
Commit e6ca1a3

wikijm authored and github-actions[bot] committed
Apply automatic changes
1 parent 136d523 commit e6ca1a3

78 files changed

+78
-78
lines changed

S1PQ-rules-windows-image_load/image_load_clfs_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 29-12-2025 01:39:26):
2+
// Translated content (automatically translated on 30-12-2025 01:23:15):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\clfs.sys" and ((src.process.image.path contains ":\\Perflogs\\" or src.process.image.path contains ":\\Users\\Public\\" or src.process.image.path contains "\\Temporary Internet" or src.process.image.path contains "\\Windows\\Temp\\") or ((src.process.image.path contains ":\\Users\\" and src.process.image.path contains "\\Favorites\\") or (src.process.image.path contains ":\\Users\\" and src.process.image.path contains "\\Favourites\\") or (src.process.image.path contains ":\\Users\\" and src.process.image.path contains "\\Contacts\\") or (src.process.image.path contains ":\\Users\\" and src.process.image.path contains "\\Pictures\\")))))
44
```
55
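
Review bot: the only delta in this hunk (and in every sibling file in this commit) is the timestamp inside the `// Translated content` comment on line 2; the query on line 3 is byte-identical, so the commit rewrites 78 files without any functional change and a genuine logic edit would be buried in timestamp churn. Suggest the translation job compare the query body and skip the write when it is unchanged, or keep the translation timestamp out of the rule file. Separately, the block is fenced as ```sql while the content is an S1PQ query with `//` comments, so a neutral fence tag would avoid misleading highlighting.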

S1PQ-rules-windows-image_load/image_load_cmstp_load_dll_from_susp_location.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 29-12-2025 01:39:26):
2+
// Translated content (automatically translated on 30-12-2025 01:23:15):
33
event.type="Module Load" and (endpoint.os="windows" and (src.process.image.path contains "\\cmstp.exe" and (module.path contains "\\PerfLogs\\" or module.path contains "\\ProgramData\\" or module.path contains "\\Users\\" or module.path contains "\\Windows\\Temp\\" or module.path contains "C:\\Temp\\") and (module.path contains ".dll" or module.path contains ".ocx")))
44
```
55
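
Review bot: `module.path contains ".dll"` and `contains ".ocx"` on line 3 match the substring anywhere in the path rather than only at the end, so a directory component containing `.dll` would satisfy the clause as well as a real library file; if the translation target offers a suffix match, suggest using it for the extension check, and otherwise noting the limitation in a comment next to the query.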

S1PQ-rules-windows-image_load/image_load_dll_amsi_suspicious_process.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 29-12-2025 01:39:26):
2+
// Translated content (automatically translated on 30-12-2025 01:23:15):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\amsi.dll" and (src.process.image.path contains "\\ExtExport.exe" or src.process.image.path contains "\\odbcconf.exe" or src.process.image.path contains "\\rundll32.exe")))
44
```
55

S1PQ-rules-windows-image_load/image_load_dll_azure_microsoft_account_token_provider_dll_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 29-12-2025 01:39:26):
2+
// Translated content (automatically translated on 30-12-2025 01:23:15):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path="C:\\Windows\\System32\\MicrosoftAccountTokenProvider.dll" and (not ((src.process.image.path contains "C:\\Windows\\System32\\" or src.process.image.path contains "C:\\Windows\\SysWOW64\\") and src.process.image.path contains "\\BackgroundTaskHost.exe")) and (not (((src.process.image.path contains "C:\\Program Files\\Microsoft Visual Studio\\" or src.process.image.path contains "C:\\Program Files (x86)\\Microsoft Visual Studio\\") and src.process.image.path contains "\\IDE\\devenv.exe") or (src.process.image.path in ("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe","C:\\Program Files\\Internet Explorer\\iexplore.exe")) or (src.process.image.path contains "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\" or src.process.image.path contains "\\WindowsApps\\MicrosoftEdge.exe" or (src.process.image.path in ("C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe"))) or ((src.process.image.path contains "C:\\Program Files (x86)\\Microsoft\\EdgeCore\\" or src.process.image.path contains "C:\\Program Files\\Microsoft\\EdgeCore\\") and (src.process.image.path contains "\\msedge.exe" or src.process.image.path contains "\\msedgewebview2.exe")) or src.process.image.path contains "\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" or not (src.process.image.path matches "\.*")))))
44
```
55
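
Review bot: the final exclusion term `not (src.process.image.path matches "\.*")` on line 3 reads as a translation of a "source image path is null" condition, but as written the regex `\.*` matches zero or more literal dots, which any string satisfies if the match is unanchored, so whether this branch ever fires depends on how `matches` treats a missing field. Suggest confirming the escaping the translator emits for null checks and adding a one-line comment stating the intent, since the same construct recurs in the vss_ps, vssapi and vsstrace rules below.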

S1PQ-rules-windows-image_load/image_load_dll_pcre_dotnet_dll_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 29-12-2025 01:39:26):
2+
// Translated content (automatically translated on 30-12-2025 01:23:15):
33
event.type="Module Load" and (endpoint.os="windows" and module.path contains "\\AppData\\Local\\Temp\\ba9ea7344a4a5f591d6e5dc32a13494b\\")
44
```
55
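
Review bot: the query on line 3 keys entirely on the fixed folder name `ba9ea7344a4a5f591d6e5dc32a13494b` under `\AppData\Local\Temp\` with no module name or source process constraint, and the file carries no comment on where that name comes from. Suggest adding a short note on its origin (the file name points at the PCRE .NET package) so a future maintainer can judge whether the indicator is still valid when the translation is regenerated.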

S1PQ-rules-windows-image_load/image_load_dll_sdiageng_load_by_msdt.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 29-12-2025 01:39:26):
2+
// Translated content (automatically translated on 30-12-2025 01:23:15):
33
event.type="Module Load" and (endpoint.os="windows" and (src.process.image.path contains "\\msdt.exe" and module.path contains "\\sdiageng.dll"))
44
```
55

S1PQ-rules-windows-image_load/image_load_dll_tttracer_module_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 29-12-2025 01:39:26):
2+
// Translated content (automatically translated on 30-12-2025 01:23:15):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\ttdrecord.dll" or module.path contains "\\ttdwriter.dll" or module.path contains "\\ttdloader.dll"))
44
```
55

S1PQ-rules-windows-image_load/image_load_dll_vss_ps_susp_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 29-12-2025 01:39:26):
2+
// Translated content (automatically translated on 30-12-2025 01:23:15):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\vss_ps.dll" and (not ((src.process.image.path contains "C:\\Windows\\" and (src.process.image.path contains "\\clussvc.exe" or src.process.image.path contains "\\dismhost.exe" or src.process.image.path contains "\\dllhost.exe" or src.process.image.path contains "\\inetsrv\\appcmd.exe" or src.process.image.path contains "\\inetsrv\\iissetup.exe" or src.process.image.path contains "\\msiexec.exe" or src.process.image.path contains "\\rundll32.exe" or src.process.image.path contains "\\searchindexer.exe" or src.process.image.path contains "\\srtasks.exe" or src.process.image.path contains "\\svchost.exe" or src.process.image.path contains "\\System32\\SystemPropertiesAdvanced.exe" or src.process.image.path contains "\\taskhostw.exe" or src.process.image.path contains "\\thor.exe" or src.process.image.path contains "\\thor64.exe" or src.process.image.path contains "\\tiworker.exe" or src.process.image.path contains "\\vssvc.exe" or src.process.image.path contains "\\vssadmin.exe" or src.process.image.path contains "\\WmiPrvSE.exe" or src.process.image.path contains "\\wsmprovhost.exe")) or (src.process.cmdline contains "C:\\$WinREAgent\\Scratch\\" and src.process.cmdline contains "\\dismhost.exe {") or not (src.process.image.path matches "\.*"))) and (not (src.process.image.path contains "C:\\Program Files\\" or src.process.image.path contains "C:\\Program Files (x86)\\"))))
44
```
55
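
Review bot: the allowlist on line 3 now spans about twenty `src.process.image.path contains` terms plus a `src.process.cmdline` clause for `C:\$WinREAgent\Scratch\` and `\dismhost.exe {`, all emitted on one line, so any future change to a single exclusion will show up as a whole-line rewrite. Suggest the generator break the `or` terms across lines so reviewers can see which exclusion moved, which would also make the trailing `not (... "C:\\Program Files\\" ...)` group easier to distinguish from the first `not` group.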

S1PQ-rules-windows-image_load/image_load_dll_vssapi_susp_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 29-12-2025 01:39:26):
2+
// Translated content (automatically translated on 30-12-2025 01:23:15):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\vssapi.dll" and (not (((src.process.image.path in ("C:\\Windows\\explorer.exe","C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (src.process.image.path contains "C:\\Windows\\System32\\" or src.process.image.path contains "C:\\Windows\\SysWOW64\\" or src.process.image.path contains "C:\\Windows\\Temp\\{" or src.process.image.path contains "C:\\Windows\\WinSxS\\")) or (src.process.image.path contains "C:\\Program Files\\" or src.process.image.path contains "C:\\Program Files (x86)\\") or not (src.process.image.path matches "\.*"))) and (not (src.process.image.path contains "C:\\ProgramData\\Package Cache\\" or (src.process.image.path contains "\\temp\\is-" and src.process.image.path contains "\\avira_system_speedup.tmp")))))
44
```
55

S1PQ-rules-windows-image_load/image_load_dll_vsstrace_susp_load.md

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
```sql
2-
// Translated content (automatically translated on 29-12-2025 01:39:26):
2+
// Translated content (automatically translated on 30-12-2025 01:23:15):
33
event.type="Module Load" and (endpoint.os="windows" and (module.path contains "\\vsstrace.dll" and (not (((src.process.image.path in ("C:\\Windows\\explorer.exe","C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe")) or (src.process.image.path contains "C:\\Windows\\System32\\" or src.process.image.path contains "C:\\Windows\\SysWOW64\\" or src.process.image.path contains "C:\\Windows\\Temp\\{" or src.process.image.path contains "C:\\Windows\\WinSxS\\" or src.process.image.path contains "C:\\ProgramData\\Package Cache\\{")) or (src.process.image.path contains "C:\\Program Files\\" or src.process.image.path contains "C:\\Program Files (x86)\\") or not (src.process.image.path matches "\.*"))) and (not (src.process.image.path contains "C:\\$WinREAgent\\Scratch\\" or (src.process.image.path contains "\\temp\\is-" and src.process.image.path contains "\\avira_system_speedup.tmp")))))
44
```
55
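
Review bot: the handling of `C:\ProgramData\Package Cache\` differs between this rule and the vssapi rule above: here `"C:\\ProgramData\\Package Cache\\{"` sits inside the first exclusion group alongside the system paths, while in vssapi `"C:\\ProgramData\\Package Cache\\"` (no brace) sits in the second `not` group together with the `avira_system_speedup.tmp` case. If the divergence is intentional, a comment explaining it would help; otherwise suggest aligning the two so the exclusions stay in sync on the next regeneration.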
