4X}PehZp`NGZ3k5&9!WO zNX+0711MDogNV}+YHZhUvNj5z`a@Ph;i|vn)c>C+_xPR5^SBVj9;JaArTzaj_?Dfg zM~x_jr^jUC&z>|2^Ax9i;UCO${o-Ond91?U3P6XRKF5el1Qt?ok@KEIDME!yxls0^ z@DW$aDFg2J2 zoan()*u*kQ9!hv>1x1{{YH=ACt)_JFPq%T{rDn9c0Ww+v;yDx+*1nF?hEi9CQ^ruZ zVk1Qq<#uWq4P|_FBo0^QfiNz69_E>ptzo*o;^W@ErP6# zD2B<}Ts7yB;do#J-G4bwjk;TMmvxq+&2|AYU3M&R*ss_}md0D-_&0`3L% zp^Ccy{ktUh-!Y|NstrHExB@*wsp0%|#^F6N>M}E6I!l7|W=C_Nc!Vm635QXA`8mub zS-O(CA7wGThPsv?4SYQKRcEsVYyg|YKpl~0i=A3Wox;Bf#D`-n{r$pWuw207yL<_y z5!5~WC~*a(Mp928Ivq*YinoP2Il_-KocTI!-b|f=>Qu9px)Oygqp2O@yfqkSDZ6j= zR&mH85eRKz^I7=BQB_fr4GB~&6i!d1=Al|m-%DMLnw^tOjpH}xxQLclIX5+-U1x;A zChBPtPY<_@ zbx;dXKJneu1aw@sm%0%hPkK$g%-=k6{mpz&jYB3p?dIk(VK{-x;U;u8l)DzLKPhXV 
zOO%JH63EQ4lFA9W3iXra=f>J#c;hrmy^e}DAEPo*uSNc#u0U1k{Yl-8WM|1b+DU$= zfoqo7zj;guYEmi24I}7S548vurTuFvxY}=!pp~O6t)yu!s0vcDw6*B?E_s?X3a2U3 z?jsZ8{rOynG8ianG2VnYsZ4u-1V!`i+0FPAgc}XK09b7dmIFnRa7R?5M!SoOJ)}Vk zM_~y~+DgQECb`?@eSm!O_;Y0~WKp6+8%MG-#q3_}6^QZ(gmmC}4^cq(reK*;J=!&t z^G$u45|aDbpDM`pa7Opb0;L{jGalWy&B02T0flxKncEfCQ?_7`exNv9juoEQtBg9L=o@KQ8C^{pIc9DO*$(;e8 z*U>^GCnZKD#(%1WQEwq1EL|l^fQM7-X7A`ClP20!c=-}|LltbR9 zK~SHgHE20Rlf+uK(*&mVft@rV#A~Jv!ahPU@XL6~%q4jiLsLW@|2d8phQa~6X&aDa zcU^hIjtW^!@aiL%h2kFCOq3)riS`op12dT>P=b5*(<%^_F_~s9ryc;YC-<#H8f{b+m1TgM-*ekVPK^0!CE;v?UKq$ zNRALs90)n!<@7&1-3K%;1g~&mJlhN6$@0rOA5Q`+e@OF3t`5? zmH`pGueHVEAJcqLqdK0_+EJ%fx6<5Dc1rEEfA1J^cH+BNu8@L{ARMHCwG!P9%xkBK zV@cgKWu!0Pe_Vxa3fJGO;&{5+VZEJvAG=dgWvePM&~ASLeRao}et^zS3SI4FtydDY(Am{GyQ% zmaiK}V+SBhJCNQ7H#3l>3?}-QHilH+a`JDfGPr)~Dc~D?GaN?>#GMXS#^wvrt58{* z5_D^XckG9!m7S2cE>Nn5eG^WHWk}IKBC-GBe5vLIM4|Ay2QF*#vv5UtEJOcy1b_$U zsK{SS{30M*jK7BCNm70muHmBcbS#UjrFR^4ka;&+QyMj0jhv-$wn!RH6TS zbAb!M9;?#--O6y`+$r=zq&K)89HG1p@(sk_oSFkCC%Pn-PNc^mYea>=wwx!>FK1AJ z;sw~3h3eCNQHfO~`U(^_qtL&iu(2WC5lx=RX>>Wnvi5KGUo2s|8-RE!(+*T$f>%jT zOzC!Lz9?AGm!T|nSkq^s@LfB)AHp(YQG<~SG)kS<@NkV zN!j8_mj)*b;aN}0Ec(AUxZEH;m_uKN@|o^Jzk`(B-!sEEFra;~?1pTCtIG@z`aBf< zs3#p=wDj#)HfBNed|qLLVpXu=dGs?V$uS@LztbeH2D|3d(djh4Ij?6XWHG^CFFomU z*attl2g<_HpMDUTUd-wTcUHjER+IojW=va5c`T?!nlfPGgzGL|Lg62W>6;N2GX9QPw$OkwUUz)54%Wiz zBXlZi^WPkLHxlBZ;oONBD0QhQ2oYzS@zlfW;l7x93{JbrI0n>5{QLrW2T!U8+;72x zFL#3e9TgyViY|xHeGVAO9^{(OJ#UD(1M7I`8Tu~-g{CLndLOcO10!!?PXJNmz|d`o zcRiopjIvI-K+i(WpH@IOLh`0~l@$Fw!wR9nr#HpUHhQdL&={J#vFrhi2 z!Wpvo!kgv#FW`jW+!L%VW%uci5yMVoIalJd{0xY+fQ>_Q6aC+de69_iPw2%+qQ-0> zHYP&>@W~mzWBKzC&Ybzr=&7igAD+|y-F@`XSUUwDDy8Ip`Y|#6u(u75hsJpr4TuWfD42a7_(4*UP=ssv*1o;hQKtJ zQDYoN@h@sH?xXT|YBB_lFg&ywfhc~lE+Y)>F!jicQz-pC3d04(*D_+LqcCk6Ltq;a zZ_Gfqy+gl9*~TzuRK&T5-@v>J76VIDhK0!F`QbN%bG3adFyj(O5Y9_x*QbE&|r;Cz$rb)lTnPSqvg$*kL3T+u7(G`Ft3H;tYXMu8fzGfQNyFxGWrlP z(iS)8xWc#4Gga{O5nJrcdPXo>&t$eTZlUBaqZoIP20&s(PXPnQqm{Sq0Vm$W0`_q` 
z!wE6=%F2mX7ok?~c&F`CKfrc0W*6fsqPUQ&l@flw@P}6q^glo@n`0TX5lMMtURkn` z%PIcO`fof#2jSp(v-rqUIBbq^Shkzdi|X#NhvARL{PI4=zfXd=>3Cv4L*U+|@&MyH z8pLgf7)#Mkr8|qEf+oSwBZ4zBIG6DYsk&ZX6IsnrMScE>>{*5~cKHOO1648Y6hmNd z+;(?y0m z5};ESvSU9X$#LEy1i4B9xl0TQY}I9k2!b~zAARHp#9PQ)SFLgwlA!1-?EGu5GJYc} z9JbL_qC&i1VB{=ZFj!+Sb5)8NEL4TX*BFwhZ`a&lL?Y21aCt}Qhb$N{ucYu}Qv5oi z`y1@Kr(%qcC?oB1#tjs1tzgKbjE5>2W(eckw)vk`;l~Ll6o7LNyip3RVNBzH8i413 zgmJ!Z39NDy3H+|h7Her>+(A?3_j2t8o`^Htb;`fGW;8iT#%i?6% z={|-dO7fwfVT{5$?-}UXG4|mDL*Sr({4-+*BI2mV+N5e2fG+N&#VUpwEr{OtogY4m zg`?p>ND`j2Lj~ZMg+d%L?By3mB2rzZhuIg1KzB-rbI(eFlQ2gVJNK2LjQX_pJL4!q z^YlgWvvT-Z#}5VG7UbkOqXAiWOTw9wD0Q3&vkX0Mb(UfJBk0&EC1yVA2X9rTz|B#y zI&%v;ZmG!(MNXgE?1VNt1J1Nr)>w-+(;vmOA~Lt4nOCUC3_&&1q%eJu>7Qz4XuHpj7=qafZr-UNOw#ZkZ>Ph;*xP$)rL4!c7XP2No- z&I-#iVJ<;Xv^Avc@VPq3+a++N4N7w)Fs2z3ovW#g+!#EPUc4oP%PP)-c@SacwZ&pK z-lGCU@jo(9@n9?FH`D<^HcSsBh4f?VSK@sm#w%7_)+2VzT!i&Z!{D4l5aktkWdrkw ztL1SyjwIIMz|2BfZ=*8TqrM-cGdq#Jb@w{UU%7BXeB+4H@ zsobTmOmvHR_FS&lN2rx0|G*rN)D9(%G}i3K97eTj^kCjZ;R9ZRxg_nwJdM4zujT)K!LrWp9F#*xBA1DOIR($+yt zThx2&IWQQLy^{Yiua2E?l50qSx&WpZ7*uvX|LOvtewndM z^l0Gx$pj|K;o=^qz-5R>60-o&r!<-Q3Gv35f$ZG|_~!&3P2u)_m`w_^Lwa)6n0Myp zYy&9&0xv&@;inXsUpCVQ@euqzoxRN-sbe z9Y4wRufxldMN8-BW@ z&Fk;Eay}WssrS2(xd7$6)@5=Oo1~pjaFtDqDTJMVK*PBhcWkzEZd4R1$)}YT!@5b{)g8y@TTJ}uftBW z;wWL!olGjKL`66AD4In}Uo*wf@wI)-b~GEj`URB^ddKWT$K5}`te#B#uAuSA1{h@t z&>IDNw_Bf>0=Esv2buGbSro2SA2u5*>?n%=^#OIjnP3tzyJ02=)hO=^a}0%Z$Cyos z#5L*nFK&lCj`0>KD;mtJq94p8l*DO*8HB>;e=~a#xFn5r6RDQJ*VJ~ufE zMOb|ZHWnk!T8+ZPlB@v4sA9ved*hHiPK>uPO_yegp&maW$5P^dAI5Ds%e7f5$U^CM zOZG=AyjKd8p7aUW$>gYG#(JzSWJ$yn3|J>nJuoBI3&b(?S$p2#JCSd^D+sP*o*A>= zAt|L)v_s?|M1e0=@LLKT1yr-)lu85&<5ptl)WQ<4zP!}mHFum*I*GkYYGyPi?t_X@LTC7cvLW#1$Pt-78Bv`-JMzW z2M(|0O&cpmmK4^{WXYhu{mEvzq7LzJV#Om8PJ7+RoeEbcD!jbJ59L*6uOLWRMyK` z(~wZjOp$HJJ8u#o-C)^cC&O3*>xcD9)_nw9ced_B{F9uS;MGm|DmTrGGZk}R%_>9n zm0imccy?B~j#Yt<$8KPKKv>q#{!PKp+m*m81GYU@6v3K>V*ie0T|?orO|0uknryyZ z?hpv6slvRu4K>mStoa;OtZ@q~1QBBzb?$mFM4XO4U9-m`qF7NV+u?1jas+!-sU!iP zAmd=B 
zji6q*ki&{YVe4F$G_t^G-U-~%4MmvpZ>KruSW=++BufHx1VO_x^H^_CX|X3+T8KkV zkex~R#jYxTv1<+>u?+U+G)v%Bm&rL6`aYBT+P~re^x-vb)`GMUjyUFi9v`g(7iGwo_6`f+9EK%bGc+_*7t7v!lHazX3=0^0xGFR0K1V;?8Hp02$Gr|%_1#(7Nb5OW&jP(FX*|Q3PMEo%PCVyAG znIi{!H^I$I%XgN*Gf2&!tU{E}<6kWFafNVBW6u-FhXP0}Bq{v+p8!^^2B>E`@lBldOSx5EOVpmlq%&eA*75^YOdj9s4=T zSm|Q+6;#i40qkx>fQUas8Gl%`oM)PTFk1@brNEuesikZule2D&0H)Nm@AUFqDKH%0~B7GfGuTzd@1=UWRoYgc+tB#-2d5p&jrm9ET|IJ`w-U zNM@8w;2N0&Grc5XFv?qr3U(&l~t3PkxA04~n0wa{ym zM*@~@_ajfhY|P_%mn%*t4O;SaJ^L)0#c>gA^vv+L(%wsLkoQuaCDjpZabS@ScaTb( zpmUMp@?$fMCIWYFWt$`Ac46G{Nkxuau4dT}hY?c+c=Ni=zO>9?w?5hU3^K2;Q-WS5xt;({=p!z_=en6WB9R z+pi|Fk0B)QZ@YD0ge1+pTc;ubLzI^dLwRy9`zo?H9;|I*9fx?0{1yzygLx^7ola(- zLHT70$ReS5_;3-hbEi%~bRJH`d)keIobSE4g=N${+(y^>G_CeHFCK+sjw-Jl8 z1d9bNn=Pxq+b-@=ttpQoGsRLm3U#DP6n=P%JsUMjtAX8s zj=#SP3mC#L^1fjAA@xvjR^~inXCOK*)!r!A!aozX!6KU3=xLm(I%NXC=^lc! ze+xw&Pbt_qxWkM#dCV5L?~ZsPC|B|s`v&6Nl`@NN1VBc!fzmU!6DI$Hy$ZD=_9gq@ zANk;Jd|7Sm%ZQennio*%kop(jlTb@>%&vny7r`-`w@Z2YBo0>F2{Umr(-e)bsLE>;(QPpGshN- zc*PDujcI?)K8M2l`q*N~va4<)zh@P!I$~n@Ut-|;R2RtH;1IEqe)f8#kc`buSoa%> zslod-_;TevTVM}Y@sa%$!3JXw7veVyOYu5si#-`+FGcf$I>J^*CyW0WI|m&f|ISWC z8rvnObLZcIvS;G0zAb#n3QsGZPO#DQA*H`gmnERUt@t-HcG#QWY!#H@-@j~u2T8Al z92cNoVT(8lw2cztj!|f(N|JHhfp+3D3XYX1{}v_3T*Rv(7hWvJ?~Keu505z6U`48q z0y~m%bw`1>%rs3$flq{cv>XM_!Xk7WbC8G!9{!VoKh9ZgwvAVfZ@FPr?kaaaCEK-&K>OqYe?2uMVMo_np4) zzV(w-63zrjnj^V7Wal1{z%!xbey}`L&;&|wF`C(+KCKDdg~Tsy;Wt4NraF6Jumsn9 zC6&(}NAqYibvh#UCm`6U7bcmFUiUd`<}q4`<3;+-0T-Kj0-{9U+LB*b%Ie{g)A+g| zLUITh=7HlE`t<^cLp1pdzUUAr&bWbOD0<7WvLok?hewW*ek$lUha{4D7*H#dY({{0 z0MM3Chh9pP|_aTUP_eYGKTEjM8Yh`yF^QviM=)ktj!Sj)v=s@ zf(Epgjfr;`Nf@y^4?ZTUg+z*;v3gSB=|^}b+En+9kk^t`)3w$Ty!+$f)?+P#!Q{Ts zrm8K(wv*ID)^@^bdq_>V+e0_ZlC8NgE4tEw<g{15I~v84M@Y6{=jWdyDT72gaDVGuIv$pz+|&{VrAgF? 
z*ND^$+x?-ndy;oc6rsDvN|;?Mk>lBRE|?(cj@!BKWC;^BSx=P=$E?jrm)Ih|JE8Hw z9aDgnZn{FY5aGdemOL#(;)UVY&yp}BeUCYkqlkAOzvrHN0d6!+1;EgnDPeX~N6nKg z!pyv$&$`TI3ne(`u1Z)maSotCk`T}cpjnWE48j#NUAzWMhB*>usyO4YM1vl;UN&P?HF*363^X3nP%`=@Y`VW|iyWImu=${iIw8Qp5x~|-b-$xS6-d)rU?z%!*o8K zGbUtC6*_g%tFS|g`j?quKenm}Tq-^ptdZ%e#>LMCV3FG(!~ zz1O8tbl{)QnUMoO!6Vf*mWHCPlQiCXJRO(H=+{J(pGiE))}N5WIBX)7V9i;WO7USX zlO|RsH1eycS4(Lr6P*W`Ne5%<4dzljSKd^v>fHuF4Z|;lSR}W!)SP&j#Fr7$Eu{)f zcg;%5#I#dwq_6P(G&?EdKo>hm{qX(sj#4HOvbCI)@p?;~q|9FI;m%SfdTi<{osaQe zSClgL*27)e4d1`&A^m{bBBlAei8M^#A$pmZU}+gr(<0tpsO-(kbCHb4wT+Oi06-*gw_WyQl5r%VZ`2B zT3TomENz4y`LI0t%rYJG#Yz-8r?sRl z(IbsM*2-BAkK~ZpWNDa?T1SeHI@r8!Q~A4aca5&o2q_VuL)6Dd)RQtto=lIFil287 zb4JVWe(ezklE4w(5UvPXiImaHTAB0_8U_CullNs8ysHAO`wb;;9pWv78!BK2y>M|u zDN|Kp93{o2!;5ZwJ3SI!xPqos!{Eyw@eacF#?mzGKQgfA@peK%qEwEBY?Lg;CuA%>{G&l{AXy^v;Mrfw41-w%r0p=Z@gQk+B*7!?sGW3I zk{_KU!F(pm8R`~Wmr5Vu>&45YH}Q4a3MsSf(0-MaDdAkOMw*Pctg&gfbq`>{ zU)N+p^L6aFcVWGB0@hLIP119Sdcl#Cr>S4>EPB4gEmAZ5^yqEiMGQehrNQUM-h`){ zitkF=A!TBl_+8R$OkH&kjJZhioW0VM_&Q_1v^BndeL(7gtbNVaY1Kx++YS-qvEZ{? 
zWJ{+aQ)#-O^MP4l3qwrFwoqvZDF}@(C)7SHB?!S`RB-F@@Jv%$92!bygvDD5ZpWlk zFq2zONSVqJ*=cD{1Q9;t!}cG*#3Wsp6W*MaT3~A93(`+mgkQN*98tb=UY<{@lG5oy zPAJK~1YyRlI?$;;T$D~kZ^>yQl$r%^$rVM-xg=%Q!FykUZh#aSeM9;Uzcu!jv@*U< zxeZ(x;`xTI$EVO!8EzYs!(U;pVNoyMW=-;4X6bR*J=T|AyANtWuWbAXG>fiZJdrZ9 zwffJcUoi^}{$=B+DKDj2$dbNf4ANErf#IBiJ}{X}dM)+G)LCz&hmd+kH8Pb9fv0DP zvEGXJ>_8L#5o{XqX7gG46TK_KO=3pF13R6Y7Gm<5F=g1$E+KUO1cyb@$mWzBy0Gy# z=~fK5@4J+#RytGw_YK`5@>tdSw63osT^k4`Ny_;0!l_?UT+z4piI79HO)0Pg19rTp zK9ZV|WM#Y!u~)(SrWniciG71Ak4{g6hu4V=N0*Y##oW9!l?}#C(c4Uh_n2PqG+=WU zP=6CsqAe|COdw!xCCk8Q%dBP0%3d8?8Iz@twwK{)>))%FCoKT<*_5|1@;nOImpICn zB6XOKSXp}sJhGY=3Wf=l%E_3;@f+o3%p`1C1=)E-efYZFO*%l`*I5P$3X_!<_PEIU zV4iDKlrd#L_1$I6qF!H5SqH44JZ~9O&NHc!>=3@++)wrp%*-9jVUDgPJR(8Q5DAi@*!q6ZYlaHzpEW^tlQ<^>Yp!U~+ z7;lEC1mw-ZtmM~{G5zXW9T}5;+7lsLg?ftTp;5i)dgLx~4N%)Ez6^QO3PPD(^<{WJ zi_o)ytQi(DTPkCY0ZdcK?qEK8sAMnjb;pJ>CZQrk$rADXz$UU#jNhx7%nqd(l1?Uk z8vuMZf}^^kWVM9D&1Iu7dBa#)D!$HZA)AY{J&A2)pYi>^?PYOD4XrNse9#Ku;Y$t> z>XD325Gc8JlC{SqBRk8ORGha~wj1BS7bm-cAb;cyZZ#ELIh;W0BMlXPb&)N{@~!VC z8;`HUd&+zewdn|VH(FpANE4o+!qVO{rnb52FMyC zhyQf5q{#?4#-*FJxa#>fA>M;zc8PZu>`z9fqH~J&1;?+YiF`P(kA}oQhs&7MQ}dB* zze*h~i^H#do+9gwh3-6tRiWEB88hj)HeU7-DJ9G~svLsz+1S40j|~Sv#0a`?tp*iD_=m_&BPG=JJavVhYG;0=NIlhWi}Sy_nidYLR3M;!jEWYPFKWvy%nzOJ`X_TLw0b!#Kbw#a&+zuV41lI;?mx4M!nJ-63GXGf&EJG1jO% zr9W*1Ijm?sB5fWEa`&9foSdi6J~=JJXH=}oI>#J6u{_rYBfd{{}3s_|2l75OZDj3n^h;9iO$U$bF4OuY~zGWq42D{GU$g@qmyfdXJ3T zFa#L-mVH*Xf>xMp5f_n@M}rm{-IcjwE%v@AYlE-P+?T2GwaY^plYO1}NXAS)Z#|CRlGJIY_?mrDI&j5>1!gU{fdd6!Rlbaj;R>sV4lHbd|A_YdY z{d$pBza12FYd~!y?EfU&j~Ph$0@nteY+Zj~G~G^}s*CIhkd!9V$3at1|08gKc z$G2()vYP1CrK?C!tpuDS;=EIbQ*Q$Jw@ts`>-NY@wZ`%>*d|_-f@=dmSrO-8J1G4a zuee3#z08|r8OtGNma*yZ|erEh^9$7E3twjV>)!9^Hbxkg;k*%AY zS?o^skV`Pzd%Wb`(0e+64SLlEbWl%RTZZ@82+6+kj_8rbt>p7*3Ew?(_zWy|#T7s| z^_T$~a;qZ83n%vy4{W46%|7c2a6*J7{&Fd5{d#wN@4tiFupuc$1>ft=0KXPkP0j=| zH3H;#?&4;1&67?HGj$CuBnQe@VU2p!lr!u6*Mj9c@%_1>a%Sh_k6Q9)`2MRpawbFa zIzo<*rj>bL;AVH)bw8hT0NkWhaoTYxL@tR7m)ag5y9l%EVv!sP|n!+i$-$hjO4&3avTOs 
zI9s7sZ)m&*x+H)gX(k_zns&PVl*=@wCZQu!nDDE){34d-daRtOPK$3P$7e2;ty@j^ zEstb4VLM0`Lh3Do6re*J`C{}2RU_YYIvsc}ddUy%pFT|Ba=)Dg#;@>SY96Khx!Fb9iKcxMY{J9Ax`i|E|CNq{bMQ)Bc+m@xIoSX*2xRyHB1fE$_6c>yFfc7>q-I1<}K6^mdblzm2_Gz4@4x}hulo2n;w3M z)q}aKjj z%iYC#oppkoDFhDMC*OjUJLaE@S7rh*9H|@uS;YmrU{DM?AkV~*7Y@l?@b%jqIdeQi zv!ilm$;tk>99N(ZQ7w2xx7xt!9L~q z<*=alUdWkAchpO;Q>6BNujC8ywdReS$qn3oE1!Vx_jxa$jIV!wkdMdL>7V4O$ci6~ ztJnWLi0lj^L!r13`vu${dVSq*awZoY`9mIoqp_4BsWu72#cF5n6bsRg<>xTzSUB(1*xcO)%BxN zff*Z`1qdTG@4+Z{vyFoB5PjQ$9T-lS$d-R09Z7+iB3wxBpkTs^dmR$at|*1yaH^+bD83)n zo3&xPzKUV^{>((hQGDGwS%Ft0zO_&Bqk+&1T~8H~`YUGRr>zDmjv&okX}QrcfxKNC z8BAzQM!r3Vv{a?Rpd-UDch;?r|0_Uju8;hNC<>6b?R(zON)Ay6l<9ak_tEXGa1$Jd zE1F@K+G7;-D+6Lqlax`kYqu8>-=rwUVjf4NDF))}{4oj>ME%t5NJZKPZN;@U$#_Lu z{PfZZ3T8lTGD*Q?Ty9NfZ6$H4Vl{3L_vx&=ch3O7YvA2{OMXM@11gF$%=C9K!`wVm z5sj33zQ*Iza&j<2R!5M{RxpbWi{~oF;#GmF3lz8n&^N<2)Cs^H#28@r2Z#Z>EK*cN z??3eB@C{pd1WvSt>8EgXvBC{Y|7?kZIl{NuGQ~}NKX`@WZ+vaNN^t^T-(0Q0MR(SD z+EcW%O&0ya+qJAUrLR{E$JBNk3k`mo6cJdrb+;-S;_E5f72()U&hAot#dzlh1rziy z*sEBJ?>E`cx{gx^70lA0CR@QwRi_+Q;BDP=*FHEq7o^)Ks(bEFQ1{WJ3cP3X)b5*8 zu7cZ|NrG3&LWSkW6)%w~*0vq5E6{Nl=Pdu6QuIbm<+v{-na1o5bot7;;R$xatTPHN z7U0`i1wO>uwN9rr>i*Y@c+)Q^2!1*+k7=CyM{GRl92d$BXth~alZ0|Y+rJeXF^Tmh z1wITdw)E7<7eFG@r8tG@SDa_1pCw%32GSc7fl9Ot+O zTQ};}8np-HyFt=kfP4@0S=-(EO~D*?kyHRJWzhA^s>;;?Kpm|AID?7OeC`{irO@XW zGjQ+Prewm)1t!YtSc@Y~l}ubPqKpzRAN5>P;XO5(0d(yqjKou4?CcU_uASW!;-50*K_NjU{!xA}SD zRxNmXfG%Y%L^~^^@Y7i?${gJ2J>8T{Kz`ms>5kt0q+Fv?bhUdf9jn5Gn%+uWhxt9# zYv_HryOJ&l!dkem@-2Rse`VzXeEq75vMavs=&xkHmbbLJlKEKLwHnGS{CrxF(hu{# zEm(=i{&J@GYJ320U{eL%y?ZoN$wapoYblRow54^F!5Hm&gc94co2g4GJ<$_(s?p?c zT~9ERKJ}qtu)}De#LE+xjlOJH1`KQ=_iKQ%9!Ql;A;mnovK3P8=@nZuhr`n!MfVb{ zQcgn6Xm>s9B0U_?Ld=5xR4bX#JSs|g5)0$fMA;IBn`0+Ts{IkLCyF}))@*C0#C-2- zu4GC&(qff()x*47NIx&29w~a(U#*m7h*#wVTVZZXWo5+U(#^TY>3FRY%RAvYoYw5t z$#%|cxEm)f=fd66!r(T_MVRf1?UZ@;swjGr>(d(xEaPhqZclV2N zQ($N1YjoFaf#*-!XQ3pERw%`5q0br;0ZZFuqu zM2*rQ-)Q+{c<#2ixX?UaX(9CaOF0WY((YCbr#bMVgJP;o(OtO=i}b1o*aWhXuf3GZ 
z5u0=0oeNI}YLz&zOC6~+6Ylp>j>Zr@5|z>TIy*^efqnnQ{z@i}@E)XmgrBz^qGYC` z*29$R@%`-KN~U(W@kr$eeE-5Iu?h5^<5-E;yl#uy(An7D7??TxK%%pq&Cgp1U`d(X%Q0 zeUa$Pmt_A-7l~X%;~ITJ$t)68Jf&=bUe)PhdE4vo^evs|B7rIxOAek<;?MkSyK?YS zGq6@TuUWSp^xipTdxY@d^nNlCZZ8!#r;g55E<*0!WbVZRdP>siG9>sfSo(ON(Yx%9Bv~Z@x06K&H}i%v39HfK7OQ5LJ4)sx z@fr7&&bS%2K2SR0>)c05=1ZB+o+xeb{h!a2n~|p9-6;EkE?#(xOWt`8ls-iITnVQN zHcc=UO8=|ugqiF065Kv&bGO$@W;%T8jgm=6lz*pWrf6+HutCAhPvEo=UhWrV5K>j8 z^z|VHP^sI4E;)q>%5O?*{PylG-A{OfWA{GWl4mUrJ^x zcdW6BslAz5O0^!PWHz=p)6zW+YH?6ZHB&W1%DWZd8<+=opNlm!jut8=eEx2!VscFf ztyN_)|JQ9)zQ~S7%!pX@0i^9~Ok$-FVae@P#`y834yya;<@u9*%DRKuohNZ0z{PIu zkYGxNwgW#qv8>7mW!2{``ugD+iSDhaL*7z-?NexVUh`#s zN;M3_A84#%@-mZ~s;=N>>Cs%p%&E@Bs+h7%X)Dz;zQoThcGoft7Uw^~v7mD%*_Ep_Qcdb@! ze0~M)eit{Yr}j^9spcLoknRmMDb8U!c& zBS$`Yhzg%(H*!SuMVgbHE6yHj4pWW8Xa|R@@WFWOi<I zL|@Nlsdk{3P4DeID>{zkE-Ewfc?9U;%^dI^NYPD+DhoM#ufObk$BD&3IvU$i z;OrYLP%#S_c?(tZu;#9NGDL#re_9qrVuyyk4$i7Ckg8RbMcg zX0>WQy57B3#Uv?vtWz;NXZCGSF>8s3HmR7L)4?sOX9!N%yiKJ=y*=(;ouBlujI*LU zZLw2T8>?&PZWaD8(Z#2-sCFPqh8UzK?N#+gM&wi`?Ry?z?bBBQd+t{;YrW=&R7@pZ zOpfXXYQrvTI;xigxK<2H?@ffTbodd~8q9sQW2#&D+U|tvHsZk5>s$u?JgldFU2E{< zgtCJ2l!{qJ>T!m3&z;YKnH%i3ck;{mBY}-Y;&vR*sR`u;^#v6(6U@t1UBzr{y{H<3 zuWSCJYKD}2e)ja|&jGTLE-^)-r@_c~?y?H!3j#N`e7X@HIU}y=+Giw`CO4;nG1^~K z;TpX)XRfPIy!H9kke4)sfZPad{~$WDuhT(sp0`zdFh}?9fD<(cIYoQ#O+TQ^5vRLA zXCe6AR}DswOiilVwmUqcA4+NW5FS2I4Z^7Lk5v9BA`^y{+w1@&*Nu@E$$g@#h+sc8 zX}!S&nkZI0;UwspiYYXSeZe})l$R)KOzLnU!j<@wp5p~%;a-|@MVG?rH7 zdW!x$@h#g_(eG6`sA;?s*ECOprx)lfnk3BypAr8_#mwaHd{$M%oxcs#r{;`?AR`E^+c@1ZN_RXhIcVl<8_hV3+89g9h%+5nR%*%x-{vq04ylBj2f#Z zAbm$!8pl`?2M=|)U~aC?#&5~9P&Y+}6Y|r$I^9S9RxFm&p%yFz$DC-RX434zc4|wc zuXffQZqhxRo-|s55Ya*X4!>o1SvAfoc$|zKJq(`KpQ1tEB7`}qCm?%B7&EPIJ+KEG zF|ny*LU@4lWsHu2=SD?5K)-2)zz&qMsk1}m;0@+9%D`ySxvV*#seSHLmv8?MSzzNr0hHiv$%{nHp%zEAeUzO!6#2eFuw^+m-Fcr@O0}pnqOZ^;jfJ{Y4u- zH3ojFpaRmkKI-;JpqO86(g(sL<;5w|&%V&hlQgMvu&4 zIe=y?wvOi@kl4_6u0vMr(t`4!4ul>irK_FTD1alE4N?Dv-?Dj_x;(x1WZsUCi)Qwnf-NL=e$J`UUqlBvN2)-hO3QZsuhvnQ)F 
zF*llY=%a|f*>v?seBC%heFt9$&r&bdUF#3Qy*^tlF_2I6o}(7L=QQk?P!5bkJbGk> z%a<{}>q;59^spi`t?E|E>=j*M;`z@F;nxU$QNsDpjjOLi7{*ym1mmoxS@G!K)*Cky z)*DB=^`QSIzItMA&uAgHXY&gohHTU7=Wcc5q)@Ikfy57r@Pk)blb~lY*20@b&3i}< zctYIm=Ith->%(1R2H^XVt7A6GD6aUf_!Vm`UWOSNy$qvEDLPyMa7}6%ASTvzj}_{= zx9F6P{%z^H7894QYYD$r!qRoEqv&Vu^=g^;u6-NfUHi6Ir=owm__(cb@o~FMg8nUe zRC^(LREJX$^xt5eC?&B4kqI3F437xT`#bm!Lf6Wg9lg(qk9VPuC(@IO-<(RYb&hFL z%GA&_zWapFPLN!GWFdx9+S3U>!bhP)MV+IE&Ei5gApX%YM8tMV@76+C_oHJkHxWC2 z+4ENPwin4hn_y#Wz`hsN!AfZB(#cx?5h;2-v5#LT_;nWg_-Q)oRBdGRbnd8jB(J+B z)IY$brnm8!8(`P$UrZBY6Gj zfRfLAgUCBf(l{1PF1kFOMMfqA`S1w%MCfF*N@R4h#-ZqDGmw7$H|9(qFvIN@h0QRF zTuj!~;btMIAFvR6ThBsrKaGR3NXs#>;F6ntqI0HY{5bI><;kxwKl;sv|aeol(%yk`Ub#iS|35>#R0FXw9m{B3Bm&_a& zQqr!Ib)}TZ3cq`W#MBV+XiVWljei@ zS@@X$VS8vtBcp-vV{LH=SvFV`UbGSnO3WMr9K8Lg=ismYCFsi|C~0@8C1t)6IWVLI z9`G9_EwxBbT5qVPLeZVZ&<9^%d!TlVgAZD4Gcu~d^ua4%^>F)204J%vYDWaXjf7ty z0~gxCN)#+&n8vwi?hM+z=rC#gIB-(*7sSBr*{6rwJ51wJG@L}TST?Y}Ya1gY+j51?_O4bBw-exsHXQ?ZAIIC5_*J&UE~$2nFLg>RZ^*7m|x^=OGu4obVGBRoGUuQpnZ`(1SWoDg)Mf{ zeG!dL%8GWN2FFmQ?$G|>v9OgMeyrVYP&koo6ExKcoum~FXXut2D&4(t3{2M&hQ?}4 z5L0um6InJz<6pALh23OuTlL@QNlP@>ok~f48&?qDnm3t$;Cvk4A*VeIa`WI@N3(;QR@qNzMF4B-+3g5!~alAzDoP|r;E|> zp8dNdbsy9-sAu9|U55tt7}&QDPET!{&@1-ajsG*%X!AQ$8nM~DH7x9FT;uaCTn&i5 z1_WWKOsA(^du;eWq4Y@RM*n76wJ!LoIU5LHwU9eNAc6Q@ndW2ZN)jzyT}aY&jkPkm zz-jKTO-19q8e`k~`o;^VhFd`uydNBDhwxsdO|T`|(=|S-{7BWgcUy`^`V@Sojq9C) zCQiPv+6J>=jI=T>#MPBZD!7&>^=4?S{of7zI={oh>&6gqGJl5bvba=1l4ihQF+7q? zouTpf8y?>kY%Qiz#n6I@GaMF@{r3}FsO3%^GP`ES- zBszQwB+5EnkvN#Sd9q4zYkKZpF-oa1zIzMOZ&93UsaqlhtRc<@+f0=nYSp7`(aoNJ z0M-HQ+_kPIRn8DEq6uNvF;e$OExKOJN(jT-;`El(<4neZt^~vK%Re{lB>x1Onx!;-Mtw5vW$^YWAJK? 
z88Pf1P_*{kEMyU2;jia<3Fc|6NI^9%w>qCnt8P9B>O5v!n2%$xenWclHcog}@S1nv z`)fIY^I@cV{!T>8nGZHoH&ScQEnlzsAYc72zscQsnc1EDb>1-$?Ftw$Ybjs8i)c1q zE83DsH}D6X#zz({0A@Um$o++y5E7JI(VPH=6_FNHG$T3BH8#AwHBRaMGz`XyXebe= z$0*9&R0N-}P~*&t=KeIfiyG8!3w?q`n+xYaF4QzGUOqTbhI)-9b--(cS(4!8nqabY z5e(D3?qbfFtov~w&1_iqR4@{y>EI&B!NnR&Qu~I+j#sS1ryi!#x~_fDhz%J?xeet| z2kBnCZ01Hf=VQDC+HQ>9Z%PZ2W$k84B=%bFX4}y7`+Hg_SQeDsh~a3kBf<^J)RZA{ zzchB-yag`>-tNG+3f(EClH6U!Z$gb) z#}&}c8^8W&Fv!6IT3c=wwk!u0{1Yir1c~hJW=^bEz|s$|?9vrL{$RdHK6i!2g||tf z_fGHj7f6r+{YuU>iNj9vZiOb67pQiA{R)qvH$4PvVcp^7-4sYpBJV;l$}5oZDiFwH zuP9KPRhsg=d|b3{({czj$4~RZj$-Fw5$*ILH*0cjCcih$uldi}?x3S|&=K1S(ocwx zBUfu&xkWn&51X_;{hLzf-%ZK1a$0WJ6)>((u1y#Oqj`lnnthhy29vB)Zsp0|H6<{i zS8E^^H8FCh0cA}}UzRjm%hO_d-%caKQlnjU^fg)!7}AZ2_Idq$u8-fd4d0;H=SN`| zaZV3Su2gU@%LKee#Tpe%mubMO8-6aq34P}^UL?=a!-0X}j(zW#!YBrxan`}axOtQ( zeb&?1nIrO@Ffc8aWUU7S=x?C+f)7%8*pTxNptTYUUOzcmbf`O#VnlAB7!`i=02t*w z97ys*z*rdgmJ8z!#pvmbG0J*a5UWR!gXhHQpMl`iP5&WZ7S!7ne8x>4g~(xoDc<49hamw*?|X5gix8^W;Ktq**8d9m8R>72+* zXZON5=f`@Ok*s+oXsIPzfT7kNzk#ZXF)pWGNZqYK-pcbgc}wUrYnYSQtmynVV~s-;mXa_7y}aoLoM8=K^0+hU7JH8O?BM z=l>frk{7Mg_1pt=<9+lW46dsxqQ&fjsxeO9$ktuZ0Q0Jgl+b{l1p1mQH+fTd*mx>g zCTOIT5N4;hVa(!v`AeWSsTB14<<-cjw-6U_l0VmM7*JiW*QShK?Sp?q`V+TW+OkDM zib*(XP&DWD-yb^zSQR2d#_fRxGfoD{p*UD;#dXE= z2FFI|5@1!pd0gm6F+$lSmQ$33Ck^&rQ_=s{`fUL;`{~|ahf2&3XzaNngK_Fvu|#?R zl$ER}opC@@)$dr{EsmFqjt6vsdqke+8?F1z(_SZwEH^?9(>J9?D!Ntltc z&TI`y%hp7bpltBpoM3Iww!YpAz4^xsG0BJ8yaMJiNFxY(|0($vL zKc;hIyr39;marK5@tc>A=|=#=bD4+{xCHDrFB3u&Uh-;3fn2rzH@Op;ag?W-^wGl^ zO1@&dNFKBU!ZNR8oJlF#>oiX$$1a9mlLbF^V))g7X-&2q<6+6%NY{~H90Qi}cl>6_ zny8Lz+>16Ear~g<%dDRNJPq8?ADdPGxD!FzZTB!IFOQc%(OxHjEw9}oM$!q5chMY) zYaEoL4|N{QnhD&@f*;#oy#zf+J3ZW)iI`Ebt*>vsTlaw}_dOJ*Hd%L)Gw#!=`SwX5 zP12FdG7ox)nL}=~8-5C?A7;}RQ)+t>__GAMtauuzSDyTj+Je-x*E;a(Q#$;RX0RC) z<-mZ*M$(bF21IbH<+-Klcn0|KzN(|9zRredZ$lJRY%7QsyZ_wK(ZMiwbOT?-GIRyb za03O2?(^pjk1{0C7-nIdxMbm3U~A9=5d++(1sU-cf(B0VBVmV1y@wT$qp)v^wYzW6 z5F~icGUTnmFRsP%d0%Wm)C*wZY|z*4EyZn0BdemT%YFY 
z2Vq^QfeArmTWjwSvLshyt>Vq?fRp`>jo3Vb z`8O}U3^*=j(!)SsQ^`px3%oV-7%2M)sDw5BO+5{84&?biFsq|$pS-}^$=f~K0C*+< zw_@~sw^t!xPi{GbE>SuA=;^&KYut3}pxpEqDSdEX13kB%)Q1;cnF!)of;g-r>zIhe zN%rv;1592$&55XbVI%;*g&!OIMkf^lwjiljAco;=S+f5M2wOK9gEX(?tzQe}1?hYh zKr;Fj0OeRGZ-3!7s4+kX+pJ}wMJrAz zwL=~+@q*2t5iy0^;O;UVa7!}(I)oOSaOC`TP+HPHQB;yO#M_3%xq4gZl3Ls#eQp3q z_XB@`{99AYZv%EW0mST3ArLDPX|J{8=41;6G0FJ@q~MjNEU%f{d|K3q9+uh$CZlZs zS$P-(>--EIA9;Z*|K+}T#{UUC|EK}jRToV0VzzV~Fq5Y0f?!h0_Q^TN4Vcd4cQnNd zoYbeMgEn#DXln!>@%JC&taI3BV!1G3&;1Kch#lnda?C?u-VfuD~?%l zszaF_n6mSE@c-F(RnHqRJ;;o55X=glmitm1o#c#Xw4Wog#p8{do0PbB~xF@6ZF49?TB z(wJ2H1R=_~i%Ymj1D*isu!}mirMj{(?Srv0f^2zj4A)< zkYr@>L>SFzqJkIm?=?d{PXSCTz-0UN%u5DLE26CiE|!x|qEpP&%X<1Hlf7*-tAl0n zlIxT+?}~vO!mQsbQ@kL_PeH?ruIfRyOx4FA+)UU$1Nte~4D=S{Y(NQgu$9vHxvr;A znf70l!OMTlbD(d3!$5CEl06^~M60ce7eXIk&;{XAkvDZ9!L14vHuLm2+C`%F-2Si( zrh)5Jg+26iJu+Fe!rQfQpus8V;7+eEzqNs4CnyMH-Sqr7BHt9 z1a5JubYcxM^S!2gDLacoNFKc0jXbl*V~W15*k#c5mKYN}j+htnv5Kr)yo2y9=b9ZUQCOQvH3}WR{%eD$+d4e z1E!N$7Q@MB=4TL7ULKQos^+7wh~dN_ODKqglL5qrWPH)*LaK9uG&)*4pWOSVaVqts zFpwv&f=(n@{`$Waw7mjmF8i!L0O90~BDt066K^S}(=cpBhJ!QJ}F8;H01TH37<2 z;ytzHOGUTEAdBp@<#=WK^to(pdeUYTjL~fE>z#H6OkZx9zWoH5PIWMlmLqp!Q?k))2`gI@iD@)}O<%nhW0t;Rs^q|0XT@(@{RNqv73=L0-c ziZg(e(-rCPDp&E(={aNd%4HW>cgFvxA!DsKuSX279C?rAglU~h&F^9$cO;uDfP(2l zP|2COte0{d|lX-?M&X)0=_0Aa$B`-c(zH{bjl-)nWutjs%s~^5rk~H>=!Y>iY$87oa;ngc%hZDZKs< zG^?~W!teZ;8j^=a=PxK+W*LyDa-v=ypsY%&e*$02Nlung`pEtUdVevV;H8(C0e!|` zOm7G%ctP${ki)|bjp9in&9xP|g-9_6`lq7{(OZ$9XJEY671;7};%xy)uf|}ct+jo` z^aU?QHpTFmSO^2>FnE#TEdeQDssX9Gu26?tF9no7W`=>@U(8|fzJIY5(6^dxp!X!B z%W1^|TW%)mK_P6Z$)pg7z8a@kPV^xGt)?xte4!rX?I@qJq=pUcwj5bQ+D%Bj4FJ4H z09DCJ8}MDlGGK0`qc5QJP0tt@2og8c^3pH11^Pkv_4HoLef)GwA4*R8)djs8E`?nl z&0)JDoAvzk2xI2V^D)!aeDDH4sU>e)9^BD+sN7(K%U>@Hz*TjtBfOYp6OPte0?al8 zX4yRD$k%$zt@hgbym0S7&RshaG8q2=B+KH2k9xQm2W>caQ*Lp9rs(y>Kw4F-&E;$g z(%cc~H-9x~2c~tKe5`a8y1X)#YW6;LJ;V-PeUOmd%z`6~opW`F0 zB5;G~-apQ!5Qr72=~7Z9q}l30Vq8H97hFoJgh_S=`T!-T{;)Z)^Q7@mF%O|)AOTae 
zAptL8o}$~u%?V8ERfL9_;_wH^qKevb0h}Oj`$)3aWLAL5%6LZ%6yydm5+?@f=LU?- zDqDyiwk0fpXt7ujJTsqLP7l(-U2DfR0_(cSOu7y4;eWKvuJ}|aykbx+7v@G3>Br&< zx^K%JhsioS9xU|Ha|Y<{;)($$W;Mq{zLTgg0N2URnM?!zQ<a`B21StOl2LD)An z45UufADEK2HNow2@^oXFsT)nO|2cUd8)N{6vs<7@lbf*_Ucgv#Fs6Uwr7h1*U)>w% z%Y^Fbv!3}_Q*U9VtKZ|b=d+Xl-Zx3i0K5(}Ai3zK@Z6kq^Z`z8)Hcvp5NGe4+AV8- zt>S;F5q9>T7_P_kdg)U^H>z{p2W#5wd~*1cK9FG3ZK?9 z$Z1VRSJJw0^K_^Z@YJ|Irr%T@PQs_w4x{3iMC+Vrl`6Fw95W_(TwoE2krGx9h zi)6m(jUTP{%mO5KS>dr-hg6S5{(v4$D;v25%c=o_jc#P1*Kcg)l#VQ@2K45Q_4Mi0 z!9M9}F1#|0eth5`-40HWi`7m*69c9vFC1188xAyTs)t)*?5mFictz|L03zOPW}vs% zZFc=%cw(EadviTzwyCdvZqCb-uGx%Y4fKv;eL=DGI3AeNLf4~%NqQjXj9k}^a%c+o z+JCgRL0Vs4Rg51n@k@V5pSjg5902??TF(l=l_UFt!1Wd@in$SGXZfmnspG(U{tN&% z&C+2ibo2E9PB@aXrK-P}y`M8jPfs`7^0IR*KoB zdrpjyma`>YrP%}iq|cGUmAM2|TtOzX_8*8^d+Q)lT( z7q@~91-evyk?e>AKDE04|A60TxgK*(|=9wuu}Ji}?LAOJ5iGFVmy_c6JFgn(;FB~wKtv5*J zB^C>EVv=SNz*DJB26`WH{O6=!x3*rFdB9U$;E8qrfm;ojwf#8Z$f&x&PQVTWX$A7M zo3FlhkQ3xphrgXh15eR#&=|{8z1?!0;k zq#Wf~*p-DHN4Vt8P-s@&VQ-wkWN8CnuGJ|FVmH!P3=N9sP7Doj4-5QVf=4%?H#@5b zz9-k(m3Y$w?Vk;7!XrO>LAhK?;iIAEV{Fni#kU-Bk;3XAujI|7Ao-h@h(QYCNH$0z zlHdgC{>jFXE(=Rwh>`u4oUT|#{xAT0is^q&%+Jl|$NK}OGqg85G4%Y2F?AauI5CNx z9E4r}%RuifX8Aek_h`!}R|TG2fhRUZnQk0Hr+8ijS~!eb_w^LOPQ_9NQYSJU{)wAD zm(u5(VtQ~KVuc`Y+XXk#oPhJkjVk;h)Acfc0593+tKT@vsWI|h2`qLo$4K{7T78)y zFUT|%fXFNhfw%>5(${c2*d&ce6_8ClWraa38^WYZw=BSk6lF8;T;=~$S?g>H0edKl z#e}Nb(TPm$g7@#vL)}IQL{^QoL8{b>C&TX-v(n$95K?6Zsh?d4xtJ90Lz1mSOv#ie z8k!_+>rynR{^a9BQK0;t41jTCh!=}I%9sXd`tLwW8v}h-q>ce!lG+%uUG@^OJdyw92_r*vPJ0Pk<2^;B|_dad3#eB~PxqbA=hj6#0v z(<}8=T28-OB3w>lEqivqe6iTD0tRhG8aIV~wL9a<%+^|eGQBBnkzYfr72P6wjnaZq zlYAX%5V2`i0$s?O!Alhh^rb;0S{rV`oU~$8Ebn5wv?-gfbAkK8-Aft0jP6RIYmzAm z;f};Fx&)kcjMlmueM~}SR63|M+u>o}${&EJ2{3XX~ow$43 zrdY7B9z#URud)0MsW>;XYenE=G3bir6urYbzQe?7XAmglEc_xF>vUZ!qE%TH zZbyXP{7PAU=20nn)&c|IuUZ~>TpZasZ$ATH=`5CcVL4^eybC|w~|LZC}RtT zx6h*RcxSm)MC;law&U=&(9+JpN3UI!GKjqBT!I#=rUA;GaIO)h%-#`hONQ)B;2yRQ zbY1ho8}xY;42>NcS04}|gARn75eqH~mFjQdiu>M%e$g2q|R+`b}0 
z&gfbK&E&zuFbU|_4MH5ZZu~KJ!1?fwxxmI)V1tdf5^joY^t}e|bVIiixYN7cK+O~2 z)GXS~t993U^Qzh5Yht|)pkiyVmio+a@#~I=cCfqFjkmcodjK0d?u&$n?to8h-=hRl zOrzut9*X2q_rfcXH$cuS%Kmi&{o6yN=nPe@Y=F1-u?U&iQ|rNt=5WfcYAB!uLro>? zO%q>=Xg_=M6wQwXD zwG1FHO_Dx=bFgcj4c1fzIHUl6UKnMir7B$RH6(EYQ>;Y8^E8_gmtBmS2e zPOjzGzf+0v#)R@F2{s}ViIx#IWozvkkifF9{@J|`02AodW1Zd|$&1}-=xwnXRXFv&Do%=vg)GJ?+vL{?{ z`Ey5jA@AXP{$a(Jj#N}@v|$`HvAe!ozD*V{L>p-Eo? zL%6K&RhqgEg_M(vLrRd|wjK)1+>a0`f7OmK`=9*6lSz;Nb^@jr08_ZW<5ik#eG1)@ zzsZLIKeHN8A{p6IFQPPAJgfv`+C@ssJTdadK7>EH1f!L`RsDUZYFU^h-tqGh16yatZl5 zx&*VC;1r+?YeOl6$>1geWm17`a6AhF}Ymu*ZdfroxaDLs=#%E&P#=x-y&0OjPN zBIU_3+KRjiIFy-U9|^*LgdaPuEgdeRZ5R?^MdHTt`_#%mR`;t9aCH5db?~7hDP%B_ z4g+(14v^gb#C;sdcWjhM-fJ9xTBBY;{ejzo8KXaD`iD|Pw6h~YzB<$S<*RjK@44J=NjQAqyWcJ_GM-s4F81Xv@pnE=OBbEXV7j)+?20a9&+A8WSLCQvl)$T6z> z&aiNhg?@#OT^Tc-L}jT-?8irx`JYBHhxLbB(w!d*0G_q1=~G1L1rtH@TPE^rK6kGP zi2=wkfMj!2iRmI_(4-QK*1aZy`W>c=loV0+zt`+JEPYXpc*P z_QgD7Hcj1T0~#AL<`WSuaVmevXt&n*5&eu_Gw8(Z^7NnuB3eee){K-+=l2VTJss1Y z0;DIzw5)a3S^OK4qa;Fa1G(v-_CZ-9WyNXy^NLd6|E)q}J>d_vKV2rGt(wN)h?`A% zeWm40v?19>Y_U>A3!GkpSf=-MkScE#={E-)!L8*H|63Aw@RapycY%ln(0XjIt-M}@ zR?a9vuT7Z&Ox4&VQl6awy9YU)Cb7u?%8)H0WrK|oW+X0yzoQB*>er958+%2{ z5wrMhEmHGS-U)Q!15L}?+UtWNn(6Ek*qUrMq>7f3PYwMo>%5==SM7J_t_9#hH?lDm*Uuo&$8$nzXD^mJ%wc4epY^WSLZ zr01d%FtcnCFf;b0Nd9I~31+c@i-EG>mDs$)7xTN~si!rkU%(uP#>VW>)bEXmHtJ=B zHL+X5@09BPKhC~7s_N!jUlBwa>_lt@Bosv}c5P&o%X!EQlcJHUdmuv@_n3>3Q% zumeRbOt2gIJ==LNzjwappBe93=dSzS<@50DJ$v@-$xkJ#NJ>h}(A?t0VBb4V8NFJ5 zJFi&vrN%~Jdrae&FlJTy$k~!ULEyag3Uxq_HSpGq&;NnPeZaKx*cyd2@s2q5el6g@ z?d^f`>(%}0IL~?rmxsYBF>x=>Jt^~8if`5i7QMZuJ>5n!bXbzimU)9~HQ1cDl2xPV;A)Q#_ zMunB3--PT|k|SGfk}q<8?sfE{0oD+`Pt3H#N^`aeCEShK!%ZP(vSW7Kd{e7I@Zwi2 z;Q#ld=5MDKVac0A+*rTOA?0L80$csWhjd2H2_GC3hm@2GENct=WKqh!82hnV-sF8D z;l+o*j5)+9O>mm<58Z4cNr)(u%#`ir!+iRUrb}ZAClgRwo(G zZ1q<8lBDVPyXEl#szO(F+Obznmb?@FY)Ccu$$pzc_S0;GnBdwRp0G_}qC`YfArw$-~7RuvxYf}LZV7a)rlm)kn z%Y9dZxU_ri5I;lq%2V1j=zn1;C^v&roM+x`{~yZSw(i)SFjP1p>9G$UyV|jU!<>zK 
zCtvgJ%$xn4E&|Yzd(qNeojK*v4(^sp$6UXUip!)G;Gg)3{r_%PPPu8nd~^>!HDoUh z__RYI);Ytwb2f(q@)?#5JpgYR_Tb3G1M(@w&9_R{JLu>KM~OO4hHy6Dg9u`NHDUx*OwOVp*Uu z7)8^z&Eaf;#}!PQdmN@cpUaUqft0QBqix?Fq|KmD2o$jkj+xKddL}8Pf>lY-@ivML zPsZ%vMUs3|e|*tkg%xycf(|iQV-|6?@DmCP5Ias_#rivIcM`?cw-fTsGTqZ~G94#Q zMhz@ZnTN-c3>P-@r2H|rchANit^u~yU=wRm+vS|CT(Z22OuG0irFXSx14+!hd>AZO;i0;9j{DTTUb@F~E{uHo>*r$TI`i{N}hep$zntxqfD_PM8l^w~&A zCl;^{k{_LxUom?d{602^q6?D(G0Hn_=9HQ<3Sw5DftcmnIP%pQg@V-nERe@{aOAkN z^8NHu(5ROgu%JCG5c@~>1eShQVME0893;%yLm($M8~-7jDrTK5>G%Vy%iHk%ZPAIB z_i?sT=jD4^sq1xa&^<3&QW6cSaE!C9Ij_*+@12KLamP8b<^}m)wYYqtH?eSRT{u=u z>)t0hTfzl}MEv>!bksS`k**iz7h9UUkG@UBhGTR(-%XEOZT*27olU} zd5&Cl28DPnKdtm>-)X7Sj`%^$2mC~*biBexg^-Krf*F?-vWDelD0-E`;lY;`29*_r zJd@6msaNrbb1%#H{YCxu$Mu38wb97ptRUhhryO=geid}eFzX9+a%K+L#HpFvZO-=l zio&rvzZ95O@h(TsPf^H0mk4?69;=d$Ze04Re8-DjdujDASP+9i6aBIFA!l2AReqPo zV|ww9*TCilHZfAZJ>qOmsS4d^Xez9#{DdRz9=RL;)z<2!A{XoVLC{lVD>1kDJm=K@ zX$rYzN*aoZ>&zw{H@2^&$#2It_x1AV3Ew#B#LD0|BqKmJ^V+Y!Znz9YJ3%Cl{8e*^ z$dx@$S6J4tz6K{-y(45jR{5>FA?sQ~z7DQYtI)vJD9AVBnvz(#4*bX|KVMTg((8B~ zVuF7V(uqyHESDyA09za4}ND%iV%}W!T6Ki@~Au1wnLx)#cmV6hUymDKDj@+Uaza`{g-X=R5MbvW@3AHW6$c!6s(6go>Ok>yE+{y3$=(HN~1E2i=vAb%R&O z63bx{QB3E=!4n%|Q&@(+2MO(Ja0$Jtdi-62%?-UZj20)C>IB?R?08U{6}>O-<(Tc+ zbI*gVHrT{zQtLX*>LJ*=)$}l7tL`iGPuB4;U4-H z?h!f)Dq8i*kF)*Gl8=;6E4O5qfRE@TzL>c$H0NwH9xG(-6OZAex-B`<$8E+LrTf+w43$Zk=+Jf(1TyazFdr@XQPb#05WMOIAlY{j$tGNd!gC#F=Fg+ zv{_4>t@X#_+~VA2SvavdvrR*BX?Q?)`Kj)L@-Cal!Ll$|CYG~aI;}= zG?63Azmzx4uwUj54`{f9I1_c;p3D}#L!7OBsh}g{C3N(QUAyR|*rl_phMi)AT>c*lDP1zctdzUoD#W8tBe5`QJVNT0Y^Pxa?5F02cH^ zniP+JO_|Nvg5Jol<1TU5^Nd4`tOlbv)p$6Mvt_zctBh{J+vK%T~0PC)NPOQD70C>UtOA&fMS0 z50Y)#{9HD*n!A{|sEt1vay}XgbcP?#1=ltpU z1hK(Pw{W&M?-c^m_5+-K0nco`!x@8!5AsKcW<4yvV;6LMgbpzlziwyRk6<(XD8Ftp z{al|DpTRaBJ`y)!3dIv!kgT)UIhcN?X$tjQabnSN7ZEjL_Mha9{A@mc**CCt2AgQ) z<~`&xR05ymFL%b&t7O#(Y_t?7W~gubIGgupg^_*gXEfbByaPr$Qa&qWXyY$Ht~$h# zoxjNE*z6WB3O$E<5BNh|u`Ydtru>fV;TQQ(K4rSNVPCN6p5+TX#@V_idYG~Bukv%T 
zz4?32od)GQM5Q>S8Ygke+^-6bvi}B0Rl%mfZ@9Sb@xM&lXX2KQbBC*<9%W{9g@>;>dLNB4=CjT_FLae}{=_DTH)p)<5L)-aZzA&5nH9zbqTJJu_H?a_j%ixqQKNSk1@SiX({vk&m|0!=;>b?tA z+CxViqDV|4CmwOOD-WJYX?Ouz6%ZH~0ywWe2&Hi3;OntB|)M*`!?87 z1m+rIIxe0Dj%Aj58W(n`utxgb=rJn>4x)qFbdg$2Qy+dXD?N?;wfqP@O?kbTUu2IH zyR4^?eoZ2F>iNWD`12i*Da9ySSA?Y-Xq;l=J&jm!5sm!pB)SN+>@E5S&60|E;yFka zctw4{N1AhZgo&pi3)7cx?TisME7M7pk~+QfdPz>1tFMuNN!s23Vy2bh$f%N@fA>~- z%Mzi}t3%W_1ddoDJt;@j(rY*u{Hv5N38D`m5|>f66^Y21Ei9^$fAZ#PQCN4ynjFNmF1pLH~A6kX8g;{%=v)jw%JO0u_QT`S%>jgTNNSRfYEh+}naw>b8 z|J9W6!d$od`k=n6v&oqzi0B$aaW*2kB?7Ez-kFk8lsZhqqg^KkYxIehqa*XAZN0i6PDU@2NI2Dt} zC}++V>45Ap#YDdUwi)fv^gSqQAQ|=*0su=|6L2S*9B4w@dtMge;E+Q5Le3SbCp#BO(`eeYwI@-}lU5-F6Q`InGIv6ptFhdb{lW*D|-)5tH1Kq!y%5pRw5q0z(nzOlmT8Qqh`67W`bXO7%iLL>i( z;Cn)j?#hu~B{kA-#eO}txnDI{a1OyE)}p1lbGEA`HS&+8nU{i&g*`ZORX5Z{{Yxp7 zRVxYpvKNPk_3|vr-j-6RWNb?V-dkG$|GU>2Z1i%+R)tHb;ujOxn%7tgk zf;)q)0lz<+!#7)NDobxez9Hn4xg0rXmZvGJVWtFGv5{2q%b(E%oMeO0PM8 zSz3IqZhHP4_Fz)V{_nU~D~eOMx6w#H>e_b0(WW#hqumg3$ZN5jvt`*R^c$Nh@Y<=B z9GS8V%{8uyLUZjT`1Q3M{xA;1_tzE*Hw4|Q0`9q@^p8%YC$q%vno|;tq2Ofw-6o|RF`614hS4%#l zS{$mmvpJXs>a6HgO5|+QYs3lg)#R-wD(5Hc4RDhTOj zC*RZtk8ga<#eKbQaHm*JZNMc9VoNxK0VKsvA>a$!L(Izy9NyYqA!6qdGWRk^-m+I1 z@2%6 zy)OkJdyvq@^pkmqy?4Ug`}IxKRlgnNL)6@HttIuBwfKpnWXtC7S=75d9DN7#2L zgCmWc6hgGM6Oer}IdZv^eEw*7d_;-1a7bTtGO@?M$s)F<(uGk^XGn;C#wDzJi~?8b z*7F;J$7OT4TRr(sw)$q)u4C{&9U~AehtZcBiomBpl8q2~MoDi$?zIUJD7C_MRg%T;yXRto*6I zP2oi!j3weT^|kS+S3~IN(?C;A+Jb}zs4`MnP(yTs9}VP_M#|5W+tVOpqt1|)@{MH3 zZ`~y|go2Gs>x%VgQ&;&`OnBC^Cf(Q`prc^KZ&HA6{S&KnD_s>rD%BOOa<>pG?2TQc zt6qleO&-R>x{VYlw2eSuIQn6Set=r@F(S@aK@HFA>=i+`ri>`yPp9Y;)yOI5p# zINM1#`4#(xlb^OWM-Q2&lQOHCa<(?^3PtdIce2WiBk#D&xADCu3#|{~Ge;3N|9eC? 
z9XD#wNUWEKrn>B*q2p!;hhKz`f^{a?udO-TXAgw|*U1xB8CK=UNuHW&vN{|K&n({( zI>sV$#R-dFEzTBL-K)f(wFB8b-EFVVe4@8D^kJG|ZBWBKG2^l-`X-!On~xrs&JT_4U?++U$WYwHgk_Ki7mrN4ZF==#aCO#|q-il3-s zia%$o*F-@_SQ9w17_({$M;>h=KeoPKZr6Yw+y4%Ci0wJ81(y-k6k}7%rV7K-*t(3Ru4o?l=WK;x?N_AZd|49-Dc8-7Lxj_dq08;lJ7tQA75knMVHW zjW*5E#+gApyazXz$pieW@0jTo{EtJyZG6kfw|@8WI#oN3(_eiptwhZGqAOT(AikDX ztJ5DEHmZgELf)Y5{(0NroCvhIxZ+r;3umj-(aVwrua=+nym0c(Fov(6>h!6q-8iK~ zXD=fb*HR&f(p$pmQ-e9YZGgs#IkZwpEQ4AB?%MM|@YxCSNn%Z(mYH-~kFGGZC}=qP zRO+i<1(da<3*Wc^h*_^GKw7aAJ-v#?wwCv>Td9*v+#%*NJS>)6J@8@{B8f$|mM^)| z4qo||1@q{-y*NX9*QbC@KQ`1$pOrnQ&}OXyVP}p0oFX<*euLeAp6R`@5L5+2oLEvU z9l+Vv_VqGl4sGN;X4&UjC87)lr5NVD2N7jGw!4j{f^5xGscEGv+rdVkH50e#8#3o0 zjXMh%hyV|2E3dE9vtV}$u@Puhk5uqGy`KrrtQRKx9$2pq+gE z_}g!`4c$_u4kA7z=s21v+e>%U?(Gr4uf`C_i&c87kZ*Dcxp^E%o*0c_xW7d{80^Mw z+DE&ruCPF?()&zc>pEzHWUIRxKdc@PWNkZOY^XYkC3i%aJB{};VFN$Qiy3gRSRpF$ zzC(=IbDmBn%0St7YtWdN;rW;&ZnaJw$@bIZm(Myzm$cnv%u7JHLt5}W)AMot$< zFrCdMcy-lOmTinlv z_3I`-=H527bfNc;k3gWfHvV-%0cBD4xtl`eR<}F6^*Q=K@W}2O=?`J-KI*)iK@nX6 z6cwc|=9C%HUdGHaSiWz?+5YmUH%|+JQXF}YFXfbrf)$npt^~urO|cwVu7~`9`(yIj zmJ^}ls7^E(FXwD!V!g~+L?!vv^sb+Sj5dL?8U|c3#viR9N+LO;x`t^wc&T-WJzQZfxR|??M#z!<;p6S&yw8Iawn= zZ)^0p%aQpoZLf}LZn(GC563i%Y31_(JDO*Z2DZ{Vsio3R&Q^CDYQeQyc}IQA&lvXs zlp0Wq)pN@PPFX!veoxe`vbSAbm|9fF?J>JK+ul%xnR{+1++JZHNBZ@i07j4)%+M%8x|OW_-xYg8k~KFsj=2g&3=296q71 zd_%k*ZhG7eLQHfTqEZrPt9#Vz@2((ZMR#!Xft^qB6Z7=0lSD1Q3zpIk)-}fGruw56 z3p(NTcb{6EIr`w1MbNTNXDB*;hN$J=W_r{gdN!RSBb-^-SuX?jO{i zRR+Pno#_Qg{YDNW$MpZ3kJ_{CM78cZr%FikGKw9nk^Th792ct+WEM>i#dSGTrX7M% znmSlv2k_`%NO^vnO&yBD)p&?}e{XBhW)aPMrz7sfQS1F(Vr#(I5KT$hS@hI-$*-sc zE`$&ev&TmkITW+#T0`Y~f478(A1^`L3rG`3zr7Dhn)I$gg-*78&7mp*L}F!p^AWev zf0#m6o;nOu3~%NfrtxGcW3^>u3-r#JIA2xbU1Mhhfn&=n;DB&@lOl@rwoQ z%|lSqw_nA+QT`=S2FPkFalcb_O8J>+IFYFRYwn`y;R-`uayY_qL=H#(^V-XbSx%5I zG*3N#SuF};ULfs@&lR+I&ndg*U<^7kQDF>vJsgS}e&TS?5em&cVFZwizi{N`5%OKD z>P(Xbk!YN2Fhv|rsFQK%#Apk{%S$`q*q+> z9~?Nj9YplaTQMhEmSE1~u|QVlNC&hnheuk+i~PcTWl*Vl66oo)rHwB7TICA*gDGKKY>P7%L&zU2~<3FU=p^p&qOMQ+k z8mWo|fJn?} 
z{XB@MAv-WtzSO(Eqtp(XiP4s&m_L?#akjCETKUVxQ>Vd4w|xlN;P1cnC zS(kt02mXgua)Rg#Yz(Xslk}7(obAy+3Q=Y=9XggameMK4(XD9{%Jp5+NP*}=5IRj#<1#+ZgD{nKl>bgQc51a}3mNp!|e5R&~ zbYIINhQlkIF}?*?6pXVHjey@SIzd|I@^1SKgNfA~;1M;b3wXxTOkf!sTi zBa_0t&2ijJ;i_2%!M~0!fEQ&BixhMZS_HW5I1WF!NPfTJ%Z6ch=vAOEsJX>a#u8h~ zROR_BR;WlK@sIVIP3Fieixp;;#!G-aI)x+8PecMqRQO(2`njft(~*-#!4z?p91zJV zpDa;uXXT|3Q*9bYI!1U~ut_}?8Z&|5=l z5)Kfn^+&Tfn`NxRm>(1i9W&;zb<0q-#KkIf`bdc*|w-<5|6;$p;kiv5S#Q0;lYcw7u*05jnd)@VUHNz2ECRm z#KOAeFlZj*$hXVo4Jx#A^CDUlriXvTs(SEp&X&5|+mKC(#cX(%y?iOx@kB$D(%{{Q zpSUjDW@Q0yF=n<>A=9^B2_sLhDu9<@J60+*dM3e*R~NtyS*4XIP`y^kaPZTYZ1^g0 z%vi&;n=}sWs1%YPq++>*O#Op&WbSeDM+UCm8~>8#)^ub*oT=1bPdXe~Qk+7h6kZJ- zRdHd3klt(1wjEY0WV>j<3s+;wYmn_7HhBNtR+vGtluvXz-&H60r)=TE=4?dOduXuy z_IkW)!~IP_c^@59^wO?voHAl97BEk2_BM`PE5EyxH{q+-H|#Eq1FhIi19ueAN?&;Y zUOmy?6(Z@C3Ni7n#XdAO$RClrw_%Q5VVz7^{u^9v*P&4zvGH8Mv1XmZvS$Xt&*SA; zg4bFvzf#je`&@r73>u4u6jy4_?BQ&w30O)>S}*VMw46t^yfIs-i?@P02dUwI>*DSrhrY{t?==-;EtRtHN`?iroWxJ;8#hi7n+t2UMczg8OiCUx z1XD78;yCSbhO-4EV??6^mD00Ei>)wi)1JAUx+iB+6J9L?5!0p6PqJ@zfGYAbKVXe8&cS!-O#b? 
z65Ofu5%MDh_ekaNqC4cLAs$It%^Sg;pYRhud~rFA*j(8C6ii$le=D@@y&VwK?^*%e zgwff4=_VPz6Y!!p{sY$p$Q$(f#iM%EpL6jO4;!z)`5(&vJK!&^YIQtRx!>j#5qB}v z*ZQqslyd^$U+??}Zhi{`(?W%pUn^HmaqI=F=mV3+Ad!kKbtIcJ{%M+vhqDM0x>qBX?1z67n*+-@r0{lOmBY|+rw~g&fl+SgVfoRv z^Vm<>bOD`oh@-7D-gO3BjF*oI`+ZnG{J*z2WJN_yHh$t(WC;VVud<$xG27Z%Vc7^WjjzqjUO*()yVAevm2MlTeJ6_!_VPPy@@!p2eNQHaqi#gQkDX-t{xG5G-0ZoSowo;9{32U;fQUxF5wtsW9aoicbIkYB8ulR^(Al9?A6VQ}U(Z`7WOi~DK#}g3N z1g~L}upn!nqU`oq`30=#PgYecK+Famzpt-Kl&xhOuu;su%k*M69l{eQS!HVwku$4N z)yI-m+AaUW-+;mCFX&zbJsT%x?>V*D`;!`f>47Xb89s`vLm+47WaneR;*%9d&{qW4 zv-=O+^OSr?i8s49kxC_cZCWfh7Tf=a@{$7O@nKef<_1J5I=h-f0i~tVci0@iHLFL{ z4Weu&4B3YCouC0aX@@Vo{=963`Y;?#2~4#P7FM) z$0_sAD5O01vk;Tw!jX5Jeau*t!d>F9QYWU<{k}zrb1@+6xN=IXa|&WwpMw}9H;!cI z6jnFy5wfQTN7gv6Fx%0d2h!1tBX^!x7`k2&@{2D=Hn<=^?>kdsQp^l^?KHe5mb3fu zP&Y-z2_H1Xr3(r{_4@+EEW$(G1YhOnWBR8Ykj+(@T2q6aP?V&T^jfswls7KQKMU}# z_=P5hu9(*d@g9kVPa2fPI;^)N}ykt6kO(X87_-% z!{HMz%jd63Z%VGBMTjt+E*O9(yQu;6t|&yk*A;5I4s7^Uj8}86$X7qE#!=_!&C8qk ziM`LY6KAtXk!Le`UM8EYYJ>7cWINNDv!!)Fu3DL*;NsL2m}cCK;Lfb#Rr$@2C%ezI zrzNYeIxcP!Olx+M#J6Fy{C^kJDDn< zy61IYR)nUpbXroJ8JLH1O5ZevZLx?nIJZI{j=YTjkRJU_(}8T+k0ZOL%g4x~M#jru zU|S>zR){l^QUf^K!*qoVTJaj%rUMJQjy2<<*W~9Q`>PfCNh>!iFpCvedG`)t?XF`n z==(MKmd?o>;8+f9MG*L6OE(=tYyq-av~9+>p=Cj2qZ2ZRhjQ;&+)&shZ+8Q&WE;kj zaW@qFdY_QZhI3@CoAUcQ8(L*-ru_=~ik>(__&S2K?YpTkMR;=)I_8Yx$VRv18~Ck5 zt9=2`a0^W$rh7BIa!wgG>6U^&e%*qOcsy`U$mX}@L*si3pHmbXw3{sk+Pm?b?dolX z7PY*iDbHHm#g(hvJJ?|9eMi1!R{xwH<_Q&+I=RDQGFOrVHt7uDa2Fm~k5|^oBk>ba z!p^&^kk?NTy!$i`H@+wD&|_JfI)Ec(v z0Y=arb5P?P%TQ>jcNq}ojW^m!n8yS89@yahG0#)bavuY**aMTJIop-_5Oeu~f|&dV z5OZe{hqrnt-&)&;G|HgI%|dkw%6&^XTk1pk^0dMJ-z8{dpNzH_%kPXBmi`PySV*Qq zS6Y(^t5z_M%v|YX$l{mce1snHH!S+Fq0cUuBzd-!)#|nS_2f=6I{rv)X;1l_L zl>II+$qTXIsng}`Hx^J9W%r-RUmVeUvadDuoGu7fv79)uiBpC=RTwkYJ%xSu@rFOy z_x7p0X`2@(Ul|1*V_}*Y=5z3_Ke3H|CO`gEvAFWG8km~ubec{(h)sTb%kMc1O2ZTX z&ydlgo+~uEpWJbP(jzh-@>C94I%Ez^PU-uX1w-v70xtnAA7>KOa8=Fq+h zKe3KWW?63_`uV&M7aV6ui=MYcWX3)qbR zydWk!4{5q|_bh)re&ia54|}ID1=&f+ 
z_BVO%>UGV>;?G*Nbb;XU9`I$iIegZ8g*n(sLdM)Bq$68<3riN|J}6im_yKV13|9C% za_;gE@&)9e3b`RvvzZ|0ib4490cW%MsHq~`fmhsHw6qS`Qt=Z9Gi$c)6LN9hJ=9#s zKFX&vzhbV78zZQEF`$XprPgF|eZHUMd-0;tv1h%ZjW!EJeLhb)TR;}pWFLN#UoEmb zY2-x@`K^Eh#nqyl&p2hT&kEyD+-Ef8yljqq`B{GCcUiF`lg@e`g0n;&<6m;N(O={b zLZthfN6~)Y0I-SG(X`jZ=FFmBVC~!dtGuIH=pB2e0p&kBly%)j(g6sb_SQPobu)m`G~31 z!`Gd@8I+;Zyl200HtkPMd0B0?x&NGO12(OWwxl1NE%&EFuX6YWNA>x|krRI@OdF39 za`tbIES4wlkJ+O;2GD2AuOo4ZODML5n3cZPk)?h1(Py!F3NLoW4kj6pfRJvTYSM!*qr-c#DEp{AS2jga74KJ13V9b3F|I z!|@3JAKAe;ri!+_-dQ}5{>Rq_z7{bG&%?y*0=SoP0oag*8~Q4q`u8dfjt3_H;fOA* z@b1sIC}Q{-TX4z^dI}flGxZ?mxFtv07SWcL4UTsw z4`tId`wn!71IfPP#OA^d6_I~2X-_S?ZW+kDwEQM!-qe!BCZBmH>%*Y@QUr2h7xm>G zn_aVcxyAVNdKmA;8(ELbusz0LYippDzH;*N!I9AsU|R|IhzBCl%5k>vqS|6C+d$sq zMP~QBJ_eMBbp-CLP(WEpwxZi{=SL@6;-~YxVp%bTWf^LnV-2Acu;x;9ZZVqJ~p!^U{$ zA+L{cZ&!rP|5O8Z#3sLTRK)~7im1zd6m5&NIo?F!WNAFXLmW9g%-+|EnVZTxrCje@ zpXR|Sy>uQ{3UU6I(!tl1tyZ8+IjvWp79LBX>BKJ3%!N}{HPgy}Ik%@7?7Q2LBje4q z^4|~6CFGq(gsjiJ&9zptNw~$Q1}C?pZBN1qamQk`JM$}poOQ}vTSm6~#9BbcXipAo zjsK7ZvIT^U_vXmE7V`c7SH5jDZFs)JPt5x#eK}i*rNU^o(h@p4HRi}{ORfBgZW}8g z?=|7bAy(QFvU&9Sw6w1WpuP;cmzcru8OY*DhaapIVyJF$$VhF)W!!J>`*-&|x72vH z))<;-I1`uK>bE9pXXe`yeZ``LeD_;*@5jYSh_VejX)ZR9Q!Xr_ttcC}EyG7N3WhkE z(~8BzuprK6Q&J)PwD`w*)!K8UQ(Iq4mQ+&SwCqvFjT0e;mbk=|zL^~gyk)?elv1ei zrj~-DkDdO&V>=*Ie($ER=wn#>Ls z-=b`x3j7kmhlduxOR)L41|yy3LdpStt`CRDm(xmrdn4Yj@L76;n4b6+i-ggvN(J=C z2Ib`|j!EU;7*gd;C#1#RZ8?CXIkAd;ea+bHI`Rjb&+Z+&{URvOfKp7uc7r%&`w9wa zII05t)M5xn-m4%#93;gxDf0+A{GdY|k-rY*Y?_J+W$BuV(BTlyk*_OiOUmY_b{E(; z+Lok~`l5@U4(C&)++n_IZ|XnoFwd?jD1AXG4%HJza?0P86ioB7hH0fnbEM4(tQbUF z%cs0u*)KcLehdw};-GbH45u`&tkB-ADnm^DaUAJA8o{S>;{R#L#I&5b$tqWGRT2#}P zmF+`Q2X%9^gDY2}Vi244{w&URt(ro!npKC6u5&rEYjt@YJMJE;N~>cp@DoQMy#<`j zY_6{{dsAJZacpWp%#0`wUpUX#f=#HQ08b$J#>E`IE85pI$heRVRzGm7pitRDg(N@! 
z7~wdyM?4(79u5{Wib)Koo?cVlO$R&QilHOubSPeQlld~vW?oBvD#2RUf{7L@II=uL z^+K1_Wn-s$w>lm*A!ZxIh~q%?N=~_A87LiU%cs29hcgG3A^Y$Xy=5B5DdTG^1+R)wwOY=O24 zR?WACRgdw!4e5Bh2081Yt-Oof+z)$BhZy>ZiMZvMig#~_vZtL^`U2j7fY|g%uu03)P@dm_-%^!XoxLnn{P3fzex)0QeB8DgePf;rj&z1rf=&2WHi2eLdX?B%J$Y3 zr_Nub6{emrN353m?B#5g9TiqXw2siRdp}2p@AK7XyB)RiM{C~^yzjvRc(K1quE%^f z?Hz^4+ksdXi-9G0z=k}u`hc$yyX>Tp_Vb;fEchsgw{li+$$V!ZKj6t4`onpNNPQjy zRMV~fE=-^mtF7L>&sG%i@$cF|hP#u0T8E3o6u_o@rPSSNa_3T!P=Z!Qm%wU|`B{ zmCv^)0}d6TwXjs3_&RXAfYOA8HInZDtxP7=k3#S_#1$BED2cnvDRUYr3?=q%urKlf z^J@b4jCGUmI+IfV$$x;tu^G%0tNnj6Ia^eQ@85l>=!(1DAbLln3cMzcQhOe8>SGVE zvNhLTJ_=ZpJM8TGn8S@c6xR4!;UDYmc*2n}_z&40T;Wn?W^tJC4Xq_sCC1MHI}Vk6{NT~??1mi!C{2Sb^-M_BO{r>vFjTU_k`%v>)h8uo_6 z$G=2Bd*me_)jkirSJJb4ub@gC^}=&FWr(-J6nK?4#2m}z$ZQ~G+wAMY(IHf<)0e2l zvbOJg&K8~n(THDVE;V5HJR(7}E%(&zhsICkUzBfY@+p5V=X7Qp3^ zQyK&L@)t*5YOGMN8T$kI<~K)v`{}E=CL2facZHa?oz{W<$n!P+t8&llOdZc2Xb_r} ziKl?K>2d0?Ch}94#OH@jP5@g3*u-z6_0cb2GiR1fpjQOH)GPrdD(LNk+K=F>mRF zC+$dxyEN|Rob5z&Z6(<^$gjTG@5u6%HIZF-Sh(m+Y@HVi}_1D(n}h&*PnltpPJ` zCm&-LYbPF>1-3C@6BGHsdc-FElKCF*?%@+bVumIWPkpv@AtD#n&DqcD&!(|#E6)vl zW=)qpx+6J>@n6H0QyywB@3-!2UXG-T+nXR#oQK=GF{=*Rwz9H@PhDBG&%Z7cW!ZZW zkvn_PL2D(O`X82UIk+oJdymxr%9A;F)Havy%WFC!gqHab$c5$NKctaPoq$~F$B~hp zwUez5s^g0vLiJ5mm;2qi}A9!n0`pw%0AqfaPaSU18om1}Y;%Cev zg5@dg-R9PyIpR3@SuESv^x%~F!CD(xZ*{ym@G&iTl%W15yf{`YgtIN~p-`J$=>cyg zXgKmnPd}5tnwd<^Y4LU_MA6Jd6xAV=Q-_536=mCcDirgE6LmDTPBcKM0*M@c+>ItYwJ&=y|>L(&u-niF7*Fpdo)4St{71)3UJ! 
zT4IKAEK?iT6|!7rH+656Hx9b7~9` zxv(2)3aPkNZ+N%VI6^wH*xuS2vhF$Jtldh7*IMgznNO4du*FV9k5Nfo?e=dtcMFV} zI>q$V2(E9zB+R~5-jbYsV_sfKP||THaRGVnR8E;R#m|Vf?yC@wk$vH@3jgqUyxdp5 zTMeJq?`3}op$`&>C2sT#&bDG2vP7?bS~J-Ye_g$z`9RjzKeUuy8=Uu`>HdR$@l6ZW?Ib`;Kj3@zd~m>td8^aslCc5NEj;qY>>rNJt3mHyiz&K5OL;V9Rofw1c7 z5{}GWh<;K5A03rWsBH%UK0k)TSKvRSk@pFi70Z!tmLL^743;kh=Ea?UL))8Q;8Ssw zJim-n#t)Y74wk{cb{qqf8>UvGPcN+CZ1smI_%v(?OuHRNNGEo5h{7UG9w7tPa%9F( ztqJQmRN)UV913{$x&pZT`c~y(K=$9jk%NaRtc)cP^65s7e7DZe=&zn)8c`&fh zCR#w8@^xpA!n6(9;7xvicQ(GU>**32^p#OM_el2aAkl%cqs-SA|Fkj((N9PebLP-p zYK1&)de{rPn!9)MhB#@ra6c1RPI!tUh z5^%uJlm(7Z==)PgK+KjS9DZelf*HmmfgFJ24WrRPI*-)Ke_3<|Aur<;10hq6WBTxJ zq{1I|7^N*=IGJfiW3mUdIh#F7!Qf*+>y5(+1%exmmLJ@bR=<9>2;L8Z_r(#w7AF)& zE38PQj)nxQa|Ei-Y)-=h`!Na@XvP3O`9c9)pDjG=r_YjxD%A6@iDTR)&fz{*ejJ?q z(BSh<^l=k(AaU|`{t9P1KUN_WOvXXSwN#GmK2Bc88SBegSJ4`Do?h(8_i@^R9Gg8( zzBV7*&u7^jSk*-*EfmJ_1!A*IM_sodT*1Y=$HTP8w>Uh1y!`1Er;e;o7l?636(ugg zO~WY#5(73vwqk;O>_&we+x__0TjJcqHKTyCD6^X=pNzJ-R^3X^s$YasF&WK$$SLXCf- zH>N}vKr1fN#xcJsNcTG*`4wkLV3aPDR!oL@zn+qyM$GcDpZ;GhE6nY;&y^02ZilVn z_CUaMZfo}^7yw9_?10$qYs!kxpzIAwvA#Z?&C;hR9F_8lfQhEBnAJ24M6)C0i{afK zai<1B0xdaImjWl6XmyqTHIdfwh(5Nf*Iml4!b`RWe4f_n>P(Q)_>+Y9#2!S zpwd4;Zv4iPM?b@Y$^R$}R(lA(=Lf;vnc;M;m9%7^=|GPDMacRrYPv#!aD|XPe{e+C*_Ok#`lIoq1T zjV;*rR`MPD?7hY7i1LvRWktgRN<-FbmO?*RF$?x>!53@DGf-s6a%U+_zU^lNj{Nio z-qxtG8EeE82GpYjPsdkp=&xs*G&W@`pUS6%PpcaGO-5fT3V(=MW~U{mWOL*ThO5a< zx~~P>d3adN#F6-h4hf91fPMMn>O!=uqNGoi6o?X`?`vXVci2 zxoPA(Y0vMDZ##q01EroAl-+8QK3BFpO2M-9C|Fjs4k4YHb+kg)42}kJsU0Dm*xK4K z!}WlC=z2V?mPL=a`NIrxS+rbTR(PSdnRL=0wh%h-+{7OpgY6qzvC9h;Qg=SV`{64w zWJbUug$SLu2*{xN9NEJO$>r5Zc?ZmFG&Xn$96;~;hzEp>8xW-<3tgR*XfQ0f0jlVlf7-@WYqu zI2NO@0{EMdxs5q8&!@5R-yKw*8%s1z{-yE5aGMz`pEWBV8sI?(%&B9Ft8qrniPD*2 zms5VJ7dO+&>uqbnkvUBM4B)fj4X>?$h81WKF~`}p;%uXr$yZ8dE4t>;ZLsD#Lt4ew z#OB2Emnn36pXIO$CkOuY(ZK_cE9xFRhY~v6c^l$KQYjw6rT0I;VPawxBqLs8|>W9XTN!nGvTgDO(}j>G`V| zZKQ5TJ`?-gD%NfdDui7j=*8bN z1jN=hrm+dLh}TN*0Gybcd!Y*`m*~V@88$ot1yNMILfECn!?N=$xt0nE@<$p9)w;B* 
zFl10^Bf2>d2NTG$bqNZS{D%q9u^!)?S%6ztJ69qAofJ-jHt}xXrZ@Z%jv-de33u=z z8KO+sr6A_@E{KW3$6W}yY<=V6tod$*XqmVh@U!?P%RYD^Z8L1S3b<@BbZns21uMA zg%gQV{sWaB`%#W_1WXd*~4?epNi65Q;$u z&|c+EaQLbN3Ja?D2wCV9AsaBegYx;eZj%?+iok?(aHLoxRXxMm4j+_{n+7=sr|BRe z?dyvRI}zuIP5N|=X5o^Ub|9hydt$z7e1WYyq_CN2b{L+?zQ}#r?Xdivrv-;Qgwtxn z4oDC^lX{u6-M@fY{)wsbBkzX0$8XbBBHcG_PN#6n)JrHUBNFBFPuJ^-j`XfvE2tE6 z>AqA>nV+bzN9TS7-U>+P$Szm0OYn1!ynV0rzb%>rF%uw0?3Dr6+0Q3|5g<0mHai8#D)2xH~UH`r3CZ6n|AJw8PJq)*S3 z)9FEP-f_x$r{%M=Ua5WW>VoYKeqt0Y{J`0cpO#M;Lwz?caRAeE{KRuQ7N0oV(6d@| zw!T%U{KrujoIyjZ#z6`4)*txuGxFndz0rkB*#E0YJh0*PwScm^Y_YQS{If{gf7!&d zc1bvoQ6R7$Q+RAY;2i90j`J7 z%HU+P&My&H6Hzydv-_}oqLjYFa_ZLTIrJucd7Y`r9vsHFj0wiB^I8LTGXF38Rmu9d z9OGeoIoK`^*S-eC@5IhtkRPsNFQN(X7}6hL>x=TyRU#&~Je_%@M?%HX%m8OHNXCte z@`FU8*MUm(iaXsP68oa931~p3Xl~`bL7?(`BMMa^*$}>P3sT%i4$L&vaIk`ZDZ*X zYtU6l*p0&=6nDo;`xj$LSLKJ5I~B*9(cP@aXj`%C&#k~Iy;Bu7jw0}n^%5&_T-L*m*yJnowCj*?#GXL)nDq_$C)vAo4O>s;19n#ar!Pd}!HMhG_1Sep{&d8` zPS5uD0vml=Nu2xUJ978bzp1cf9(EH}?Q!PF;|@rjwW8&_*HFjtZ|Lhh^w^zPot~)A zDK9&LGVqqdGRM?gP-NVY!&7d_H+Ar(>T6pO`F|)X2u+{k5#}#vr>^QwOIk10n7CFH&%N(FY-S8)~W^PxO`teDogh1nL=w-<~sc~ zx+Q08pP|rx(HYR;62J;SLJIY5fq14}e(B(=@Br`&IKlEST%QeoAm9AEJ6-apMA{$C zFV;48ZHUr^g$Mc@Fy8=wLze$QzMIwQvaSw2z5NqD5+_)ipaNbirJ^o8#-;jT(6!WA zRi56yfYOMa-W?+SJ*CKm>*MMEz(CN71zGD(1(fO!nS$Jr&0sy0f!n`@(|af z%)1b;^wEpHb+%8Agg{#M7K@#8-H6DIU4A6r*!nGIRHAnT=&Z1~_^~FK*qm8VmO|hz z$U@}x?MX-{b~j7Dl9+MA%#e;iCqRdI%%OM)XA5~OpCH^SMlPV_pnDI+Ov~AF9xDu= zwog!4;T-4_xWh|>-Z-$l{JgYB*pJSQp@q)eh#qd)k89C;s<6uM`xIKT*zjj?@S8sV zmVb_|OJ{~up!L=b8V_QvOxv z$=NXDG(HMLI#P%Eo3OzO>*d2fzH1r*4Yv>;Vm%X$kHTc5o>>u&hzofk-%LNcMbx4# z>{mK{sV}}3LzLko5I8vsl;wl{t`7$#y;CcWxL#wa{T$ekmkO)cyI;a(#l~~wkCzG` zY4m*s{98I6qvzlv75%SEwN_ zzlZBwV+rZZ%6^dVRV}S9wsb-z_!SSbi-l|IGGdcnlyhIRV;3Fh_yL2&WsTrCR`{c~ ziF6nY`3PHDuHjxd{83@M?gt?g*K%aDPYSCjQ$GP&emzH~e9{(|J#QTHEN1i~m`$~y zXm$j1{({D6|5-uCg3plAdovsU9r-A113I#MTltQ>r`eoZDS*s;QRa|9BFbGVrF-h59e7ut#@^Um`gfht{mf(cM{Q@nLp+2+ka4f333!JTbzC2q) 
z^BFgL!n8_Y6!YoD%baa*zCsqt$%j?rQ~n@h+(MZ1IRczOEFRbu>MO0xZ(p=~8!D)z?Y!!F~J;2>=a(F+zP#fvt zIG&K+xBu0B3#(XdZeSECRzyL(XAy8rzgxgjoGn*@rx5(|{Q|fFtE3-VTH1o{`heeg zz~P(p70x1L5%O{-N7@_6#}6B30Hi0@94Iv;8iY!JL)HGA?Ppr2rTsy1Q+V-X&gN4z zRQ{>X2}Pm9;3-F1W+7~n?#buNB32FDTp`2_y-}RzL_RB^#AlWtW6@Y+D4*J!rMsEY z()LFkBQ3KzZ>FJwk>!iQ$YC!yvTw1_GO|Nx?}|;AG=c_NK@+Dw)^9jlPBDc*vonH@ z?Qc19jFEx`dkEPmmm_}}h01@o&C?jjZSOg9mT{>3iKk>j{`$y~rY7xX8}b|iWDd^W%D}8ub7|e^t&w;EOc>Q91yP< zaLOW<3jNI25@HezIdZP0LR!8;$ao`;JXEwv30B8SpopcRBgm!D05N0rV1e z27cmPva&5_v#o^=`KX+H15G@)vsEq{Xc(qa;-cUJJ5Cu=UZF3>m4|8R4jh?b*Th6= z0I5-=$P&7N*Byey5z*M0Q;w*hFe1iRfS7&tI5Nqxi5YvnKz>G*@?!Y-i4b!HV#Gz0 zCoY^a$GM56(vvwQ^&i!x`jcK06_Z6`Lrz(uQfN8Zp!C)3F(H9XAy6FQim<8Hq0Veg zB?V{Qt3)m5&Shk{!dWUiHsgCHe5A8S_hFe>pP6`Z%01Q!qt-iXi0R_Pksg)hdx&9h za%HNiuEHl`N4@OF+0Il}=&6NmpyRebN4B<+uUGe{6n3QxQ3v1;F_JGe?N zsz67r7982NN@ywB0mb6(+H^YWYlPJ&(I1~$a<c;3uwdHazHKZ565cIu_cHjCsYfS{s6Yql+>Is#0Nd$CJwM~+HR89{CgP`>3*%aODLxdt*wyt z*42iXrhPavNZZ7U<<(ZO#kmgP-TD{6i?Qi-6pkeyBe)w5h>$A`ZRK-ae6J!WDd*Cc zUc?+z8HYxQZGo*qj=5wD9d^SwvfBfqdhk_Qy#C@8TA!V$C$Hmv z<>4+}Vbxq{5u@?RTw-&=W40JGg6hl9m~Qzs`yK>JLr{vt(9-#wGOfNs5n$;8(>(EU z8WOX14st@^JWR6b^+V~9UQHYa7jlkQF7oA2sU`8&YhcTAG?SR6%HV+*QWV}Gw4!XW zIsN6puh+m^TO7JIm4CYTO$6z$I!!<=| zpN6;sUJCEG{0lc^dtDW>Ob)?4@n8$V-5beQ$`@>(7pK?cp6EpEfi;}%R3rHXrP^`5 zJ%Yj3QHO2OI!afLENE>LeYSQr(qIoa1@|m;gMCdm6mVFw*DCPJ?tpLDTmaW+!`u}r zrFen|Z{_fB?(((DfZ#bP_2Ca|gs4~^q~Tc^^2Zbph4SF22Xu7V!I4Eh<>&6HRZr%% zh7NzUi#T7#Q7kVE2y3^aMOJw#v`CsKv^2yEGGs*sFL|GosJ^pRcW7w^pNLiZ+ufXP zotMHAP^K4jtlG&)DpkX z$@Ix|O8@Z8Vmo^xjA%$YN1W;lFAA9=@Mc{TbH9So(WUF*?ZM=EbgWb`RsEV$TyjAXNygEQStNhdK2-2V5;!rHlL|8{YiI@%^Cm z1*JI2W*y;_2M=SaoY_~wC71MtvU`qJ!|SpApDC23dG-Um_;@wEHe1zCVR?0);4vpT zJpP!gDeJOGKI}AXytdUC9XSp55aSr1)11;#ubHr*6X*f?uJU#salWx79U`JP2*k0! 
z^-MLde4G}phmx1hapYdTd?0e;WFeaa{W5A)NyS|F$7JV_+4eRlbnXNLgc^XyUY9a zfW$cui_x}rXj{=?bic;gD%=%@Pg@Vj;dPxOV?E?ERo6fL^`nE3V-n;Lw}lVg;ExBT)b=Sj)O{Xt1b zNc##0E!I?2Q<}3l9|hwS`9MG42d}`D?ke&21^nqB9L{{Trn0M#$dk#vX-An(J?RBq z-2UWjXCJ`_WIjZ^tJK#b{2 z6Dm#ihH7Hz_2ZYEEwR5sfl*<9$kEf7B?cl0c7KU*(cVR6jvoMcQf&@jq|;lndFAq{ zuc2KYTLnXpFL7*1TwEM6;gn}<>Fct#0~I<>@IXiuYsTR@1LbF-EA3i!ptF^9*N)i0 zbu2iW(;$TgjvfR#+FNpD(IABc$8$nf)aS^j7O<(xdEDnydvrSoHTKo$`sNKdWfMz% zL$!0)&4xgtE{!-mWQZpHn)kq^Ngpu?lL?!OGiu!1#D+}d5c!zr$=vrEQO)rgs3zX@ zG_DD;IkBljHTefNi-tn0TQ(eNK1`v7yoO;qvu6o`NXw-UlV6d15XSr;!yKtlK+GO3 zf0xAgn6(L%H}01wziP7!Y@NX-rVM{>L2O>K6T!?TZWm~6P5X`F-s?jU6ITW+-sfyLM#$%j7JI&1)E06bz(-_zV9(hiKT$~G<>Sl7Q$AqpM`3Kd z_(Y*k_6!2@M+c6aAEY&uZT;m}c9c+UZO0mC1Kw-L*{p&UGzh?#jU903GHC#$3ELPf zAM3Fz1h@E*;7+XVNQJV&@R2~i?ZlBqBjtBXI&51QX@CLfz=_y|$64km3~{$n^0P?G zQ@=i??S*dWU82Ve?Lwl-AF;F0pwE_6ZN^_%-PC8Eggxq z91S_Fdvav>Xocdld_uPB&5@2h^z~TXF$yzz&oO|1=|XTkl{rQ}uwDJIUF3QgAPNQ$ z!-{GBI9sC-g`A~-h}MkF4u$9H5Q^@c&{uE4wui{44C?;ic!gX9#oFTXw!Iq{r+uix z@-{3KX4&q}kp-a&vEBnhW_xmEkFg44D{d^1Vcr~ha;#<}>s)r)e|mTd^sZT-`MVEi z``Z)!V&ph^b1tpr-JEu(F4ZW&EA-=(*TyNtY0bw&weqqH>HGY9@73VIvgUHj3!WLHhH(a2zQSBp{M&We}xF5F(-`SY#tHv)3je@ zzvo_H+J;$5EME%4bt~Zrg3dIOt>#fM|FSTS%owjXVUbbt&cdvAS@vcKLs!6y(=iHWs`RXg zQYb5Qh=wq&qd2l-IE0xIt&d+K8xW@7`Q7x;+nQaGI}*(pY$ zUBY8vp8w3?$bB*L;o5t5hTVvQ4BuiLh_O<|=bY`?bj(lwQ?z=rm-qxtD=V7F0)80P z*m!R|=lEudLQ`ACLYL1HsgF6b;js#lK{_GLk~s3GSa~a$p3gR$1uN{plqy~yQ;^Kr zB0iP(RN1@2H^ifZn4A840hltIv#}(-6?^P1Ka4$AJ-bhZ5)DBsuKYvibIKPBFtwyi zm0vyE>Au)Zy>CQ~fx%K)P>9$Wut??pVet&rH`Gq=jigr>mQ#RSSbFUjr3Rj^q;j665f{K9gUb=g-P( z+8=5-V4f5AM&r^s+dPHjMgeeBY6k>>% zn$6jQ6S37)mLQ*DY`(?wtp=c^-8ZqPbjq!!lt1^IkqFh&^EfhYre@Cavk^YOOjPK* zY|u)&?PCE(wV3<5yS2)K3pm?Guu1#7@?==%$Ucrd z`z6MZ%2mSWe{u1kvdPpMeKDknQ%3E>xH>RP-dase5}(oKA^U5ra~qei2lJ6#>oZ$H zzZtWkpYtJ(JULrFIQZlJU*^zrR6Sv5F`qm02xnV-5DDG!Uh+k4>OBP6_=Bo?crR70?KytAcy^Fj+{16 zA(c=Jq%NJ^pN}My*?fh$$a6k^a`8F($<8d}Yxv%)E9Ki^V$|JLGob$(=r4v<_UDPx zUpCE?ne5$;0?4f(68nhpw?x#P9atd0a6Zv$txJ2b{f>|5CvIFMHYa9CQAjDrrNBno 
zB|>&&5#M6b_DzcXFg&wt(VaUG#2tNAOeXFv<&^#l75Zw*LJ0Gyj3Y}IDr8gNSp?+s zD;!y;3~|G_K!sU42XNh6?D}GKl)o3rhn4=D`i0Jk z`N8ECbm`_n^cJyw-@e5u?XIIIH%(QDB79O|ozkDUuU(lczYh3(<;{WR5av6qR>Vxm zvR~MPR89V^hrlHe;j24bgmXXZ-(opS6g0R>@b`aXE-Mg_cD$``z?_#Vz$2Cdo^-Do zZpscWl^=5H;nxq@!U`d15;5@ESwWN?S@B&gu>6+E51eBs>`Lhp+SceeVq(+&0jE5- zOd(HOZ#ncE^N=H>?qd`OFW01>D)qE<7)BRrU&pFKOoJq_J}a>CdJFWj-p(#!iyxhd zr1gXtczQe``Q&qpJ6B*(TCwsp`2ETi@>w10?sktTtsYTBf_~50^)w9ed1>;I)X!m~ z9DTuN4K~rmSyd97{1F`=hDQ40B^kky6+hR%S$XWZ~V&WXWMe*k8KQZcFeNdPmyKrQ0FB+ zqSvk6fm3hJQg9g8vmn$4M~>{cQ9+&XjXM^@)c?a$6`1X|mSk?!$;!-9T*Om}v zMz(^3zMKvH{MuvmJ9izO$ z&;VES4OhvPq(DzGt)XM7xrpU==O_%liX6yfk1I@a(erxd$`7F0x4-kEvO>yn_UW?)A+blW4EhWC}->Ug?v1l z)%mjBMwp&%92X~D-FVJ+_6vm=!eSS+dNzT2x+5F1OCeX4PRLVXG(mJ=w{~eZvc9Tyd!rjxYOL-5aZ7%E=FZI{D#V_KueY{3#L-edq}{Gq;nyVE9Y=za-saa7D<~@zM}+h zZ)zo>6d`IJXPZ9T(2$*4A)hmjU)$Sy1Ssi+b+PmHTu@DE#&V0~|=% z=q(?laLV?@3OSzeVpuD6F-NASVDj$LQeMB?^QLd7jzmT1qO*x#!Wxt)Ox`m}Ajgbl zT#jQU@^jIHnR^Q9Y~v)@M6}1~6`algfQ&tis)A6KdH`~mGeWjXo8ViQl^#%7Vptpm zdO$VWdSFOo%$vl*Sxq0$Y?WQhsOdQKe=VyE{&r)!+x{I`&~hxsDh_H^u9ETf&J%44 z{YUAHT(OxgF4di~@U|s!_R93KWbuczda|73FZ3xoJyvIQ8y_*Tb)~is=d3*Rx*6E4 zYF$7}0OoR7YgS7a?pqD5&sHDSETzZ(H-s*7cCQglX^Na~1AE6gr{w@lPA&5ZqiRI`$e@&~Lb?f(=vnzkeM|q#j?TNOD4u{IlMt2)`i#k9$_*ZBNJ~ zHn4>gAJPBSHL!K{Bx99u&t)?18ab&oWeZOrxUr}RyJ7P^+?x3J?=|zR1X61!-7z(Ur)osX1-)4r?htVS&lz{+wgx|sYwbz z4G46(3S`T?PixKFB$)m+aP$9!8X1jRe+O5764duyw(YdmwoS#gkj&%DXtgT-z1l40 z9)ad*UjsC+3S`T=f31CBpWfAGfB25q0@(sWu5+NDt3ozq*S^;3xBq|PZ((Nx^~k0# OO!Xm{gC_>zU;hU&54Cv! 
delta 195239 zcmZ_030%zU_c-3Z?2v4I{r>*<_3Cx+xzE|pdCqg5b^O09Dke9*# z{9@h=$j~xVQ~MV}kH#90QvDaqa2-wpDk992!W=mXRG}cBBMZQz3PpFKflg-hFtY zz1z!X%Y{EbW@PPQ_y_G@vEA%O)_m`*{f`UhA5Km(P5u$C^JrUgda%_lZH2g{-HRSh z+$)@3(_qn8eV{Df%FF4~Kv$m(GibirMbqKM$!0BY+m;?2l^a{f`*J1OpO9@y==YAe zqcRe`{Jzz_AVbjnE}XUBMtP{b>!uCy3IBY4IsDe%9E}%m)BB5#X>ZUD`h8f=ZtBN{ zs+8VBt7S3Q+K$;j%1x}l|0PByM{aLs_bE5t*Nn7=)}xC&GS}(4Ue?L>-jI;Juz{@; zd)3`?LszY*&y(f5O833l<^N~z&IDFye?oVp{3I*Sg?r5!qpWM013kCzwcL(CyT5m7 zO`}=ts%KC6W3{!_8Kvc?bZ>S2i4RXE4qXkr;C3{%rZyqEu`OL? zOZV4;n9~MdFZJy^UR5_j{*nVlX@#qX##kp42l?T%b_e<7s?S_Ox$Tv-?U|q6OHNN( zTf+FC2a+yckx>hhVY{5QeY3hsaX2w%Evshzo0C@8G=j`Ko647##w`?{k||R;H00gV zqQ)7o<939Mm^E7ckMP#1&%GnOnH5u+V@s;kEru$ejGtkhJ?853l-^Wtx1-Ok!{?q1 znG&Nm`JQ)D<*kHgONwocjum{qsCawAOO4=>PD5uTG&I$XS-adSXWX9G_Y7y~O@G|Y zbe`7R^Kxc$Y|5dripLT(>)%(LJ(z8p^7X38(pO%TAJ#WMbnc1yw#N5S_p3GA^sY?L ztq<@1o;7vR^M!&j)&ZPDmx|YU{@6M)Z@mx0ZIn>Yec#_1$2SIOrpdi2dr+Er_Q~o+ zF1M-^CKu+)MD!&ne7K=KwkR#S=hd6VzgIS?w?#VTyUn?fa@}g*AL}{RPSzgH#ZT%= z)2YvVnY(5jSNKxkqIT*mJ>1~*wXU2^qkZzD7naD~47}gD-;iEmyLH`>_EkEgth)OP zURNBixS+N+-!tod_-x@~`Lz8zG-Xb{=rY)yv|xX|_qqJWmoAR$6WA6N4>nlz)y7qR zNv>$AD~M*j`)ROe-L&401)J9K<`m{+aX&Ao@4sk1+3=alipt!mord>v(8mA|bu zPHikJew)2^E)U zUdyF6$B)Wl$#RP=b;o^9sZ$Ob{wi>^;`wo{)9)q#On5Ea zmTctXk`YwM*s^Ds_M(WwZI4tIzxu^IGp}1UWs!a1@;eTh^8=1;`RY-Bo2B(NmiKHp zZPB8VR@YM=N_*eE?^B$V$|{Mw<9yd(*A6EwUIy{Zv4Sm)~f7HtoJi z7dkT~WZ#1cL#XpkU7DX1o7X#Y=)eU2df$YX*S8-%QnjHvwm!^q{;VyYJHuY;U7eTV z5#`;nF1*2Kxy@C_8r`1N2ag~AGymTCXIob-(DM5GtFO~+NJ2?;VAr^tUWXPRGFzZX zvzsm(WF$*nxAt-EsP=iC5U)%305s2yYKM$fX*y*zg7;y}UW zwBsMHYb4x1_rf4?88z+l)W}~tmphWTuCpn;qx+yY&8=sy{WQite|Zuhh`2wY_veX3IT=7=BrAhW3}?Tdv$z_x-y4d5ErJ z*NHa^63@i`UUX^y0>2O6n~k^Sznh?xF|V=5T|RcpsP6+d<6rzVUw!7v!aK)bC--|# z{?O+5Z0oDZ7xUgvP?8PIdiP`Qx7ufSr%p%b(cgux}VDVx^=z7TqOaSANJLNn60kH73{Nm~Q z|E??7hNt!<%#@MQDM9oe-I1tZr@R`W!BW^V6VU9>RQN4|2W8}cR%rJI<6D`EW>7}i z4#lHT=g>Aq-VA_Wb-E2S;)1fQ~A>lz8wVo zr+yuJ9;shLJo6{cLnv?}HzZp{1zb7euy%;xH=Z%9%#ZkdZlTB8$p*saO+ZL-ga|47g6{ 
zCxbATJkfZYMrQPEk>80;Lkx06$vh~|HrimJ=@W;pfZ;!0JTzMb585_aby(PB;L57NVZktE zO-qM;oND;5YkkbP6)&-C-yM^Yu|qw-)JC9XGmTWvOf-5A9n76+FRr6ezo6~yHB%E`zaRY5E@V@kru>C2|H z(sTyw>c*BhJYD)>Zh^0{m;POz?A?);BhTKjc8zY#j(g!b{cqnLO^0R5Ci;Dh;^}ik zzdY?-5!I#TbBa=NcY~_l{SWoYspG3-vx$*1Q!|rBj(uZjSGD`S(0_F9P95)*{kI;= zqVTd_rx)$zm1!2;j(b-Oe{*WP!j2^gN(Xf>tQ`?!J!$Dbzjj1TRXL2p)hZWTc==D( zaMLJ#+do71u<)goZk(C+)C#2c_(NzP&2?o;mZ82+K|h( zhs{;(<2IlFT9)(j?vBF^6JKq0U+;Th=o$H&b{?B`*{AvE6wKl*ew}9Bn$#+{p3eCC zF(HZB^+9N*w7z_d&VD_#Id!khn31p9Ph*ySzrX+Z)M=d2of~2;H#csW{w6B$ z&y;UH7m`b7{i!(#Cz6{%PIO6lF?^UT|!b{wO z4t-lS{X}VdnL@%fO7=0<>XGAZ>yukna$*}591B!bLGuPt0?B%E$g((9)zE``jcC(TH#q}C@ zuBtyD`8xC6$^1$!m6Y3a?J(~UG>zl^q z{ga=_&HX$5SiIa|`=UEo>L&8XY+S7>BU5RN^0bUi5`vaRx4LNz*l9c}Ib3n*@u$`~ z6P~SFMtoZy925SKy4dlWSNZKdMVwuyUd*8H@ig(Z799ML#x%|>`Wd)R8 zKHYbER>NuM{)P4Pxp^u@{?CnQ6*8VTBi>~VNqhG-cF(rbJ;Ut`oUi{*=8S6Wj&QMR z%!r>!x3Igp%cba|M&tF~Z{4;g8M-G+j5a_1-RW6vp2p*Z@+=cJYCAY49o)X!Jh&?( zM?T|7$K)NYVZK`ym6iU{vOR0IC$29pEZZSC=T|4C_g>$vhxB_P=|_FL{^mPJTuv?- zCsRf&N>^|-86JPiq2^|b&d2t5W?fvn<1qolJ|92bRw2Kc*A>Zf|Is$4ciwFS`iJqg z%0)@m&MD8I7(Tg{_`5UVCCYE^w+#(!pht#ZQn1p~P07eKGTgV6H#G5zz5eDCi|FU{ z>^E4SnklDcyxjg?xQ;Nz-NOPidG3^%^mk+Jeg*CXAg&$;=h{<@gx&xsgq+LBYo zM@9tf_h&Q9h@FR5=FV?R(+FfPMv|p(I$a+C_(xsV`tmZ9AFdELO-)`~o z+tintq4S0-t{l)Fa<_QnCF&<4r1;u;ope+GaqO7~y_^63?#zvK{W~wK;Yzo!UQpSs z@2*dtZraiDocrb7n1{+kE6p7f58vNuiaL~Mznqk{e5bC@DvHIH3VUbmFF}3pHirk= z<&Ul`UiEiUkM)>XP0G)huGAy*A`|qkJy^b`|8dE_j5FvG}kwE2JDu_ieD{PTU!rmqECC`#(Hak~b$!n7JTp#TIWK5j#O_R*>_4U2xeBR6A%u)4Pq5JIk z3{FSVk*0@h>gWGnpm{g;;va77`AJ-r)P#j?SLbA_)BS}jtZ!83@Ga@OPNTKnIaROu zw%J;}apRhG3unCA%Z=ASmrEQ~hwoWdwsu{DUQWV5PmsnUpM{fG2W_8KyNR3sWZ$fi zNhzZ@Uqdb^e_myVOTqBg_P;(}Yiq95%iS}M*W2{aYi~hd=uytjD&KK=Gw;4>SNm8^ zP2B!uH+@HH@G16G|6QIXv#3vlF5DT>^TM#-`O(`0DynH!eTfhD4O6L2uuw`1|MtLm z_NOh=5`uH7X*a&#i0oKB;f>d#{eDrw6#dW%XHT2yXO{IT1RGFIg~sphs48sOwzz9= zSkH}uz3JEFW9E6Mo>zXGwdwL_`#Zyu3>MfA4I1Swe>c@u)8M+n{h$6WyZyN{{z=U; zS=XWbZTyK93c;o6R}b#JTy$F7?emi?^X}d?Tcf_uc4$uEJ~nCI=-q72w~4VS?yIYL 
z%pH<*?C8TYy2qUE^-TZP_i*}(g|~TuGivUhOxBzcZPxO0t#*C&d7sf016q$WQ^Rl1 zODcQSx%b$Gldk&A)GZqtdM=)_emb{BaoM=sH=||07(cW)wZ{QXe7b8zu3M&B-2DRc z1s`tp1gyB6Z9(0wkZ{_uX)S&A?WaMT`VQ5#E$pYzVc{*z&-p>{nC%wjuT?E9RuxccU+%ct+Z%a zR?0)&xP{c>P4gDyoDqhv|L0Ib+aCVf*N1~FW>)uQ$Ym|RusUj6%av%)+tvziN9TN; zZoBI3*FP@}Hm%luoVhM?h-!LtMfa%Kx0^2S4m#zU@4UO%=21b&9rq`5tT(mBIPa`k z=v>6OI?>v+K7V1{8NU|2MRfkd8!w*Es62k}47*h`G^t&0Y{@iq`Ymf=(%+99VS@Jp z+wP|qvqLhStZvV1OrKQ5%g`L7KK1D8_;u6fr@gED$3S(EL}Ex;Oe<;Q|z?P zuj#3JUy#+|khD~nVzc(Z&N9Dg?{6MFl~h-?z=8hoftn{Az!Uz^ZA>w(z{>-$w&HE$D_?0oZNUPILU zrrB%5qV}Aq3XBW$>->4=Ma{Iz!o#1w9^CNlh0n%k)i*Q~-t`>5a4|&j&bFZ~=En7- zHnstK1M@#f2B*o{BmJ~l5ye8u2egx6EmyZ z9Bo3+M;huZWm7&(^yrb9$I7bSw(!06^a<(8b!K0F#UHBcf0r^j;uEjR?!)6?d7qD} ztvOK}M+JA-a0ZsQCsgG!{Vh((`7AduMU0=3O&pHtMK?36%@5Abik`HzQdg+bep~5I zuG{=)dj%Ii2hQ6#Z(4fJEhqZ*FpC*p1A$smo>v1mUthLl=jQvwmYlHYwx`>}Rejw; ze2!{19m&mYst)Tk-P*^W6=ivI!OhpE|3v)W7{_z`v9(Qejocc~tb|2*Y0u`qHEfz_ ze%oYf$M=Q9jQP#7AHU>k{He8lSD0kWp%>>EE?a!zzM7n(v2PH~EM{40sAk}ZkNw6U z?1aXp#>YP$+jcS{Ww!5_yN>{StgT$*yWl2*m@6<| zBB%QAl?GDsFdhjuLarXhQ~;L!4Yoi#JdE`K$DJ z+;5sVqlmjEx~M?YRFSxG$7Hs=L@R=N*W{19WJ~w-Zc^c5OnXEV)!9<4Na-U`M0SWO zvGbwHa)6jTH^TO`vW(19DmpNqW`z>>g;*0ao|v3h2FxihO?;Fk%-d9^UFyfo_v(sh zh=NWNTLsB*hrqV%0v^7iC6ZnF$>bB%^hXa~0|4`hKTJ*m>dMAnd#_;XhuVV*<%ZZ0 z!TlyT0FN^crtR{QLxYJ4;TQ%0eLLm?W()=8!=#uCI!)^W?`V#8*tAlWY_PN-JTRGrXR zWV#BtlSm0SJqT1^OZbkTZ6_nMrWCnbm~x4@<)%yQfNtH{rX!63Y<}9bT22xUx1XG$ zZ*VwXp{Q9jYq8-2M?$m-CSm$s7SP$BHQk{iQMFkkU|I|g&wz@^rmW%+XJW`D(^%++ zef6fbK$LUQj5m+5s8SRrV2UC?3Y{+wQQwnjsz98*Vfq}3JJ4Xdz(pedjE-5f$cn+3 z|8JIR=|#sZpi0kF;)$`@-`^xHOb{JIiYP$_{~y(m;w52^5)COoAUKrrNeeR&$8(X% zRTYGmn^L^d9YcyLx-*P&K=a?xW7qjAD8h^~Q9RgaMA-{CMH*9n0x-&i@)>}OO)0+s z7;Z-SEOGJv%m8(SZFnFpv{a}-Lx1g~@7UyBrscSZ)CyiB!1>E@J+ zfN78g<+~)_^RDl?wG|_uLK}=Io+#KA^E_=yNhb*gT~nTeE1-}{F+e+qQ{d#!9Zun8k2pQ5T{`xUZ)ShlEQLC;~v(NmuX5z}4)U z`oDw@gibOg8FM1(@CC1M^TzzE z`cQPCKE#MPd5rQyw52fr`lg2$Nf)_(#~myk`^+i2da7 zQeQJA8JW$x;$A|8_;edZm1uoQv4V@1N+)GHP*AmS?+;BJ;X4K*1;r9XA*}7D7^q0x 
zLbUy)ECKKqKUs6aPu3#*h~(IRtGunRcchGr;#64_)lFfd;^q)N!noMtpGe?AJWp_| zHHSJ3{69Qd;90oUTq=^4bXn8pW`$efS#OLLordUhsZ$7x`BWO5oHG_s%OI??h*}8Y z>cv!B2!C8cHHNUxQtC(u^OsRA0gM(er@ogs1I>z{zLJ21S0r^3z$WsdsAEO&U~R=o zgKI$@)$l)QO0c7;#g2f{#{<+YBEJmQq_}g`&yew|^Vl(xa!9SZ@3#{>W(L~u125xP z0`4H6;SMsQhPoHh>C{rQ0iEWz{a)KJU4V#=z;rcW)Owy-F3D9qikhxc9SQj>)GSc7 zr|Cs!I3mt%sxNYV8KR5gRB1y9qk1X@3Kd+VegLhVLw)jI8fNPxhfaQ`+M@DvR0=AK zplTAkZ&1gGsEUa4Iz$=K8mMq};x$maq0lk62Q43Ty{KiVm8a?b z>v|ZI#Ey{v6O%QKRC%EGg4WHqGI6o+l0^yUNwwdHnCU1rM zvD1F9`j&=6JWU?8ck&DoZ4p%;`Ki)OvDs=w$N+T@3|0SMX?UM3?K3bk|K?2{C(O)I zlrKyqRHbQ%+{gP8qC$L;r;Py#xof<=|29;vMVp8|->0e*sfx68F#KS{YL7JW@a^{@ z>O_JvO-dCrRoX77T9q2D6T-(dXgfu!{U<|ZfSo!&LM+ksLb?XlhxKv0VwtwACWmFm;30&u+n z?G^z2hS2H(Xl_WmC8;G|m)(BO!3ppVg<0TP_dki6h&PnB7Esj=g;ZZOWNPMPs;>W1 zJs(Dkl_W;ZB$qJ}810V?xnp!DP0>VUMzlo0c#JWv4uG;Iv>OubuGdcJ`+sP+nIstW zn`owEwe`?*QyMH0A5Cd;BP5)OpL|;M5J`jjHvCl0CRDqNZc7?%g3NP6rVy%0)XbtK103b< zXQMX$i!+kQ522+10bHv*4vNdAk0!8=GXR~(y&IVu(FO+Hmgo+nl>rjEHMbr06kwh3 zfEDp;F3kz1*}6i!e-@~OS{N;!yK1rHl4$Ae)Sc3c!_bRDOpS3y5?%9YsnGt!g|yAG zY6cSTi?-wGyJ@=rW+<#Bc;Nrkl74*Tq99r1Ki-<=S%Uf9){&8!f)0G8IiYUVPzA(a zf|r)<%V`AM4g0L1O@ys*-fEf+gd5k<%oHTqv(K!yWH08Oh6)hP6Q9n6>JifuXt|JO zUy?Kn`zyXd0l6fO_=H(%*{olvF^x{Akj(|C>vqT8Ibq|8q*W z!sqbR1Go-U$RgnsrXi};$9dbRLa&f`7;RUj_X2RI7JVX#qKclV(M!NUnmS$7?~7MF zB*ODE3)MoeH0VXrcoPvGP)8k_^n5UYDd0+u`AtOa+Vo?RY6#R79q3_;Oi`_Qs0QlP zk&>}jm;OaksJfT(FCIbZ8gx&TW{Ks#)1#jNatrk7@c2Vi4h8mfN#irPhW8lIPiRW$ zh~nXNp{hj6XuX;dTSeuNz|^PVr2peU-wxpnD*ZKtzy&&BzPboT;($AxuFBKygA8K%(Di}F63N|4P9u>{0$q!A zh9*(qOCJX$6CWqh6aJrc;$Yh2@^f(teLN(=%5D(BgK-dLIachy=k}|&?9@m2eDrG; z>QQpCCY7)zSkvfv@R0OHJiS>T*ipTU{tV;*N;qL_gTex7wgi?C1l6Et(O*E=WG{Ui zgiEvOtq{)0!D$O5t<9xx0g}Qt4L_J9TEr2SWI{~Mr%Sb?9}DQoB63Me&jj4s3hC{D z8?)-}BU>_e#}V3x>3m2SSVR|)goAwWqCF1q`B+3Z2Wv{AWuYR%>%kZuakdJ0p;Tht zG5R4`|8-00!(lDwl+(Y#aaILg366VL(p%xU!&xbrQO8DB?!_`wb;LOrd6hm4&2q=< zb?JF}E?8JbEOa_miV^j6(a8on9r+!@lQ{b#y#_KDUZS@En%|30KdQkraeCxIyA^?% zcY@)A+w&&x#>25<*+lwv`Xv#!L2m^&&^>^+jx^9GSpxXa2fC*=fPMPuEimQ|1N0;a 
zSN)aFk^Qnx;vf&!XfS-|E%%fNc=Yn|JmR_Tl_Z~|JmU`d;I5s{~U>QF7=%i{Duk7X;0FR zgKigSJGlWcLEDKXSxUYBj;PIZkdbNXz$e?5hDb2L&_(6iP71^iZKpB^Kv%|f;*tHT z*gY?E^A4}YxnO3ijCwNoqfk57NqLJS&k6rI6OKHWtu-K&7yDh5R!QJ3ccNVJpBr%} zYE0K>(kWt9$$$UvpOHv+5ySSs4GiAfS&%xK{W~xiE&n+TCpb+~=QAR}CCa9FL-nyZ zHC0gaUA_bI%VDSxV;3=|!eq}~!bpKEXv-Plpqhuic-p9pRlTE#WQQ}Ii5C%!Vc>!; zo*Fnk0xuU{NVnmC5(LqVO)v-UtYqW^rS@(!-r$Ut;v-qE`=C;%V;EzhQh(Pn7D6~8 zmeHytY0NdYE?%vKStKL(HM~I<85V;3|BWeK2eE7dS=O*!h|E03Nho@90V58qf3!nOX``^{a&*AN zL+lJBoQ=1N=7kJxtEcw)mV|a$|&L@Lm7F`!SzV~0%Ihw`SmTw zp)wd*h}^G;b4{7R$T~1Fw$?G8LUos2X2A9$S9|J=9?ZfWHIMoq3#Y3LSr|Xgb;e{6 z?rrg@H3N7?&zD6TwlSQErke~MD50}~aUZyF^oh36X;=b7lshPY0S=7L9YzpTGOCF| zffD!LW9)-0*$)^;Al&s38!2&GWc7Z&F&1$QSW zcCwGL0IFg!z}N^g@why*0CY0RZ&!Yk#j2cF6vYvlL}4}Zm6=kVNtqh+EaVxf$!vl; zcxyAm;rInzrW%Bs^qDt7_IDo1ajU|SQd1OXfBO(-1Bi;zwL>e(>1HRM?2)TNHBtA< zP!;0uFy=KVw$Ydw0pSUz%!R;vqjT0wd5`(z4o-~an8i19<}Z+z+wE^8lwy?I=)f~F z@i7Xb#Nat57|uKeS@(@#>VoXg`fzUeB|LxMY9RlY?)G9rw>6=<#JrKrYhWgyqYqm} zU;$52SmdApVud~PD&#G2WQM{B9;GvPLRjF+R0r-Ea;E#U8}{A@6gq|JiL}>;suCq* zm{La%pP5V=41f)X83Ew}9`giLAxOZqf#ci8GIUZrDpuC1g0$Tnq9q| zzbtnCTydIWEFK07zIhY3C3s1W+FpEBM=@hZ>+sgESB>PjCkDw8; zsZ6QrY@WtE2Uy1Mwr?uLELV${6wFeCuu5l^LY7Z}8GwxuShk_VqlB zH%S3m-ob5N?LKBK7_Kwd+t7iB&Ba|H!oxU&bD7-$$D+yQj44*}y{KctEDD(RzykTc zu91eA1tIR)M1FKGWLiO^g@>4{pdX(dX8MBj*wrb=j-J6R{_JrVI3VF(Jd2`^G3y`) zb}6$TauA$gvOq;ArgB&gSjXRkD|78Brg)<}=slIw%%hO}>>1`r*t)zs%T$MO{{?CM z(u>S{kbYa8H2>yHOn0cR$yH_-gtf0Tm&i#D)n=}+46s23o0$wGxW!Z@uHR%j0heC= zgt98IHP4W247o(_#}&HvCXS5vEnGz<^KMJk8B0FKQ$p@cve5pEH~S8AGQc|#uz@!j z<7o_5{6Rcr;#VUx5SlfknK>MIb+7rOVIDXx9r9#*>rB+$XZk~{Odc_xK(7t7GABZI z{%uV7%1~+J!Ud}M`GT7&iZWoipq*_@CF0r(rXFa|Q}XnAc6eznQzG-#g|K+b91E*w zcqh{g!Wkc!QBb7%CuTT=6Y#14;ks^S7&O7Iml+DC)eV8c?%UW?p2+eIPQ~`ZP*dW~ zH|AZ)qV@;#5o|6B{z$JoEq|GofaS~Uy$Kzdr3-5Az@M0SlA8K&Yj-?4Kd-C1& z3l*ok6{=%%T+l!%J{{GgvRq)kOrf*pLKf97EDs1PGg#9B%UwbBBfYRuhT>L8WYj@6 zD*yy2{^{*=eRxx`TD$^?Py}3-DnRMI8Z9JC>@l&+MJVY!mNitYM!=G~n3?FoYJj#= 
zJXs+ibME!7{p5&QJ{M=Djz3EcwVw)AA{r*Jq~6G?Ph`!7d}4f9S3!yR;}Nl(jSa+w z_rMywz9dayO@Zi7{8(_=vT$8^JrkoBi7Oixt549Tu?|9#r~j}XL-;}f3(lusD|4Td z2jG2!E2ck7lNddNC3R+=Fq5?dW%0m*H~mtu zRXP5Oa3qczS@x#RVb!RD4VBSS)+@k0BqhX27SG-`{D=;7N2b+y{hGL(r6e_Rqgln! zDD_o1vn7?hXuh8O6daDfgYExXocv9zSyH8nwU#vxq*hR4QtWz6@&s9q#HA{7ElU+W zy?{HfZ?UXIm>Ka2tPv1Cwt+PfTK^}Rr2t{It*k>(Rbm^<1*n=&Wi@lK{~J*4HkK>l zw4LP*Mt6?>SV{IJU&X14wNgQOb+|g*N@YpyO8e4S@bIYjo$EebOm`S%e8#ii;u5YZ z<(ER0iFX++Ly))4-~FbO{P&0}9*IYIX5yj<;**fYDu*y5o3#?KP!Hs1k~bk$;{Le( z3ND5NIV^YyLhy50&p?PjcjxrQW2v(h&;eCkphfEaxQaK;Yx425lf*IjQsnP1n0Kf| zJ+!?ZSNutZtRK*+lMb;o0o}*oo~%zI^F@ad<=1f`FDzp90~DsY+T)v;HU4P46E_7I zMH5j;yxw9~BV^rB!pel^FDhe=1bK6Ekt(Yb^T`yaTJ4R{A;im*tWS_dO9g8Jc-%+W zo@cFv<0ThZd!Y#5TGmUT>QHOm@E$B;nYg$l-o{$4zRZ$^B#Bp9Lm-@Yja3a=!lcHe zbMBbM7x63?w%`d-a7((j{JhO-28QKlx}PU!`9XA&jynhKyDX^}^E)1}PJ%>@UrxDB zzIodw-m~zU@XXo$h$Z!ud2|a4L9=f@VYR}UQud5B1(?lF*8Ar!X2}(G!da~>Rl@TH zOX{M>;T3BrPXnskS#UKeTK33K>SW)_Dv}N zyeV7ibR(6*o(1uHEZFm5hZ$YJZLk*;_h$CsZNcnOy{72Uj-SW^U19 zsB&>qJP{{yx-DCUcxdvW z58k>i31=S!&e5D*(n0QB)BVq@~^z$c?lbb5bukHA2FBHNo-FbDfiptObyKCz~IiBzlm)MI83TOx%VC( zb^sg>Zf3Vb-BY)+17XNNY-dY-u=9KeTk7_teYdH78nzZ> zOs!?x1IAaJi#{6QmtgtYXv0f%V0Hmd6;SALuX6MxTT%oR=V@cb^PM^0p#$<Gt0MprgV#&d`0Ob8$2z%~9a~$*r+?mJe0N59Bzm=#H^ai-=sn*#Kw5@5LOc z1I|g|oKj%%j@_4)S%9LS+_D@W=ABsGOo0`(E3a^N>U->fvQ)vMvF#$lp{k64k$ zX;qV~6;lpYds<-yj*3&1W{tzPC!6C0e1tz8q=|urY2qjJ|#90q^EX@ZwNl@ci zN2ChVLsZ2gPcJ8l*ZagmT)@Id;ZR2vbEHl$c_kbw$LoXC`}ZVU$FaxDB^6p$+CF zhFphT<~)V)pR3ZLK6#D91yY-glctqpmWGn&6eyL7Co%s9=ZqAe2F_dvFTTU^f$)VU zj#R&K`z~iFTnj%w=13ij1-5eL13ikqc2D%jdf1AO#RSg6VT67gCjeMK?fuKKWUui? 
z+*da_3w4RJ&p8aJ#qSrKeK3u3-*6P+cu5E62~3ByPHC<4x;U@l`1X%DttFY?7V;~q z9*0>OS**t`n|wD%>Wbl64`&LfD-p(*=6hm=`3mGiMMG3Dz@ZQ;dpSa=QQJ4pHwd@> z5UWa+?7q3#09GqC)eVi?jByoTf0^l(oG~kZsj31S|3r4w%#+3uC<)WQ@yReCo;yEE=?c&V+4NyE8 zEE6&;38Je{(VigB1BWKojhg__)?Ht>hkQ~oc*AZz4zCS%E@Fy!f8+<0L0 zRVDqKr?ABH;^%Vz_;70>bF)cYsVSy5g)22BKl*WdMcgItbuCcjB`!r@`qL);Jv~bM zP*~46Ix3jMRY9kHux~a_=jKCUc7a@}`)Aq=ZUD4=XD}Cb0-EX5K9Z*vRME?Rdokmk zlX0QRoQ-DzNb8>=T&Y(nd&rZQuXu~Pm8*)%mvB{x?Mt~; zP;1}iT&ZVi{Sn-AaQtEv_dQVKlINchM($H}^f=SK|UipU#)evnq?yn}NagPJ-@=_u`CXw|=lpsiZmQWeh&c>VI zN$FgvwV`bnSL*DsA(IP_Xe_;k_G@51R|ZdULWM(!fh?{rOx`twG~wNT zZX$%E^0;bXy)n8vYyC4U!fx<}y5K0z&VhqmWn?l38+NaN`wB|Cc#vxh9FjlW-IBcA zH6Sl{9S|l~Cq@);rCxk3Im(6aHyJMj&!u7?o)Tp(YMLihBDNpnN*##X9p}Q=TtELl zT|?gg2+8)+6$$6#NF6NW{s10ln)B=&up&xgMY@}@6`$t|HHc5;Tqm$;-?j6j{&$q{ zXDl6waAFtW1!q+Sw-35#?HTSv2nP||BhU#d=eSZwN9O0b@^IX)hPw^I7izgFke}Zr zuGAaPhAUE0-}2A=({r%7R%BwjqO$8;CE`atHxjalyv|L4@Xs6E$FQMqY2->>_nvF! zet`HV?s4aUIBs*%)!%|et{|5=2g2{6)H3J7?2I^#M>mVN`FK>7aDL2{I_~}3!u7(as;dqsacbOzhBzVeIAV$96nn60>SKJL?cNOsFsoM{%O67m( z(9Ty}r6cAYTu5uv$)!SA*u|B)CrbRpy$z{U_XFVc`l&k zGiDSS-^bK8g9U)LMyQ2C*WzMjrimFz_VT+HDE_#B5l1VbjHx^ql(-ISI!T9j9SWo9 z^L|6v(vYVOg)@zKQkQ*ZW;`7b-bO3KImtM@cSU)Kur8{^Dhr;})sW_JUORB&ybDE7 zUSN_oajktHk0-sriYIlUM;(btKzlIEhW8qsv!HwyKM z=`Orl=t9aE9(-H7Y=3JYx%7sJoVI7!ztdELMsU30mFM;K+1_|8aV5606WF0pw} z0p7imAtkRdUV@la!X{i-d%3($fTCt56Oe&X@EeacSV7E1k+2c)q>d{Z+<8?{;nZmlZ$6X+Ro4`1|l4K~K^r@zw)H zpO$T;kx#upiQkxsY;M_xyBXyvylVjOQqW9=*%&Wb!Wu10!Ka_5{=7K=@2SoBPvk+W zy||ANsc>~FPY6|T{D(&Y6U1le+x0gviMr^DOWd9ky90O+0o&2_X)j327650I2l3hf zimzPGXtLURiTBzfOYC;w=)IoFI}6&T9UUJY9mRO~?YpS26d_jc5b6=%XYop*p2tIY z&wv2=K(-$Fx@ex*G~pbcDr!r^d!H9Vo&eH~p2LH`3$~$a@7e>L?isV;U!c3tmI-Y?`Oa2nx z0KmKO$0vi_+%bA{_Y$>@~?50k!33R6fqeT(NgW z;(T^vOZ207hhP@hM)Tk~;ve13$67G&*QeEuVA73+n|L13^iNxO`vFDgm5I-aF-4>J z@~L|tj!;`Rj%52bUKv;$chuhD=3%_+gFP6Dw{#ya$1hWP2O zyr0K|@UT4I3K2ZG$;H28YJr*_@Jvx-J`c88ZTY-lXqkJV^uj|s#QO;u(~Edg`-{{g zJgKwz3&lLCpUep^;Yl5hmmTLxZE3h=cx{yAz-sPMyCUqX1LRzCCUnbrRbbRB?5zU1 
z^N%6hIA=oZ6z>Yut+j$z1W$NUs(5kGHl1o-7Q{bso+s6`PpRRh0cpF>mc)=>Kg5yW zIy$4oV?rf#;)qZgMHb@~%e9v031+UnZg8tIM!tj}JQnkvMA*dDI-UW*xt)INsW!%` zmEdR*_LngZm~Gxyc!3ZuzRH^kVU24%PiWN48@zfrZrgzC7vOjDwsiC1-6%aNTbg*g zfR3|GR?3p^QohNe=Wb)2i1NEUcsgfiIHHfd@cxWVm`^h#Qwp~YlW|5bxzCfj_AY-Q zE!XQ2?=*1kLiM22%<39`*rtTl~B-T=i zSow@M0pQqAiPIY+!KrM=i6}`l9otfUCLYBdg3IC+5lwVkoMG{jRiW1a3Oto1Gj>6nf$-d%5XOS286j>ehtXX^H=XgEx{~m$TMFDB)EVb=kCs5 z1EgHhkKMBgqg+NOz3{vl7|Y)a8Rn1UmjQ;)!!#6+ix`ShUH>*t^@Cn~sWaBu6Ztb> z@?G@hOZ`?t?qt5yP5cahzSQnLe;UprA)kP5GM&R$fHvFC<68rkSx>uj)?xk5iKC5KDiCM^eGgw}9;5@8L@= z=tmL%GEjc_s7~{TNmv{ZJXlT-j27pfW0il^%4Yzbx1l;w+~A%d!0x4 zhrw5?MZ4;5twgeuJ;xCDigERpWTU0_txobyizoT*KmMK}i?2c)D3OlTvr@hms8k1z z<;C8|N*aj!0s2Y4)PcKs1>YMwI_eDnJV@}qL`t47z7LI5K^dL6qmCx{vtdWjQq6w_ z^n1`7m^}gOXCO`@*&1Byfgfhq@{6EfG%jI3Nh+KzabO*Jn|Mgnmf@?y%Y3N~VdE8k z2te03urqEnMt_1=n&ARxRP!01c5JEVQ=y29*KiS)IM6e*d<*${$Qb`7Ehh2n#wU*5 z-8i(w4ZatoQ)%GmK=}AA{%pVpdADenkg~-KiYO3%clc7bS-MU9GHCtvyL_ov_`(Oc zmP)KYqV_J8TvD6{r^L%gn4LuPFq@4 z9WQwRE`7mAaD38hK78F~SF6e;FTVDP_De|TCth%@-}0rtgv{>1`6SWOWnam2a*Kr@ zwmrjBLPT<-lV1a+rg!o40Ew5}`8VXL%0_Wf=KaP})_&wiK$4zMc!B`M^Sk*{-)9WT=E{{^GQ{(2pyT#68YSA3Y{3#*%*pD-n+e_;AN|h9Q^^ zinhVEWvS%v8LJL{w5u4Vg@m$U+C-i6=I!&z!}V(h)o)s z$aP6+@anU?i*Js)Wy3TGStS7lSN7c77&u~$1zaCDw z!nBAnV+2LO$fI$sa3_^2@t%g4bXXyqDDU z;|!KHlzj5*{Qr^m6<}2^&;KAGU4jaTgq@@XD4eztJJ53gy8v4e73@SXSX=Bu#XJTI zcn!n=tZO3nMMcbOqW{^m=W=%O`_p~>d!O@oU*C5=@67D%?Ci|$zR0U`xT)HyEwDqq z@LoF+vxGw2K}4?_UUU1)d3yH}!p{X5271eD*Ma%|V=YF6TN{W3-Q3icIDNIyK zUr&n=(F>9D%*Rf};cY2-#dGIybG7q8k&@E%Zn6Fu+~+-Uw%k{pF-XJ&;4VW%m1rIK z4HMZ@=5%6!#dTb6fFm{V9C*nH(J%`8eAMvHb+B%QO- zC!Aqwts#P(AX!IvP>mBYqhR59Q7@WWJWH?Y;~c!ij+dgFZ2K)Q)+ z7Kvi0(V%q~{V``?{nSnqZ?Q(=C zHKPbTVWkd95ix<{lnr2IRHt~oQS_L;zPDL)hrZ6*Dq<=NE4Pc7Wt+EmilQkV8}D9f zF$6fMr)e1avn&=`$z3SAt^VqBRBYtnsevvW#^vQ$ZLv#^Ct??IU z+<~V%kaz7pEMfwi4M#*7H1*KqFyiVYKYT)Tj=EImofLJauRStFE|jTnOIy@nGQ8|0 z63+&Qz2uZ=0c9s0R`p9?0){Zb5WQ(8@ipB5ns!FGyw_gU~v2fQBC7v(k& zH&gdLCz?<5SaM#(tPY94C>lyZv{?LZ|2JS_uBN}KJ#$5-G_^Qi^nn&3=&Fd0Cf_)0 
z{DfB?EyT4NU-aW|h%uZ4phx*$7tNvGlG$Euums+cs}c3^O%YS)-gOJQfKH9-gnObd z^h=ZOi)z!?8HK=vE|hQWbY?z2eBqux(l3Q+M%%z}%WY{7ncCvfN30)pcmi6WUOE36 zD3-cz@La@9)M8(XKGQ5reZ|I5IVGYL%8ouJj#E_ydEqpHD456XeIu$zQy0D!ousrg zrHx_G1bBKeiSr(PUsVI#G{PJByFGxD{T};=@TAi-n60h6~#mRqPw6}G5WwnWcm|nAY^r<=% zCz__=bBSRS#}AQ-I?Yf_XJ^ONp1Lp|9@#;-OsFVcPP5R+L_D6>|1L8zy@B*r-!Xeq zfcgu`fiATWGb4W+D{&%?_P|=q6znG0ikY;0f}NP2re4{)F=`c{FU7nyLG?R=j;2)> zucwr3IC*okb@0emya2F?dO%e%Q}T9l6f={q2TtNk6m`}u>pOTvdY~}}6xCd8r2gbA z9zpXw(nZWH=81I^Gqt+iHN<^r4cXKd(~ES}*>%OtIk}4)h#%4TlN*Vdtu)&`#5brc z$kK!EqgNoMv7$N3?G|pV&hZj&rX;XVnXJYuw#H)>wNM}N5i|Lxo=wDbonwB-Cob6N z`XKQ>2tz>LOq!JzeqyFG`3H!ZbknDn;w@D7a6LI?7%np&BBj0cJ;N&^&t4F_dFd?)#7qL^V+V00eLpf->`UYC3=vyXDTSzW z5nsjtpKahAu8!iSYW=R_DKz<;~|5 zB%7P3g2eG+4Zmmhbsc z@htj!;s|jKirR2;b!WVA&;w^Uebx6P#mt()UeV%p^t*qIV#S|3hP8^$Gli`GxL2v*TE@pZS3U@&_28BDQLvmWhQD+bx^A6vRGxr@x_!l@;%%qwY zPh^n!y%rYG2iQiL7Y2whfyE&+IHHxzZN6}@W*pXTf zy64V<+Ko`+>{i|=Z@JhQ9Ul%O_VEOPIPm|Fj2+&IVmhALGN$X1m2fwY zgs+!Iz+l^c320gu#B4j&q)$(H#GW`yk7eTiw1BIYi#yQQCCOrXJSwk5ZdQ<;^$6n z64#}yCTXSVLwAU_pBf?Ws$w6t#}=_S9cm2OE)J%zGj@p&(ASgqika`dKG-iFMn&s~ z-=xl{4`Mzg@nYg(F;l_JJ0hkRz}2t%IdlXt9fL;IgNm*Bc$ofuJ0>1Q$yL~Fwm+`e z4kO9%W#hvusZXbiEoh6pbyCdaXL2*e^qB<@S{`eR=Yap>p~_c%>XdjS<>ybXd+{U* zJ!lAiK5Qz4`;$(?P)G$Au4l#l>6b0Y7QdzV>-PEMalFDRoTT0`1d53PBhJqe)61-; z6c~L-1v$*|N<(e?t8l08B)A@WG^Wlr^SOB=ROoW(Q4fFNZfxK9TeLbRB%;ed6rM$--d z&J1#ghDp4rHyhOvWp4(UQzU1pftfrHTwHMl$qpK3y`f|}Z4wQP;aWE(Nb$S44QJjS z8IZ}72B^?b0)fKD1 za6P09mNnNXLVcjBq!}gTjxn2paVpN7EZoRTf<9!q7}CK(P7-F~+{jttNIRooR|!+% zPIH$8(QJRJDH%k)r{8DK;vS%c08&wg_gJda>PSMVN7{9hti-GH3X%S0@Z@2}5>upH z0vhUDUqV+)3M11~@wT#mHLGiU)CCPCBC7QR3Ti%h1GlC4;0O3z_EKZ(j-1)ARaCYSPyEO(oevU+;{N z&>MAbSqfs zNxyad2+3+nhE12eJhlO3KN8A>JQo|QzGW9Kdhr|BEgz?0! 
z;dbhQ<0SNImxek0KX-yh#%Stv$y-6Rh7%;cXwZcdCCqAs+!zU+D{8fRh^!5?#~4iy zQ~OMj^rED=wr$}=yt3pGsXFIQlSpWpou*6ZLc#kd-`C-)ENqq?CG%D9p8D0TPb-&XsJYpDvsyc|j>7G;sR|oL!x)331dm3nffOtZ~xk-{(>X9ASE^opq^yXyJk+@Vcm}2Mfa>;4xQhh0z zA)Y!>d2|X8uP3r3tdP(JvyAyA**I?2qyc=HzT46JOW!VaDLr( zjYLepE_AJg39ZxCNg7k<;mHEK1oy|C3NQadul8dz*d!T3D`d?Ui3dfof5M$;yqV#f zX2GEKPDvN~;bEx~dO5%n*|EcYfVs=WnP(n>WtL0!NazoSOzTj6*m($tVd@cY3*CD4 zAsC`Nq)9GQG3~pRMh~(9CZDX^RUMSvrUL53*O^nJfuj^dd~%2ng4;%@b(27A^^(Jq zu{3wqM_G?kbWFl5@Qpel*-NQ*`qlg!NdR1cPdxBNw~xSp7?mMOrXj6PNgU~GuhSCd z9EL?_B}|biBwIqSET14>^%!rUfqERyg`wk+=LyP@Fo~#p7r>sW-jIJu@{GRD%9Sjp zuY2dSqeAbi5IX1##=`exeeAMSWP%WVU7}A55c9X>6^%CPmV`Mfu-+ZXVG1pI;U>$0 zfL2qJC`4vi5KH^slh8Gu?hUNF;6&AGQsY^X1%rM`frMEUxVjL0i!NC5N!%2F3pD@8 z2yLhf6^ZW;B~NK4i=RlG=xdvQBux7Dc#-5g75zA_3myr3IvWOhqqM&zuoLyKa6`30 zvBaJh)a{jonRU-Akqn{le|argO<%8jD`AoY)!$2I)Av(9NaoSkfgdHa=QYJPCHkPJS?Pj+; z+37MgN(AXrolK>LG;=M?rSs|Q3l>slnZKvCv?bMET`IhJ;0tJJ2+?+**r|vx3MHFYH+F56xeA7dqJkv6L=HsV7RMOb9+fF6~E4 zeorACO<(tFBW+1vuWc)(-RG`D;a^(9dmTu~KDE7+UQXupCOyd-?jD5G`|;2Mw=1e0 zI!YaAM89BZBU+b{A<}A;Wk)Y>QVU14ZMB1oO&@7Rlold2Rp09(Wd@f%-K9rqVCSCF zy_AXu*55fL4w$jTDS##@`VkCs)%r*o7qL4O>_B%!Xoln?3Pr8Vr7hHH{iJkIp>|VA zndx4&aNwHq7D4@`*3S@xKp%r5`8~^l=Lt9dhHk~U6A z7A%m?rSCg0Vhv+Yf^;jb`+iBRbMLnlysVCQlf9o>;|^bq%q1_rhq>gdWzt|uftMOT zIWIw_Eyc~%@ySxA#&B_5PD3 zS+}j=5jdO{CYox44N_-Xx_TR>%xS!fHcRi&_eX7&UZJl$Y?q#;udD5p(rfB0@>JQl zXU!u{z$=xtoQu1qF*J3jz2%0weNsPKw=oB#t?BEWL(&$sotPh$ex~s(k4u>V|8}}` zJAHq_N!Cx8WJ#Gy;JQ;%W>T7ST1s!tUcUX|h2I`S&hIuA}+y5i|9EGfXt$+j3p*sIZXX(~<9;cqE@ z$XREj1#rv@UKFGc8)4L!Z$a0heA}%%Fc#^I{gdA7vA7Vsfv{7fK+43cx9&@sFs|JL zX-E3qDG#M|uqwOuJOpR)tH81VX%ltGV`)?R>4Yb2{NeJ99m!+=k#3`nrO`{)Z5%0< z&Z4wmT@(m`ES|~Y4T&hgGQv{5xJ2qoi>rPkZAV|5y_YiUA)Nn}GBb?(ADMV&+r7_H zN?W%Bnoc;gYE|t=URvg+Zqt~J&)t7B;1jOFj&n#4wnIKO?nVCAZ zf{Yoa-x$c4aPqd1>=v!YbYmG41{^n)(dD9{>#DxRHZum7YMQ`@)MbX~rG13CdXG87 zkMq5NJ}cn4Gsrdzgn{RFP|B@pRXPSI-REjh)QhcU^ag|~!K)JL!(BK=QWG2`REaQC zzqFNkPzbMb$GKsI(Zmo{b~0wATTEqHElRcM)wCUWwcb}vN=5yss_ZH)bB3dAK84-m 
z`{lb$;ps8j)d$sNZRw{Aon@JHtM71?F#)(`4Ow;S-B0b?7~t~uay(i!QAgL3(JL*# z#<@*=0CzXz3Lq4}>&RZy?;281mQG(cZXg>-U$1T`V?K*_-$TZH5zWC{mO?+D{bV;nxM6ZWFv zL~l$DFq70EXc*dKh-Gvs;=10)T^oRby~y1glvP6}V^&Vwl*_tNsy)9cEjb3Beoy?% zs5Y{>R5M!NO3BBE{+W`DXJ9)S6N%63AUj73(>qw!m5MHB%%0oqJz&ovOa8aL36ar! zf9WD))^KEXlhG9plR-YC+<-ckxYnRvvWh6IUWAqUdJkD`ipTYPa?juqTTT{m!gF*A zb5LKaWlQ017%AVvT_g43-m*0`+o7Q{dY`*l!jd&OA0yIaE!4qE*&XV23%)tlEP%Vm zN#qn6CVNHQHD2ZV9rsyScZJs>ZHRzAtDE?*?>YGL5m2W-e9jP0Bt?xQOi<%SFy?I- zAUi>|O5i8Gjq~8ad!&-Ec!11QojO>ygnFdc-Nsdx!JAHy%-D=!GUkl`#v{NeC?oNU zlx?K=T>j=_i)f&hlX+ZRg3MU$9xagE?b|A2 z5)ebT%SO;}1v|jXbn#7St3%tK0t3y6yWFr#_KCWiTO+fy1KgF8nO$B`goXO~ZdqsQ zkw*u2PR1!ZvgcAAw^znYvA?Ftw$iWPxnIVtd#is)wushlhFZoZnvTgL==(?0Ww|t7 z(n%RJQ?kmG8Pm_ZoPu$Y(&oOuWTsSWnbmp_lLp-1BDVD7jO;IJ8gstc>S_Z}_#AO_ z1b2+o7TL0ql;|7RWxT-kAV;#4^yGONQx6KgAnQWCs&9T}t6T8&U5(>Hk!@foDZM14 zzu2?y#))ek!B*iYX3c(2w>(*I3gO}T<7f`tUQc$Pp1dMkLwWlO%kxX|Sx4t9qEUmP z%#m_kc9FVWFk;rTfpB{;oI_QLs~|UJOoGAlj;tT`F6&cK<`KZ{JmTK+@5!QQHMYIa zs=4r3;rvjm(y)zp38$e3xc$vYX7a_IhE#!Su7zicRw{|P)5g=hU$=1FO&*20}W zrLYQj2(BtMQO_)uS{eE1qB%iGtJ~3DdW7`sHR6A+$|!jV!Bw!nV31iO3vhyO0DH~ zH2aRW@|u+OOkV7_<{bz-QXeHrA*`BiC)cMRUuZ9XK)w9a+!}V(!PqXLlz+jmzU~)c zh>nDUb3Io@UV}=VuUPZ>-9IQHQraAOxyp@D`@Y~{f*j?=6xOYYH7nrwVhOT+r^Ql_ zuO_caJyL%J3i$|+Boa3cuQOIZb(R}Zt#$bP>3Rp?ktUjfdeK16%z3;T$$!ws*uqoJ%z2!=<#dg<)Z<|;Uc(GqLOkWo(3k!& z{TS{mr`Irh>|PY50H$5Yj?b|Ep!%v!<#cfBp7Z=mI-vNGVoq9fc@8CY&((d$JHlNV ziD5*2Appqolh>iec&of$#abCM*xYN zW`H^@kux#U9I5;zO&lv{!2(*#nKWX08~Izx!K?SI^c;pf2EekY$-|)0Dzuj~ZZ4*S zd=d@+t)raD#+>gYzd^Uk_AYW}9%a#8&aADB>nUGE$u{1le$Y{nZ2}oUy7ZAVnJD+Z zawdRtRWco;imG5E?ijgb!9_@axskd@nB0|Scxt$u{-&VQviy5CK%&iAtAU1jeBuE4 zXPP`_kbE62pZicbQ)SvaOkPAkzhQ)YF@5b9DSu5_%xt@AKd!**R}*<7qviBztma!% zi*CT(uVnXm=C}xR6f`cvRGl(fPR{^D%S!trcrHOxBhDNv-$K7Ka=g4Y&GMRwa9Tg* z#m~pc>2v5}CkN+`0kGv{!Vn!RpGl*YPLb0m5-KO%P9F|WYby~}lVCbz6DMbu0ndw< z&!!<9X2>^FuEaQhhuJKE*lUE`ra=6rKTFOmho==@;)^_FB*H~qh4A6#8fpFr{ zd@y+3u;Qk_e`_h+?yDUb;kE@*#X?W~uux9twGJgg&ad-ER-=WR=IaAD7w@v<$Mqjr>zLLHc 
z?UFP3$nB|eW+%*-J#wZ<_&rU|WS2_!%m1PAULBOHs6HN6*!(*__~HWbp-a^AX0*QY zkILyU3c<3-w!J`>L=ungO_$TF8LCu_|C$F_$Fz%kRVU?46}L^6oLL{2_?P@P)rkGK zg(@}zxQaxeZVR9-j-8Qjqq!e;PJWlZ?sQ&$kFqx>w~LARqpq&ng4N-L5q9dC7vxNN zX!|ABDX+~1ub`W943B=fG8WiaL-yCG5+W+AXXneADWA<%`QJ1fudm4`(AUv7&*?}}67@pPtR6`!W?f@OiJYF!oXvK-`3%5oX%O9aZ9@&=kxCsmDts2O;ftt)Zh zd)~3Fl<+~GNwtbwE|88#}_fd}n)W<_|V- zOVU>`DX?$@#T;6JZwwVG8o#%(g06oIU$rt3@3kC6mhooVD~!;pwO~C-rV3g&jTRoT z!-0z#>g=v)p>AWY$e`b1W2xvs8I8|(_l9^s_-k@Zg$A|NdT`2nY!pm3eN-id8KtmZ z7JcsE-I%U8Jc5|eUh#&0%dsj7I(Oi5uJhDM@U-?Y4Ez@LSVzTds=XqnFY?DHAX}33 zrG}C38z2kQu9`wbxoQ3FC8beF)g9t+4a~LbiYXM#vDAcX$?&F?q#-qrtaeo}X_7YX ziVqY?$KbFbvwW&EB*-EIRABF%~L@y>f6~c#01w@ z4ata7=&k5PKi$GtkxnP#N}DOBP)s|V%!s%P)N@J76PPws|K+E6N@+*^b$ultc;p`0 z%>kktt4jhDt?9P}wNfxsv4R;%I!P7bw51=FD^}Cb_iL@#LEpD-r=WBE z+YPcShXPBDh|HrpD27lB8~$^>Jx&BA5_k4v54f|s!HUlG3*tK|?ouQ_K6V)A2PCga znRa7m5Krex`uEp+eje`jBSiy`u8Ny9mUVZF5M2M(*}Pv7xrK7 zkFZrM`zUr(k3?43l3@ZbIDn^(zUq*E3McCI$MwfP!sk1DB(;~lN(FsvLF3%oEAW~! z&8Jgf8Bw@mKh50N2t_V6CWakYXoeF36Jga6K3o$XH&#~}s4%5z>J3s9&;nTxW&5`2 za0L_l-yETsK}pkc&8`pafTKEOuBBP(m=dMvO^FopqsPLr@JMBn$qO6>o`4F>E{#@H zq#3w778;nk-*LR+5`}hqNb;miK+`AfqnZdJ>srrg!lpwiP#>)Lzz0QX7D>E32JSsR zMlpbX%d1#LW%}A;nqnz^y**yBmFA-748?Hz`oc_wjJ|f5t)MHMikOpqrvaBINtx^6 z9B?p{OjGBvuA%(`1+#zh$3jIi&CR;S&`T-$MM;YH^!5CuiURt2)N;jo&9(L%TSue_ z(vi;zM+$W~Y8@J35BXXXz0ZC*JvKRhoL+N>fu7?KbChr8Uk8as23MV9`K2}d+Q6@^ z+VV@ghC3(_@uv1_@um(b;ncr9H|(f>ZW!!51pga(_Z;hy!D{P~oi6+6CI?%Koc+T@ zurg~l{>*({{4NU=^&-SV?U~YPh)4&hPATlvYc6%IKQv?veSgZ1kW?`SCNB%$w9WKo z6Ft3`O>iBB0ILDGLQ@^aoEW#x>KL~!eHT*yc0aYtocpO=;nz)lKeceF-QBSpPQLkh~{aadGZ*^K+pKQM>W&B{i{`*rEiF2yiAY^W^!<^aMZs^D52+Q)XN6vjMs4qv&No~*iEp{C~{Q(fy+aj~nXQ zWnlP#kpn$O4lvVm(>$ZE=Ky8H|MMM|@Dgm(T9$?nS31di!c`ey|1o1cIkB`*M9C-z zp!BCFjdVochbt|m|2GQ^S-*Uz4bk8R8o+khDvX$Q3{db0WvzO@5QafQt406=Iq1*` zWkcS#S1AmNyA!UbR~=Q*bEV#196u>?>A*;LH1CJfavG;7$>-O$46m!NcVUK+o(%=I zIX)?mQt*KAvEd%W#_;RdjB2mjBb83A-9G8-+G|i$E+ z+DJG>oj0bbs15=pxj7h^SYcksBx6islu9-C@)f32Sr8kbC8i;6kP)h 
zHw=FD7!Gn!R+O^EuQ||lGvpQxO7Ll8K$H*>t*rEGQr&=nR%6nn#RlkspJ7AfH&1E9 zP3klXNaG)CNpH_o+Q>LncCN<4H`Ds)>Dlap4|OwwzweTZ(@|Kc)5CY z^P!?r7jF!C@#Go32H(~G78AOG5*&eOm#3bNT_m~z)}Liu&7(vDY$deb~sF9Hb);K!Qm zbQCg8*@_qE-^ROp-T+T`5mqm=IDJqq;P7hn`umFy=BZ$H)c*4POpZo*)1V7Yj^l5i z2IC@+p9M6%pDeah9zpvO_d7?U^9(7W%jOpb!`T4vW9>HF%NpfRQ#M2~@%&-Oz5REB zoFK3q13%Vy5~f+>7|R{4on~!}KE*37xxI3u>EOJIZ)oXx^gA%CMxqIfa`;!DiNj)^m7y7;f*DFH z-a)UD@ree9`$EnO{3vUd=Y4I7j`LaUvRO+6=3hv~%KWVW-Q z$=bZpk(#02vjljJL`;9EOC?GiY}LPhzfSAOW;W3KAEfEA8ULDIH!7ecOz&xAhuoER zwVMx&8p}WFq)^P}0E(|tgHjK5n!_KwO{vsqcN=Kmw6yYuTcjpTAw^CEf4uz-b27d% z92N!gpuo9G+h2DfohswzwF&ChQBM#5SOac{lIAM?xK;XQF0k+oxn)xLVG0}o+7`_Inu zD)7}qqZY&b)MYV$j6G9*!O0v#pKkDL#3)pWq8BS$@(x{}KMoFaZU5;)wD;;J~_=?98TRJ#8rzl&Rlq+apg|NXHjL$Zl07S}a% z(xvx?3C!))(B`~%rc7A-4$3^+O<@bUM%bVkvaO zXF*OVR_au(iLhZ?o7&I6908MMkp{x0voHvf(qDYOxJSz_Fo%L7d=o}veYCJ>&T?f{ zz^rQ-}*2ogEa)AF-lBU zT5uSh_Vp|ziPhl@*0(gPd*06<$QtIaTCg(JgDNu=%>NjHqrO$f^ z^jZ6YhE$4Ltx($YM&RS>8{FFnoXBlpAqT_BgUcE?35vT?%?O3u5YW6fE3x5T(b7k) zR95+Y^J)u7shIT04GpOu3cg*<3fZjU4>ph8&+q)QqMlwmsE@T{#K|krVVa{|mMVL0 zo(fk1Pqm(E=`XKVnxlI+`6G>IqWXJIfQnCBmFH>Za~-BDZ;Q1^@!p2rSJNu6^o$X4 z$14JtyjE$77FetJ1InFiK*DeD%E+tp`qRU?pI4j)*=~R#v*x4zgu>P;yK^h~?ppBX z_rGBx`SLhtW0c~q;w~Vzn>PGe6DS}CgKH09bds%y+}A68(AjlLI2`8xtcWs2#OlwY z`zt`hR?sI{wC?aZll97WzZXjDEpDfRQ14+w&laUOy1!m&!97kc%Sm|<2GT5rlBkrC z2#&%6I6qXH0u$pGHC5KUVr6ANio>hZjzN31W*{q=l|fejy=>Z^D&7FHNi51JO;Mq> zvmxr#jKA4-4gLBSuXnTqWw&8CYGzI0f&+oAtA$EyZr(<11m4!!5{$DOl~s6kbTOw* z!dKAG4D<4xYoP-{>$OSg#EVv8Q2luu8bNvGARKGR$XDcy(fm=|W~EUxA$4HN={ML6 zLOyF-2IRo4o(xPmVF0F-A=fQRZWC(LJ**V(Ir;HZgS8xj(Ry;TP_hMB_-7a<@`I|g zvkB_3Rlo=nw-v}YCKK}OTa}KyO%i-GVbB1OAQAeNglUreG~~Ta*_jup*{7COpFnSV z1lGcOzU2onkOZx+sIueMhj=>(RB(t0l)PP8nU{}ziymDkKy!SD7@u_%V^0z^(^JkC zn(&Ml@{`xq3xh#N3qeQh2-D#&0-3%;$)7+gg@-FtK3hg<4({C$r3LVNu0}IQ^G*R4)OZ(gb?RFgxgA=xOUcn*<>SD>s?~8Q+PM3e34;X0 z`MQ3bTchqjyS~8ZD!!F>5(~A^s7kf!c7GP?Y6hTXl~8`3(hb>Eak2d~n9$vztOr_{ zL|4dMrS9g6nzds^A*T1SBWwV@8+;(k#S+;(6VPB&_FxQq8l$R!K_!uOhz>qb7Z+nY15E1QYl*X 
z!wqHbRaU7`(}BgQgaU60P|Ui0z)Lkp3Zwl|ZJ5i;i}~^07YQ%boyy}ZZtrc33ReqY zs9--ZRJmFiP<>$mZOj26w|6ch_d+&n1-#wqAds6?FC%wDp-rJ_JbYB#iLe3L%P-D_ z+zu4V^g@_{#?*zywN8G;lbO>xo<4_wwI5oDFi#hIwDXXVu2_KSJGl}TUaOV$(DR!7 zQk}Px9B2fi9^Mhvk&#O3PC?!~thDDHZSGt@{Cp8Wc7}nJowD7oQ3lxnO;z)UDgV52 zgbzDIUKh9wX1L6)RR+mj^Q?6%Hys}n5d0H^L+cQ<#3KTV2d|Gn1N5p#D4_ve5p*^F z(R3j^T%mmfmfRe_FN^EU znS0YZkk=o9w}eQH;Ts|>BS;YF#%fyD{x~OgkD#J98A=>E?V+du&XctFK>g(4=rwhD7XIuVN9U^DFs^vAjd_ozd18RRmS&0|2!nRR! zZh@PKw%60^Ql=W5aCeENAXS%OLi@TgzuPVHHh+W9nmz~9Qr4jjjw{2pMpOTWK`QDL ze|@Frh3>b80q$_9X0ZGYK<=lM!N~eAC4Zi*-CwZwIuK=@QcBU?c`g3WAR;$_!Q$j5x4jQL3*<)I%E+sr+_OCGqwV=-=YYKbUP2yq*u@xy zofD9fQa+v6c`bC86!@{z!lOD&3siEBhb65-8e{`YN7BkzvOu%4mA}b8>V}OC=0)Gn z12_1`rqK`XqaZsS0{`9UyZ}Xqod>oG_Y;i0=auff4&Yt$hf9)xnVGx~bA1X--8+b3nxUc`AwggD3qb052$PDDDAR=`4!P~_7$)D8UPf+%QWOFvI-wVV ze8A~4a#Pg4nd&#oj&yEX6mwEJ-WZCQFc`9dbm;{O5`1c9Zh=-`0*)SBCFI~WEz!$5 z{I2Tw#fekBVc-}9?uz9o`F0tkISMRrsfY@z2vF3W%fMFC`vgPd>Dv48XGu;qIce|~ zY9D{umAAcPPbf%mo)wYTasGJEbmNMTmLTe77}VH!&!HIOc0kke_~RNIw{&+SKr;p| zS>-MMfYDUEUG2HMVzt#aeZ9v870bnp6~1GjW@tyg(w*BR-sD3GWc(I4lr`H0_JCdy zP?E$El|lU~?r7f`PalExz~6;b6Sc4?ZltFn8gflYuU~Tw__{y=*rKQcC>p$U5-{qu zx(*=29f)w43oVG-Ku=>$@`blE?(e+YfJ{>jmqHw z+>Hsk)YX0hF1{fkjBoHa$R1Ih1_>JONm4Z2hIJ8xEORLbLh>`bB3@T*IgtfJ3jUA@ z+iBFUI$&o(Wyw}4-ph{wW@Er))%Mg)hgnlt+UD3T5Z0!Kj@}mSiSiU!jqGz9Kn!Y@ z1F;d7!ugItN*IvWqoC~sg?uS@07PD!;w1U5()IUEuMN2Hh;5KqM?>Bet+*?s^Ip6Q zv=9HIoi@hP3AMNT}JW)r8O^P?E%%-V$pww44$BY?1)kXz;&%OCJ86Q zJb#k9?IaCcS7AX)%tL71XE9pgG`$-~DZJ7(K09-Tm$ngDS9Uj6hiQq{S5*C`-m9Aj zpkt4KrLg}G{F76uC!CjsOMl49aZUpEs*PYU>%@4AO$W*#1*Rwb-vCGALuKTqDCN!XcAe?c z6YFzwY;aKF0UWX8nV*`1416mfJrVO3IJ$L&kfV}o5VjuAS6cHHFs{dsmnNWT@J54+ z$Fv~O+s#qjJO1&j%Qd6O#voV2pX557uEhioV2z@T_**YF=ZMRE!0Zme5?kt1opeXG zACzs;$@ly$zNy`20WL;j)wA8WbEXEa@2|~D7eGLFE&J1+F{`31jj(bw!C%0NQSX1D z0lS>ikha%^4ZrW>+WwV`N!y;*kak9e?FG1pQ8*9r^o+Y^X*3E8gI$m5AGv&l*1u>H z8Qy1U02^m7LlpE$X~7*R^q;G49R=Dfg&(`jFs?kZCHhuDWr|)nseZE^PS@R##b*$* z+qrT)5~O5%FB3sI3DeNdpZ?>OtvlAp{$Fn}M;&kQhc-b;4}AxM7GA)QO`LuFKhRG& 
z3ox<=UqBOQ&;P_{U{x=HDT>Ko0cmy4|3VU$r#Ks7_Tzu+bMS?q(C<3{pF$Q=zqQai z`M>qq^5XwOuOuvY(YX|~V1DT*q&<#aq?Gk*Z=$o&Hh(qy6aj7i5Byj+SMWd4O;Nk= z{F9X#5my(E0Aw6Xu{OK?GR=G5cb*ic*6XqWL#jk%yafBLI_p(QR`YJo#5%uZt{U>Lk z#Whux4XT;eDD$t?kZY)ysb&EUw|_UQ01_IQmj?mYWrU(CsJI9D5C7UVn~kz+0ZU6Q z%AtXqYWBO?v(8*mD+6F@id8ufTjX{`Y00ahj3H}|OhcoLfgNib8p+F0#lN^^6g+J3 z)>cPf2L)E)*Ga2d>sr=BZViBmTXs5-Mw$c%uO!l|=au|3+sG}dx zSgh?(0Tn@#;Ho}E}r1)Z2`7Xe`1iM1msmDTh4XawrUC;QlhyE+uohky% z)jyTiHrLi+3X3`xCaI$S0?eqN>ZKp+>oB>e?y=WwUZn%v8c-!0#MJZ9z_rt4GI(9| zs_L1$RsdWAXpx;R1^Z~=l)OmR8ylLO1EiZjG1je_R?b2zm9Plo{lKi;6u>mv0d$oAQrWMFedejmfW_4aTn*f*C3n1~6pR{;fp@mCZ>Scwz zr2Nh=*%o}y>vlSFbMzW{3Cwlib*=`coird`sKi!f%{>FD^zh!9w~gTwTkFb)0lojj z3tHn<4JA}kaUYR)z2VKvCt$~2zPS8c^S~4>kJfgoM!aetzv|0$M^Jk%ENp1YOgQf@ z)57hwQ`O~;DoX7@<$YJ^NFC7d3IevDtg#3BLF;t%Rg)|8yGFZ+znZRt%_1FPha+o~ zk2X+{sPGlc&u~=1tERW_mv4`S+5J@jXFE{wHXX1P%B=z&9Y+ehz?0q=+1!NG!6Ik_ zmgD@L<$zsyF)Q}yavgvDYXUIK2IiG_)0k0JRs37E_Ed$2$=+Lz-jpMl(2ZQEg9Cuv z-A9AuefP3NdB*%5pv&|#PH?8FUZ!Pvjded%4p`IO$qt|28?biF*W@l_$7`Ssmfju$ zGm~`oVljd65x7)hz7uGufY1h@ToZ3g%?51Vrk}LzK=@LakHvvWvGK;^bd5+FOfwYX z;SG8bQpL!u28`~HV*CM4D`=V()4-W-emPDH;9Ib#~B(Bg|Nbf=KU`+ zHKZMd)hsk`{U=MydZD#98Oyo3*1Wppl#ZU{19;nXbo(t`Hb9%=uZOT3{9gX0#msb7 zaaYBY-Jl`foYqm2SwFWlYcT!GGg|rtcW`(=+*CHavznq2$-7n}l{3t0KA+Wr@ULYk zo7{gpR|Aczt@^Wr5A5qWoa+W2q;CE4N^O@-U{TAODtmOKhJg9&s~Vu13O980{Nv{Q znm{`IzJ^pPY$ESo3rKrB(2{oYfE`YPRz;>``sWWd^m61 z{{2`3*NfY#Ue^XDMn2V0`J;Zm;P+1C^UwM(%)4@IE}8Xr|3?dQzm9+jzgt~+zxcV1 z)Eo^r5)ikfWBThawDi0Ey-ksGJ^pF#oJF=z8X{3e=oKf5bs*N7^^w0;V)?mxaEX>a zu%)*J>QrCFojR#-?Z7Op68HTFvM3O|9bRtmYbK~MzFGs&#M(DnCV<}d4~hpq?|?qr z8@7s0^S1i`7=@?MI4DizZTLsi_!eEqE|h_x=YyfMrG$&+U*M$KOv>xqjlLgN;U3f< zfZ6eS+y_bnnDeSAS^`~L&^FVOM$i@(A8Dl5QtxV-We2=0X3zT+i|cPOz#=>EKJ=*^ zumdW&0*f&PZ9cu=4J>x}LL+{MYFN67L3kSAZufj9^|T}9;yAW@|>2&ml>g|+jx zLWQu2l~-d^pQK;a?6w50u^LsHgWnxxBK2D(ZNujh^`mh!v_g0TuiE=;#}2cF*yK zQ5&}e#LXmy0DFZNBrMsxrm)ZLKB%fyNJIf>fT|NOQ(kh&;Nt+eFb zu6_5$yZuOPpsHdpw!Ic3vzh8QpG=^}8`tI_L&c7|*E=CcPY6ndEL4yN_H>*{!iVR< 
z|1q)JyRK$8#_!EcJH_eL0yw!6qNA^^*$vC9&G1<@Hccn_{)jHLI1)br^YnN>U_#N2 zroZW@a{jdt4vIF0CT-TE91sa6cva$eGB#hYzC9ye(_oso6JFBYjV%8k&vwt^c777h4 zvr7kQG2;%v7%t@ew&Ffls!RpUU^q{V<#Xdu9VR)yjhD|h8ShS>1OoplaleJ=b-pL?QonB0W|T9xdnM5&{-a4R#k(FCv9v?|$H<>)vq=6s2Y|Gclu z67X=VCu&F~nr#%koNQXKE_f*@EA}U49iOa$Yb$J>!FMTea&T%*_?o546Sb3Z`48=2 zF;xb%degMDO1Y{Mx+~+KdVf1Mz4dd*a#!>&ACvS*(P7s9wcDpg(VcQ&XY*bSX)~1g z4cfT4rhtgCl>+Ez@B5Elq2ez5)Y)jYa3+MZV#t8ACTDx#Ke%rYc6znuuLB%WRgSI? znDB|Ua^dlZgES`IV8N@R6NCO|38MNU~TL+DvsfY)b0)G-ybwq<1!aFE> zw^yF6gW}smu0V85Ln;=QtH^8%lH?rMN@CYe<-ps4Dtc8PTU)DF*3)i3p@oC4O!iFh zVm7XHqW%9?jAw=xGq*i>ML|i3*!CczO_q+{g}0f};ww<^TY0J`SzMFY%H0|Tz#*I5 z^tM-le&$mhy)9B+{oQ^kDgcAY3iL#CAM*adp^xA(h)$=LSr(0Zc zd|YHx4P5f*rZ#_;`I_HJ8P>uXC3I0){`$)gx^cGahb?pA%Qt!%@M90Leu%_f zRNly{tBU(GQmO}cbB%$&%TNvVWBBVag7CMjE5Ec;J$rV?A6ah$VlcDl!ka46S7QlPF=+3EIn9AjDCa0U==GwY=-Y*52K0<^5^1LW6}%E(QS{lEzR?FKI}xndb1Zyu`RK9_Y@ z)zOwu!1()smtfoFA|hxRq5Rcj^dl7bFona1uol|)<>zD5{8jO|j&KHk^kLS;@p^C$ z5k^~>0^O*vFTa2B+C0LmE{K)}X2(L#UPmCq`U$83Zh(g?RNO!)i~9*sN@FEZ9^FVN zCn@>O{6GcsgPx#}3-D{jSm*7{1Z~jv7S`xvB)?L&<~%ky1#l2tlr#7NTM6Xr9WBhz z8kGRs%~OGVvD*o`a~Qw7lK4HWXa$CM%(VP?my=4+wuA|&vfd8^J{rJrNI1x75H6sF zhJ^#=SUCC!Q~o&I!V0O?5!}bRrw`or&K>lLm$R~CzB-1!&u&3d&X z_-jZF1_1fCEJ8kR0KaBBPal2W5JbRhoOQ?g;n4UM9Nna8zX2-lX*&uS2zwh<^!mxwtj;cjHbM)1A%m_u;a4-(L3 zh465NnwQEbjnTVE0ejkp4F>Xdd4&AXV3jlPD4QAos7WtSPo1AkuQ;EeO}q{U6f%Tg zGu79lEm;6r2{g`XW-XkTh0P#$hycyl3n@TV_^3h<|{!+;qDoY95F7&c7h&O3jw{Tvz42Xt%!=F*ZGFEY@+p%7#J0A%in zMl>AQ7*jyl`2GN#;>zIyq_~91zr!hESc-X%T2w`z5Cij?%<&y#>-C0M(E+lUY=k%I zA%Wa8Lgm7XW}9tY-xtulVNDn7PCbeUTHr{Y#DX?EJ7pw@rY<3r*&_vHr!69Z(*7Nx zT>mdjR)@mi&D|txF}W)oK!$Y+qe>A)`TkDn?15Pd(_+lgJ={6X- z9dAD@+P1pc5dbj*3u1w~S0chG#|rRJ>*3)FgDMls7eXi-jRVT~s)W+A8nn^i(_!4s zX;RvPtjb`v6~U#jartKl0%kX7rKx+@J%nt2+JP2ChBmq6KdJIVQ z)*I=^szfNEsb57jEr#DMR6g{&q!~2nOJInu;1|bNY=R*r$ab=T{C0=Qz|4kbgfhtA z&-jo0!qd4=u2cc0RsmCV!KXO>b_)#MmD^Y*#{xfH0x*#nl?3`3p?k3c#x&b0KyKCw zlZ(*EDJuRC&F;dK0YQY)c&dQerg$n)P8SnO7rCFQz;wJembi^!E=UPXvuOeth@J+N 
zPvu&n<5VW-+B5<7Xd4IQMQzH+xwi5WcK|J^Dmont`yGk|hV7;yp} zX9#eo3o)f<1fje+gMXgUBX-|w5vcAv{MeCmS$~4&HW)^+5izJB}&ajw6)DvsKl2Lx+>e(`;IS@bBTrj%%t31notPpE*jI z&F@odf7?2$CBRh$7sfjHcM~zBH;Rh|bF4o{fKL0(0r_Ue5b~XK`12Y8r7g$q2WIqs zn(9xDC1~bxAm4-}e)$@ntN8Kso1HL z+ir0IsnX!bnr+7!7>zq}Y&-a1lNKNg{^}iD8aq7`%i@JX=K59qqfyLuXI58yHs&gT zXDusu4uQTsA2eSwpI`I2M=PKZfNTPgY?8`j9)XNnAYioKxd7CkKc7(cOYjp~`PB|J z{tE$S*+K&2mgr}O5*PBzRGP9UMG7*RgG}sPZQ)`9X|qVcj4NajFjF^)P_9|TKZuBL znr=7(e6$BkV0-PZB?PT@0zcYElf3t6s};-3MeE5x*{b$(n~2Fbrs*E$i@-gGUY3{B*pR~USKQ3uC* z>YvoUZ5=^-lE|<2Jr#z1#!IkpL$ZxnX#+uvOcD^w>`DTu5;vlK2poa)R=+>X;*Ouc zbNe9>u@qX5?X^#~66l#r1oYaBCBRhi4nk?ZRKFECX~mQ^V?c0<#$P6&;{Oy$lBVTV+2i>EWp;{lYtLaI-$HIgwhNFWxz>H z>5Y0K{=WA(+pORtNYDA zzXh&?*8N>)Oww&MQ@ZsNZE6P}l4c5Gy`k1&uN2Vi_+L zQLEMbp;gt{wiUC1nYu7A&|j4)jyJ!IA-i!Kg~b|`lRhl##aiyQhQDSnF?r;k0H!bj z%C~ICx^xwD;Drj;2l%#KRlFA3U- z5FR_R$)p zrbnRjxWZ-~wqf7vp?zDSJ7#U+FIgq8n0oR)@V57-G0@zYpsh6X|FigW+ViXFcLBOO zh|Pxja#IZ5hTEgNZ3CN`XpV`z(a3EAqP^Xia+@Wl^g^Gv3CIZrZU;(7TS7U1JAZWZ zb-!mTJhB=?=VKkMhaEvXR>j{8x$NNg3~Lu!*bW0NeuUILy=$a6{x5svz6(U_& zHOr2G77S=?=P`4`Xl=QzC}|h8=w5eBKn%_VOF+ zl3r));E!P7TmT#NRfU>Qno7ZKUXf`a&_O@KLV6m%K=00s3B#}72|}?B!!UsKm&8DD z7#;TsFt7N1z)WPjHL z_VBk6wAl6Y*tPd@8u%;x*#5t=JAr(n<~Q%*r$+3@V?Qoaupy6kPl6VCM1YIkeFU_1 zt{0*Fe1zYn_=(&fyaql7fudMG;`$P_xT6C2$T*7mP!dY>WBgOfK&7*Nl2FokQ`&UG3#(?z*%6SwY z2aZmRqA&u}1>^`OrvtfcOc}Wq`Z$)qJ6sz-`vsn@;Dv>39_{5g0@?M1fQ;ng6TnRG zNrdwD2?4RP>q(&WiY1i8PV(Ew+X!js4``F=AOV|G?K_pAy*VjBogNvG`PqxIPC^jS zau)c!!Lj_y-lz467>HN(Rsw!lPmn&7@M4(BA6LBJaBX4{y?!#`NNqq{2WV_8`g}P->wTJEN9H|)mf>@*a21L5+JjeMGyxOlGoYR~D~Woh zu7#d3;f#R5W*3m_-$ZGrp&xxZqjKYpfrHM%dk?Q8?_GFSfNRgels{51r59ST88~)3 z$3H_#Zuneoi1!xFYmtUPy)5VZR_0{Xkt1<-51V}x?h1^zy@#7XaEGU&B2=#};A z-_r@&s|y1BaKnqhM^Of$oN$ppYuCC-iRcpOqAK`5UnU*vbBdrDTvAoy?r1G90Usf! 
z3FX~$5QYzyg>x_Xot``Wm>8IO3qMvV_UFlKd`8G+;Am$KAzyu2z?gCy zQ_j3hD6Ox+i#>DsyMEH3gKL!_M?Gj{c1{p$bf4Wsx+2 zB+xUi3h*r_uL4s`pJGZMWO0qZBHLQjDxe=I$Ll9!X;_5O+Vi^JMjNjhuK=J_0AdIJ zhtDxkb5!TLfV774I*b7MDD0Zb7pY$R8>1Cf_`~4Zb@hg>gK&H^>{Ma{*ZQxCikjXK zu&Oue1}L}MM@;F3j^E&)vTg7-bi~U(@Md9lI8uHl{i*01xV;X43-D2Ke*-fQz7X;e z-~BDoO(EnKH-S7yABk_l(Apa=xZU+COxe|vP!`$*n4wz}`R93Sk1jR%7t}BuY@Rib zcUBmZKQ2tW1$>BX2_L1mRF!$R;yrKKDCQop&=^=?Ym=9e2&-e(Z2?A+aU0kuwMY8* zfYRa)f0Se#Vf8!~*y#LIM_FB!pe5hoca^~{KcUHh)(y~D=N9Qm(A@6|m_PTs3sMDE zBa}Pu@|(KR^Yo*RFoQ7pY2m@9>KIKx4*DLj03Y(wD0W@#fIsuEB@s6wacXkePxc1K zXlbAo1^ilGzVq4qbAVP4(AYVWMIF@n0a(Dw`T^$XZh?S~Y;zyvY*>$w_q#73*jR%p z$JEzQCN~Z+La*-g#~LNy+>`5r79)NR;rzW1TF9hzoooiz3rJD=m;;xXZ`kE89_Vq zM1bS|@dR{KEGLxhpYofFUiP_2T;ocBp2Nn~58Gih?oi32@7Cge08|RykUgBDOGl*t z985^{j6d8T@h#eLophESB`uREDRrx ziF{D{bCn%$cwy#oT+tTR)k@)eXzZk=S2D(W5*=WTw)f+o;VyD&vUMWJ6a_M|QEcfr zqT4Gk1Ptv~FF~;L69{FWm;82bJm~(e0N~*!7#Pb3ib47Bz`zP$3gE-J82G3&g-{MD z=1)K9xAn5c`%S+8KhEAdF6*XgAHG1ku@w>QLP9}Bx>QgRJ5V`K>;x<? zP2YPNoMbr|#VyA2DV)vWjly!?=?%1+J&hynXL?!u)#ldq_L`~D7^(e82*pUbZ91o} zpX6o5rc9OJ((Ucg)XoSNi#7Y-_MzUm;ESB_(;Tm&?D|`UIA#70%4Xt*E`oPl=v9RE zey0FmPVkotIsExM`3ZG4`*zz67%y+^{l)m-9M^QckE+jxzn5Pg!^6MNqn<-@b-$;0HR_|)u!Ud1)&^{%qTRQV*^mc( zmT$}#HAJJ%oWGII8F?RI{1hD z>SSDPo&6rzzXBM=)oJ1x&UX2SLJ+Y12^Evl2lAAsDfBHm#Y=f>HZIC7DSijXnuC=S4M*hmVzIqy*aXjY813=0KnUh^evLD_}%i! 
z*5VRT)Z9cH(hML;!vw=qXw&5X*d-bOFZ2F8^j8Z#46Px@;`Ns?~h^@bpLaxl* zNF#k`-GZ@a4;;pyZ;3!D`jPe@W@`$zSB1Rk?Ou)i4kg1#Q(A8T(;8`T%bbz71*>YT zfbM7vRcf2_KYq;0+nA*QE;}!B22^&S7L}qp^K-5(r*tvV$X_Jg*95`@7UjrGCA|Oc zuJX_#(Gw~{sEzO(aTQoyoTwYi=9K4x%9Sn(qIVz?YpCUzjVa8XX{wRG@5agu%1yT; z3EWtunf%NzbLv6yityWQ_=z*Wd|A$xQqJ3ol~^V}^XL6DGsqfRJ;lTlDOWnMEOQ9x zT*2GwuQr9}rg_#j0QF6s5~FzqqL!a!eim@-ZYsy~tu^u&93)u7>=AhLf#O(>hquXJ`H$o1 z6FsP{fo?kxWByuqR?bEveQ!xnrKm--K$MHvB<9_d>kyGUE3!=Cp6}AO(5`nqLb|aY zwi@Y=;7)h$={N<-jKW+KH}3c9b6fTG^|t*hTixmF@?#17;S*F8zlb{RTR?5XrWaNS zQ)z{v=g|NT4-4_e#W(xqU24M2iuHa#S$~`liletIn8g*5AHCq2+4Y?sX!4I;d)m4fdA`-{z~1&Gd3 z#V9i>oKu>$@HS(2ipiUO#tBnfI%sZWGa^%b68u<$Z z-AVxI(V8O@N@%3-iT!+HUH1ym;0&Bc%tf!Z;cQkVHS!mwg_ndJ5$!oLr=zzeTVGNk zE4oGSjgcIlqV+anHA^YvF}+IxUZHaV{O`WSb<}?yUmhl*j9(03Q5sGiQd(hE99tSf zU5)0*^wOIDpQk5_;;;U>y~xH6$SvJDvZI|wx;7JG*ZY1HCJ$}l#02VB56%`_23yRe zJ}~ebI|X;2dm{4zIJ>~z#kFuxuL55Av~z12==Z8GM}94%U>R?FAT47!(!Q+5jLorE zh)P)mFCJF_m!F|gWr2J*fFnl@LHc)~tb%{PBKVF$9PTp|d4oz%rqyY0`rTB zO{1Zl@`Qt?sPs|fPY2|AxXH)?3u~yOd|uq}Y|~F4;RP*qGR=mg*-A%+Ow+m?%rR#i z$?n4JCm~w&D5qe}B?MnGk;5OC(>O@0?o=K~-^m<#ei}A!y^6|b@t#gU>o3CeS_319 zrIvS7IAy~0zsxK?RrhgSmp$8ruoT}eKbs95jl zW+zynI1)keKw*3`XA7^aDJQ%2Uf=NKw?P>Eg|Mp_1FhC@w%p1JX`e$CXmx!pNA|9w z5CgXYsrQEMsEp}5a-omB2LImtx9e=mUPX2fIRF_|1cRe(( zFdhaN11At8vGH!s=2JsHpjz*%yrm(Sdg)YiZtvl2r)tO#PaT>Ti#i$AC@i({vO~0 zVK$!T@aZlJA@~9zQ_gW@aaRRjZ|(}D-35+Z3Z!hnGwpcG?+BECrQ_={>71>+n?gF= z*$r}x&frM1%P?J!Ir7Is>#BObEe1h$AfAiSXT??K=8ghLjho1-d~30hX~E?a}jbLA-z@l)Y-`c@JS-!S%aKjGbcSCbJovGfnz0cjQfWL1i+-=FlS#>;7;CvHz>s6 zL%roaWBi0kJ?QSZBXDc6RuyaXn{9!Qe8oN~;b9Xi%#lQ$pn2bfi#F3oAq&3fLrR%( zWJzE7xtblERCXVpI2!HvzumdB@hJ^ic)72pqU=(4#By)kd6+0tXM?@jjP(-hl}2%(xH$e9;(6;G)~l+q^#w%bP(ngOB%Iz;4EaAkp940O4`q+Wfy;b0q$K@|50&uS5y3tJwfDJJ{K z{qS?c=kH^w6Qhdh@AcsDO2HcGh7RlgPX^3{iAO^qQJAxJIoqyag(U8EFigC`lW9XS z!@NQilAKW?KoE&QagP;*V!hh>*svulDvWj%BdpjJ$M0YAc+Ol67A0y`9Oy0zv#Zu?ihcp*pVll@m6UBK`o5?3xnR_pO z$%TIOWxcp7+O92NGhqJRd<cTm$MaZA22PIl$$3voWSkuHTqE$D} 
zcCV+81?%5j-efji|FtK|NKlH7UZDq3)?#m(YwToOhwMY_FKz-Gy<#Sw%zt8T%@NgX zT53#LVqf@qQVV$@TR)1dPo6daV=L0;-!(d z%`N5UL&)is-RFbSQ%Cu@{{Nx$ZY3|}iIATa=)NJkmq{G(uCWD_Ml8LReA<{FFvXF+ zOr?1uUL5#3jwoA5PuRt+;l`T=63B;jdZQ3`T-sny*_}DI*7&ktL*Wc|o8_IMM*P}c zbh=s>3W(Wx#dwz6MiU{M(^dLrd%qW()dow%{h>^+9eh1@B=&H1K<) z6SxQoks1ft(HJ?b^jqqgEejF;=Nxbn`8xtxNBMSA(+Vh!m`5jtY^`4>SZmMp|G-l_$u});KjgNZK_dG2Pn2lZ zEKXTwu8$du=qx|EmR0`|M0cG214?lLPMFOpvpOr(11zGTU$?m&**;2s+5MJ~97?xP z9MbWIwE3K^?IIs5cFa+}klyZNgy~vPR=~0=`gk%UN>}Ez1aUDzqmWkY&_KV%i#YtJ zMxpV^PYYy)B^;Tu+{c8~(~}>jQl~qPpeIjiVBan-rFEA55oR?g?V{z^z1o&mbLd)` zcc2y5y}0B8N(;6t>TofT@;SO;_#34%dF+dBVFY8YW427 zJvbez?bK22>pHfw7tT-{b(N0;?9flcOt2N#2`#rbaJGJ1kP+VNDsQMSzjB7Y1EmI( zViIk-nNxP{CVw32>EK(VCR8=jF?;K+ob6pVnSJ4(o-CK{F#D|(jvU=xp~iWHkTrI4 zq-75UWaAz{n(gMuB|YQ^=TO(Ot@gu`XQ02BsT|zP*}@L`STpZ-3ae`Go)9K$KZhUe zDL)V|;w+AMLJ)JEfw+B;v-Lab^LJk!?)r4YRQ z=>oVZD|tnJB0kyX*LVbCYIoc-@<03QGn}$+nvdG!EYG_h&z=m+WWf={xt(~CQ#$rj z2!dMtWBtCD3Xlf%oCgl+@i!0Iv*$#m&E!;hm$CNw_m?--RCn7Vq!(=v#cJHef7$U^ z4Bqkn3deun`$L#@R|r{~g~iCv_-2OTvuXc30iGwWTRW~1n+LldBfnIPO+5ablHh;f z1Y-Qyg-5GmHJ+?Ttb71yzwOTZG|2W8vWW}efLp{SeO_SKx_UP&h_wwwVsbqHHdk_d zoI-d#9tUIR-(`9OQC>`XfPh$HgnS~^=21=^dZ})&jxbXm6i^zntpntD$WLdmmv=x( zFTaYDB>NFjO5cQ2C_jy##?W6L5Eb7yRb!k#B%2;><2nWu4MhHDI&W4wYIo#O#F|5gAuV%y^t>L4!( ze)7kE;J!l@;KPRke)CrW+?>T0@-<=4n<}(*S`Gt;Ss|7?TvMMV8~K{DzQYvu9LWR^ zHRABQroLtihRa9o()HGrzJhVAs-L`1O(3ENaK%8GY0ctB$Op>zSJ%hVp0SvYewPcAL>{d6Ncml;+vh3S(-4xzLq9Q^ zyeP)mMwY_xrH@n?KD`7CUq&f{yR#^Jz;Dl1nEx{g{qiR4o+N?n&T9j3Hpr#vavHq9>9M{ua@5kx!08= z8;sY;Uy(m!Jdl~SIkID2MARq!;zUJ)0NqJw% z9@jLB%3PljM8s{&>4x0>PEV09a4wh%SssLPU`$hAOO|s@A(+n~c#p;$esij(ob*&H zHx0gZCmh zW#3l5g_&Qjf+^Axp^$M)4lh1k-Y=`4nVCxi+Fhr}Qn58>+ujc2vU$2f@Vq-6!Zd2j z;WcJx?4`#gW(JV$+H>Tg844e0>CFVPb0kMLovF}ZltjpoP8^vtQ$bqCSwQA==E%OY z6#ixkAqQ(X^1BMsHwj4BXpTJG&9?|!X0I?bSp?tTmBa04D^%R0W&>%`gCjT3R#@Ag z6S7?|j;u3BQ%ZKSmAn~|wv}ZhYKrL(>BHeC<|yno^5@_W$M@sNu(=8&J993O17bNc zf1s}wOAArhqLi5j_`U%Ja3j`#o`T$)2>yH!hku$Ue+cnub^jZ5N6;rE+~OjWIfS!~ 
zp0ALQq~agz8x7}3ivcmiV5AgChln9UP7Wd){S z&L{?99*pA1m~p<=?65{*F!KmLX$*(gU#Kw46BYtlY#c|PUnsvZ4709gLx;HoVE{2z zPoBWpA{Hqm3rUM0N5~|Wy97zg?L`Wc-eED2p;I}s?_!0&xrLDa(>XGI7L5LKrb3+Z zUIO^n85}-!iTrw2%jo#tkuV*#H;7Z9VG^-P*9`ZbuR7xjh-j4-Ylda!@G)4vRKXW= zmqMY&^Ek5RGI@pm*|Kgn6^iK=ATg<~v4FE#FY`5KM;Bo$eAY!ilWTRXj(KtLuE9?% z)mkkq;5A`Qmn%g2>C2(y_(cWqBJ9O-g+X^%0eITt0=O~jv>f?q!U`FVKW&&hh$Cbv zTe(5w%)Uz@|L>qK8OT|`kuGd_vV0%GrR-tPXk$%%1mZ^J{c@7Sh2m*v?(45bZJu{$Le{_h0AxcL!vKCg~rjRllx|_xrBl)aTbD?fu+e{uaZnb?fX7 z2IVcxOwmj+I7TKj9b1iR=C6&uX3T%Jd`<4>@XtP9aO5x)yy8T)#DVf3UVGVoz^@e# zIMs!e4|GDWhUu+F0qo5dY_B8N$hhPm$C|YUBl3Dvfh>mX?iz(6dYQF=PsRnbq)Lyq z@+F!^+Q$Yvp-Mc)P%P0**v8qcccO-rzgFJXnR)lB_+qC}6SoGn6dGt}Z0D2->om1x zH$s_3Y}ePKQ3Ip6&U^16Hdj_*y@KaQt%spb>?5QX+Y6+u9LxL}qo>P8LKZO;Y7cO> z&<*lzM_ZokL>@E>Y~rzn-XUUZE-TjD1DoUhL6iU@u}fv)VJ=qeMuj87O&ig|=)saV zXzH>b0LqGyo^&zC8e*j4Cnh8Fj*%GdY|m-^NJ!lN3KFmUs#)8MRkR z?;4wJhGvnh`6f)y6`SQXyBjoc@^{Fw3ll^vW*o%<`UWIRmA5DuShEHGXMuxm^4u*z z%365K@Lf@E7-UDx1976>I!kOW%x$Ye>J_&Ya&$>!S-T*|>vULC=>_s{fa`r{dRu`G z*(P7F^E#T_upX@W0YCBGi^O!2#huw@VY?cmr%=`?odQ)VXB5EA8MXUMJH`%zpUM0W zJULu`H}&G_y;?MpU*jkC9Y_EBAIgHBe`&GqY=>CiE_04!IauL)=qXe(<8}bP@9KZx z;Wx1+W$uuV;|>n#E}fxP1DzNZcl|%SkvrwBwWoggns%TJ(1}(qHw!2&S4zYzwk6*xU41nPsE<)kW3Tyc#AoUo_ z+=WP0c8`37=w?&Xz6oS+3FC^nQ{`L|qc&T=M^jQZ-aMMC=ps6i?c#mT7Wo)? 
zxBp&whq^p>K<-{pZbm2-hidpkPI+>#yqy;8gPEovujmp6xlpjBaLB_=kZA358VFTO=thDtkMg4y%^5 zJPjA2FKxs;edu>$b7o}@DO_NvJp?%x{^ZEbhvemG6aV1}eT7bPh^y_}Uz}}3AwNsz zdsyE4zc$)uOG(WW{KNyu%X-ZAB)mAv(9euLZLg5j{5TB#Tnlk{qa*TzZh5trQ+1r* z|1|$!VZIu2wu~bRr98`{kYgC`ohCJaG-RER$_K7p-M@KKiyPfkB&JwDtvKbwqw?oP z%;6Y>Ie{CiNtj>9G!`uWnEc3VH(YB^x0^XZ7;!=Gj;pNyP?ndCqT8;Q>-h)+PR}rj z{`>;BSN~x%XDd?W53(QiZR^<@lytX~c#%krQk=5FafK+<@i?rNRhlC^mG%3(mm7zk z!bur~qU(Ib&WGqSoI20J&y;zcP;l;;6OhaRmtvEdlFIoR{qCTX-J{R?U|Ze}(yZ38 zd^FQLfwVoZyq`6TI4M7Y>&@SFfi4iIo;-1@b)y^!>BhQM^0Q%`cFEuQ*RxO7Q~F+l zE|L=?d1yuEc1jZ@y{IiY1!MVFCXgG8b@nr4uTIIYrL6jCET$)z>nZwLjL;)b%TJlD zmf0gHX`-*V*w5m3ULfmKceNIVTOiRGsrtrC7W9aru zht0YnXImVGxc5z8KJJ}$Y`K<&-~~AQ$q!q+qhxOE6ip#vFd=l6%uw+9gbW(G2(}{&@!))hd>T~OY~~rd1M@0=;_Um}oU=8{ zlxH)4T;d676^=YcWSh{Ev)Qyoth$w{U}EbmsFv26;BKsAmi+0*gYBnUQ1R-sj)@K0 z5u5xvXZJ5enB0MD(BohE&6`1x+YtIPo;GmeB4yQyvn|&6SuMCMAG#AeEG$IZS?ZM( z_Xw9dbH*{370$(uUB)tkPZs_~5zOj}Lf~q01tu}=!vEyLEAlQfyPnyir#KXefD+=4 z}x1oY`rSK8QEQ-(03}~EXICTEcXuR!Pz{o$xr9JyFFb> zfvpf6UmR$|Uc@H-okO#nFa1h_$Wg~*hW6&>X?9)Vn0)qinCE#Pj=X(c!LW8WfHdmQ zkv(q6AMUIU%UMTf7WAT?xK-E}!`a^7P}nLs-Gm&WaU41Hru+cEat_*T-p|iJNIg1Ia?Okq&G2^cOb`J+}utEZFfgLlDQ0TZrK}h426S< zk<4WxXS;nzArzOn3prj-;>h9C{LKIAJ(soH{pW^4s8|?B6e?;er+z-&&z$|Zt1wco z_aIq5E^Q|Zjku>ND!U!_czf9U1cbST6djiH@Ouv`TVYbg`Q+8kBVC?RFXw_jJ zM>?$VGiI+C{wE)o4@vuRzX#x`yx>0^sSgx3<39=Rg&Xln_}?N#JXA${1F^}UbB%olg_1TA$cR^MB80z^ck8;29qx9395Wz? 
zxE@#^VcJ&;HoWu-A{;%+MX<|LuwjQhAd9DRl@4GJDs+I@JsO%^SH6N34u&u zbs8lTzt{4cIg6FE5~_nP8$aLom@rOCnnw(|e8WQNmjd z8W(Z7n5@bn^R`b80%K_~iVZ_0&J@UJ#@@V9n1D6k!iNvCa&I)=tZZ9_CYGZB>UTcR z|E~EvdGBYTH?235m7#^$%ylY_v(0~}u+n9|gB&L>a%4m%icmFGmMZOgz=vmW__p^7 zJCK)zEc`DIUCXcHAYnr%g^raG9{_K6g~QK&kl%tW_y}O@YXo#*_ip-GvGyMo*5(-m zzjK2H{6NIL`B8oY*W2!O6lHAYh`6HnZO`UxnoshN-7LzVkuRMZ_#Ip(wcJ!!KCFF5TB;pnJ96!6zQ&X)KP@ujT7je0dw zO?~Kkzs0biSS*@UH?B{nyf@dB0a@Ne>QxRL(hM;cI$*P(p&><{HPg|Aa=zQf~J zzu-vM*APbO>51h8Z~ltI@4P|1^!x*PT|V3|+4C3bYh$6080{|P5vBYELR)`8jM_noMj*3xt`uA(W#tz7s!kww3vs(z2^!_1EK5!@;K2k!{px&gSw-28_%H`cn~nQVV!rqR9zRB`V$Qc;MVLA`VOTx`L79H*0=y}%(k2PD|Y=S7=UA$$$vO9 z3=}TnvM>bP-RwW`&W2j)j^b;vy;oDHJ&th^eJ{L`A9RlxL!o1Z3FOL5 zP2>&xq;kVjbMWW&vDS-UW34L6-dcifmWfvSxy5I<4-Os;wk0r+*b0$UoU?5=)tay> zrt%gqG^Nw!A)wr^BVgZ>1(ebPZocuYHC6YisaMP?d`ojSe>1K8!{ejPVD@`2`FB7aEwrWePP206+FGoi zh1OBlbyv-DI^PLKe1gS5^qaKuB!&lztn6>jY%Jxwqt8^m^pJ}44Rr468DEJg>#>EF z@_u8sWuMP`ShpSg=6_OwD#RvVHPTwaxPH|MFp+qjc7}Qpv&j52c&G1-qj_nSN5gHWeL zbL1-$6qS65Kk*S>aww=5w!FRYfDJa9{<9S z!^4v!r{h1Qk?Dl&=f#nwipbCZAHS;4qSMYd_=%B!j1Om9QAA-qyHx~o6!YWADn+&O zjoq4}KrRm8$Spj9`;PI9sh^3SQK&8047MkR$CH`lnlAUzswfzr=Q)z8s*>x?qNKhMUY@*vW#SyyHo+za| zGR8*xE*l7<)gTg!)?Ffrs5T3DF&COYrDIY_4puy?k~#vh+)1O1`O0TAbaP zT{&CFo|xX}oaCGPPVbE0bRLwaKqT^3y8 z9^?ps9O9b1k7>&y$|O4|q@{NqAVywaE=CPUt@KN`&CjtfbS6pt`l5x`^yix;mjV82 z*X%!RnOGwPl>VR;*XsJQoYJ?Pf@%rnFb}S>v5v6G`Ev5hRmziRE$JAB7F=<;nlq4# z5nf(lpr@6Gh2Ib2$WcS#bt*UJK8#A(eF}n9!Dx&9j#c70rM7~?+PSm>gz*{1kxwef zPtRvNJ+fv(4*C*8^!}g`oUMOFh2X!rBIKx)z>(X>p#Ji+qC((ys|5JpA`wf7PWl+NEE|tuXK^7+8!Y7iM$nQ`O|nw71Q*`P6w%z3`%$ zF3sa?;nfv(5!0(f#f$|U*OR*VY_?z%wQ|AbG{iQerh--%@u&4xu`DO#Rj#Z34Om%cc?)~i-|syEve1Jj z;!)$Qm0Xr(&RXg3?|L>~kTnKulrf5S8n~LX<*&m+H0B-VEvGuUu+MR>od7I(OVlL1Uch`_kclP_E>(X6e(eQJJWOjHd zh2YcN6-;uGkUMc%4IzDwAo7jqBYzCo(eZFCBaBZ9e&S3ThZ}2%(()K)Qi_NCR4+N% zJB>beF~g9HYx_OiT|<=4b>#Ex_1kAu9|5+bIzh}BSI`jK?mF@Tw#nj7hv$Ha9?KRR 
z3U1&En!3o8{p)JW$~w1gf?Ml}U~8h|23GT{{UG%s9yZBJu6EtftaGD{W3h`k(A>XHSj6QyYcUzqh9zTgIu=`vpO0XMbrzCu(4%g}MK!B_r|(VV4t$xnbV^Wn8;!ujjq z!xwQW>2!^&=-tx)*$n^2QZlf&N0NRPkeozi)OTX)H{8u6H zV*MJu=^Bx8Fq*hZ#ogxA-|ry=ruis1LB0?4EP0p18~G}Pz-hif_PNKASAdkAz;*))FI3ev@&O@5HW`(Xjnk_8WrmM+yV&+sq$5jKs4Fye_|&f@|~ zQx@|a8xo~2#LDRyAn($Cw|$q;MSIU7pSa|?zTmve0~B03Cjb(S ze94iO1Lco_KPL^2qC}mZrWRA$N_m_uHkSx!{Em)sqA?KS8ga20XY&hJD3Oi~ha7WD5E7qD*#%g#ef#9Y z^6{J2x2Ov$7s7}OMXypsS(~+MCcg=}*Q@ICJz)C> zj02kuI#EPB53k7CinmZGaz(RP%CFn2iojq$3n+FSPCGTU_$s_hn2HOy@iGjSD3$aPxUcSS(L+l8USYk-T zhEG#BB64So+yiWXpA^fE^0cOp%F+iO9T1#E|9@1QQ+{qOZ?_IBo(-gLwbw#OaTEUB zgEeoXZ6+&L+}I^XUH_O&6zgSOBC5~q+iGoPL;szUp?%shn~w<-uTWv$>xqP=R zN~7&qY+H=EOFM%wqAlc!xiYNNwgHjF1`C zUOvbF{L8-{9dS(tt>}OQgE-~=_6j+^V+Wd6AsiXgL198}A!O5r9GMdq@OM?Z^*N^| zRf0Ol@Ds~W8$*e@7Q5O@;qApEkr2wUF(KX9*6_c~Bp2(CzIuiP!bB2<>e!T1&+n+v zl60vfgc{V0BkelL_ik94yEW5+tnQ#yH0t3-Rmp|G=Af z&ol~ozr7ZM{j1@Eb?%B`T&PmR-bC;{T?p>N{Cm(EQ&ORIrhYWwOS>1q4cOFZ`Q`I+ z@p+HY_4ZE@otag=7pJuDqTtbCT_8;BJ{)Hu%K-2D!+?3(bUF07FM9koy8cA7Lwm=p55dNh*#c?zep#owRPAE z4Inn@l*D(exjTI_H6CPQxEVK)h}>DxD+;lAT6b9Y>L5b8vTNP7m1Gl!gKpXl)Uwt@ zXU^;%&e{A&VbZ7sujac~pScFgyE^G~z(`J+K03f!>H5eiR}y~~1toPkiS^?Fqc~;$ z*Z@;Dy{CdhruKx%ZjI&+Y2HhIUd4^;{;UTCp_d56B)1v*K4_+APeh*Fsf zma*!^W;KW|rf-FA58|-ztt}?o0Cphz(6v>N=CO{&)0nmwJfii~02`(B*1cqCYx-Pk z31Wxno@b|U`D*u3$X{anz}A%$S-FAG>`)*1#CY4z=3frM*7qTcxDc+N&e?+d%Aa+u z9oTaJBCusbE3rnueDFQq|q)y)@J#GN5Fvq3pQi0!sI_b7{c_}$Ke)36x0YC0%TQmHw?uLSujK^ z|DI?zArsNWKuF8u*g&|(EBxX9@qmv#QUJGN=i(JK{z341=ujAnOgwa`e9m=r`HM%h zVg3l1Ut9y8qeEe+LQ%qc7(~cAL7>`9a|VY1eTOM%kW6r&(*>YimmuG~;@XOJ zZ3|)QBaITPaDnJjAfEx7G0RSn_uZM%W;MS3v6i^|_O)BIgf_58r&viEjDtryc{;k$AXL@M+zK4Je>b}hiS*aT2t<0hV`#1 ze?*be@%a9HY>Li-R;<%@x<`~Pq%)-KG0^I8E`jQ?h(`eie^pSJ)_qr9Y8TxE6~%)A zbEX-C^=I*8#Ql5)4cmWCU;Gh_UBD>j)#D#B+i?p0Q3>NvV7YnGcAWh2#CES` zCwfByDm9Dl)9EQ|J`pR!vllqH={#OOq1?M>VHOQpeI2FBKIfEo#w&Pa=?NIS`e=n9 zVY*LHC{e5=WCOH4Ow@X@+iwv#dXJJn25NLY$ukLR6oVS#^$oFah_a=$_g$C>Iik_* 
zKys9yq@Y2kNkDc*QvxBse}M)^CMm2?ZwVgvnc($V!^v7(X^}@y2GRrl2oo`JFHKfR z3oNDpX^(ycLT<@NjjQhz1(A~pUIzUL1b;n6VN>Ze70A|THz4GQsq%}?rcLobo#FmD z7-%taHOB)rvk?dH8U$Li=S}4!*XiszD~a-+4rLA=t@%S~%$846m`^EAejphiqjsZdA)`>O@S{ znNph^i7i~VI@al{%d0jZ@JswyE} z*}WQpW-NZcyu*6ksgO(8v;{#6u>^Xv8Vi`KZ6F=$x6OqdxKrY{9GhJNZJGHzg@Elh z5Ae#)9G*B&!7ncm(#Dk|m)1r|sU9zHfJyb@Bm2Stbc>JJ4wQyxU}hr?S~Xwc$SG$& zgqd8M1uVqG?C%q3#9SB1A2#nyZ+K-MgsGt8oOvE1r6IexKt8G7W8G#rCHDuQqh2w~;-966&N^7>MuKa2jpBZCl2`Q(6R`kVo-bAV3iwiLd z2Yt94KNc#K`+OH6|4m{33lWfff&$I{uD?GGEcz({{O|jO1R67k#qy!jVP8)#Y9*(6 zDOTRj2N5N{yk4wO*3HE~*6$UGdE z^xaoOopmgy5wW>4zoiPZe)Ljkg*JiTQ*?89pq1Jcq87^l|Ja1X$3$Q;(=3x8p_w+* zuF}WSemaZU?q;0w?lOgx%x*b^xzL;=yDyiw>4=xBYFR)I-HUu%wqkm#VAD6CmJZ== zDyyr)IT1pJ3I@+cuUw&O^%WO*M8y&XC13N)Z9u9)47>%iHPk`=rnGZ}Jh>&TI1 zR?43@-01YfgbqzNA)JYGu45Fj)n%`vF^xSHuCKglHE}^%P?}=;h!N6LOO)ZVDa&2Y zcb4>N-y_H-CY8JK79YuWewF;G-n$J&rqF5CFtCYrPklC<$l9(}$XjNuhQZ%<=LS#c z9r$-=4UZjjvm#)objT#uFPit_)VKQvny|iW6cUQ$HIVFM9}a)HM&1?fpKW3P`*t@7 zB%1qmKhD-l6z2-QGO^qqwuwh?E%CC;5weP*BuHU^n?sN{9 zV$+QMEmp_Dfq!>TQH``NUz>q{Ao#^-zmR3EMLt`7z1CJXIlhoNE8-c*8e>|E)5(`< z*C91ZS+5XX-ryhWkB#SAT8==5*Jy)+Cyd+x_y#-*L)qNf4f5gj%KGU;>DjFZ&_bLl zAtPD2jS5Euvo=D6i=zmHbNr185v}wlAghky$ZnhDg`XB!cH067Uj|!Ial@55mb2w; zQdpy^Z-yKjCvfE8&GM(?cB_vcSOQnr1zE&e^_)qZ?bl|71TA0-K0+tbHngN;zh;7!wKy%h?yL^szY})H{Z9zF#$M3E$;FOoPEBKww z4yZPHAxB2;kY7&zsgkx-4{}hJBih*#{RpJm&Z(V?OJ`bTcS4S6JTEgFAE~}v4iAh~ z=l~7&Z4urD28qQ&D+Yyycr%75^L8rK9%}4@FyVN|g^)Ma1{P+McPY5bA%aiD^DFyc z1)ELK#cH?w03YsUdyWFjCFmpW+{EgZRYk9<+`{UXC$I`zoHv=o=&tJ{gK7OS#Xo-OH3>L_|YD;eW0=Aa*Ta<&HU zzSc_T84rxwj++7jEg_)T=W~1yQOdtXIbt7dv}7NFT-n)u^3mdXts2^Bh(ODmI9BBj zvgQZDw)F_=U>)}>_+rw22y^oghv)29sHm1c0A%V>LVB=12jnAg&ETj17J>?AU`a7a zx}VC~z8sJrYL7g_lhi**r}<)y$L}PuNjKGKlIG5D4kBvQ69bn1X_k9X;V`l3Arw>A zvxtKzSu8pvf0#I9f6G`ZJZy#pqG4v8;{#-O5gYzr6XciP)i;k^r%#ArrFkYhehgEh6!|yvafTkMy4wCwWI>6w}_=4gC|=YS4bPe zkK<3ayTxXo#1Je#E+6Ci9=;Kn39akttOHGNbGDoJkP*3_kT+zlq}5|@!iW#BBM^OL z&|OZs{e*&#JU;=|R@~>v8jm52%IExx%>tLvXSj6Br5M9cJS0l_Z^C|^gdF`I6R0)| 
zKPA89ms%d)&lDn1(ka%P2R-9#*TE+3UACto$G^`BS&M1%0uBD^!jGn3cI6acZ+ThD2&*!`x_^3R~ApT$6QMxR6hyz)8uRk_w+ zy&_J3Bog~I-n=iMtSB42Hk^GlrurW?vA=E<+A#_Q9I#m7X8pwT(9am{7zDqD|Bw}C z#Pj2k^!-;WorJ^b8#|tc2(|ww*41zI<*QPLsSVmZgI|q6+AQwwU49T{m~6%9#I?aw z=?3`HIy;j%mYSw@Ur;FM?GI3N0iQkgbXhxnF(l5y=f<3EMY?<>95BGKmI;`q zLN+nzB%sqH1FN=;Wss>-_1nw3Z}C?UFc6etVLun$A4GZhlKf|sE%e{!)&|=b{6qmO zTM?Uda{Dpi*sUTUq0>-NtUcCjWrjk>xNRm<0!L<(fmJ6eQ^A841E`-7{B@7DR|e69~Egk5WMzm3OAz5YnbRM|xkCpQp)Js?9BldAbXh7h~D;3T)*y$Z_JT zf+zmG3OQO==E%@%^0BN&TCe%kq)Xp{im|LrRbrD*$!)GfgyGc)REu@KuCA* zm?J;E`ne2yNpJAb&30m1I@*;}n!AH?#!ZFl#_^kwD6JNUTV~6TbYxn^A@c4zb*?rgDhBbw!C@|eO&s`XQ6bLqnKY6tNWXgCD#us!G?8-mjC9h_bsS*(z5_= z$vhq?9146Rc&1kY+>ABLQK*7W&jCEtw*YR+?&Zk)UQe4gKI>s&JDr8Hy8mxVSlEE| zxGldCDz<4LIAJy9&dXaTjuYXvhK{AbyT%40onee(AL|@*dz* zLJQyqZ1X+&(cj)WEr_CM4~)K;*t`fMN_VzBBFK=92@f)6e!23qtXkWZ)##G#@34`$ zuX1c!z-z0N(Z$Ypuh<84p*pqX;ARDsrmWEJDCwIR$85VijJ_J^1zIs1vuII3X~2?O z(+p5JD^LGWtQTF^PzjX|u?lsmCGkqPUUaLrDPar*q+++2>P%`wM4rt2q5NPQG@58n zmj+OWuvqhmYDa8tEa{D6yKu_D zCknOwF;5`O%B~z)vuBX??{;dju`BeS&->uUC)}JF9R}dfyFQO6-Fw!*ue1 zZ9RCH%YCY#io-Lga?&DmVWL$zM771HTtuOUpov24dj z_{_7{^5xD|ueLPZ31O()TwG7^xXW+0*f$DW=N-B`Pi^0O+`_I#)-62Z^7dR@$0XU!)z z>4IGS6`ND2i{l#<5=$C(i&?-YZLqW(Z21ITOqX&ieEFnsNLT+eki(X7R3!fK98S%;ZCyhXJ1vbdwc z)G9+E%m@f0`e{DXet~C9+WFc;aHNPpiWbbcS;McLZuc)i;|0dt> zI3e%lp;}OaO2lG8Xw)VyM$q8s!qVO};yV=3!!05-7Bf=*>F`Tlzuh+m9i{GrvIuyh$$SoR$`!v9!cFck=y&i41r3+^ zPSMh@>dfyOU0Ofl*l!%Wbt1^>cacnX+)Jc9uRIHO$%G=}H54O{b4ugWK}A?+mHW#R z^&nBNlN^3cFIxK1*>ihuO}h?3X6ra%yVIPltG+y29jl2~J3%#jFp9x+>N(E#PG8~t z*trn2@=W8%VTGdQUynXS$d?y5GCqT*_#pXop>*AjW2gR^Mxq+QmpElc7LIBb8z@vp zFBw20$4n02d>KAd#ZUnrX$bh&EDm3180{z>KVK0t|MDNXZ=!}Z^EwuhMn(#MeWVdM zg0B^D6lOP7;FiXKC*CN48?sKu(ejzU&6Z*qB9NE`I!GX3B^2cqC z{Av;{{Yt9Snd%>@N=s*h;(2h3yPR#bX|((U>IY3B$LV_<8SxNqlYd)2UKX2JVgNh_idnJtO} z+0Te0Kbr;@VZDkf49zlv7d7GV6_&w<>}62}8`dZWcrmjAxaD7!I7(Rk9QX~koT9TU zF|hbey`Xrsy=)LH9=>>HHIUuKPYi*ntMuwp zrxLJ_Q(^vh0XJbOCFCCjV|k-D9)}uqSSId&+ZW}OZY86oyX?9z8gkJKZ1G?dcSCW- 
z{}{$D*oeJvt&wkO%*Wr?Hz-*Ew`O*m70xIVO94Ko6o;3w4>o0YO35#~4U^+*(|O7= zovmkN8KQJ$ol8f{Uu?RvG=w=;wg73&CWR<`aqMIV_#;OSA8Hp}T-IT~k8vEDi*Z>4 zHAIJfRG!%6&mertK!nnj2!z+T%S4xuEekkL`OuRtoX){d+(_PKnPf;?d-+|@h%;Nl zUSnALV-F>k0-ILlqOGu3n1HwKq15ae99hOC*j#Dhs8p!XT>9Fs0|XKm!nB&4a%WkE zIQ^ZPEm@7(@*Ao2r*XqZK$wFNMy!>rcH@-J9>F$B_v92cxL1?XPP#2r z3=zX>bIO*E(bA9k_-l5UlYk)*P+ZhbdT_QojtcvY(&cFA>T+ZmFIY?Epk`R7ZSSey z=oVBH^Rf$`obqisg{8{1JcKFX&5GdW9$f0`ynR#Q*=3H4J@s7bi*6-1jBM(-N zmVV*dbyP-P4E%$xYZKSiEzLNaUlj#8#^4|84{Xkn{_T*FWmZwxK-p9Uyl%_?z%^B) zrQbtcu`T0t@jn4TJU-des({i~=?>8D9j)fg1*HaVE5?*6Z3-w2*!%wS?KzfBmb9Qp z=4!wL#TCY~9j7#?EM8xIwN$^M?}(DApx@B8pS4s-Y11a%(^sL$rI4FiBm5ZJCdgf-Z4RfS2l8 z05@T$oD|xTe-Qj@cMfk@Q$F5p?OZ68;x0YtBF34!Jvm!?O@%mP<_tMr^ybJR{e!KP zjydMPy;zT0q-bRng;~&-Q{H!05XQj;!gT1*k-c5yowZQ=k(KsAh7crIVhXV%hS*$L zvmpo>Ull0dmGJLHDTMCL#wQ09P}=@}?^Sk*h(iO63bQV?bktB=!CLp0UTq`w!m2-z2O~(fR-TU6RyJd7a z40&3@+~TQB=g~wh{X}2Os9*Kz@ZchhEGDQ!aovl1bY1q`U4BQrGcvnSWiZhrsiI@G z8&7QRY|geQ`OW=y57_F)L_*ePzdYpSxaAP%-VRz#gDj#quAWS6uFNG7YerHX`Q7Zb zfCgV9Kxqt0aT#hgl~dZ(RmcM(>O!?2xKM_Kxi=j#Va81Cuj$@H=~e6waSWNkIjYx_ zPl<}n-CA}9bXkO95~I}hS)6TqJ^2mgglD}z{|hz;ovELN8(~O4KTnke3;$UE2QGv8 zJxq&Wl&hW!2k=()0bh;VU;e;tSs#3tC~eaf1iy;6V*bF5*}M7*LB`pOgkQwr!@cB# z-MQ+I3)4k%4|F_s@KVmE?=4?Ts=BO;S0vb4>993lPT>l9#_C`Lc5fxZ;8Je|^JGE@ zeZ%Ae4jWd(M*$w?19+F!1#knl%|{_qdPQ)%wH#j0S3Xzi896n*HtbOrE-I!6Nw`La z>~YjrAwBr+3pq+`;K&Ak@*DV!@~JZ0Qr<@!rQ19Ua-e^ zonUlp2WRWPC)nn%3fGe=%?KvycRIr!x0_S{*oXL%7^q?t zalnzVbKa1u8>}p*5Sd3gb>s=0-uQ;dFSh;cf1W)E%5YGMi*1+G-;@i^V8uKUq7a$$ zL!j&66aR;{WZy<9^rcN}0Cd8s|3e$Fn++89Shfv;c0a?7aqN7sF^iuqpL;e~b9aM2 zym$eOAtp1H=Qw3dqi7?x`~rsmO+$Gjcg!kgMc)w7!vo^{@0nJ>E1#@wZ3HD3T;#|v zjpVbD`{xg_$fG%Qy&%Mss92zSuc%2(Vj)vJBxv{bQg4cZPydv3f}483>o5S~RLA8NUP5dIJ#(N3Y(;oTm{6bp{5Zv&gEe3biRsJCYZ)HtBy`4=oXWgFX&!fGF1cjy3# zK3jA6+79x~0IlYX_h1kv88#KyRbN|Tb7L-%@|n+wIWp2hC6C!$(xbt(DpuiM^mKTR!5v?CFf zZ0x)uqU5uzk0sie6oRTlVK;Gy(7HTl zE3c6+9?c3XbGQcNI)E%k4^qcddd~CTM|NR)r(ew9$oS zhkss9%28^vb=CPy;C@xk77?wW!EF3v{pU3bkVfobw8HMMOc%f})+Bgs)~Aa?^WauO 
zUUA{bA6?|9rSsMqF%4h<`tn2^!pUx&ZE{!ng``~C^KW$6;0gB3Vn+!S%tFZe$gSNKy3pPb@_`pe#`uL; zvd|t1i+Ms1z=!w}+=ZR%A)neVdG8dn5(bEc0mRJ0)1R}o?5R+#OX>+ZoC7(sU$1Cm zmKqXb!SZ^_mk&&Dy5vxppoCl8>b?pp;FWLp-O?+%G~3h@q4`TMg>t`JZz$5MA^(FT zdn-(?ql9z{JN4D;jE%-)M~}4kF*Uj zXX*VEW{zHeNOrCbhd1djUkcfGw`7Bj7_Kx3Bc{QZ+i|we9Yf4mPJabqY+@ix7Oqf< zMM&3lhAzEh6yVDVezqfrzlxFHD`f`mkMM;qbeWr27j^ASY@yPt@{U-Da0b_<#NtqP z*S=`!Ct9AJd>2CZVm^lmqB*NG|JY~`HZ@Lup>CER^rJC|wql(U`w>cr%a@q1?U7?+(};U#@V8Jg&6+TNy6wF^D^k_o9b{PF`?A<;M5fcDr{0a4TSYu z_TtF9eM5{`%0T&OVP=rMaUF!A3*g1|82vN9t>!XFq0_MUAPDoYFGt44LYTvY6rA}D z!A)Y=jv*K>@4*WB-N?Z})`{cDbA#ol^x8nPFxuG$zyM+y%yA&G)o1O8$mbT-j^F)A zY}8;TmR7&yIRK*OBja)R`7- zr~ZdBYNSHtf5}J;z|O=1c#+?ak4Y~xH4^~0npprhXX6v(Gp$YQ-O^}Z+Y1VX3H98V zBu;5LD!RI~Fr7z1nCv+P!rp0tr3D~QZo*-Xi zv|k@)XbVa@g%dsH-TDGb>ANJ@-3d^w!$yugIx*Uuz1f27*>9qP@3Phl>DrG(%xbar zwPkYwul#pmdXpg0_N^S*WKwi-*;Q@wiSb*Ovedk&V)`jq8EI{*zYDtDnIx}^UCH8K z=qllT&_(p!B zI!!(~cvtDkWO|Fr2X+<`72eB^eBOB1$8+7_3Zi_0N;FJ{-6;z8# zglc6@apaan`RRTs@z7Ly3j7VsEN)cv&TzKc(-q1qeWyc?CuceGz;uO5!cRhWNaM(` z848Qhv>8A)yGTfPb~gjTx9n2+f#?(aa?wZ_U?~hB=2cJ9i84aA%#%E!i4$dz8$cvF z$%zai@?yVcMoVv-&sA6!P!nu<|6gZU9@N#5gdbiAaw$=cC}6~64G~scyu}pq69x2# zx~%9f;Hx!gR#6iZj}%dq#L^`kLKrSV1q2UJL_vY&@)j_}h#I4=iBS|J>Kc!z=zhZ> zIzK952C7~Ge|+ET?&@tJ9Y!)xbv>9$eSuntQ7=WLF&R%6~{y!o9PyAc_`TVAUYj^4Cn`Q78etgeeW0ZkE z!;}4DB+7`dVxV9APb}G9j8XfD?(7VSzdq|4gsH`Hg>Qt+B>iLHGJ&xY&5FcWh!J*^ ziD6pr-j&qHN@!v8HQ+buNN7AJ*rg5bJ;~~?CEz&}?pEIl*N=-6@0TSm{;}K^hM130 z;ftSTcPOJ1X}XI=R%D!b@EkvBcaa`PYY*Sydz*EQjM9`yv}(Nx)U&_Gkoz7Wl2eJe zFjGy2`q8tsf5ggyZ-h+zAEo>Yv5yyj@MjmCIi0>KNf#A-^=a^svWa&W@8hnWY95jP ziI~$TB#3u*EXLYBq`mdvHX?NXjk1j(rxL{Lshf-DIZgwc1=#pRSM!vziNCe;RU#Dn z=sC3lK2-J6y<c`h_I zMEvnidRU*a4NehnnT$PL5%m(IVcq8QtrZ50EiXl)W%o-8w6ZW}$nmM-o;oxoZt!7f zMUN8UXQTn9jO}Eqc;95U(VQRXW-L_WX{;0 z_0eD*xK%uF*_`nCd=&(wuS)WH`9^O>`SCW13S{p#nEjvyL%!H1UM=fo-EE>7ukD8f z+^reghVA0cRJbSNTpZXEpcU_$MtvDulC8#o^i7kP{77j*KldOG1v4EXc9fnIXrIL?V#-1dr!Vz_BBw zS&f99;w|}tXQ{o0V-T+3;&a?TM^QFMa(Ar8jJ&r?BG~5bf-v_-x5B%Tb$JpW25X>j 
zLmXj}gS)%zmRKyW-VJ2Mc!uxxKNVl{YD=@1_Cmlu#;EdnM-S(iP+`K|G{z)w zk9dL}3pHc=OT1Gk8$VqOqoR~#qE737b>3eWpa$&FJ34F zcgiU34iV_?R6c1Q_ao8!RpBq!#pOYQfpaOwiFoCyHp1Q9Xdw0SNz{HUsjlE}VW7gSGxYyBg>-%xM(hj3H5iw?`yqX(fM5C8bN%@CFbwqa>y|*ipkNf zLVQBHzwTfWearD9*o3#ofX$383T*9rkD~lG`m`^psel}nF%&s~Ok6z8fLI=pNZnpX z05^|qg{CfFPz5kWyjP%wLgB$Y{cw1 zpz+DmTW@VdmNaOMNYHWBOqe8vlFYc$hUB3PiNgtyc^sWPBL5D_`Y)i=~ty%k?P9! z0*j7POJMy{h4i$b8EHv^pU>@1hE}UaLtZ5e-QT(ig!oqjpZ*%(m*iB7+`c6^_2}&l zi>Tnvf9$faJ!^d5@07YqMR|m?Sq8RRz;110sEgBFVpD}QT~H+w+bt&e_6%eQd`@0e zs}90m;6p)4%^+J6en#ylV6r#wXJSPfPTpjs?7@f+N5N;ArqeD;k*0<5G+|H1Tr i%}6U^Tceu3_q$U>S3DoV#%BE{efRlYl(Hay{P%w(px>7O diff --git a/rules/rules_windows_generic.json b/rules/rules_windows_generic.json index 2d7eba3..acd78d2 100644 --- a/rules/rules_windows_generic.json +++ b/rules/rules_windows_generic.json @@ -6764,7 +6764,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
@@ -9352,7 +9352,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -16798,27 +16798,6 @@ ], "filename": "registry_set_fax_dll_persistance.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -16876,10 +16855,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
@@ -16890,12 +16869,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
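Review bot: The new `TargetObject LIKE '%\\\\Services\\\\%'` prefix, gated by `EventID = '4657'` and `OperationType LIKE 'Existing registry value modified'`, only ever matches when the Security log carries 4657 events at all, which requires the "Audit Registry" subcategory to be enabled and a set-value SACL on the watched key; neither this rule's `description` nor any other 4657 rule in this diff (the RDP port, WinDefend, TimeProviders and SSP hunks below) says so, and the generic ruleset is the one meant for hosts without Sysmon. A one-line addition to the description such as `"Requires Security event 4657 (Audit Registry subcategory plus a SACL on the Sysmon service key)."` would save an analyst from assuming silence means no change. Dropping the `HKLM\\SYSTEM\\CurrentControlSet` anchor also makes ControlSet001/002 paths match, which I read as intended. Unlike the SSP rule later in this file this one does not include `'New registry value created'`; presumably that follows the upstream Sigma category, and the Altitude value exists after install, so it is likely fine but worth confirming.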
@@ -16933,10 +16912,10 @@ "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -16947,7 +16926,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((NewValue = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -16989,23 +16968,6 @@ ], "filename": "registry_set_office_disable_protected_view_features.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
@@ -17544,7 +17506,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR 
NewValue LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewValue LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -17658,7 +17620,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE 
'\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -17720,7 +17682,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
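Review bot: The trailing `AND NOT ((NewProcessName = '') OR (NewProcessName = ''))` on the new side is a literally duplicated clause, presumably produced from two distinct filter entries in the upstream Sigma rule (an empty-string and a null process image) that the generator both rendered as `= ''`. In SQLite a row whose `NewProcessName` is NULL still ends up excluded, but only because `NULL = ''` turns the whole `NOT (...)` into NULL and the row fails the WHERE, which is three-valued-logic luck rather than stated intent; `AND NOT (NewProcessName IS NULL OR NewProcessName = '')` says what is meant and removes the duplicate. The same artifact is worth checking in the other generated rulesets in this commit's diffstat, since they appear to come from the same conversion.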
@@ -17735,7 +17697,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((NewValue LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR NewValue LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, 
@@ -17852,10 +17814,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -17866,11 +17828,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -18044,7 +18006,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -18160,10 +18122,10 @@ "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -18174,7 +18136,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -18449,25 +18411,6 @@ ], "filename": "registry_set_uac_bypass_wmp.yml" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", 
@@ -18601,7 +18544,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -18615,7 +18558,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -18789,25 +18732,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", 
@@ -19190,18 +19114,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
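Review bot: Lowering this rule from `critical` to `high` while keeping the unconditional `NOT (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ... OR ... MsiExec.exe)` exclusion leaves a coverage gap that neither the description nor the `falsepositives` entry (now `"Unknown"`) mentions: a change to `Lsa\\Security Packages` made by an installer process is dropped on the process name alone, whatever the new value is. If the exclusion stays, the falsepositives text should state that installer-driven security-package changes are intentionally not alerted on, so whoever tunes this ruleset knows to cover them elsewhere. The extra parentheses in `NOT (((...))))` are harmless but look like a generator artifact rather than a deliberate grouping.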
@@ -19583,26 +19507,6 @@ ], "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 
'%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" - ], - "filename": "file_event_win_creation_system_file.yml" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", 
@@ -19783,25 +19687,6 @@ ], "filename": "file_event_win_wmiexec_default_filename.yml" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" - ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -26156,6 +26041,25 @@ ], "filename": "web_exploit_cve_2024_1709_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
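Review bot: The description of the newly added CVE-2024-1212 rule names the wrong CVE: it reads `Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster`, while the title, the `cve.2024.1212` tag and the filename all refer to CVE-2024-1212 (CVE-2024-1709 is the ScreenConnect rule that precedes it in this hunk). The filename `web_exploit_cve_2024_1212_.yml` also carries a stray trailing underscore. Since this JSON appears to be converted from a Sigma YAML rule, the correction presumably belongs in the source rule before regeneration, e.g. `"description": "Detects potential exploitation of CVE-2024-1212, an unauthenticated command injection in Progress Kemp LoadMaster.\n..."`.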
@@ -26193,6 +26097,26 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND NewValue LIKE '%-nop -w h%' ESCAPE '\\' AND NewValue LIKE '%$env%' ESCAPE '\\' AND NewValue LIKE '%explorer.exe%' ESCAPE '\\' AND NewValue LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -26602,6 +26526,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\' OR NewValue LIKE '%.vbe%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
@@ -27157,6 +27103,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", diff --git a/rules/rules_windows_generic_full.json b/rules/rules_windows_generic_full.json index b0da70e..64d706e 100644 --- a/rules/rules_windows_generic_full.json +++ b/rules/rules_windows_generic_full.json 
@@ -7257,6 +7257,24 @@ ], "filename": "proc_creation_win_findstr_lsass.yml" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR 
CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_electron_execution_proxy.yml" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", 
@@ -8341,24 +8359,6 @@ ], "filename": "proc_creation_win_pua_rclone_execution.yml" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE 
'\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_electron_exeuction_proxy.yml" - }, { "title": "HackTool - Quarks PwDump Execution", "id": "0685b176-c816-4837-8e7b-1216f346636b", @@ -15277,7 +15277,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
@@ -19908,7 +19908,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -20299,25 +20299,6 @@ ], "filename": "proc_creation_win_cmdkey_recon.yml" }, - { - "title": "CMD Shell Output Redirect", - "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "status": "test", - "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", - "author": "frack113", - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "falsepositives": [ - "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" - ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_cmd_redirect.yml" - }, { "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", 
@@ -24415,10 +24396,10 @@ "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -24429,7 +24410,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE 
'\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, @@ -33796,27 +33777,6 @@ ], "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", 
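Review bot: The rewritten redirect patterns on the new rule line of the `@@ -24429,7 +24410,7 @@` hunk require exactly one character between `>` and the target, e.g. `'%>_\\%APPDATA\\%\\\\%'` (with this ESCAPE clause an unescaped `_` is the single-character LIKE wildcard, as the escaped `msedge\\_proxy.exe` elsewhere in this diff shows), so the no-space form `>%APPDATA%\` that the removed line matched explicitly is no longer covered by this branch; the same applies to the TEMP, TMP, USERPROFILE and `C:\...` targets. The second branch only partly compensates, because it additionally requires both `C:\Users\` and `\AppData\Local\` in the command line. If this narrowing comes from a `?` wildcard in the upstream Sigma rule it may be intentional, but it is worth confirming before shipping, since the previous version matched the no-space variants deliberately; restoring them would mean adding back the `'%>\\%APPDATA\\%\\\\%'`-style entries (or switching to two-pattern `> ` / `>` pairs) in the source rule and regenerating.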
@@ -33950,10 +33910,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", @@ -33964,7 +33924,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, @@ -33989,7 +33949,7 @@ "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
@@ -34030,7 +33990,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -34043,7 +34003,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\')))" ], "filename": "registry_set_servicedll_hijack.yml" }, 
@@ -34087,10 +34047,10 @@ "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -34101,7 +34061,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((NewValue = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -34220,23 +34180,6 @@ ], "filename": "registry_set_disable_function_user.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "DNS-over-HTTPS Enabled by Registry", "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", 
@@ -35030,7 +34973,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR 
NewValue LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewValue LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -35182,7 +35125,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE 
'\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -35339,7 +35282,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
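Review bot: The trailing filter `AND NOT ((NewProcessName = '') OR (NewProcessName = ''))` on the new side repeats the same empty-string test twice, which reads like a null-valued and an empty-valued Sigma filter both rendered as `= ''`; `= ''` never matches a SQL NULL directly, and the rule only drops events with a NULL writer because `NOT NULL` evaluates to unknown in SQLite, which is accidental rather than intended. Rendering it as `AND NOT (NewProcessName IS NULL OR NewProcessName = '')` states the intent and removes the duplicate. The old side carries the same tail, so this is pre-existing, and as the file is generated the fix belongs in the converter's handling of null values.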
@@ -35354,7 +35297,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((NewValue LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR NewValue LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -35412,7 +35355,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_administrative_share.yml" }, 
@@ -35435,6 +35378,25 @@ ], "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, + { + "title": "MaxMpxCt Registry Value Changed", + "id": "0e6a9e62-627e-496c-aef5-bfa39da29b5e", + "status": "experimental", + "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\MaxMpxCt' ESCAPE '\\')" + ], + "filename": "registry_set_optimize_file_sharing_network.yml" + }, { "title": "Winlogon AllowMultipleTSSessions Enable", "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", 
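Review bot: The new MaxMpxCt rule only fires on `OperationType LIKE 'Existing registry value modified'`, but the behaviour the description cites is operators raising this tuning value, and MaxMpxCt is, as far as I know, absent under `LanmanServer\Parameters` on a default install, so the first write would arrive as a 4657 "New registry value created" event that this rule ignores. The converter already emits `OperationType IN ('New registry value created', 'Existing registry value modified')` for `registry_event` rules (visible in the FlowCloud rule removed further down), and using that form here would cover the creation case. Worth confirming on a captured 4657 event whether creation and modification are both needed for this value before relying on the narrower match.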
@@ -35562,7 +35524,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_defender_firewall.yml" }, @@ -35677,10 +35639,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -35691,11 +35653,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -35761,7 +35723,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
@@ -35771,7 +35733,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_persistence_ifilter.yml" }, 
@@ -36021,7 +35983,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -36231,10 +36193,10 @@ "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -36245,7 +36207,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -36732,25 +36694,6 @@ ], "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, - { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" - ], - "filename": "registry_set_creation_service_uncommon_folder.yml" - }, { "title": "UAC Bypass Using Windows Media Player - Registry", "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", 
@@ -36823,9 +36766,9 @@ "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], "filename": "registry_set_add_port_monitor.yml" }, 
@@ -36943,10 +36886,10 @@ "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -36957,7 +36900,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_hide_file.yml" }, 
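Review bot: The rule requires `NewValue = 'DWORD (0x00000000)'` for both values, but for Explorer's `Hidden` value the documented "do not show hidden files" setting is 2 (1 = show) and 0 is not a documented state, so a write of `Hidden = 2`, which is what the renamed title "Displaying Hidden Files Feature Disabled" describes, is not caught; `ShowSuperHidden` does use 0 for off, so that half is fine. If the value rendering stays as is, the selection should be split so the `Hidden` branch also accepts `DWORD (0x00000002)`, e.g. `(TargetObject LIKE '%\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000002)'))`. This comes from the upstream Sigma rule, so the change belongs in `registry_set_hide_file.yml` followed by a regeneration.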
@@ -36980,25 +36923,6 @@ ], "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" - }, { "title": "Tamper With Sophos AV Registry Keys", "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", @@ -37057,7 +36981,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -37071,7 +36995,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -37380,25 +37304,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", @@ -37541,10 +37446,10 @@ "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", 
@@ -37558,7 +37463,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "registry_event_portproxy_registry_key.yml" }, 
@@ -37577,7 +37482,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], "filename": "registry_event_runonce_persistence.yml" }, 
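Review bot: The Chrome/Edge exclusion in the new `registry_event_runonce_persistence` query lost its leading anchor: `NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%'` became `NewValue LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%'`, so the filter now matches the installer string anywhere inside the StubPath rather than at its start. Because both Chrome conditions are open-ended on both sides, an attacker can suppress the alert by appending the legitimate `"C:\Program Files\Google\Chrome\Application\<ver>\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level` text as trailing arguments to their own command, and the same prefix-padding works against the Edge branch. If the quote was dropped because Security 4657 does not report the value quoted, keep at least the drive anchor, e.g. `NewValue LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' OR NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%'`. These rulesets appear to be generated from Sigma, so the correction presumably belongs in the conversion pipeline rather than in the JSON itself.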
@@ -37920,18 +37825,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
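Review bot: The new `registry_event_ssp_added_lsa_config` query excludes every write performed by `C:\\\\Windows\\\\system32\\\\msiexec.exe` or `C:\\\\Windows\\\\syswow64\\\\MsiExec.exe`, so an attacker who registers the SSP DLL through an MSI package (`msiexec /i` against a dropped or remote MSI) bypasses the rule entirely, and with the level lowered from critical to high and falsepositives changed from "Unlikely" to "Unknown" the analyst gets no hint of that gap. Consider stating it explicitly, e.g. add `Writes performed by msiexec.exe are filtered out; SSPs registered via MSI installers are not detected by this rule` to `falsepositives` or the description, so consumers of the generated ruleset know to hunt msiexec-sourced changes to `Security Packages` separately. The doubled wrapper in `NOT (((...))))` is harmless but suggests the generator emitted an empty group.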
@@ -38840,7 +38745,7 @@ "title": "Files With System Process Name In Unsuspected Locations", "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -38850,9 +38755,9 @@ "System processes copied outside their default folders for testing purposes", "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR 
(NewProcessName LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], "filename": "file_event_win_creation_system_file.yml" }, 
@@ -39152,18 +39057,19 @@ "title": "EVTX Created In Uncommon Location", "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", "author": "D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ - "Administrator or backup activity" + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". 
See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))" ], "filename": "file_event_win_create_evtx_non_common_locations.yml" }, 
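Review bot: The container base-image exclusion in the new `file_event_win_create_evtx_non_common_locations` query can never match: `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\'` has no trailing `%`, so it requires the path to end in `Logs\`, which contradicts the rule's own `TargetFilename LIKE '%.evtx'` condition. Every EVTX written under `C:\ProgramData\Microsoft\Windows\Containers\BaseImages\...\Windows\System32\winevt\Logs\` will therefore still alert; the condition should read `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%'` (this looks like a `contains` rendered as `endswith` in the conversion and was already present before this change). Separately, the first exclusion is now anchored to `C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%` where the previous one was drive-agnostic (`%:\\\\Windows\\\\...`), so hosts with Windows installed on another drive letter will fire on every routine log write; consider `%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%` unless the `C:` anchoring is intentional.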
@@ -46678,6 +46584,25 @@ ], "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_exploit_cve_2022_30190_msdt_follina.yml" + }, { "title": "Potential CVE-2022-26809 Exploitation Attempt", "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", 
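Review bot: The re-added Follina rule still anchors on a hive alias, `TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%'`, while every other Security-channel 4657 rule touched in this patch moved from `HKLM\\\\...` prefixes to `%\\\\...` wildcards. Security 4657 typically reports `ObjectName` as a kernel registry path (`\REGISTRY\MACHINE\SOFTWARE\Classes\...` for what regedit shows as HKCR), so an `HKCR\` prefix is unlikely to ever match and the rule is effectively dead in this ruleset — worth confirming against a sample event. Suggest `TargetObject LIKE '%\\\\Classes\\\\ms-msdt\\\\%'` (or the broader `'%\\\\ms-msdt\\\\%'` to also catch per-user class registrations), applied in the Sigma conversion these files appear to be generated from rather than in the JSON.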
@@ -47230,6 +47155,25 @@ ], "filename": "win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
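Review bot: The description of the new Kemp LoadMaster rule says "exploitation of CVE-2024-1709", which is the ScreenConnect CVE of the rule directly above it; the title, tag and filename all say CVE-2024-1212, so the description should read `Detects potential exploitation of CVE-2024-1212 an unauthenticated command injection in Progress Kemp LoadMaster.` Also, the query tests `param=enableapi` and `value=1` against `cs-uri-stem`; in W3C/IIS-style logs the stem excludes the query string (which is carried in `cs-uri-query`), so unless the Zircolite field mapping folds the full request URI into `cs-uri-stem` these two conditions would never be true — please verify against a real log line. The filename `web_exploit_cve_2024_1212_.yml` with a trailing underscore also looks like an unfinished rename.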
@@ -47267,6 +47211,65 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\' AND CommandLine LIKE '%.doc' ESCAPE '\\')" + ], + "filename": "proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND NewValue LIKE '%-nop -w 
h%' ESCAPE '\\' AND NewValue LIKE '%$env%' ESCAPE '\\' AND NewValue LIKE '%explorer.exe%' ESCAPE '\\' AND NewValue LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\') AND NOT (((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_malware_kamikakabot_schtasks_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -47700,6 +47703,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\' OR NewValue LIKE '%.vbe%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
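Review bot: The title of the new CVE-2020-1048 rule is "Suspicious New Printer Ports", but the query only accepts `OperationType LIKE 'Existing registry value modified'`, and adding a printer port creates a new value under `...\CurrentVersion\Ports`, which Security 4657 logs as "New registry value created". As written the rule only fires when an existing port's data is rewritten, missing the primary exploitation path; the `registry_event_*` rules in this same file use `OperationType IN ('New registry value created', 'Existing registry value modified')` and this rule should too. Since these JSON files appear to be generated from Sigma, the fix presumably belongs in the `registry_set` logsource mapping used by the generator (Sysmon EventID 13 SetValue covers both create and modify, which is what `registry_set` rules assume).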
@@ -48255,6 +48280,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", 
@@ -48983,6 +49027,26 @@ ], "filename": "proc_creation_win_tasklist_basic_execution.yml" }, + { + "title": "CMD Shell Output Redirect", + "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "status": "test", + "description": "Detects the use of the redirection character \">\" to redirect information on the command line.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", + "author": "frack113", + "tags": [ + "attack.discovery", + "attack.t1082", + "detection.threat_hunting" + ], + "falsepositives": [ + "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_cmd_redirect.yml" + }, { "title": "Curl.EXE Execution", "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", 
@@ -49331,6 +49395,26 @@ ], "filename": "registry_set_office_trusted_location.yml" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND NewValue LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))) AND NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR 
(TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\')))" + ], + "filename": "registry_set_service_image_path_user_controlled_folder.yml" + }, { "title": "Shell Context Menu Command Tampering", "id": "868df2d1-0939-4562-83a7-27408c4a1ada", diff --git a/rules/rules_windows_generic_high.json b/rules/rules_windows_generic_high.json index 2d7eba3..acd78d2 100644 --- a/rules/rules_windows_generic_high.json +++ b/rules/rules_windows_generic_high.json @@ -6764,7 +6764,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
@@ -9352,7 +9352,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -16798,27 +16798,6 @@ ], "filename": "registry_set_fax_dll_persistance.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -16876,10 +16855,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
@@ -16890,12 +16869,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
@@ -16933,10 +16912,10 @@ "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -16947,7 +16926,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((NewValue = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -16989,23 +16968,6 @@ ], "filename": "registry_set_office_disable_protected_view_features.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
@@ -17544,7 +17506,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR 
NewValue LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewValue LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -17658,7 +17620,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE 
'\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -17720,7 +17682,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
@@ -17735,7 +17697,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((NewValue LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR NewValue LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, 
@@ -17852,10 +17814,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -17866,11 +17828,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -18044,7 +18006,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -18160,10 +18122,10 @@ "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -18174,7 +18136,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -18449,25 +18411,6 @@ ], "filename": "registry_set_uac_bypass_wmp.yml" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", 
@@ -18601,7 +18544,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -18615,7 +18558,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -18789,25 +18732,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", 
@@ -19190,18 +19114,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
@@ -19583,26 +19507,6 @@ ], "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 
'%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" - ], - "filename": "file_event_win_creation_system_file.yml" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", 
@@ -19783,25 +19687,6 @@ ], "filename": "file_event_win_wmiexec_default_filename.yml" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" - ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -26156,6 +26041,25 @@ ], "filename": "web_exploit_cve_2024_1709_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
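Review bot: The description of the new rule says it detects exploitation of CVE-2024-1709, the ScreenConnect CVE of the rule just above it, while the title, tag and filename say CVE-2024-1212; the first sentence should read `Detects potential exploitation of CVE-2024-1212 an unauthenticated command injection in Progress Kemp LoadMaster.` The filename `web_exploit_cve_2024_1212_.yml` also ends in a dangling underscore, which looks like a truncated upstream name. On the SQL side, `cs-method` and `cs-uri-stem` are bare identifiers, and SQLite reads a hyphen in an unquoted identifier as subtraction, so the statement only prepares if ingestion renames these fields or the backend quotes them; confirm before the ruleset ships. In W3C/IIS logs the `param=enableapi` and `value=1` tests belong to the query string (`cs-uri-query`) rather than `cs-uri-stem`, so the two LIKEs on `cs-uri-stem` may never match unless the full request URI is stored in that field.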
@@ -26193,6 +26097,26 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND NewValue LIKE '%-nop -w h%' ESCAPE '\\' AND NewValue LIKE '%$env%' ESCAPE '\\' AND NewValue LIKE '%explorer.exe%' ESCAPE '\\' AND NewValue LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
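Review bot: The new rule only accepts `OperationType LIKE 'Existing registry value modified'`, so a 4657 event whose OperationType is 'New registry value created' is ignored; the `%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell` pattern matches both the HKLM and the per-user hive, and in the per-user hive the Shell value is typically not present by default, so the first write there is a creation and would slip past. The SSP and FlowCloud rules in this same diff use `OperationType IN ('New registry value created', 'Existing registry value modified')`, which would be the consistent choice here. The CVE-2020-1048 printer-port rule in the next hunk carries the same restriction even though its title is about new ports.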
@@ -26602,6 +26526,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\' OR NewValue LIKE '%.vbe%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
@@ -27157,6 +27103,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", diff --git a/rules/rules_windows_generic_medium.json b/rules/rules_windows_generic_medium.json index 943fab9..24756c7 100644 --- a/rules/rules_windows_generic_medium.json +++ b/rules/rules_windows_generic_medium.json 
@@ -6532,6 +6532,24 @@ ], "filename": "proc_creation_win_findstr_lsass.yml" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR 
CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_electron_execution_proxy.yml" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", 
@@ -7595,24 +7613,6 @@ ], "filename": "proc_creation_win_pua_rclone_execution.yml" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND ((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE 
'\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_electron_exeuction_proxy.yml" - }, { "title": "HackTool - Quarks PwDump Execution", "id": "0685b176-c816-4837-8e7b-1216f346636b", @@ -14180,7 +14180,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
@@ -18479,7 +18479,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR 
CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -22831,10 +22831,10 @@ "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -22845,7 +22845,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE 
'\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, @@ -31276,27 +31276,6 @@ ], "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", 
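Review bot: The rewritten first OR-group collapses each `> X` / `>X` pair of the old rule into a single `>_X` pattern, and `_` in SQLite LIKE matches exactly one character, so the no-space form (`>%TEMP%\...`, `>C:\Windows\Temp\...`) that the old line matched explicitly is no longer covered by this branch; only the second branch, which additionally requires `C:\Users\` and `\AppData\Local\`, can still catch it. If the single-character wildcard is a translation of an upstream `?`, keeping a `>X` variant per location alongside `>_X` restores the previous coverage. The drive-less `> \\\\Users\\\\Public\\\\` pattern was also dropped without a replacement, whereas `C:\\\\ProgramData\\\\` was added. The hunk starts on the preceding line.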
@@ -31430,10 +31409,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", @@ -31444,7 +31423,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, @@ -31469,7 +31448,7 @@ "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
@@ -31510,7 +31489,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -31523,7 +31502,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\')))" ], "filename": "registry_set_servicedll_hijack.yml" }, 
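Review bot: The new STAgent.dll exclusion at the end of the rule is anchored on the image name only, `NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\'`, while the lsass.exe and poqexec.exe exclusions in the same rule use full `C:\\\\Windows\\\\System32\\\\...` paths; `NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe' ESCAPE '\\'` keeps the exclusion limited to the system binary and consistent with its siblings. It is also appended as a second `AND NOT (...)` clause after the existing exclusion group closes rather than added as one more `OR (...)` member inside it, which is logically equivalent but harder to read when auditing what the rule ignores.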
@@ -31567,10 +31546,10 @@ "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -31581,7 +31560,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (NewValue = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((NewValue = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
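Review bot: The exclusion in the rewritten rule line, `NOT ((NewValue = 'DWORD (0x00000d3d)'))`, only recognises the `DWORD (0x...)` rendering of the default port, which is the Sysmon registry-event Details format; this ruleset is built on Security EventID 4657, and if that event renders NewValue differently a rewrite of the port to its default 3389 would still alert, so the expected 4657 representation should be checked and a second equality added if needed. The doubled parentheses around the comparison are redundant; `NOT (NewValue = 'DWORD (0x00000d3d)')` reads the same. The rule hunk starts after the title/description hunk on this same line.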
@@ -31700,23 +31679,6 @@ ], "filename": "registry_set_disable_function_user.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "DNS-over-HTTPS Enabled by Registry", "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", 
@@ -32490,7 +32452,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR 
NewValue LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewValue LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -32642,7 +32604,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE 
'\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -32762,7 +32724,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
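Review bot: The trailing exclusion of the regenerated query, `AND NOT ((NewProcessName = '') OR (NewProcessName = '')))`, repeats the identical comparison twice, so one branch is dead and the rule still carries what looks like a conversion artifact rather than the two distinct filters the source rule presumably had (an empty process name and a missing one). In SQLite `= ''` never matches NULL, so events whose NewProcessName is absent are not excluded the way an empty one is; if both were meant to be filtered the clause should read `AND NOT (NewProcessName = '' OR NewProcessName IS NULL)`. Because this file is generated, the correction belongs in the converter or the upstream Sigma rule rather than in the JSON itself, but the regeneration is the moment to notice it.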
@@ -32777,7 +32739,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((NewValue LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR NewValue LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -32835,7 +32797,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_administrative_share.yml" }, 
@@ -32967,7 +32929,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_defender_firewall.yml" }, @@ -33082,10 +33044,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -33096,11 +33058,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -33166,7 +33128,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
@@ -33176,7 +33138,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE 
'%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_persistence_ifilter.yml" }, 
@@ -33426,7 +33388,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -33636,10 +33598,10 @@ "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -33650,7 +33612,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -34097,25 +34059,6 @@ ], "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, - { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" - ], - "filename": "registry_set_creation_service_uncommon_folder.yml" - }, { "title": "UAC Bypass Using Windows Media Player - Registry", "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", 
@@ -34168,9 +34111,9 @@ "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], "filename": "registry_set_add_port_monitor.yml" }, 
@@ -34288,10 +34231,10 @@ "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -34302,7 +34245,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_hide_file.yml" }, 
@@ -34325,25 +34268,6 @@ ], "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" - }, { "title": "Tamper With Sophos AV Registry Keys", "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", @@ -34402,7 +34326,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -34416,7 +34340,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -34705,25 +34629,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", @@ -34866,10 +34771,10 @@ "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", 
@@ -34883,7 +34788,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "registry_event_portproxy_registry_key.yml" }, 
@@ -34902,7 +34807,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], "filename": "registry_event_runonce_persistence.yml" }, 
@@ -35245,18 +35150,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
@@ -36108,7 +36013,7 @@ "title": "Files With System Process Name In Unsuspected Locations", "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -36118,9 +36023,9 @@ "System processes copied outside their default folders for testing purposes", "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR 
(NewProcessName LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], "filename": "file_event_win_creation_system_file.yml" }, 
@@ -36402,18 +36307,19 @@ "title": "EVTX Created In Uncommon Location", "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", "author": "D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ - "Administrator or backup activity" + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". 
See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))" ], "filename": "file_event_win_create_evtx_non_common_locations.yml" }, 
@@ -43754,6 +43660,25 @@ ], "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_exploit_cve_2022_30190_msdt_follina.yml" + }, { "title": "Potential CVE-2022-26809 Exploitation Attempt", "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", 
@@ -44306,6 +44231,25 @@ ], "filename": "win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
@@ -44343,6 +44287,65 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4688' AND Channel = 'Security' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\' AND CommandLine LIKE '%.doc' ESCAPE '\\')" + ], + "filename": "proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND NewValue LIKE '%-nop -w 
h%' ESCAPE '\\' AND NewValue LIKE '%$env%' ESCAPE '\\' AND NewValue LIKE '%explorer.exe%' ESCAPE '\\' AND NewValue LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4688' AND Channel = 'Security') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\') AND NOT (((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_malware_kamikakabot_schtasks_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -44776,6 +44779,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\' OR NewValue LIKE '%.vbe%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
@@ -45331,6 +45356,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '4657' AND OperationType IN ('New registry value created', 'Existing registry value modified') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", 
@@ -46034,6 +46078,26 @@ ], "filename": "registry_set_office_trusted_location.yml" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND NewValue LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))) AND NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR 
(TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\')))" + ], + "filename": "registry_set_service_image_path_user_controlled_folder.yml" + }, { "title": "Non-DLL Extension File Renamed With DLL Extension", "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", diff --git a/rules/rules_windows_generic_pysigma.json b/rules/rules_windows_generic_pysigma.json index bd2fa3b..b6582c5 100644 --- a/rules/rules_windows_generic_pysigma.json +++ b/rules/rules_windows_generic_pysigma.json 
@@ -800,29 +800,6 @@ ], "filename": "" }, - { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", "id": "55e29995-75e7-451a-bef0-6225e2f13597", 
@@ -842,25 +819,6 @@ ], "filename": "" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "" - }, { "title": "OilRig APT Registry Persistence", "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", 
@@ -1005,25 +963,6 @@
 ],
 "filename": ""
 },
- {
- "title": "Security Support Provider (SSP) Added to LSA Configuration",
- "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc",
- "status": "test",
- "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.",
- "author": "iwillkeepwatch",
- "tags": [
- "attack.persistence",
- "attack.t1547.005"
- ],
- "falsepositives": [
- "Unlikely"
- ],
- "level": "critical",
- "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND (NOT (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))"
- ],
- "filename": ""
- },
 {
 "title": "Pandemic Registry Key",
 "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed",
@@ -3183,6 +3122,25 @@
 ],
 "filename": ""
 },
+ {
+ "title": "FlowCloud Registry Markers",
+ "id": "5118765f-6657-4ddb-a487-d7bd673abbf1",
+ "status": "test",
+ "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n",
+ "author": "NVISO",
+ "tags": [
+ "attack.persistence",
+ "attack.t1112"
+ ],
+ "falsepositives": [
+ "Unlikely"
+ ],
+ "level": "critical",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Malicious Driver Load",
 "id": "05296024-fe8a-4baf-8f3d-9a5f5624ceb2",
@@ -9614,7 +9572,7 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName='reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\')))"
+ "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName='reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\')))"
 ],
 "filename": ""
 },
@@ -12164,7 +12122,7 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\') OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))))"
+ "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE 
'%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\') OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))))"
 ],
 "filename": ""
 },
@@ -19275,27 +19233,6 @@
 ],
 "filename": ""
 },
- {
- "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)",
- "id": "7ec912f2-5175-4868-b811-ec13ad0f8567",
- "status": "test",
- "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048",
- "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO",
- "tags": [
- "attack.persistence",
- "attack.execution",
- "attack.defense_evasion",
- "attack.t1112"
- ],
- "falsepositives": [
- "New printer port install on host"
- ],
- "level": "high",
- "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\')))"
- ],
- "filename": ""
- },
 {
 "title": "Potential Persistence Via Excel Add-in - Registry",
 "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82",
@@ -19353,10 +19290,10 @@
 "filename": ""
 },
 {
- "title": "Disable Sysmon Event Logging Via Registry",
+ "title": "Sysmon Driver Altitude Change",
 "id": "4916a35e-bfc4-47d0-8e25-a003d7067061",
 "status": "experimental",
- "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.",
+ "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n",
 "author": "B.Talebi",
 "tags": [
 "attack.defense_evasion",
@@ -19367,12 +19304,12 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\'))"
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\'))"
 ],
 "filename": ""
 },
 {
- "title": "Office Macros Auto-Enabled",
+ "title": "Office Macros Warning Disabled",
 "id": "91239011-fe3c-4b54-9f24-15c86bb65913",
 "status": "test",
 "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.",
@@ -19410,10 +19347,10 @@
 "filename": ""
 },
 {
- "title": "Changing RDP Port to Non Standard Number",
+ "title": "Default RDP Port Changed to Non Standard Port",
 "id": "509e84b9-a71a-40e0-834f-05470369bd1e",
 "status": "test",
- "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n",
+ "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n",
 "author": "frack113",
 "tags": [
 "attack.persistence",
@@ -19424,7 +19361,7 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND (NOT NewValue='DWORD (0x00000d3d)')))"
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND (NOT NewValue='DWORD (0x00000d3d)')))"
 ],
 "filename": ""
 },
@@ -19466,24 +19403,6 @@
 ],
 "filename": ""
 },
- {
- "title": "Adwind RAT / JRAT - Registry",
- "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5",
- "status": "experimental",
- "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
- "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community",
- "tags": [
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007"
- ],
- "falsepositives": [],
- "level": "high",
- "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\'))"
- ],
- "filename": ""
- },
 {
 "title": "Execution DLL of Choice Using WAB.EXE",
 "id": "fc014922-5def-4da9-a0fc-28c973f41bfb",
@@ -20022,7 +19941,7 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\'))))"
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((NewValue LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\'))) AND 
(NOT (NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (NewValue LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))))"
 ],
 "filename": ""
 },
@@ -20136,7 +20055,7 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue='DWORD (0x00000000)') AND (NOT (NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND (NOT (NewProcessName='' OR NewProcessName IS NULL))))"
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue='DWORD (0x00000000)') AND (NOT 
(NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND (NOT (NewProcessName='' OR NewProcessName IS NULL))))"
 ],
 "filename": ""
 },
@@ -20198,7 +20117,7 @@
 "filename": ""
 },
 {
- "title": "Set TimeProviders DllName",
+ "title": "New TimeProviders Registered With Uncommon DLL Name",
 "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85",
 "status": "experimental",
 "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n",
@@ -20213,7 +20132,7 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND (NOT NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\')))"
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND (NOT (NewValue LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR NewValue LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))"
 ],
 "filename": ""
 },
@@ -20329,6 +20248,29 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Potential CobaltStrike Service Installations - Registry",
+ "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130",
+ "status": "test",
+ "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n",
+ "author": "Wojciech Lesicki",
+ "tags": [
+ "attack.execution",
+ "attack.privilege_escalation",
+ "attack.lateral_movement",
+ "attack.t1021.002",
+ "attack.t1543.003",
+ "attack.t1569.002"
+ ],
+ "falsepositives": [
+ "Unlikely"
+ ],
+ "level": "high",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\'))))"
+ ],
+ "filename": ""
+ },
 {
 "title": "RDP Sensitive Settings Changed",
 "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c",
@@ -20499,7 +20441,7 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue='Service') AND (NOT (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\')))))"
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue='Service') AND (NOT (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\')))))"
 ],
 "filename": ""
 },
@@ -20615,10 +20557,10 @@
 "filename": ""
 },
 {
- "title": "Change Winevt Event Access Permission Via Registry",
+ "title": "Change Winevt Channel Access Permission Via Registry",
 "id": "7d9263bd-dc47-4a58-bc92-5474abab390c",
 "status": "experimental",
- "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel",
+ "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.",
 "author": "frack113",
 "tags": [
 "attack.defense_evasion",
@@ -20629,7 +20571,7 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND (NOT (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\'))))"
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND (NOT (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))))"
 ],
 "filename": ""
 },
@@ -20904,25 +20846,6 @@
 ],
 "filename": ""
 },
- {
- "title": "Add Port Monitor Persistence in Registry",
- "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e",
- "status": "experimental",
- "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n",
- "author": "frack113",
- "tags": [
- "attack.persistence",
- "attack.t1547.010"
- ],
- "falsepositives": [
- "Unknown"
- ],
- "level": "high",
- "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND (NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\' OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))))"
- ],
- "filename": ""
- },
 {
 "title": "Suspicious Shim Database Patching Activity",
 "id": "bf344fea-d947-4ef4-9192-34d008315d3a",
@@ -21056,7 +20979,7 @@
 "filename": ""
 },
 {
- "title": "Windows Defender Service Disabled",
+ "title": "Windows Defender Service Disabled - Registry",
 "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a",
 "status": "experimental",
 "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry",
@@ -21070,7 +20993,7 @@
 ],
 "level": "high",
 "rule": [
- "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue='DWORD (0x00000004)'))"
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue='DWORD (0x00000004)'))"
 ],
 "filename": ""
 },
@@ -21460,6 +21383,25 @@
 ],
 "filename": ""
 },
+ {
+ "title": "Security Support Provider (SSP) Added to LSA Configuration",
+ "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc",
+ "status": "test",
+ "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n",
+ "author": "iwillkeepwatch",
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.005"
+ ],
+ "falsepositives": [
+ "Unknown"
+ ],
+ "level": "high",
+ "rule": [
+ "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND ((TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND (NOT (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))"
+ ],
+ "filename": ""
+ },
 {
 "title": "WINEKEY Registry Modification",
 "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5",
@@ -21698,26 +21640,6 @@
 ],
 "filename": ""
 },
- {
- "title": "Files With System Process Name In Unsuspected Locations",
- "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d",
- "status": "test",
- "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n",
- "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)",
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.005"
- ],
- "falsepositives": [
- "System processes copied outside their default folders for testing purposes",
- "Third party software naming their software with the same names as the processes mentioned here"
- ],
- "level": "high",
- "rule": [
- "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND (NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND 
(TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))"
- ],
- "filename": ""
- },
 {
 "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique",
 "id": "07a99744-56ac-40d2-97b7-2095967b0e03",
@@ -21879,25 +21801,6 @@
 ],
 "filename": ""
 },
- {
- "title": "EVTX Created In Uncommon Location",
- "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb",
- "status": "experimental",
- "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls",
- "author": "D3F7A5105",
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.002"
- ],
- "falsepositives": [
- "Administrator or backup activity"
- ],
- "level": "high",
- "rule": [
- "SELECT * FROM logs WHERE TargetFilename LIKE '%.evtx' ESCAPE '\\' AND (NOT (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\')))"
- ],
- "filename": ""
- },
 {
 "title": "Typical HiveNightmare SAM File Export",
 "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7",
@@ -26586,6 +26489,26 @@ ], "filename": "" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND (NewValue LIKE '%-nop -w h%' ESCAPE '\\' AND NewValue LIKE '%$env%' ESCAPE '\\' AND NewValue LIKE '%explorer.exe%' ESCAPE '\\' AND NewValue LIKE '%Start-Process%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -26837,6 +26760,28 @@ ], "filename": "" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\' OR NewValue LIKE '%.vbe%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
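Review bot: The new CVE-2020-1048 rule only accepts `OperationType='Existing registry value modified'` on EventID 4657, but registering a printer port adds a new value under the `Ports` key, which 4657 reports as a new value rather than a modification, so the very scenario the description names would be missed. The same restriction appears in the MaxMpxCt rule (hunk -30630) and in the Defender Exclusions and Port Monitor rules (hunk -47284), where the value being written is likewise typically new rather than pre-existing. Other 4657 rules on this page already take both forms, e.g. the PortProxy rule in hunk -47587: `(EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified'))`. If this JSON is produced by the Sigma-to-SQL conversion, the mapping of registry-write rules to 4657 is where the fix belongs rather than the generated file; note also that 4657 only fires for keys carrying an audit SACL, which no rule text can compensate for.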
@@ -29611,25 +29556,6 @@ ], "filename": "" }, - { - "title": "CMD Shell Output Redirect", - "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "status": "test", - "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", - "author": "frack113", - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "falsepositives": [ - "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" - ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((OriginalFileName='Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND (NOT (CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Detect Virtualbox Driver Installation OR Starting Of VMs", "id": "bab049ca-7471-4828-9024-38279a4c04da", 
@@ -30630,6 +30556,25 @@ ], "filename": "" }, + { + "title": "MaxMpxCt Registry Value Changed", + "id": "0e6a9e62-627e-496c-aef5-bfa39da29b5e", + "status": "experimental", + "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\MaxMpxCt' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "New ODBC Driver Registered", "id": "3390fbef-c98d-4bdd-a863-d65ed7c610dd", 
@@ -31210,6 +31155,26 @@ ], "filename": "" }, + { + "title": "CMD Shell Output Redirect", + "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "status": "test", + "description": "Detects the use of the redirection character \">\" to redirect information on the command line.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", + "author": "frack113", + "tags": [ + "attack.discovery", + "attack.t1082", + "detection.threat_hunting" + ], + "falsepositives": [ + "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((OriginalFileName='Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND (NOT (CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "Curl.EXE Execution", "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", 
@@ -35088,6 +35053,24 @@ ], "filename": "" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName='chrome.exe' OR OriginalFileName='code.exe' OR OriginalFileName='discord.exe' OR OriginalFileName='GitHubDesktop.exe' OR OriginalFileName='keybase.exe' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName='msedge.exe' OR OriginalFileName='msedgewebview2.exe' OR OriginalFileName='msteams.exe' OR OriginalFileName='slack.exe' OR OriginalFileName='Teams.exe')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": 
"15434e33-5027-4914-88d5-3d4145ec25a9", 
@@ -35612,24 +35595,6 @@ ], "filename": "" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (((NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\code.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName='chrome.exe' OR OriginalFileName='code.exe' OR OriginalFileName='discord.exe' OR OriginalFileName='GitHubDesktop.exe' OR OriginalFileName='keybase.exe' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName='msedge.exe' OR OriginalFileName='msedgewebview2.exe' OR OriginalFileName='msteams.exe' OR OriginalFileName='slack.exe' OR OriginalFileName='Teams.exe')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Remote Access Tool - NetSupport Execution", "id": 
"758ff488-18d5-4cbe-8ec4-02b6285a434f", @@ -42695,10 +42660,10 @@ "filename": "" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -42709,7 +42674,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName='Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName='Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR 
((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))))" ], "filename": "" }, @@ -46211,7 +46176,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
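Review bot: In the rewritten rule the `_` in `'%>_\\%APPDATA\\%\\\\%'` (and the seven sibling patterns) is an unescaped SQL LIKE single-character wildcard, so each pattern now requires exactly one character between `>` and the path; the previous version matched both `> %APPDATA%\` and `>%APPDATA%\`, and the no-space form, the most common way to write a redirect, no longer matches. If the intent is an optional space, keep the two explicit variants as before (`'%> \\%APPDATA\\%\\\\%'` and `'%>\\%APPDATA\\%\\\\%'`), or use `'%>%\\%APPDATA\\%\\\\%'` (`%` matches zero or more characters) at the cost of also matching a `>` anywhere earlier in the command line. The new list also drops the drive-less `>\Users\Public\` variant while adding `C:\ProgramData\`; if this file is generated from Sigma sources, both points belong in the upstream rule rather than here. The hunk starts mid-rule, so the rule object's title and id are in the preceding hunk.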
@@ -46224,7 +46189,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND (NOT (NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND (NOT (NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')) AND (NOT (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\'))))" ], "filename": "" }, 
@@ -46691,7 +46656,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue='DWORD (0x00000000)'))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND NewValue='DWORD (0x00000000)'))" ], "filename": "" }, @@ -46767,7 +46732,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue='DWORD (0x00000000)'))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue='DWORD (0x00000000)'))" ], "filename": "" }, 
@@ -46867,7 +46832,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
@@ -46877,7 +46842,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR 
TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE 
'%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -47284,40 +47249,40 @@ "filename": "" }, { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Exclusions Added - Registry", + "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", + "status": "test", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND (NewValue='DWORD (0x00000000)' OR NewValue='DWORD (0x00000001)' OR NewValue='DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND (NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], "filename": 
"" }, { - "title": "Windows Defender Exclusions Added - Registry", - "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", - "status": "test", - "description": "Detects the Setting of Windows Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", + "status": "experimental", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ - "Administrator actions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND (NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\' OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -47379,10 +47344,10 @@ "filename": "" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -47393,26 +47358,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue='DWORD (0x00000000)'))" - ], - "filename": "" - }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue='DWORD (0x00000000)'))" ], "filename": "" }, 
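Review bot: The "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" rule (id 2d9403d5-7927-46b7-8216-37ab7c9ec5e3) is removed in this hunk while the neighbouring "Displaying Hidden Files Feature Disabled" rule gets its `HKLM\\...` prefix relaxed to `%\\...`; the MSDT rule's `HKCR\\ms-msdt\\%` pattern would have needed the same treatment, and nothing on the page re-adds it. Two other rules disappear the same way without being re-added in the visible hunks: "EVTX Created In Uncommon Location" (65236ec7-ace0-4f0c-82fd-737b04fd4dcb, hunk -21879) and "Service Binary in Uncommon Folder" (277dc340-0540-42e7-8efb-5ff460045e07, hunk -47284). The commit message ("Update docs and rules") does not say whether these drops are intended, e.g. upstream deprecation, or a conversion failure; a sentence in the description listing the removed rule ids would make the loss of coverage reviewable.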
@@ -47570,10 +47516,10 @@ "filename": "" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", @@ -47587,7 +47533,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "" }, 
@@ -47606,7 +47552,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND (NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND (OperationType='New registry value created' OR OperationType='Existing registry value modified')) AND ((TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND (NOT ((NewValue LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -48136,6 +48082,26 @@ ], "filename": "" }, + { + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "status": "test", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], + "falsepositives": [ + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND (NOT ((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\') OR (Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR Image LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE 
'%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "TeamViewer Remote Session", "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", @@ -48230,6 +48196,26 @@ ], "filename": "" }, + { + "title": "EVTX Created In Uncommon Location", + "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "status": "experimental", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", + "author": "D3F7A5105", + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "falsepositives": [ + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE TargetFilename LIKE '%.evtx' ESCAPE '\\' AND (NOT (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "Potential Webshell Creation On Static Website", "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", 
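Review bot: The container exclusion in the new "EVTX Created In Uncommon Location" rule can never match: the outer condition requires TargetFilename to end with `.evtx`, but the second half of that filter requires the same field to end with `\Windows\System32\winevt\Logs\` (the LIKE pattern has no trailing `%`), so the `(... BaseImages ... AND ... Logs\)` branch is always false and only the `C:\Windows\System32\winevt\Logs\` prefix exclusion is effective. If the intent is to suppress EVTX files written inside container base images, the second pattern should be a contains match, `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\'`. This rule appears to be converted from an upstream Sigma source, so the correction presumably belongs there rather than in the generated JSON.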
@@ -49643,6 +49629,25 @@ ], "filename": "" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "Zimbra Collaboration Suite Email Server Unauthenticated RCE", "id": "dd218fb6-4d02-42dc-85f0-a0a376072efd", 
@@ -49743,6 +49748,45 @@ ], "filename": "" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\') AND CommandLine LIKE '%.doc' ESCAPE '\\'))" + ], + "filename": "" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND (EventID=4688 AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\')) AND (NOT (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + ], + "filename": "" + 
}, { "title": "Exploit for CVE-2017-0261", "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", 
@@ -50450,6 +50494,26 @@ ], "filename": "" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Security' AND ((EventID=4657 AND OperationType='Existing registry value modified') AND (((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND NewValue LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' ESCAPE '\\' 
AND (NewValue LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\'))))))" + ], + "filename": "" + }, { "title": "Non-DLL Extension File Renamed With DLL Extension", "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", diff --git a/rules/rules_windows_sysmon.json b/rules/rules_windows_sysmon.json index 322ddd6..fd8a09f 100644 --- a/rules/rules_windows_sysmon.json +++ b/rules/rules_windows_sysmon.json @@ -6764,7 +6764,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
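Review bot: The new "Service Binary in User Controlled Folder" rule only accepts `OperationType='Existing registry value modified'`, so an `ImagePath` written when a service is first registered — presumably logged as a newly created value — is not covered, whereas the PortProxy rule in the same file (hunk at line 309) matches both operation types. If modification-only scope is intended, a sentence in the description saying so would help; otherwise the clause should read `(OperationType='New registry value created' OR OperationType='Existing registry value modified')` as in that rule. As with the other EventID 4657 rules here, it also depends on registry object auditing being configured for the Services keys, which neither the description nor the falsepositives field mentions.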
@@ -9352,7 +9352,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine 
LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -16798,27 +16798,6 @@ ], "filename": "registry_set_fax_dll_persistance.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -16876,10 +16855,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
@@ -16890,12 +16869,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", @@ -16933,10 +16912,10 @@ "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -16947,7 +16926,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((Details = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, @@ -16989,23 +16968,6 @@ ], "filename": "registry_set_office_disable_protected_view_features.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
@@ -17544,7 +17506,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((Image LIKE 
'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND Details LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -17658,7 +17620,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -17720,7 +17682,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
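Review bot: The trailing exclusion `AND NOT ((Image = '') OR (Image = ''))` in the rewritten "registry_set_disable_winevt_logging" query repeats the same comparison twice; it is present on the old side as well, but it survives unchanged into the new rule. This looks like an upstream null filter and an empty-string filter both rendered as `Image = ''` by the converter — worth confirming, since in SQL a NULL Image makes the comparison NULL and the WHERE clause drops the row regardless, so the duplicate is redundant rather than harmful. Collapsing it to `AND NOT (Image = '')`, or rendering the null case as `Image IS NULL`, would make the intent legible.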
@@ -17735,7 +17697,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((Details LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR Details LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -17852,10 +17814,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -17866,11 +17828,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -18044,7 +18006,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -18160,10 +18122,10 @@ "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -18174,7 +18136,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -18449,25 +18411,6 @@ ], "filename": "registry_set_uac_bypass_wmp.yml" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", 
@@ -18601,7 +18544,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -18615,7 +18558,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -18789,25 +18732,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", 
@@ -19190,18 +19114,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
@@ -19583,26 +19507,6 @@ ], "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 
'%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" - ], - "filename": "file_event_win_creation_system_file.yml" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", 
@@ -19783,25 +19687,6 @@ ], "filename": "file_event_win_wmiexec_default_filename.yml" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" - ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -26156,6 +26041,25 @@ ], "filename": "web_exploit_cve_2024_1709_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
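Review bot: The new rule titled "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection" carries a description that names a different vulnerability, `Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.`, while the tag says `cve.2024.1212`; an analyst triaging a hit will be pointed at the wrong advisory. The description should read `Detects potential exploitation of CVE-2024-1212, an unauthenticated command injection in Progress Kemp LoadMaster.` so that title, tag and description agree. The `filename` value `web_exploit_cve_2024_1212_.yml` also ends in a stray underscore; worth confirming it matches the source rule file. Since these ruleset JSON files appear to be converted from Sigma sources, the correction probably belongs in the upstream rule and then a regeneration, rather than a hand edit here.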
@@ -26193,6 +26097,26 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND Details LIKE '%-nop -w h%' ESCAPE '\\' AND Details LIKE '%$env%' ESCAPE '\\' AND Details LIKE '%explorer.exe%' ESCAPE '\\' AND Details LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -26602,6 +26526,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\' OR Details LIKE '%.vbe%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
@@ -27157,6 +27103,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", diff --git a/rules/rules_windows_sysmon_full.json b/rules/rules_windows_sysmon_full.json index b010f24..fae0a4d 100644 --- a/rules/rules_windows_sysmon_full.json +++ b/rules/rules_windows_sysmon_full.json 
@@ -7257,6 +7257,24 @@ ], "filename": "proc_creation_win_findstr_lsass.yml" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE 
'%--utility-cmd-prefix%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_electron_execution_proxy.yml" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", 
@@ -8341,24 +8359,6 @@ ], "filename": "proc_creation_win_pua_rclone_execution.yml" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR 
CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_electron_exeuction_proxy.yml" - }, { "title": "HackTool - Quarks PwDump Execution", "id": "0685b176-c816-4837-8e7b-1216f346636b", @@ -15277,7 +15277,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
@@ -19908,7 +19908,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine 
LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -20299,25 +20299,6 @@ ], "filename": "proc_creation_win_cmdkey_recon.yml" }, - { - "title": "CMD Shell Output Redirect", - "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "status": "test", - "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", - "author": "frack113", - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "falsepositives": [ - "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" - ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" - ], - "filename": "proc_creation_win_cmd_redirect.yml" - }, { "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", 
@@ -24415,10 +24396,10 @@ "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -24429,7 +24410,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, @@ -33796,27 +33777,6 @@ ], "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", 
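Review bot: In the rewritten selection `CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\'` the `_` is the SQLite LIKE single-character wildcard, so the pattern demands exactly one character between `>` and the path: `> C:\Temp\` and `>>C:\Temp\` match, but the bare `>C:\Temp\` form that the removed `'%>C:\\\\Temp\\\\%'` entries covered no longer does, and the same holds for the `%APPDATA%`, `%TEMP%`, `%TMP%`, `%USERPROFILE%`, `C:\ProgramData\`, `C:\Users\Public\` and `C:\Windows\Temp\` entries. If the `_` is pySigma's rendering of a `?` in the upstream Sigma rule this is a faithful conversion rather than a Zircolite bug, but it is still a coverage regression worth either restoring as extra OR terms (e.g. `CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\'`) or raising upstream. The old drive-less `> \Users\Public\` / `>\Users\Public\` entries are dropped as well. The second sub-selection (`% >%` together with `C:\Users\...\AppData\Local\`) is unaffected.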
@@ -33950,10 +33910,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", @@ -33964,7 +33924,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, @@ -33989,7 +33949,7 @@ "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
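Review bot: The altitude selector `TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude'` keys on the literal instance name `Sysmon Instance`, so it only covers a Sysmon driver installed under its default name; if the driver was installed under a custom name (the `-d` install option, which presumably also renames the minifilter instance key) a write to that instance's `Altitude` value would not match. Relaxing the path prefix to `%\\\\Services\\\\%` helps with `ControlSet001`/`ControlSet002` paths but does not address that gap. Since the JSON is converted from Sigma, the fix belongs upstream; at minimum the description should state the limitation, e.g. `"Only covers the default driver/instance name 'Sysmon Instance'; custom driver names are not matched."`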
@@ -34030,7 +33990,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -34043,7 +34003,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\')))" ], "filename": "registry_set_servicedll_hijack.yml" }, 
@@ -34087,10 +34047,10 @@ "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -34101,7 +34061,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((Details = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -34220,23 +34180,6 @@ ], "filename": "registry_set_disable_function_user.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "DNS-over-HTTPS Enabled by Registry", "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", 
@@ -35030,7 +34973,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((Image LIKE 
'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND Details LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -35182,7 +35125,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -35339,7 +35282,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
@@ -35354,7 +35297,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((Details LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR Details LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -35412,7 +35355,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_administrative_share.yml" }, 
@@ -35435,6 +35378,25 @@ ], "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, + { + "title": "MaxMpxCt Registry Value Changed", + "id": "0e6a9e62-627e-496c-aef5-bfa39da29b5e", + "status": "experimental", + "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\MaxMpxCt' ESCAPE '\\')" + ], + "filename": "registry_set_optimize_file_sharing_network.yml" + }, { "title": "Winlogon AllowMultipleTSSessions Enable", "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", @@ -35562,7 +35524,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_defender_firewall.yml" }, 
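Review bot: The new `MaxMpxCt Registry Value Changed` rule has no condition on `Details`, so it fires on every Sysmon Event 13 write to `...\\Services\\LanmanServer\\Parameters\\MaxMpxCt`, including decreases and routine configuration-management or GPO deployments, while the description ties the malicious behaviour specifically to increasing the value. Because Sysmon renders DWORDs as `DWORD (0x000000xx)` a numeric threshold cannot be expressed with `LIKE`, so `"level": "low"` is appropriate, but `"falsepositives": ["Unknown"]` understates it — something like `"Administrators tuning SMB server parameters via GPO or configuration management"` would help triage. The `attack.t1070.005` tag (Indicator Removal: Network Share Connection Removal) also does not obviously describe SMB request tuning; if both come from the upstream Sigma rule, raise it there rather than hand-editing the generated JSON.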
@@ -35677,10 +35639,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -35691,11 +35653,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -35761,7 +35723,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
@@ -35771,7 +35733,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_persistence_ifilter.yml" }, 
@@ -36021,7 +35983,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -36231,10 +36193,10 @@ "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -36245,7 +36207,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -36732,25 +36694,6 @@ ], "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, - { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" - ], - "filename": "registry_set_creation_service_uncommon_folder.yml" - }, { "title": "UAC Bypass Using Windows Media Player - Registry", "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", 
@@ -36823,9 +36766,9 @@ "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], "filename": "registry_set_add_port_monitor.yml" }, 
@@ -36943,10 +36886,10 @@ "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -36957,7 +36900,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_hide_file.yml" }, 
@@ -36980,25 +36923,6 @@ ], "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" - }, { "title": "Tamper With Sophos AV Registry Keys", "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", @@ -37057,7 +36981,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -37071,7 +36995,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -37380,25 +37304,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", @@ -37541,10 +37446,10 @@ "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", 
@@ -37558,7 +37463,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "registry_event_portproxy_registry_key.yml" }, 
@@ -37577,7 +37482,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], "filename": "registry_event_runonce_persistence.yml" }, 
@@ -37920,18 +37825,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
@@ -38840,7 +38745,7 @@ "title": "Files With System Process Name In Unsuspected Locations", "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -38850,9 +38755,9 @@ "System processes copied outside their default folders for testing purposes", "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE 
'%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], "filename": "file_event_win_creation_system_file.yml" }, 
@@ -39152,18 +39057,19 @@ "title": "EVTX Created In Uncommon Location", "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", "author": "D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ - "Administrator or backup activity" + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". 
See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))" ], "filename": "file_event_win_create_evtx_non_common_locations.yml" }, 
@@ -46678,6 +46584,25 @@ ], "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_exploit_cve_2022_30190_msdt_follina.yml" + }, { "title": "Potential CVE-2022-26809 Exploitation Attempt", "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", 
@@ -47230,6 +47155,25 @@ ], "filename": "win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
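Review bot: The description of the added "CVE-2024-1212 Exploitation" rule cites CVE-2024-1709 while its title, tag (`cve.2024.1212`) and filename say CVE-2024-1212, so the rule's metadata contradicts itself; the description should read `Detects potential exploitation of CVE-2024-1212 an unauthenticated command injection in Progress Kemp LoadMaster.`. The filename value `web_exploit_cve_2024_1212_.yml` also carries a dangling underscore before the extension. This ruleset looks generated from the upstream Sigma rules, so the correction presumably belongs in the source rule followed by a regeneration rather than a hand edit of this JSON.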
@@ -47267,6 +47211,65 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\' AND CommandLine LIKE '%.doc' ESCAPE '\\')" + ], + "filename": "proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND Details LIKE '%-nop -w h%' ESCAPE '\\' AND Details LIKE 
'%$env%' ESCAPE '\\' AND Details LIKE '%explorer.exe%' ESCAPE '\\' AND Details LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\') AND NOT (((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_malware_kamikakabot_schtasks_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -47700,6 +47703,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\' OR Details LIKE '%.vbe%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
@@ -48255,6 +48280,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", 
@@ -48983,6 +49027,26 @@ ], "filename": "proc_creation_win_tasklist_basic_execution.yml" }, + { + "title": "CMD Shell Output Redirect", + "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "status": "test", + "description": "Detects the use of the redirection character \">\" to redirect information on the command line.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", + "author": "frack113", + "tags": [ + "attack.discovery", + "attack.t1082", + "detection.threat_hunting" + ], + "falsepositives": [ + "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_cmd_redirect.yml" + }, { "title": "Curl.EXE Execution", "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", 
@@ -49331,6 +49395,26 @@ ], "filename": "registry_set_office_trusted_location.yml" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND Details LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))) AND NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND Details LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' 
ESCAPE '\\' AND Details LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\')))" + ], + "filename": "registry_set_service_image_path_user_controlled_folder.yml" + }, { "title": "Shell Context Menu Command Tampering", "id": "868df2d1-0939-4562-83a7-27408c4a1ada", diff --git a/rules/rules_windows_sysmon_high.json b/rules/rules_windows_sysmon_high.json index 322ddd6..fd8a09f 100644 --- a/rules/rules_windows_sysmon_high.json +++ b/rules/rules_windows_sysmon_high.json @@ -6764,7 +6764,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
@@ -9352,7 +9352,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine 
LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -16798,27 +16798,6 @@ ], "filename": "registry_set_fax_dll_persistance.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -16876,10 +16855,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
@@ -16890,12 +16869,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", @@ -16933,10 +16912,10 @@ "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -16947,7 +16926,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((Details = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, @@ -16989,23 +16968,6 @@ ], "filename": "registry_set_office_disable_protected_view_features.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
@@ -17544,7 +17506,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((Image LIKE 
'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND Details LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -17658,7 +17620,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -17720,7 +17682,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
@@ -17735,7 +17697,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((Details LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR Details LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -17852,10 +17814,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -17866,11 +17828,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -18044,7 +18006,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -18160,10 +18122,10 @@ "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -18174,7 +18136,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -18449,25 +18411,6 @@ ], "filename": "registry_set_uac_bypass_wmp.yml" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" - ], - "filename": "registry_set_add_port_monitor.yml" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", 
@@ -18601,7 +18544,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -18615,7 +18558,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -18789,25 +18732,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", 
@@ -19190,18 +19114,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
@@ -19583,26 +19507,6 @@ ], "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' 
ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 
'%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" - ], - "filename": "file_event_win_creation_system_file.yml" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", 
@@ -19783,25 +19687,6 @@ ], "filename": "file_event_win_wmiexec_default_filename.yml" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" - ], - "filename": "file_event_win_create_evtx_non_common_locations.yml" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -26156,6 +26041,25 @@ ], "filename": "web_exploit_cve_2024_1709_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
@@ -26193,6 +26097,26 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND Details LIKE '%-nop -w h%' ESCAPE '\\' AND Details LIKE '%$env%' ESCAPE '\\' AND Details LIKE '%explorer.exe%' ESCAPE '\\' AND Details LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -26602,6 +26526,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\' OR Details LIKE '%.vbe%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
@@ -27157,6 +27103,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", diff --git a/rules/rules_windows_sysmon_medium.json b/rules/rules_windows_sysmon_medium.json index b5720ae..1bb02d4 100644 --- a/rules/rules_windows_sysmon_medium.json +++ b/rules/rules_windows_sysmon_medium.json 
@@ -6532,6 +6532,24 @@ ], "filename": "proc_creation_win_findstr_lsass.yml" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE 
'%--utility-cmd-prefix%' ESCAPE '\\'))" + ], + "filename": "proc_creation_win_susp_electron_execution_proxy.yml" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", 
@@ -7595,24 +7613,6 @@ ], "filename": "proc_creation_win_pua_rclone_execution.yml" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName LIKE 'chrome.exe' ESCAPE '\\' OR OriginalFileName LIKE 'code.exe' ESCAPE '\\' OR OriginalFileName LIKE 'discord.exe' ESCAPE '\\' OR OriginalFileName LIKE 'GitHubDesktop.exe' ESCAPE '\\' OR OriginalFileName LIKE 'keybase.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedge.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msedgewebview2.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msteams.exe' ESCAPE '\\' OR OriginalFileName LIKE 'slack.exe' ESCAPE '\\' OR OriginalFileName LIKE 'Teams.exe' ESCAPE '\\')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR 
CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\'))" - ], - "filename": "proc_creation_win_susp_electron_exeuction_proxy.yml" - }, { "title": "HackTool - Quarks PwDump Execution", "id": "0685b176-c816-4837-8e7b-1216f346636b", @@ -14180,7 +14180,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, 
@@ -18479,7 +18479,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND ((((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine 
LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\')) OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, 
@@ -22831,10 +22831,10 @@ "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -22845,7 +22845,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, @@ -31276,27 +31276,6 @@ ], "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml" - }, { "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", 
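Review bot: The rewritten redirect patterns on the `+` line use `>_` where the removed line carried both a `> ` and a `>` variant; `_` is the SQLite LIKE single-character wildcard (left unescaped under `ESCAPE '\'`), so each pattern now requires exactly one character between `>` and the destination, and a command line such as `>%TEMP%\out.txt` with no separator no longer matches although the removed `'%>\\%TEMP\\%\\\\%'` pattern covered it. This looks like the converter's rendering of a single-character wildcard in the upstream Sigma source, so if the narrowing is unintended the fix belongs there; otherwise the no-separator form can be restored by keeping a second clause per destination, e.g. `CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\'`. The second OR branch (`% >%` with `C:\Users\` and `\AppData\Local\`) only partially compensates, since it still requires a space before `>`.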
@@ -31430,10 +31409,10 @@ "filename": "registry_set_persistence_outlook_homepage.yml" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", @@ -31444,7 +31423,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, @@ -31469,7 +31448,7 @@ "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", 
@@ -31510,7 +31489,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -31523,7 +31502,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\')))" ], "filename": "registry_set_servicedll_hijack.yml" }, 
@@ -31567,10 +31546,10 @@ "filename": "registry_set_terminal_server_suspicious.yml" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", @@ -31581,7 +31560,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT (Details = 'DWORD (0x00000d3d)'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND NOT ((Details = 'DWORD (0x00000d3d)')))" ], "filename": "registry_set_change_rdp_port.yml" }, 
@@ -31700,23 +31679,6 @@ ], "filename": "registry_set_disable_function_user.yml" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_mal_adwind.yml" - }, { "title": "DNS-over-HTTPS Enabled by Registry", "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", 
@@ -32490,7 +32452,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))) AND NOT ((Image LIKE 
'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND Details LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, 
@@ -32642,7 +32604,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details = 'DWORD (0x00000000)') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (Image LIKE 
'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((Image = '') OR (Image = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, @@ -32762,7 +32724,7 @@ "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
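Review bot: The trailing exclusion on the new side of the `registry_set_disable_winevt_logging.yml` rule, `AND NOT ((Image = '') OR (Image = ''))`, repeats the identical comparison twice, which looks like two distinct upstream filters (presumably an empty-string `Image` and a null/missing `Image`) collapsing to the same SQL form during conversion. In SQLite `NULL = ''` does not evaluate true, so if Zircolite stores an absent Image field as NULL rather than as an empty string, the second filter is effectively lost and those events are not excluded; if absent fields are flattened to `''` the duplicate is merely redundant. Worth confirming against the source Sigma rule and the flattening step, and, if the null case is real, having the converter emit `Image IS NULL` for that filter instead. The same duplicated clause is present on the old side, so this is a pre-existing conversion artefact rather than something this commit introduced.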
@@ -32777,7 +32739,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND NOT (((Details LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR Details LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "registry_set_timeproviders_dllname.yml" }, @@ -32835,7 +32797,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_administrative_share.yml" }, 
@@ -32967,7 +32929,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_defender_firewall.yml" }, @@ -33082,10 +33044,10 @@ "filename": "registry_set_persistence_typed_paths.yml" }, { - "title": "CobaltStrike Service Installations in Registry", + "title": "Potential CobaltStrike Service Installations - Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", 
@@ -33096,11 +33058,11 @@ "attack.t1569.002" ], "falsepositives": [ - "Unknown" + "Unlikely" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, 
@@ -33166,7 +33128,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
@@ -33176,7 +33138,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_persistence_ifilter.yml" }, 
@@ -33426,7 +33388,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details = 'Service') AND NOT ((Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, 
@@ -33636,10 +33598,10 @@ "filename": "registry_set_office_outlook_security_settings.yml" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -33650,7 +33612,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND NOT ((Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, 
@@ -34097,25 +34059,6 @@ ], "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, - { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND Details IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((Image LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" - ], - "filename": "registry_set_creation_service_uncommon_folder.yml" - }, { "title": "UAC Bypass Using Windows Media Player - Registry", "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", 
@@ -34168,9 +34111,9 @@ "falsepositives": [ "Unknown" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], "filename": "registry_set_add_port_monitor.yml" }, 
@@ -34288,10 +34231,10 @@ "filename": "registry_set_persistence_scrobj_dll.yml" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", @@ -34302,7 +34245,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details = 'DWORD (0x00000000)')" ], "filename": "registry_set_hide_file.yml" }, 
@@ -34325,25 +34268,6 @@ ], "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" - ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml" - }, { "title": "Tamper With Sophos AV Registry Keys", "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", @@ -34402,7 +34326,7 @@ "filename": "registry_set_winlogon_notify_key.yml" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", @@ -34416,7 +34340,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, 
@@ -34705,25 +34629,6 @@ ], "filename": "registry_event_silentprocessexit_lsass.yml" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "registry_event_mal_flowcloud.yml" - }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", @@ -34866,10 +34771,10 @@ "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", 
@@ -34883,7 +34788,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "registry_event_portproxy_registry_key.yml" }, 
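Review bot: The rewritten pattern `TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%'` only covers the v4tov4 listener table; `netsh interface portproxy` also accepts v4tov6, v6tov4 and v6tov6, which are written under sibling keys and will not fire this rule. Since the SQL is converter output from the upstream Sigma rule the fix belongs there, but a local variant could widen it to `TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v%tov%\\\\tcp\\\\%' ESCAPE '\\'` until upstream changes. For the v4tov4 case the hunk is an improvement: the trailing `\\\\%` now captures the individual forwarding entries under the key rather than the key name alone.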
@@ -34902,7 +34807,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((Details LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], "filename": "registry_event_runonce_persistence.yml" }, 
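Review bot: The Chrome and Edge exclusions on the new side changed from an anchored prefix (`Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%'`) to a contains match (`Details LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%'`), so a StubPath whose own executable sits elsewhere but which embeds the Chrome/Edge installer path and the `--configure-user-settings` tail in its arguments is now suppressed as benign. Filter clauses evaluated on attacker-controlled data are exactly where a contains match turns into an evasion; if the upstream Sigma rule still expresses this as `startswith`, the generated text should keep the leading `\"` and drop the leading `%`, otherwise it is worth raising upstream. The selection part of the hunk (`%\\\\Microsoft\\\\Active Setup\\\\Installed Components%` plus `\\\\StubPath`) looks fine.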
@@ -35245,18 +35150,18 @@ "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ - "Unlikely" + "Unknown" ], - "level": "critical", + "level": "high", "rule": [ - "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT (((Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, 
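Review bot: The only exclusion in the rewritten rule is `Image` being `C:\Windows\system32\msiexec.exe` or `C:\Windows\syswow64\MsiExec.exe`, so a Security Packages modification performed from an MSI custom action (a routine way to run code as SYSTEM during an install) is silently suppressed, and this lands in the same hunk that lowers the level from critical to high and changes falsepositives from Unlikely to Unknown. Consider keeping the msiexec exception narrower, for example by also constraining `Details` to the package list a known installer writes, or at least stating in `falsepositives` that MSI-driven SSP installs are deliberately excluded so analysts know where the blind spot is. The doubled parentheses in `AND NOT ((((Image LIKE ... OR ...))))` are harmless but suggest the converter is re-wrapping an already grouped filter.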
@@ -36108,7 +36013,7 @@ "title": "Files With System Process Name In Unsuspected Locations", "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -36118,9 +36023,9 @@ "System processes copied outside their default folders for testing purposes", "Third party software naming their software with the same names as the processes mentioned here" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename 
LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR (Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE 
'%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR 
TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (Image LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], "filename": "file_event_win_creation_system_file.yml" }, 
@@ -36402,18 +36307,19 @@ "title": "EVTX Created In Uncommon Location", "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", "author": "D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ - "Administrator or backup activity" + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". 
See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" ], - "level": "high", + "level": "medium", "rule": [ - "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE ((EventID = '11' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))" ], "filename": "file_event_win_create_evtx_non_common_locations.yml" }, 
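Review bot: The BaseImages exclusion on the new side is unsatisfiable: the selection requires `TargetFilename LIKE '%.evtx'` while the second filter clause requires `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\'` (a name ending in `Logs\`), and no filename ends with both, so container base-image EVTX writes are never excluded and will alert. The clause presumably meant a contains match, `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\'`; since this is converter output, the endswith/contains modifier should be checked in the upstream Sigma rule rather than patched only here. Removing the `explorer.exe`/`dllhost.exe` Image exceptions that the old side carried is a good change — those were a trivial way to copy logs without tripping the rule. The primary exclusion is now anchored to `C:\Windows\System32\winevt\Logs\`, so a non-C: system drive will alert on every normal log rollover; that is noise rather than a bypass but should be reflected in `falsepositives`.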
@@ -43754,6 +43660,25 @@ ], "filename": "proc_creation_win_exploit_cve_2023_21554_queuejumper.yml" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "registry_set_exploit_cve_2022_30190_msdt_follina.yml" + }, { "title": "Potential CVE-2022-26809 Exploitation Attempt", "id": "a7cd7306-df8b-4398-b711-6f3e4935cf16", 
@@ -44306,6 +44231,25 @@ ], "filename": "win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml" }, + { + "title": "CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection", + "id": "eafb8bd5-7605-4bfe-a9ec-0442bc151f15", + "status": "experimental", + "description": "Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.\nIt looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an \"Authorization\" header with a base64 encoded value with an uncommon character.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.initial_access", + "cve.2024.1212" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE ((cs-method = 'GET' AND cs-uri-stem LIKE '%/access/set%' ESCAPE '\\' AND cs-uri-stem LIKE '%param=enableapi%' ESCAPE '\\' AND cs-uri-stem LIKE '%value=1%' ESCAPE '\\') AND (logs MATCH ('\"Basic Jz\" OR \"Basic c7\" OR \"Basic nO\" OR \"Basic '';\"')))" + ], + "filename": "web_exploit_cve_2024_1212_.yml" + }, { "title": "DPRK Threat Actor - C2 Communication DNS Indicators", "id": "4d16c9a6-4362-4863-9940-1dee35f1d70f", 
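Review bot: The generated SQL for the new rule uses the bare identifiers `cs-method` and `cs-uri-stem`; unless Zircolite rewrites hyphenated field names before execution, SQLite parses `cs-method = 'GET'` as the subtraction `cs - method`, so the statement fails on a missing column and the rule can never fire — the identifiers need quoting (`\"cs-method\" = 'GET' AND \"cs-uri-stem\" LIKE ...`) or the field mapping should normalise them to underscores. The terms `param=enableapi` and `value=1` are also matched against `cs-uri-stem`; in W3C-style web logs the query string is logged in `cs-uri-query`, so confirm the mapping before relying on this rule. The description says CVE-2024-1709 while the title, tag and filename say CVE-2024-1212; it should read `Detects potential exploitation of CVE-2024-1212 an unauthenticated command injection in Progress Kemp LoadMaster.` The filename `web_exploit_cve_2024_1212_.yml` ends in a stray underscore, which looks like an unfilled template rather than the upstream name.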
@@ -44343,6 +44287,65 @@ ], "filename": "file_event_win_apt_unknown_exploitation_indicators.yml" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\' AND CommandLine LIKE '%.doc' ESCAPE '\\')" + ], + "filename": "proc_creation_win_malware_kamikakabot_lnk_lure_execution.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND Details LIKE '%-nop -w h%' ESCAPE '\\' AND Details LIKE 
'%$env%' ESCAPE '\\' AND Details LIKE '%explorer.exe%' ESCAPE '\\' AND Details LIKE '%Start-Process%' ESCAPE '\\')" + ], + "filename": "registry_set_malware_kamikakabot_winlogon_persistence.yml" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\') AND NOT (((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" + ], + "filename": "proc_creation_win_malware_kamikakabot_schtasks_persistence.yml" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -44776,6 +44779,28 @@ ], "filename": "proc_creation_win_exploit_cve_2020_1048.yml" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE (EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\' OR Details LIKE '%.vbe%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\'))" + ], + "filename": "registry_set_exploit_cve_2020_1048_new_printer_port.yml" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
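Review bot: The `Details LIKE '%.com%'` term in the new rule matches any port name containing `.com`, which includes ordinary network printer ports such as `\\print.contoso.com\queue` or `IP_printer.corp.com`, so a level-high alert will fire on routine port installs; if the intent is the `.com` executable extension, the endswith form `Details LIKE '%.com' ESCAPE '\\'` is tighter. `Details LIKE '%C:%'` likewise matches every local path, which is probably intended for CVE-2020-1048 (the bug abuses a file path as a port) but deserves a second `falsepositives` entry beyond "New printer port install on host" so analysts know legitimate local-file ports will trigger it too.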
@@ -45331,6 +45356,25 @@ ], "filename": "proc_creation_win_malware_blue_mockingbird.yml" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "registry_event_malware_flowcloud_markers.yml" + }, { "title": "Trickbot Malware Activity", "id": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", 
@@ -46034,6 +46078,26 @@ ], "filename": "registry_set_office_trusted_location.yml" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE ((EventID = '13' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND Details LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))) AND NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND Details LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' 
ESCAPE '\\' AND Details LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\')))" + ], + "filename": "registry_set_service_image_path_user_controlled_folder.yml" + }, { "title": "Non-DLL Extension File Renamed With DLL Extension", "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", diff --git a/rules/rules_windows_sysmon_pysigma.json b/rules/rules_windows_sysmon_pysigma.json index ac92af8..26d3100 100644 --- a/rules/rules_windows_sysmon_pysigma.json +++ b/rules/rules_windows_sysmon_pysigma.json 
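Review bot: The MBAMInstallerService exclusion in the new "Service Binary in User Controlled Folder" rule keys only on strings an attacker chooses — a service key containing `MBAMInstallerService` and a binary path ending in `AppData\Local\Temp\MBAMInstallerService.exe` under `C:\Users\` — so a dropper that simply reuses those names lands exactly in the blind spot this rule is meant to cover. Because this JSON is generated from the Sigma source, the tightening belongs upstream or in a Zircolite filter rather than in a hand edit: gate the exclusion on the writing `Image` (the installer executable path) in addition to the service and file names, or drop it and accept the noise given the rule already carries `detection.threat_hunting` at `medium`. The enclosing rule array continues on both sides of this hunk.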
@@ -800,29 +800,6 @@ ], "filename": "" }, - { - "title": "CobaltStrike Service Installations in Registry", - "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "status": "test", - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "author": "Wojciech Lesicki", - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", "id": "55e29995-75e7-451a-bef0-6225e2f13597", 
@@ -842,25 +819,6 @@ ], "filename": "" }, - { - "title": "FlowCloud Malware", - "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "status": "test", - "description": "Detects FlowCloud malware from threat group TA410.", - "author": "NVISO", - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "falsepositives": [ - "Unknown" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" - ], - "filename": "" - }, { "title": "OilRig APT Registry Persistence", "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", 
@@ -1005,25 +963,6 @@ ], "filename": "" }, - { - "title": "Security Support Provider (SSP) Added to LSA Configuration", - "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", - "status": "test", - "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "author": "iwillkeepwatch", - "tags": [ - "attack.persistence", - "attack.t1547.005" - ], - "falsepositives": [ - "Unlikely" - ], - "level": "critical", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND (NOT (Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Pandemic Registry Key", "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", 
@@ -3183,6 +3122,25 @@ ], "filename": "" }, + { + "title": "FlowCloud Registry Markers", + "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "status": "test", + "description": "Detects FlowCloud malware registry markers from threat group TA410.\nThe malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.\n", + "author": "NVISO", + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "critical", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND (TargetObject LIKE '%\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" + ], + "filename": "" + }, { "title": "Malicious Driver Load", "id": "05296024-fe8a-4baf-8f3d-9a5f5624ceb2", @@ -9614,7 +9572,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName='reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName='reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\')))" ], "filename": "" }, 
@@ -12164,7 +12122,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\') OR ((CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' 
ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\')) OR (CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadData%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%mshta http%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe http%' ESCAPE '\\') OR ((CommandLine LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Tmp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\') AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%curl%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -19275,27 +19233,6 @@ ], "filename": "" }, - { - "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "status": "test", - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "falsepositives": [ - "New printer port install on host" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", @@ -19353,10 +19290,10 @@ "filename": "" }, { - "title": "Disable Sysmon Event Logging Via Registry", + "title": "Sysmon Driver Altitude Change", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "description": "Detects changes in Sysmon driver altitude value.\nIf the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.\n", "author": "B.Talebi", "tags": [ "attack.defense_evasion", 
@@ -19367,12 +19304,12 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\'))" ], "filename": "" }, { - "title": "Office Macros Auto-Enabled", + "title": "Office Macros Warning Disabled", "id": "91239011-fe3c-4b54-9f24-15c86bb65913", "status": "test", "description": "Detects registry changes to Microsoft Office \"VBAWarning\" to a value of \"1\" which enables the execution of all macros, whether signed or unsigned.", @@ -19410,10 +19347,10 @@ "filename": "" }, { - "title": "Changing RDP Port to Non Standard Number", + "title": "Default RDP Port Changed to Non Standard Port", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "description": "Detects changes to the default RDP port.\nRemote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -19424,7 +19361,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND (NOT Details='DWORD (0x00000d3d)')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\' AND (NOT Details='DWORD (0x00000d3d)')))" ], "filename": "" }, @@ -19466,24 +19403,6 @@ ], "filename": "" }, - { - "title": "Adwind RAT / JRAT - Registry", - "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", - "status": "experimental", - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "falsepositives": [], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND Details LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\'))" - ], - "filename": "" - }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", 
@@ -20022,7 +19941,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\') AND ((Details LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Details LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Details LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR Details LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (Details LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR Details LIKE 'wscript%' ESCAPE '\\' OR Details LIKE 'cscript%' ESCAPE '\\'))) AND (NOT (Image LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE 
'\\' AND (Details LIKE '%rundll32.exe C:\\\\WINDOWS\\\\system32\\\\advpack.dll,DelNodeRunDLL32%' ESCAPE '\\' AND Details LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -20136,7 +20055,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details='DWORD (0x00000000)') AND (NOT (Image LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND (NOT (Image='' OR Image IS NULL))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND Details='DWORD (0x00000000)') AND (NOT (Image LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' 
AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND (NOT (Image='' OR Image IS NULL))))" ], "filename": "" }, @@ -20198,7 +20117,7 @@ "filename": "" }, { - "title": "Set TimeProviders DllName", + "title": "New TimeProviders Registered With Uncommon DLL Name", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", 
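Review bot: The rewritten filter still drops every `Enabled = DWORD (0x00000000)` write made by `C:\Windows\system32\wevtutil.exe`, which is the stock way to switch a channel off (`wevtutil sl <channel> /e:false`), so on its own this registry rule will not see an attacker disabling a channel such as `Microsoft-Windows-Sysmon/Operational`. That looks like an upstream Sigma design choice rather than a conversion bug, but it only holds if the companion process-creation rule for `wevtutil` with `sl` and `/e:false` is also present in this regenerated ruleset — worth confirming, since this diff removes and re-inserts several rules at new offsets. Anchoring the exclusion to the literal `C:` drive (the removed line used `%\\Windows\\system32\\wevtutil.exe`) also means hosts with a non-`C:` system drive lose the exclusion and will alert on legitimate wevtutil use. The enclosing rule object starts and ends outside this hunk.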
@@ -20213,7 +20132,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND (NOT Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\')))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DllName' ESCAPE '\\') AND (NOT (Details LIKE '\\%SystemRoot\\%\\\\System32\\\\vmictimeprovider.dll' ESCAPE '\\' OR Details LIKE '\\%systemroot\\%\\\\system32\\\\w32time.dll' ESCAPE '\\' OR Details LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))))" ], "filename": "" }, 
@@ -20329,6 +20248,29 @@ ], "filename": "" }, + { + "title": "Potential CobaltStrike Service Installations - Registry", + "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "status": "test", + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\n", + "author": "Wojciech Lesicki", + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\' OR (TargetObject LIKE '%\\\\System\\\\ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services%' ESCAPE '\\')) AND ((Details LIKE '%ADMIN$%' ESCAPE '\\' AND Details LIKE '%.exe%' ESCAPE '\\') OR (Details LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND Details LIKE '%start%' ESCAPE '\\' AND Details LIKE '%powershell%' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "RDP Sensitive Settings Changed", "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", 
@@ -20499,7 +20441,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details='Service') AND (NOT (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND Details='Service') AND (NOT (Image LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\')))))" ], "filename": "" }, @@ -20615,10 +20557,10 @@ "filename": "" }, { - "title": "Change Winevt Event Access Permission Via Registry", + "title": "Change Winevt Channel Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel", + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to Windows event channel.", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -20629,7 +20571,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND (NOT (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (Details LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\' OR Details LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR Details LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\')) AND (NOT (Image LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -20904,25 +20846,6 @@ ], "filename": "" }, - { - "title": "Add Port Monitor Persistence in Registry", - "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "status": "experimental", - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "author": "frack113", - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "falsepositives": [ - "Unknown" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND (NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\' OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))))" - ], - "filename": "" - }, { "title": "Suspicious Shim Database Patching Activity", "id": "bf344fea-d947-4ef4-9192-34d008315d3a", @@ -21056,7 +20979,7 @@ "filename": "" }, { - "title": "Windows Defender Service Disabled", + "title": "Windows Defender Service Disabled - Registry", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", 
@@ -21070,7 +20993,7 @@ ], "level": "high", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details='DWORD (0x00000004)'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND Details='DWORD (0x00000004)'))" ], "filename": "" }, @@ -21460,6 +21383,25 @@ ], "filename": "" }, + { + "title": "Security Support Provider (SSP) Added to LSA Configuration", + "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "status": "test", + "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.\n", + "author": "iwillkeepwatch", + "tags": [ + "attack.persistence", + "attack.t1547.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND ((TargetObject LIKE '%\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND (NOT (Image LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR Image LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "WINEKEY Registry Modification", "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", 
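Review bot: The re-added "Security Support Provider (SSP) Added to LSA Configuration" rule exempts every write made by `C:\Windows\system32\msiexec.exe` or `C:\Windows\syswow64\MsiExec.exe`, which for a credential-access persistence rule is a sizeable hole: an adversary with local admin can register a malicious Security Package through an MSI custom action and never trigger it. Compared with the copy removed earlier in this diff the level also drops from `critical` to `high` and `falsepositives` moves from "Unlikely" to "Unknown", so this reads as a deliberate upstream relaxation rather than a conversion artefact; the fix therefore belongs in the Sigma source or a Zircolite filter, not in this generated JSON. A cheaper tightening than deleting the exclusion is to keep it but still alert when the written `Details` names a package outside the expected set — hedged, since the `Details` format for this `REG_MULTI_SZ` value is not visible in the hunk. The enclosing rule array continues outside the hunk.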
@@ -21698,26 +21640,6 @@ ], "filename": "" }, - { - "title": "Files With System Process Name In Unsuspected Locations", - "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "status": "test", - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\n", - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "falsepositives": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' 
OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND (NOT (((TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (Image LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR Image LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND Image LIKE '%:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND Image LIKE '%:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\')) OR Image LIKE '%:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE 
'%:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\Program Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\uus\\\\%' ESCAPE '\\' AND Image LIKE '%\\\\wuaucltcore.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\$WinREAgent\\\\%' ESCAPE '\\')))))" - ], - "filename": "" - }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", 
@@ -21879,25 +21801,6 @@ ], "filename": "" }, - { - "title": "EVTX Created In Uncommon Location", - "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", - "status": "experimental", - "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", - "author": "D3F7A5105", - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "falsepositives": [ - "Administrator or backup activity" - ], - "level": "high", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND (NOT (TargetFilename LIKE '%:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR (Image LIKE '%:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR Image LIKE '%:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\')))))" - ], - "filename": "" - }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", 
@@ -26586,6 +26489,26 @@ ], "filename": "" }, + { + "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence", + "id": "c9b86500-1ec2-4de6-9120-d744c8fb5caf", + "status": "experimental", + "description": "Detects changes to the \"Winlogon\" registry key where a process will set the value of the \"Shell\" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior", + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unlikely" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell' ESCAPE '\\' AND (Details LIKE '%-nop -w h%' ESCAPE '\\' AND Details LIKE '%$env%' ESCAPE '\\' AND Details LIKE '%explorer.exe%' ESCAPE '\\' AND Details LIKE '%Start-Process%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "Potential Raspberry Robin CPL Execution Activity", "id": "92020b88-9caf-464f-bad8-cd0fb0aa2a81", 
@@ -26837,6 +26760,28 @@ ], "filename": "" }, + { + "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry", + "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "status": "test", + "description": "Detects changes to the \"Ports\" registry key with data that includes a Windows path or a file with a suspicious extension.\nThis could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.\n", + "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112", + "cve.2020.1048" + ], + "falsepositives": [ + "New printer port install on host" + ], + "level": "high", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (Details LIKE '%.bat%' ESCAPE '\\' OR Details LIKE '%.com%' ESCAPE '\\' OR Details LIKE '%.dll%' ESCAPE '\\' OR Details LIKE '%.exe%' ESCAPE '\\' OR Details LIKE '%.ps1%' ESCAPE '\\' OR Details LIKE '%.vbe%' ESCAPE '\\' OR Details LIKE '%.vbs%' ESCAPE '\\' OR Details LIKE '%C:%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "CVE-2020-0688 Exploitation Attempt", "id": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", 
@@ -29611,25 +29556,6 @@ ], "filename": "" }, - { - "title": "CMD Shell Output Redirect", - "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "status": "test", - "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", - "author": "frack113", - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "falsepositives": [ - "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" - ], - "level": "low", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((OriginalFileName='Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND (NOT (CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" - ], - "filename": "" - }, { "title": "Detect Virtualbox Driver Installation OR Starting Of VMs", "id": "bab049ca-7471-4828-9024-38279a4c04da", 
@@ -30630,6 +30556,25 @@ ], "filename": "" }, + { + "title": "MaxMpxCt Registry Value Changed", + "id": "0e6a9e62-627e-496c-aef5-bfa39da29b5e", + "status": "experimental", + "description": "Detects changes to the \"MaxMpxCt\" registry value.\nMaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.\nRansomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.\n", + "author": "Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "falsepositives": [ + "Unknown" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\MaxMpxCt' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "New ODBC Driver Registered", "id": "3390fbef-c98d-4bdd-a863-d65ed7c610dd", 
@@ -31210,6 +31155,26 @@ ], "filename": "" }, + { + "title": "CMD Shell Output Redirect", + "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "status": "test", + "description": "Detects the use of the redirection character \">\" to redirect information on the command line.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", + "author": "frack113", + "tags": [ + "attack.discovery", + "attack.t1082", + "detection.threat_hunting" + ], + "falsepositives": [ + "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" + ], + "level": "low", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((OriginalFileName='Cmd.Exe' OR Image LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND (NOT (CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" + ], + "filename": "" + }, { "title": "Curl.EXE Execution", "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", 
@@ -35088,6 +35053,24 @@ ], "filename": "" }, + { + "title": "Potentially Suspicious Electron Application CommandLine", + "id": "378a05d8-963c-46c9-bcce-13c7657eac99", + "status": "experimental", + "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", + "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.execution" + ], + "falsepositives": [ + "Legitimate usage for debugging purposes" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName='chrome.exe' OR OriginalFileName='code.exe' OR OriginalFileName='discord.exe' OR OriginalFileName='GitHubDesktop.exe' OR OriginalFileName='keybase.exe' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName='msedge.exe' OR OriginalFileName='msedgewebview2.exe' OR OriginalFileName='msteams.exe' OR OriginalFileName='slack.exe' OR OriginalFileName='Teams.exe')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\')))" + ], + "filename": "" + }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", 
@@ -35612,24 +35595,6 @@ ], "filename": "" }, - { - "title": "Potentially Suspicious Electron Application CommandLine", - "id": "378a05d8-963c-46c9-bcce-13c7657eac99", - "status": "experimental", - "description": "Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.", - "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", - "tags": [ - "attack.execution" - ], - "falsepositives": [ - "Legitimate usage for debugging purposes" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (((Image LIKE '%\\\\chrome.exe' ESCAPE '\\' OR Image LIKE '%\\\\code.exe' ESCAPE '\\' OR Image LIKE '%\\\\discord.exe' ESCAPE '\\' OR Image LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR Image LIKE '%\\\\keybase.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge\\_proxy.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedge.exe' ESCAPE '\\' OR Image LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR Image LIKE '%\\\\msteams.exe' ESCAPE '\\' OR Image LIKE '%\\\\slack.exe' ESCAPE '\\' OR Image LIKE '%\\\\Teams.exe' ESCAPE '\\') OR (OriginalFileName='chrome.exe' OR OriginalFileName='code.exe' OR OriginalFileName='discord.exe' OR OriginalFileName='GitHubDesktop.exe' OR OriginalFileName='keybase.exe' OR OriginalFileName LIKE 'msedge\\_proxy.exe' ESCAPE '\\' OR OriginalFileName='msedge.exe' OR OriginalFileName='msedgewebview2.exe' OR OriginalFileName='msteams.exe' OR OriginalFileName='slack.exe' OR OriginalFileName='Teams.exe')) AND (CommandLine LIKE '%--browser-subprocess-path%' ESCAPE '\\' OR CommandLine LIKE '%--gpu-launcher%' ESCAPE '\\' OR CommandLine LIKE '%--renderer-cmd-prefix%' ESCAPE '\\' OR CommandLine LIKE '%--utility-cmd-prefix%' ESCAPE '\\')))" - ], - "filename": "" - }, { "title": "Remote Access Tool - NetSupport Execution", "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", 
@@ -42695,10 +42660,10 @@ "filename": "" }, { - "title": "Suspicious CMD Shell Output Redirect", + "title": "Potentially Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", - "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "description": "Detects inline Windows shell commands redirecting output via the \">\" symbol to a suspicious location.\nThis technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as \"hostname\" and \"dir\" to files for future exfiltration.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", 
@@ -42709,7 +42674,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName='Cmd.Exe') AND ((CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName='Cmd.Exe') AND ((CommandLine LIKE '%>_\\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_\\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%>_C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE 
'%>_C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%\">%' ESCAPE '\\' OR CommandLine LIKE '%''>%' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))))" ], "filename": "" }, @@ -46211,7 +46176,7 @@ "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry.\nThis is often used as a method of persistence.\n", "author": "frack113", "tags": [ "attack.persistence", 
@@ -46224,7 +46189,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND (NOT (Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\'))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\System\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND (NOT (Details LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\' OR (Image LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND Details LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR Image LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')) AND (NOT (Image LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND Details LIKE 'C:\\\\Windows\\\\System32\\\\STAgent.dll' ESCAPE '\\'))))" ], "filename": "" }, 
@@ -46691,7 +46656,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND Details='DWORD (0x00000000)'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%\\\\AutoShareServer' ESCAPE '\\') AND Details='DWORD (0x00000000)'))" ], "filename": "" }, @@ -46767,7 +46732,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details='DWORD (0x00000000)'))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (TargetObject LIKE '%\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND Details='DWORD (0x00000000)'))" ], "filename": "" }, 
@@ -46867,7 +46832,7 @@ "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", - "description": "Detects when an attacker register a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "description": "Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.\nYou can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" 
@@ -46877,7 +46842,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE 
'%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\') OR (Image LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Image LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -47284,40 +47249,40 @@ "filename": "" }, { - "title": "Service Binary in Uncommon Folder", - "id": "277dc340-0540-42e7-8efb-5ff460045e07", - "status": "experimental", - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "author": "Florian Roth (Nextron Systems)", + "title": "Windows Defender Exclusions Added - Registry", + "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", + "status": "test", + "description": "Detects the Setting of Windows Defender Exclusions", + "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", - "attack.t1112" + "attack.t1562.001" ], "falsepositives": [ - "Unknown" + "Administrator actions" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (Image LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND (Details='DWORD (0x00000000)' OR Details='DWORD (0x00000001)' OR Details='DWORD (0x00000002)')) OR (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND (NOT ((Image LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Image LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (Details LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], "filename": "" }, { - "title": "Windows Defender Exclusions Added - Registry", - "id": 
"a982fc9c-6333-4ffb-a51d-addb04e8b529", - "status": "test", - "description": "Detects the Setting of Windows Defender Exclusions", - "author": "Christian Burkard (Nextron Systems)", + "title": "Add Port Monitor Persistence in Registry", + "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", + "status": "experimental", + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "author": "frack113", "tags": [ - "attack.defense_evasion", - "attack.t1562.001" + "attack.persistence", + "attack.t1547.010" ], "falsepositives": [ - "Administrator actions" + "Unknown" ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND Details LIKE '%.dll' ESCAPE '\\') AND (NOT ((Image LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND Details LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\' OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))))" ], "filename": "" }, 
@@ -47379,10 +47344,10 @@ "filename": "" }, { - "title": "Modification of Explorer Hidden Keys", + "title": "Displaying Hidden Files Feature Disabled", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", - "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "description": "Detects modifications to the \"Hidden\" and \"ShowSuperHidden\" explorer registry values in order to disable showing of hidden files and system files.\nThis technique is abused by several malware families to hide their files from normal users.\n", "author": "frack113", "tags": [ "attack.defense_evasion", 
@@ -47393,26 +47358,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details='DWORD (0x00000000)'))" - ], - "filename": "" - }, - { - "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "status": "test", - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "author": "Sittikorn S", - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "falsepositives": [ - "Unknown" - ], - "level": "medium", - "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND ((TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND Details='DWORD (0x00000000)'))" ], "filename": "" }, 
@@ -47570,10 +47516,10 @@ "filename": "" }, { - "title": "PortProxy Registry Key", + "title": "New PortProxy Registry Entry Added", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "description": "Detects the modification of the PortProxy registry key which is used for port forwarding.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", @@ -47587,7 +47533,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND TargetObject LIKE '%\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp\\\\%' ESCAPE '\\')" ], "filename": "" }, 
@@ -47606,7 +47552,7 @@ ], "level": "medium", "rule": [ - "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND (NOT ((Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))))" + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND ((EventID=12 OR EventID=13 OR EventID=14) AND ((TargetObject LIKE '%\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND (NOT ((Details LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND Details LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((Details LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR Details LIKE '%C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND Details LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))))" ], "filename": "" }, 
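Review bot: The Chrome and Edge exclusions on the new side of this rule now start with a `%` wildcard (`Details LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%'`) where the removed line anchored them at the quoted path start, so a StubPath value that merely contains that installer path anywhere in the string is now excluded from the alert. The same leading `%C:` form appears on the new side of the other rules in this chunk, so it reads as a converter convention rather than a per-rule choice; if it exists to tolerate the surrounding double quote, anchoring on the quote (`Details LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%'`) keeps the exclusion as narrow as before. Worth confirming against the generator before the rulesets are regenerated again.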
@@ -48136,6 +48082,26 @@ ], "filename": "" }, + { + "title": "Files With System Process Name In Unsuspected Locations", + "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "status": "test", + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).\nIt is highly recommended to perform an initial baseline before using this rule in production.\n", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], + "falsepositives": [ + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND ((TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE 
'%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE 
'\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND (NOT ((TargetFilename LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\$WinREAgent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\') OR (Image LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR Image LIKE '%C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR (Image LIKE '%C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetFilename LIKE '%C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Program 
Files\\\\PowerShell\\\\7-preview\\\\pwsh.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND Image LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "TeamViewer Remote Session", "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", @@ -48230,6 +48196,26 @@ ], "filename": "" }, + { + "title": "EVTX Created In Uncommon Location", + "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "status": "experimental", + "description": "Detects the creation of new files with the \".evtx\" extension in non-common or non-standard location.\nThis could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.\nNote that backup software and legitimate administrator might perform similar actions during troubleshooting.\n", + "author": "D3F7A5105", + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "falsepositives": [ + "Administrator or backup activity", + "An unknown bug seems to trigger the Windows \"svchost\" process to drop EVTX files in the \"C:\\Windows\\Temp\" directory in the form \"_.evtx\". See https://superuser.com/questions/1371229/low-disk-space-after-filling-up-c-windows-temp-with-evtx-and-txt-files" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=11 AND (TargetFilename LIKE '%.evtx' ESCAPE '\\' AND (NOT (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\')))))" + ], + "filename": "" + }, { "title": "Potential Webshell Creation On Static Website", "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", 
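Review bot: The container exclusion in the new "EVTX Created In Uncommon Location" rule can never match: its second clause `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\'` has no trailing `%`, so it only accepts a path that ends in `Logs\`, while the selection requires the same field to end in `.evtx`. As written, every EVTX written under `C:\ProgramData\Microsoft\Windows\Containers\BaseImages\` will alert, which is exactly the noise that exclusion was meant to remove. The intended form is presumably `TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\'`; since this JSON appears to be generated from Sigma, the fix belongs in the source rule or the converter rather than in this file.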
@@ -49643,6 +49629,25 @@ ], "filename": "" }, + { + "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "status": "test", + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "author": "Sittikorn S", + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" + ], + "filename": "" + }, { "title": "Zimbra Collaboration Suite Email Server Unauthenticated RCE", "id": "dd218fb6-4d02-42dc-85f0-a0a376072efd", 
@@ -49743,6 +49748,45 @@ ], "filename": "" }, + { + "title": "Potential KamiKakaBot Activity - Lure Document Execution", + "id": "24474469-bd80-46cc-9e08-9fbe81bfaaca", + "status": "experimental", + "description": "Detects the execution of a Word document via the WinWord Start Menu shortcut.\nThis behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND (Image LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%.lnk ~%' ESCAPE '\\' AND CommandLine LIKE '%Start Menu\\\\Programs\\\\Word%' ESCAPE '\\') AND CommandLine LIKE '%.doc' ESCAPE '\\'))" + ], + "filename": "" + }, + { + "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation", + "id": "fe9e8ba9-4419-41e6-a574-bd9f7b3af961", + "status": "experimental", + "description": "Detects the creation of a schedule task that runs weekly and execute the \"shutdown /l /f\" command.\nThis behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", + "tags": [ + "attack.persistence", + "detection.emerging_threats" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=1 AND ((Image LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '%shutdown /l /f%' ESCAPE '\\' AND CommandLine LIKE '%WEEKLY%' ESCAPE '\\')) AND (NOT (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE 
'\\'))))" + ], + "filename": "" + }, { "title": "Exploit for CVE-2017-0261", "id": "864403a1-36c9-40a2-a982-4c9a45f7d833", 
@@ -50450,6 +50494,26 @@ ], "filename": "" }, + { + "title": "Service Binary in User Controlled Folder", + "id": "277dc340-0540-42e7-8efb-5ff460045e07", + "status": "experimental", + "description": "Detects the setting of the \"ImagePath\" value of a service registry key to a path controlled by a non-administrator user such as \"\\AppData\\\" or \"\\ProgramData\\\".\nAttackers often use such directories for staging purposes.\nThis rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation.\nNote that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.\n", + "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "detection.threat_hunting" + ], + "falsepositives": [ + "Unknown" + ], + "level": "medium", + "rule": [ + "SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=13 AND (((TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (Details LIKE '%:\\\\ProgramData\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR Details LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\Services\\\\WinDefend\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\MpKs%' ESCAPE '\\') AND Details LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND (NOT ((TargetObject LIKE '%\\\\Services\\\\ZoomCptService%' ESCAPE '\\' AND Details LIKE '%C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Services\\\\MBAMInstallerService%' ESCAPE '\\' AND (Details LIKE 
'%C:\\\\Users\\\\%' ESCAPE '\\' AND Details LIKE '%AppData\\\\Local\\\\Temp\\\\MBAMInstallerService.exe%' ESCAPE '\\'))))))"
+ ],
+ "filename": ""
+ },
 {
 "title": "Non-DLL Extension File Renamed With DLL Extension",
 "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1",
diff --git a/templates/exportForZircoGui.tmpl b/templates/exportForZircoGui.tmpl
index 2ecd5f9..a9e1686 100644
--- a/templates/exportForZircoGui.tmpl
+++ b/templates/exportForZircoGui.tmpl
@@ -228,7 +228,7 @@ var dictData = {};
 dictData["reconnaissance"] = ReconnaissanceData;
 dictData["resource_development"] = ResourceDevelopmentData;
 dictData["initial_access"] = InitialAccessData;
-dictData["execution"] = ExfiltrationData;
+dictData["execution"] = ExecutionData;
 dictData["persistence"] = PersistenceData;
 dictData["privilege_escalation"] = PrivilegeEscalationData;
 dictData["defense_evasion"] = DefenseEvasionData;
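Review bot: The one-token fix is right, but the pattern that let `ExfiltrationData` sit under the `execution` key — one assignment per tactic, each reading a differently named global — gives nothing a chance to catch the next slip, and the visible effect of such a slip is an analyst seeing exfiltration detections listed under the Execution tab. Declaring the map once as an object literal keyed by tactic (`"execution": ExecutionData,` directly above `"exfiltration": ExfiltrationData,`) puts key and value side by side so a mismatch stands out on review. The `dictData` statement run continues outside the hunk, and whether these `*Data` globals are produced by the template itself cannot be told from here.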