From c20c39865c25e395191b2de70fa17a420d19b699 Mon Sep 17 00:00:00 2001
From: Jan Starke <jan.starke@posteo.de>
Date: Mon, 5 Feb 2024 21:46:56 +0100
Subject: [PATCH 1/4] add pf2bodyfile

---
 Cargo.lock                               |  71 ++++++-
 Cargo.toml                               |  13 +-
 src/bin/pf2bodyfile/cli.rs               |  25 +++
 src/bin/pf2bodyfile/main.rs              |  38 ++++
 src/lib.rs                               |   1 +
 src/scca/access_flags.rs                 |   5 +
 src/scca/check_file_signature.rs         | 101 ++++++++++
 src/scca/error.rs                        |  79 ++++++++
 src/scca/file.rs                         | 242 +++++++++++++++++++++++
 src/scca/get_version.rs                  |  23 +++
 src/scca/mod.rs                          |  14 ++
 src/scca/read_string.rs                  | 109 ++++++++++
 tests/data/scca/DLLHOST.EXE-766398D2.pf  | Bin 0 -> 29700 bytes
 tests/data/scca/RUNDLL32.EXE-411A328D.pf | Bin 0 -> 64266 bytes
 tests/data/scca/WMIADAP.EXE-F8DFDFA2.pf  | Bin 0 -> 18810 bytes
 tests/data/scca/WMIPRVSE.EXE-1628051C.pf | Bin 0 -> 35022 bytes
 tests/data/scca/WUAUCLT.EXE-70318591.pf  | Bin 0 -> 50736 bytes
 17 files changed, 719 insertions(+), 2 deletions(-)
 create mode 100644 src/bin/pf2bodyfile/cli.rs
 create mode 100644 src/bin/pf2bodyfile/main.rs
 create mode 100644 src/scca/access_flags.rs
 create mode 100644 src/scca/check_file_signature.rs
 create mode 100644 src/scca/error.rs
 create mode 100644 src/scca/file.rs
 create mode 100644 src/scca/get_version.rs
 create mode 100644 src/scca/mod.rs
 create mode 100644 src/scca/read_string.rs
 create mode 100755 tests/data/scca/DLLHOST.EXE-766398D2.pf
 create mode 100755 tests/data/scca/RUNDLL32.EXE-411A328D.pf
 create mode 100755 tests/data/scca/WMIADAP.EXE-F8DFDFA2.pf
 create mode 100755 tests/data/scca/WMIPRVSE.EXE-1628051C.pf
 create mode 100755 tests/data/scca/WUAUCLT.EXE-70318591.pf

diff --git a/Cargo.lock b/Cargo.lock
index 75ebced..0b4bdca 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -732,12 +732,14 @@ dependencies = [
  "getset",
  "indicatif",
  "lazy-regex",
+ "libc",
  "lnk",
  "log",
  "matches",
  "more-asserts",
  "nt_hive2",
- "num-derive 0.3.3",
+ "num",
+ "num-derive 0.4.0",
  "num-traits",
  "ouroboros",
  "phf",
@@ -1636,6 +1638,40 @@ dependencies = [
  "winstructs",
 ]
 
+[[package]]
+name = "num"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b05180d69e3da0e530ba2a1dae5110317e49e3b7f3d41be227dc5f92e49ee7af"
+dependencies = [
+ "num-bigint",
+ "num-complex",
+ "num-integer",
+ "num-iter",
+ "num-rational",
+ "num-traits",
+]
+
+[[package]]
+name = "num-bigint"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0"
+dependencies = [
+ "autocfg",
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-complex"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ba157ca0885411de85d6ca030ba7e2a83a28636056c7c699b07c8b6f7383214"
+dependencies = [
+ "num-traits",
+]
+
 [[package]]
 name = "num-derive"
 version = "0.3.3"
@@ -1658,6 +1694,39 @@ dependencies = [
  "syn 2.0.37",
 ]
 
+[[package]]
+name = "num-integer"
+version = "0.1.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+dependencies = [
+ "autocfg",
+ "num-traits",
+]
+
+[[package]]
+name = "num-iter"
+version = "0.1.43"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d03e6c028c5dc5cac6e2dec0efda81fc887605bb3d884578bb6d6bf7514e252"
+dependencies = [
+ "autocfg",
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-rational"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0"
+dependencies = [
+ "autocfg",
+ "num-bigint",
+ "num-integer",
+ "num-traits",
+]
+
 [[package]]
 name = "num-traits"
 version = "0.2.16"
