Commit 4b0ae42

wikijm authored and github-actions[bot] committed
Apply automatic changes
1 parent e6746e3 commit 4b0ae42

78 files changed

+78
-78
lines changed


S1PQ-rules-windows-image_load/image_load_clfs_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 06-01-2026 01:24:49):
2+
// Translated content (automatically translated on 07-01-2026 01:25:05):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\clfs.sys" and ((src.process.image.path contains ":\\Perflogs\\" or src.process.image.path contains ":\\Users\\Public\\" or src.process.image.path contains "\\Temporary Internet" or src.process.image.path contains "\\Windows\\Temp\\") or ((src.process.image.path contains ":\\Users\\" and src.process.image.path contains "\\Favorites\\") or (src.process.image.path contains ":\\Users\\" and src.process.image.path contains "\\Favourites\\") or (src.process.image.path contains ":\\Users\\" and src.process.image.path contains "\\Contacts\\") or (src.process.image.path contains ":\\Users\\" and src.process.image.path contains "\\Pictures\\")))))
44
```
55
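
Review bot: the only change in this hunk, and in every one of the 78 files in this commit, is the timestamp inside the `// Translated content (automatically translated on ...)` comment; the query line itself is byte-for-byte identical before and after. Rewriting the timestamp on every translator run means each run touches every rule file, so the history no longer shows when a detection actually changed and reviewing a real rule update means wading through 77 no-op diffs. Consider writing the timestamp only when the translated query differs from the checked-in text, or keeping the translation date in one manifest file rather than in each rule. The date format is also ambiguous: `07-01-2026` is 7 January if DD-MM-YYYY was intended and 1 July if MM-DD-YYYY was, so an ISO 8601 value (e.g. `2026-01-07 01:25:05`) would remove the guesswork.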

S1PQ-rules-windows-image_load/image_load_cmstp_load_dll_from_susp_location.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 06-01-2026 01:24:49):
2+
// Translated content (automatically translated on 07-01-2026 01:25:05):
33
event.type="Module Load" and (endpoint.os="windows" and (src.process.image.path contains "\\cmstp.exe" and (module.path contains "\\PerfLogs\\" or module.path contains "\\ProgramData\\" or module.path contains "\\Users\\" or module.path contains "\\Windows\\Temp\\" or module.path contains "C:\\Temp\\") and (module.path contains ".dll" or module.path contains ".ocx")))
44
```
55
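
Review bot: in the location list, `C:\\Temp\\` is the only entry pinned to drive C:, while `\\PerfLogs\\`, `\\ProgramData\\`, `\\Users\\` and `\\Windows\\Temp\\` match on any drive. If the drive letter is not deliberate, dropping it keeps the list consistent; if it is deliberate (to avoid overlapping `\\Windows\\Temp\\` and the per-user `Temp` under `\\Users\\`, which are already covered), a comment saying so would stop the next reader from "fixing" it. Note also that `contains ".dll"` and `contains ".ocx"` are substring tests, not suffix tests, so the rule fires on any module path that merely contains those strings.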

S1PQ-rules-windows-image_load/image_load_dll_amsi_suspicious_process.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 06-01-2026 01:24:49):
2+
// Translated content (automatically translated on 07-01-2026 01:25:05):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\amsi.dll" and (src.process.image.path contains "\\ExtExport.exe" or src.process.image.path contains "\\odbcconf.exe" or src.process.image.path contains "\\rundll32.exe")))
44
```
55

S1PQ-rules-windows-image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 06-01-2026 01:24:49):
2+
// Translated content (automatically translated on 07-01-2026 01:25:05):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path="C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and (not ((src.process.image.path contains "C:\\Windows\\System32\\" or src.process.image.path contains "C:\\Windows\\SysWOW64\\") and src.process.image.path contains "\\BackgroundTaskHost.exe")) and (not (((src.process.image.path contains "C:\\Program Files\\Microsoft Visual Studio\\" or src.process.image.path contains "C:\\Program Files (x86)\\Microsoft Visual Studio\\") and src.process.image.path contains "\\IDE\\devenv.exe") or (src.process.image.path in ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe","C:\\Program Files\\Internet Explorer\\iexplore.exe")) or (src.process.image.path contains "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or src.process.image.path contains "\\WindowsApps\\MicrosoftEdge.exe" or (src.process.image.path in ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((src.process.image.path contains "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or src.process.image.path contains "C:\\Program Files\\Microsoft\\EdgeCore\\") and (src.process.image.path contains "\\msedge.exe" or src.process.image.path contains "\\msedgewebview2.exe")) or src.process.image.path contains "\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" or not (src.process.image.path matches "\.*")))))
44
```
55
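
Review bot: the last exclusion, `not (src.process.image.path matches "\.*")`, is opaque as written. `\.*` means zero or more literal dots, which every string (including the empty string) matches, so the negation is true only when the event carries no parent image path at all. If that is the intent (dropping events with a missing image path, as a null filter in the source rule would), a short comment saying so would keep the next reader from treating it as a typo for `.*`; if a real path pattern was meant, the expression needs fixing. The same clause appears in the vss_ps, vssapi and vsstrace rules in this commit, so whichever way it goes, it should be handled in the translator rather than per file.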

S1PQ-rules-windows-image_load/image_load_dll_pcre_dotnet_dll_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 06-01-2026 01:24:49):
2+
// Translated content (automatically translated on 07-01-2026 01:25:05):
33
event.type="Module Load" and (endpoint.os="windows" and module.path contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\")
44
```
55
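
Review bot: the sole discriminator in this rule is the fixed folder name `ba9ea7344a4a5f591d6e5dc32a13494b` under `\\AppData\\Local\\Temp\\`, and nothing in the file says what that value is or where it comes from. Since the translation comment is regenerated on every run anyway, it is the natural place to carry a pointer to the source rule, or a one-line note on the origin of the folder name, so a reviewer can confirm the value without reverse-engineering it.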

S1PQ-rules-windows-image_load/image_load_dll_sdiageng_load_by_msdt.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 06-01-2026 01:24:49):
2+
// Translated content (automatically translated on 07-01-2026 01:25:05):
33
event.type="Module Load" and (endpoint.os="windows" and (src.process.image.path contains "\\msdt.exe" and module.path contains "\\sdiageng.dll"))
44
```
55

S1PQ-rules-windows-image_load/image_load_dll_tttracer_module_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 06-01-2026 01:24:49):
2+
// Translated content (automatically translated on 07-01-2026 01:25:05):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\ttdrecord.dll" or module.path contains "\\ttdwriter.dll" or module.path contains "\\ttdloader.dll"))
44
```
55

S1PQ-rules-windows-image_load/image_load_dll_vss_ps_susp_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 06-01-2026 01:24:49):
2+
// Translated content (automatically translated on 07-01-2026 01:25:05):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\vss_ps.dll" and (not ((src.process.image.path contains "C:\\Windows\\" and (src.process.image.path contains "\\clussvc.exe" or src.process.image.path contains "\\dismhost.exe" or src.process.image.path contains "\\dllhost.exe" or src.process.image.path contains "\\inetsrv\\appcmd.exe" or src.process.image.path contains "\\inetsrv\\iissetup.exe" or src.process.image.path contains "\\msiexec.exe" or src.process.image.path contains "\\rundll32.exe" or src.process.image.path contains "\\searchindexer.exe" or src.process.image.path contains "\\srtasks.exe" or src.process.image.path contains "\\svchost.exe" or src.process.image.path contains "\\System32\\SystemPropertiesAdvanced.exe" or src.process.image.path contains "\\taskhostw.exe" or src.process.image.path contains "\\thor.exe" or src.process.image.path contains "\\thor64.exe" or src.process.image.path contains "\\tiworker.exe" or src.process.image.path contains "\\vssvc.exe" or src.process.image.path contains "\\vssadmin.exe" or src.process.image.path contains "\\WmiPrvSE.exe" or src.process.image.path contains "\\wsmprovhost.exe")) or (src.process.cmdline contains "C:\\$WinREAgent\\Scratch\\" and src.process.cmdline contains "\\dismhost.exe {") or not (src.process.image.path matches "\.*"))) and (not (src.process.image.path contains "C:\\Program Files\\" or src.process.image.path contains "C:\\Program Files (x86)\\"))))
44
```
55

S1PQ-rules-windows-image_load/image_load_dll_vssapi_susp_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 06-01-2026 01:24:49):
2+
// Translated content (automatically translated on 07-01-2026 01:25:05):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\vssapi.dll" and (not (((src.process.image.path in ("C:\\Windows\\explorer.exe","C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (src.process.image.path contains "C:\\Windows\\System32\\" or src.process.image.path contains "C:\\Windows\\SysWOW64\\" or src.process.image.path contains "C:\\Windows\\Temp\\{" or src.process.image.path contains "C:\\Windows\\WinSxS\\")) or (src.process.image.path contains "C:\\Program Files\\" or src.process.image.path contains "C:\\Program Files (x86)\\") or not (src.process.image.path matches "\.*"))) and (not (src.process.image.path contains "C:\\ProgramData\\Package Cache\\" or (src.process.image.path contains "\\temp\\is-" and src.process.image.path contains "\\avira_system_speedup.tmp")))))
44
```
55

S1PQ-rules-windows-image_load/image_load_dll_vsstrace_susp_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 06-01-2026 01:24:49):
2+
// Translated content (automatically translated on 07-01-2026 01:25:05):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\vsstrace.dll" and (not (((src.process.image.path in ("C:\\Windows\\explorer.exe","C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (src.process.image.path contains "C:\\Windows\\System32\\" or src.process.image.path contains "C:\\Windows\\SysWOW64\\" or src.process.image.path contains "C:\\Windows\\Temp\\{" or src.process.image.path contains "C:\\Windows\\WinSxS\\" or src.process.image.path contains "C:\\ProgramData\\Package Cache\\{")) or (src.process.image.path contains "C:\\Program Files\\" or src.process.image.path contains "C:\\Program Files (x86)\\") or not (src.process.image.path matches "\.*"))) and (not (src.process.image.path contains "C:\\$WinREAgent\\Scratch\\" or (src.process.image.path contains "\\temp\\is-" and src.process.image.path contains "\\avira_system_speedup.tmp")))))
44
```
55