diff --git a/Cargo.toml b/Cargo.toml
index 32f34b7..67bb835 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -77,9 +77,15 @@ name = "lnk2bodyfile"
 path = "src/bin/lnk2bodyfile/main.rs"
 required-features = ["lnk2bodyfile"]
 
+
+[[bin]]
+name = "pf2bodyfile"
+path = "src/bin/pf2bodyfile/main.rs"
+required-features = ["pf2bodyfile"]
+
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [features]
-default = ["pol_export", "mactime2", "evtxtools", "regdump", "hivescan", "cleanhive", "ipgrep", "ts2date", "lnk2bodyfile"]
+default = ["pol_export", "mactime2", "evtxtools", "regdump", "hivescan", "cleanhive", "ipgrep", "ts2date", "lnk2bodyfile", "pf2bodyfile"]
 mactime2 = ["gzip", "elastic", "chrono-tz", "thiserror", "bitflags", "encoding_rs_io"]
 gzip = ["flate2"]
 elastic = ["elasticsearch", "tokio", "futures", "serde_json", "sha2", "base64", "num-traits", "num-derive", "strum", "strum_macros", "tokio-async-drop"]
@@ -93,6 +99,7 @@ evtx2bodyfile = ["evtx", "getset", "ouroboros", "indicatif"]
 ipgrep = []
 ts2date = ["regex"]
 lnk2bodyfile = ["lnk"]
+pf2bodyfile = ["num", "libc"]
 
 regdump = ["nt_hive2"]
 hivescan = ["nt_hive2"]
@@ -165,6 +172,10 @@ nt_hive2 = {version="4.0.1", optional=true}
 # lnk2bodyfile
 lnk = {version="0.5.1", optional=true}
 
+# pf2bodyfile
+libc = {version="0.2", optional=true}
+num = {version="0", optional=true}
+
 [dev-dependencies]
 
 # mactime2
diff --git a/src/bin/pf2bodyfile/cli.rs b/src/bin/pf2bodyfile/cli.rs
new file mode 100644
index 0000000..269177d
--- /dev/null
+++ b/src/bin/pf2bodyfile/cli.rs
@@ -0,0 +1,25 @@
+use clap::Parser;
+use clap::ValueHint;
+use clio::Input;
+use dfir_toolkit::common::HasVerboseFlag;
+use getset::Getters;
+use log::LevelFilter;
+
+/// creates bodyfile from Windows Prefetch files
+#[derive(Parser, Getters)]
+#[clap(name=env!("CARGO_BIN_NAME"), author, version)]
+#[getset(get = "pub (crate)")]
+pub(crate) struct Cli {
+    /// names of the prefetch files (commonly files with 'pf' extension in 'C:\Windows\Prefetch')
+    #[clap(value_hint=ValueHint::FilePath)]
+    prefetch_files: Vec<Input>,
+
+    #[clap(flatten)]
+    verbose: clap_verbosity_flag::Verbosity,
+}
+
+impl HasVerboseFlag for Cli {
+    fn log_level_filter(&self) -> LevelFilter {
+        self.verbose.log_level_filter()
+    }
+}
diff --git a/src/bin/pf2bodyfile/main.rs b/src/bin/pf2bodyfile/main.rs
new file mode 100644
index 0000000..93f9877
--- /dev/null
+++ b/src/bin/pf2bodyfile/main.rs
@@ -0,0 +1,38 @@
+mod cli;
+use cli::Cli;
+use dfir_toolkit::common::bodyfile::Bodyfile3Line;
+use dfir_toolkit::common::FancyParser;
+use dfir_toolkit::scca::File;
+
+fn main() -> anyhow::Result<()> {
+    let cli = Cli::parse_cli();
+
+    if cli.prefetch_files().iter().any(|f| !f.can_seek()) {
+        anyhow::bail!(
+            "{} cannot read from a stream; you must specify a file",
+            env!("CARGO_BIN_NAME")
+        );
+    }
+
+    if cli.prefetch_files().iter().any(|f| ! f.path().is_file()) {
+        anyhow::bail!(
+            "{} you must specify a file",
+            env!("CARGO_BIN_NAME")
+        );
+    }
+
+    for input in cli.prefetch_files().iter() {
+        let path = input.path().as_os_str().to_string_lossy();
+        let pf_file = input.path().file_name().unwrap().to_string_lossy();
+        let file = File::open(&path)?;
+        let executable = file.utf8_executable_filename()?;
+        let run_count = file.run_count()?;
+        for time in file.last_run_times()? {
+            let bf_line = Bodyfile3Line::new()
+                .with_owned_name(format!("Prefetch: '{executable}' (run {run_count} times, read from '{pf_file}')"))
+                .with_atime(time.into());
+            println!("{bf_line}");
+        }
+    }
+    Ok(())
+}
\ No newline at end of file
diff --git a/src/lib.rs b/src/lib.rs
index 7576a65..d13cb0a 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,6 +1,7 @@
 pub mod registry;
 pub mod common;
 pub mod evtx;
+pub mod scca;
 
 #[cfg(feature="elastic")]
 pub mod es4forensics;
\ No newline at end of file
diff --git a/src/scca/access_flags.rs b/src/scca/access_flags.rs
new file mode 100644
index 0000000..e1f78ca
--- /dev/null
+++ b/src/scca/access_flags.rs
@@ -0,0 +1,5 @@
+
+pub enum AccessFlags {
+    AccessRead = 0x01,
+    AccessWrite = 0x02,
+}
\ No newline at end of file
diff --git a/src/scca/check_file_signature.rs b/src/scca/check_file_signature.rs
new file mode 100644
index 0000000..837a013
--- /dev/null
+++ b/src/scca/check_file_signature.rs
@@ -0,0 +1,101 @@
+use std::{
+    ffi::{c_char, CString},
+    os::raw::c_int,
+    ptr,
+};
+
+//use libc::wchar_t;
+
+use crate::scca::{libscca_error_t, Error};
+
+#[link(name = "scca")]
+extern "C" {
+    fn libscca_check_file_signature(
+        filename: *const c_char,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+
+    /*
+    fn libscca_check_file_signature_wide(
+        filename: *const wchar_t,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+     */
+}
+
+/// Determines if a file contains a SCCA file signature
+///
+pub fn has_file_signature(filename: &str) -> Result<bool, Error> {
+    if filename.is_ascii() {
+        let c_filename = CString::new(filename).expect("unable to create CString");
+        unsafe {
+            let mut error = ptr::null();
+            match libscca_check_file_signature(c_filename.as_ptr(), &mut error) {
+                1 => Ok(true),
+                0 => Ok(false),
+                -1 => Err(Error::from(error)),
+                _ => unimplemented!(),
+            }
+        }
+    } else {
+        /*
+        let mut encoded: Vec<_> = filename.encode_utf16().map(i32::from).collect();
+        encoded.push(0);
+        unsafe {
+            let mut error = ptr::null();
+            match libscca_check_file_signature_wide(encoded.as_ptr(), &mut error) {
+                1 => Ok(true),
+                0 => Ok(false),
+                -1 => Err(Error::from(error)),
+                _ => unimplemented!(),
+            }
+        }
+         */
+        unimplemented!()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::path::PathBuf;
+
+    use crate::scca::has_file_signature;
+
+    #[test]
+    fn test_missing_file() {
+        let res = has_file_signature("invalid_file_name");
+        assert!(res.is_err());
+        let error = res.unwrap_err();
+        assert_eq!("libscca_check_file_signature: unable to check file signature using a file handle.", error.to_string());
+    }
+
+    #[test]
+    fn test_rundll32() {
+        let mut d = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+        d.push("tests");
+        d.push("data");
+        d.push("scca");
+        d.push("RUNDLL32.EXE-411A328D.pf");
+        assert!(d.exists());
+        let filename = d.to_string_lossy().to_string();
+        
+        let res = has_file_signature(&filename).unwrap();
+        assert!(res);
+    }
+
+    /*
+    #[test]
+    fn test_rundll32_äöü() {
+        let mut d = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+        d.push("tests");
+        d.push("data");
+        d.push("2020JimmyWilson");
+        d.push("RUNDLL32-ÄÖÜ.EXE-411A328D.pf");
+        assert!(d.exists());
+        let filename = d.to_string_lossy().to_string();
+        
+        let res = has_file_signature(&filename).unwrap();
+        assert!(res);
+    }
+     */
+}
diff --git a/src/scca/error.rs b/src/scca/error.rs
new file mode 100644
index 0000000..55ded81
--- /dev/null
+++ b/src/scca/error.rs
@@ -0,0 +1,79 @@
+#![allow(non_camel_case_types)]
+use std::{
+    ffi::{c_char, CStr},
+    fmt::Display,
+    marker::PhantomData,
+    os::raw::c_int,
+};
+
+use libc::size_t;
+
+#[link(name = "scca")]
+extern "C" {
+    /// Frees an error
+    fn libscca_error_free(error: *const *const libscca_error_t);
+
+    /// Prints a descriptive string of the error to the string
+    /// The end-of-string character is not included in the return value
+    /// Returns the number of printed characters if successful or -1 on error
+    fn libscca_error_sprint(
+        error: *const libscca_error_t,
+        string: *mut c_char,
+        size: size_t,
+    ) -> c_int;
+}
+
+pub type libscca_error_t = *const c_int;
+
+pub struct Error<'a> {
+    error: *const libscca_error_t,
+    phantom: PhantomData<&'a ()>,
+}
+
+impl<'a> From<*const libscca_error_t> for Error<'a> {
+    fn from(error: *const libscca_error_t) -> Self {
+        Self {
+            error,
+            phantom: PhantomData,
+        }
+    }
+}
+
+impl<'a> Drop for Error<'a> {
+    fn drop(&mut self) {
+        unsafe { libscca_error_free(&self.error) }
+    }
+}
+
+impl<'a> Display for Error<'a> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        const BUFFER_SIZE: usize = 1024;
+        let mut buffer = vec![0; BUFFER_SIZE];
+
+        unsafe {
+            libscca_error_sprint(self.error, buffer.as_mut_ptr(), BUFFER_SIZE);
+            buffer[BUFFER_SIZE - 1] = 0;
+            CStr::from_ptr(buffer.as_ptr()).to_string_lossy().fmt(f)
+        }
+    }
+}
+
+
+impl<'a> std::fmt::Debug for Error<'a> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        const BUFFER_SIZE: usize = 1024;
+        let mut buffer = vec![0; BUFFER_SIZE];
+
+        unsafe {
+            libscca_error_sprint(self.error, buffer.as_mut_ptr(), BUFFER_SIZE);
+            buffer[BUFFER_SIZE - 1] = 0;
+            std::fmt::Display::fmt(&CStr::from_ptr(buffer.as_ptr()).to_string_lossy(), f)
+        }
+    }
+}
+
+impl<'a> From<Error<'a>> for anyhow::Error {
+    fn from(value: Error<'a>) -> Self {
+        anyhow::anyhow!("{value}")
+    }
+}
\ No newline at end of file
diff --git a/src/scca/file.rs b/src/scca/file.rs
new file mode 100644
index 0000000..baa0909
--- /dev/null
+++ b/src/scca/file.rs
@@ -0,0 +1,242 @@
+use std::{
+    ffi::{c_int, CString},
+    marker::PhantomData,
+    ptr,
+};
+
+use chrono::{DateTime, Utc};
+use libc::{c_char, size_t};
+use winstructs::timestamp::WinTimestamp;
+
+use crate::scca::read_string::ReadString;
+use crate::scca::{libscca_error_t, AccessFlags};
+
+#[allow(non_camel_case_types)]
+pub type libscca_file_t = *const c_int;
+
+#[link(name = "scca")]
+extern "C" {
+    /// Creates a file
+    fn libscca_file_initialize(
+        file: *mut *const libscca_file_t,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+
+    /// Frees a file
+    fn libscca_file_free(
+        file: *mut *const libscca_file_t,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+
+    /// Opens a file
+    fn libscca_file_open(
+        file: *mut libscca_file_t,
+        filename: *const c_char,
+        access_flags: c_int,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+
+    /// Closes a file
+    fn libscca_file_close(file: *mut libscca_file_t, error: *mut *const libscca_error_t) -> c_int;
+
+    fn libscca_file_get_format_version(
+        file: *const libscca_file_t,
+        format_version: *mut u32,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+
+    fn libscca_file_get_utf8_executable_filename_size(
+        file: *const libscca_file_t,
+        utf8_string_size: *mut size_t,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+
+    fn libscca_file_get_utf8_executable_filename(
+        file: *const libscca_file_t,
+        utf8_string: *mut u8,
+        utf8_string_size: size_t,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+
+    fn libscca_file_get_utf16_executable_filename_size(
+        file: *const libscca_file_t,
+        utf16_string_size: *mut size_t,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+
+    fn libscca_file_get_utf16_executable_filename(
+        file: *const libscca_file_t,
+        utf16_string: *mut u16,
+        utf16_string_size: size_t,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+
+    fn libscca_file_get_last_run_time(
+        file: *const libscca_file_t,
+        last_run_time_index: c_int,
+        filetime: *mut u64,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+
+    fn libscca_file_get_run_count(
+        file: *const libscca_file_t,
+        run_count: *mut u32,
+        error: *mut *const libscca_error_t,
+    ) -> c_int;
+}
+
+pub struct File<'f> {
+    file: *const libscca_file_t,
+    phantom: PhantomData<&'f ()>,
+}
+
+impl<'f> File<'f> {
+    /// Opens a prefetch file
+    pub fn open(filename: &str) -> Result<Self, crate::scca::Error> {
+        let mut file = ptr::null();
+        let mut error = ptr::null();
+        unsafe {
+            if 1 != libscca_file_initialize(&mut file, &mut error) {
+                return Err(error.into());
+            }
+
+            let c_filename = CString::new(filename).expect("unable to create CString");
+
+            error = ptr::null();
+            if 1 != libscca_file_open(
+                file.cast_mut(),
+                c_filename.as_ptr(),
+                AccessFlags::AccessRead as c_int,
+                &mut error,
+            ) {
+                return Err(error.into());
+            }
+        }
+
+        Ok(Self {
+            file,
+            phantom: PhantomData,
+        })
+    }
+
+    pub(crate) fn file(&self) -> *const libscca_file_t {
+        self.file
+    }
+
+    /// Retrieves the format version
+    pub fn format_version(&self) -> Result<u32, crate::scca::Error> {
+        unsafe {
+            let mut error = ptr::null();
+            let mut version = 0;
+            if 1 != libscca_file_get_format_version(self.file, &mut version, &mut error) {
+                return Err(error.into());
+            }
+            Ok(version)
+        }
+    }
+
+    /// Retrieves the run count
+    pub fn run_count(&self) -> Result<u32, crate::scca::Error> {
+        unsafe {
+            let mut error = ptr::null();
+            let mut count = 0;
+            if 1 != libscca_file_get_run_count(self.file, &mut count, &mut error) {
+                return Err(error.into());
+            }
+            Ok(count)
+        }
+    }
+
+    /// Retrieves a specific last run time
+    ///
+    /// The timestamp is a 64-bit FILETIME date and time value
+    ///
+    /// Files of format version 23 and earlier contain a single last run time
+    ///
+    /// Files of format version 26 and later contain up to 8 last run time
+    pub fn last_run_times(&self) -> Result<Vec<DateTime<Utc>>, crate::scca::Error> {
+        let max_run_counts = if self.format_version()? < 26 { 1 } else { 8 };
+
+        let mut times = Vec::new();
+        for index in 0..max_run_counts {
+            let time = unsafe {
+                let mut error = ptr::null();
+                let mut filetime = 0;
+                if 1 != libscca_file_get_last_run_time(self.file, index, &mut filetime, &mut error)
+                {
+                    //return Err(error.into());
+                    break;
+                }
+                filetime
+            };
+            if time != 0 {
+                times.push(
+                    WinTimestamp::new(&time.to_le_bytes())
+                        .unwrap()
+                        .to_datetime(),
+                );
+            }
+        }
+        Ok(times)
+    }
+
+    /// Retrieves a specific UTF-8 encoded executable filename
+    pub fn utf8_executable_filename(&self) -> Result<String, crate::scca::Error> {
+        self.read_string(
+            libscca_file_get_utf8_executable_filename_size,
+            libscca_file_get_utf8_executable_filename,
+        )
+    }
+
+    /// Retrieves a specific UTF-16 encoded executable filename
+    pub fn utf16_executable_filename(&self) -> Result<String, crate::scca::Error> {
+        self.read_string(
+            libscca_file_get_utf16_executable_filename_size,
+            libscca_file_get_utf16_executable_filename,
+        )
+    }
+}
+
+impl<'f> Drop for File<'f> {
+    fn drop(&mut self) {
+        unsafe {
+            let mut error = ptr::null();
+            if 1 != libscca_file_close(self.file.cast_mut(), &mut error) {
+                log::info!("{}", crate::scca::Error::from(error));
+            }
+
+            error = ptr::null();
+            if 1 != libscca_file_free(&mut self.file, &mut error) {
+                panic!("{}", crate::scca::Error::from(error));
+            }
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::path::PathBuf;
+
+    use chrono::{DateTime, Utc};
+
+    use crate::scca::File;
+
+    #[test]
+    fn test_open_file() {
+        let mut d = PathBuf::from(env!("CARGO_MANIFEST_DIR"));
+        d.push("tests");
+        d.push("data");
+        d.push("scca");
+        d.push("RUNDLL32.EXE-411A328D.pf");
+        assert!(d.exists());
+        let filename = d.to_string_lossy().to_string();
+
+        let file = File::open(&filename).unwrap();
+        assert_eq!(file.format_version().unwrap(), 23);
+        assert_eq!(file.utf8_executable_filename().unwrap(), "RUNDLL32.EXE");
+        assert_eq!(file.utf16_executable_filename().unwrap(), "RUNDLL32.EXE");
+        for time in file.last_run_times().unwrap() {
+            assert_ne!(time, DateTime::<Utc>::default());
+        }
+    }
+}
diff --git a/src/scca/get_version.rs b/src/scca/get_version.rs
new file mode 100644
index 0000000..7d9616a
--- /dev/null
+++ b/src/scca/get_version.rs
@@ -0,0 +1,23 @@
+use std::ffi::{c_char, CStr};
+
+#[link(name = "scca")]
+extern "C" {
+    fn libscca_get_version() -> *const c_char;
+}
+
+pub fn get_version() -> String {
+    unsafe {
+        let slice = CStr::from_ptr(libscca_get_version());
+        slice.to_str().unwrap().to_string()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::scca::get_version;
+
+    #[test]
+    fn test_get_version() {
+        assert!(get_version().starts_with("20"));
+    }
+}
diff --git a/src/scca/mod.rs b/src/scca/mod.rs
new file mode 100644
index 0000000..b7001f2
--- /dev/null
+++ b/src/scca/mod.rs
@@ -0,0 +1,14 @@
+mod error;
+mod access_flags;
+mod read_string;
+pub use error::*;
+pub use access_flags::*;
+
+mod get_version;
+pub use get_version::*;
+
+mod check_file_signature;
+pub use check_file_signature::*;
+
+mod file;
+pub use file::*;
\ No newline at end of file
diff --git a/src/scca/read_string.rs b/src/scca/read_string.rs
new file mode 100644
index 0000000..f774076
--- /dev/null
+++ b/src/scca/read_string.rs
@@ -0,0 +1,109 @@
+use std::{ffi::c_int, ptr};
+
+use libc::size_t;
+use num::Zero;
+
+use crate::scca::{libscca_error_t, libscca_file_t, File};
+
+
+pub (crate) trait CharacterType: Zero + Clone + Eq + PartialEq {}
+impl CharacterType for u8 {}
+impl CharacterType for u16 {}
+pub (crate) trait ReadString<T: CharacterType> {
+    fn read_string_with_conversion(
+        &self,
+        read_size: unsafe extern "C" fn(
+            file: *const libscca_file_t,
+            string_size: *mut size_t,
+            error: *mut *const libscca_error_t,
+        ) -> c_int,
+        read_value: unsafe extern "C"  fn(
+            file: *const libscca_file_t,
+            value: *mut T,
+            string_size: size_t,
+            error: *mut *const libscca_error_t,
+        ) -> c_int,
+        file: *const libscca_file_t,
+        conversion: fn(&[T]) -> String,
+    ) -> Result<String, crate::scca::Error> {
+        let string_size = unsafe {
+            let mut error = ptr::null();
+            let mut string_size = 0;
+            if 1 != read_size(file, &mut string_size, &mut error) {
+                return Err(error.into());
+            }
+            string_size
+        };
+
+        let mut buffer = unsafe {
+            let mut buffer: Vec<T> = vec![T::zero(); string_size];
+            let mut error = ptr::null();
+            if 1 != read_value(file, buffer.as_mut_ptr(), string_size, &mut error) {
+                return Err(error.into());
+            }
+            buffer
+        };
+
+        assert!(buffer.last().unwrap().is_zero());
+        buffer.pop().unwrap();
+
+        Ok(conversion(&buffer[..]))
+    }
+
+    fn read_string(
+        &self,
+        read_size: unsafe extern "C" fn(
+            file: *const libscca_file_t,
+            string_size: *mut size_t,
+            error: *mut *const libscca_error_t,
+        ) -> c_int,
+        read_value: unsafe extern "C" fn(
+            file: *const libscca_file_t,
+            value: *mut T,
+            string_size: size_t,
+            error: *mut *const libscca_error_t,
+        ) -> c_int,
+    ) -> Result<String, crate::scca::Error>;
+}
+
+impl<'f> ReadString<u8> for File<'f> {
+    fn read_string(
+        &self,
+        read_size: unsafe extern "C" fn(
+            file: *const libscca_file_t,
+            string_size: *mut size_t,
+            error: *mut *const libscca_error_t,
+        ) -> c_int,
+        read_value: unsafe extern "C" fn(
+            file: *const libscca_file_t,
+            value: *mut u8,
+            string_size: size_t,
+            error: *mut *const libscca_error_t,
+        ) -> c_int,
+    ) -> Result<String, crate::scca::Error> {
+        self.read_string_with_conversion(read_size, read_value, self.file(), |s| {
+            String::from_utf8_lossy(s).to_string()
+        })
+    }
+}
+
+impl<'f> ReadString<u16> for File<'f> {
+    fn read_string(
+        &self,
+        read_size: unsafe extern "C" fn(
+            file: *const libscca_file_t,
+            string_size: *mut size_t,
+            error: *mut *const libscca_error_t,
+        ) -> c_int,
+        read_value: unsafe extern "C" fn(
+            file: *const libscca_file_t,
+            value: *mut u16,
+            string_size: size_t,
+            error: *mut *const libscca_error_t,
+        ) -> c_int,
+    ) -> Result<String, crate::scca::Error> {
+        self.read_string_with_conversion(read_size, read_value, self.file(), |s| {
+            String::from_utf16(s).expect("unable to convert from UTF-16")
+        })
+    }
+}
diff --git a/tests/data/scca/DLLHOST.EXE-766398D2.pf b/tests/data/scca/DLLHOST.EXE-766398D2.pf
new file mode 100755
index 0000000000000000000000000000000000000000..a2a50b66dac7ccb8838e322c396b314873e53b65
GIT binary patch
literal 29700
zcmdtr4SZMg|NrsxS)bM_7gJ#hpDAg&vaU1{>v~;Jty(Fq%g^L$5>1MUGAT{M<Z2R4
z!X!*CnuN(klQ6lOgh@1nmH7M~uXCQ~Tk8A${lC8Kd;8t~$L)CCKkxVZbI$v`&-=X3
z`*S{PJKAxap*?zZJAxRT<~Ti_0sNQZ40eV(X--?Gmy^!AZ|Mkg_CzB4Qas%>?$M}C
z`4cX;S5>SnSreljCy%u%&2d^cbe#B1#|e<Wt-j+NNi@%2{aXK&wi^S^{JDL2NrD&8
zhL&Fw%av@@R$JQJ|Dqh{feE&^pqp;TXzOIwPOO%n9c}qh&SU)FWa}o@(^xJ4q$n@H
zh?llaTYHn#nP~Y}>-}4KnV|J4@;i9hPOtHRt=1#07P9qt-e>i&_un_x5O5A9zd5os
zmvno-<#*WSp*{JpKwGOw_m6MnM9U92)#Tf`wskl=@$;vBZTUf`F7Js)wmwI`zx|G3
z5_tc~<a0{h^~50O*pf+G6lBBT6kHG4I+uKZ`(5?^)5!PRe+T*g_7AJ=y?-_Nhx1-r
z(`tL~k0R}aaU`(+mv9WSb&c|E|6h#v@?YOCKc0%({z-CjCVBbq@S-lXbuRg*S~6+h
zk1+(Ck8muqbr<=5``@qp9ppD7&(?G6?CT$e>OY6mW`6xQkng|$HSPcS{qj3<5Pttk
z`-u&*|2E_|K(-c;@4tVy_J0=nc5T>NkArag4|STY?dOpnBG1;T<o6<y?fl-G|FQkY
z$oJdtck+`gnF3eo{ZEtc_m3=2qJMsNE5DTdV|k0M<>W8Y`-@KT&fhljk0Q<1-?`5H
z`q!Oo1q03=^8NmidC0!})6_qL^a+~XT{rEQzip!T{(9v5?R&<d`|7ty^*cs=%Idw0
ze1HFAT6y&wK)%2K!w%b*-&NZmPQJhY?EUgvW_tS{O}_OVTet3)|4W9KKZ$&6Z(9dY
zQEMj-`5#M|{GGhAbuRhch*s8LhS%QL|LV~Rt=aa^pG^K|q}f_dey;=a`%roR{7&RV
zPB<WcF!`sDW@~FYS-%7FuOi>?f9rtXetmR)tQDKudjin`t5+A-k%%3myRASZ!XY}N
z-1O-Ys_RU39S*T+XNK!YgiFJj=Q=iG^<Ct8dc@jwiR(zj&eKw*)0LbxN~c>m>ts%`
zvq9!`xMOk@b)adTElRg*d8=%Fd%JAM`Gee$xJPc}M(-HyK4oLFZPWU61Nms&SdPO@
z<zsM5xiPl!*xuU&cag16beE6A{p92E5ZSKZQF1&UFQ0&?$W8H7*U^Dyc!ttX#Ixn*
zc%FO`UL?1`OXLK+R6ZH6kXzzaax1(>ZjIN;ZSV%UE#4$s|Joua;;nK!yj^aOe~|5Z
z-6LC{voYV=&Bn)ivW?XZWV^36mTe4cD%<_IrQ8K~kx$3n<uh<UxhozbpNU7wXW{X3
zGM*xL!!zXWc(&XF&y#!NMY3I=OXS{osoV#zkW=s~xi4NL_rvSt{&<5t0B@29;;pWu
z1B38(r4PnYT$I*^skpIxHXh<SHZlayR{Bu9#C3Ea4KJ04VH<O8JHxGvJOXc!)A4qB
zB>q7jWo5X~qZld9!H068+jd6dBW1g-9VefQo6BQy8#x1alE>k$@_5`!o`46+6Y(&4
z5*{N@#*^eQzEIA@m&xbhS@IM-M?N1fkT1Zu$`|6h<%{qG^2PWIISaR8V6$Vt1kaME
z;yLoAc!4|(KOkR*pOi1hAIQ`3XL2_FTD}4Y>UsN`f$Pc<mLueuq}yWknMEWSheKBp
z?V7RltBKv^9HRA=sKE5dHAHK7D>IuoMZT73$7AW&5pCbL%{fFXXX$f^i{$HxOXOVQ
zQuzkr3V9xJm3$*{jXa;YPF_IVB;Q2bA}=IvmGg*u<eS~-)yL{mPh-w4xPiPFFLE6n
zxD|WjWH@vi_QtVr=yvRl8_|J$T&_NU2d<Fq_$uW)akYFGc4~WdxEsdE_uyFhUK}SE
z;CT5yoFH49CCc~XBzYN5mLI?=@`Je8y&fZx<+wyH#HI2>xJ<V5P%b}=E98~9Qho$i
z$&ccm>hsp$2JGi3@~jU$PPE1Bo?H0|Vm)~^v4Q*~v9bIVv8nttv87y0Z0|Z8dWP6V
z>1&AH<!6cg<mZS(<mZW_<QItJ<+a2qatU#&>u~5r;%wKE$U5RY`6c2a*E=KYiA$9J
zGI6Q=3UP(}D$(j^*GMVRwq<Sd8gYYcag+Qyaf|#0ajX0$al7kq=q;k(pEqK^KbPUg
z>f3MQ?yh%6Y}-SW{tou~d30biK0C^*&%1b}{2m@BzmLz8%kd@h2lxuv>U)j+A-+NW
z2;VG!j31Ie!H>(I;%DRv{G$9B-Yr`n3)J%J`8nyf1Zl%<M7o~qFNm@7m&7>vD`LD{
zNlcKxCML?(u1WGY#2k4CF<1VUXyc3R_d8;~ypvcUR}l;4?}<h755!{mN1~Op?d&2}
z%RdqM*yN`F3}fV9aI9=)<K*2qUfzQf<X>?H?PlBGi!<flaF+Z#&XyxMN4EXjvj%%_
z0O!e3IA5-XD`a~VP$}ETdV3CG@3luD)p8wdAB-&Bjwwd2i(_Rwzj1PX(s`?UjT~a-
zWh--td>HAr*mZO`4$9U}ewib1Bc<E*aje`BpCLEGJ>?_u0Qo4KCLfKb$=3EW<zw(-
z*{->}<R*Bt>)6P#cpAqQ6^M--hiA&i<Ll%Qe${m(V&`+Cd;)%7Zi+vZo8hnI6Y);D
zIsQdH3EKxXYo8Xl4h>|sK61G0*vQE^B)7z;$oBEMkIJ{kgXK1OgxnU-lI?N8961p$
zklW!~WjlB8$Q?+x#p=@$lkB<^ZX}<I{qxlspQ!XC+*&>j`{%I>?y2<Cv40-Vz-dbF
zibu<5;)(KE_yRc@Pm{ahnX-+e*U3Hbe7PrHEce29$@V;OncN4jlvD6(xi5ZB?uXaQ
z{qY;}0Q`|W5O0$Q;T^7{1B3A{ITi1f&&GCrT07g=Z`YD}DAD@8IgMz2)I5x6{mDF>
zXy@KMf@tT-oKCbhHIF3P@ta2xt*+*Ch_+qxXris=F~o`Txx@?PvBYU|263i5j(D9s
zo;Y8&$8U>e+umLBB;qo8GI6CGCa#t<iO<RB5!cI8h;PW}6F19N$B*O-iQD9hh&$wq
ziM!-1Vj~7GJKjt1vGP=WqI@ZCEl<N8T}KBl!vmClIZl(O<I!?9o+w{|FOX;8Y4VkL
zrfh9FU!H{*%U9vMTt^44#w(ScgICMf;OFGoc)ffr-Yj2-Ka%I*ZLXsObMX$PUyt|7
zx%d!`OE=(ST}KDz;S-g9Bkn2B$Lr+<_zn3cyiHz+cgT5omwYqcD=)$wgWh?$1+SME
z<IS#_|KpF8ejDB<-;VA1wVl&^e4Xalci{Q*61+^l6R(u5Z?2Z_#@pn3@UhX}Ht)sL
z<N`cXz7O}*e0wP#E#Hsl%huo5%Mai)xLH~~AH@Frd^uj`rbh<~@k*6>2yd2G;2rYA
zxOH7`J1cQd*U^DTaGLz6rPuSyJcdWRjt&&ziAsMQPm@>SmGTpKv%DIABtMC_$xq=O
z^3%9ceQ#gII75C0UnH-=m&?!Mt7N;@=gQCHo8%YpH}YEiqg;Z2m0!fQ4)ON84%e4o
z!VP5`Kbpud<7V<JxRv}W?jV=qq4I0^9C-u2RDK;_E5Ctnl;6a+$Zz30<&F4$xePxn
zzm1=eH{oaHckt`-X8ex)F8)w{5C1B^k82(3wL>|sFMog=%3E*~`9s`Hwz0F7{4wqz
ze}Ye!KgB)d3fy1*3=fsJ;&bHB@dVk%<MZV&@TKyX_)7UJe63uGAC|wy&&u2J=khoB
z8`;MAALVcHukv@e)?r?o?8NouD%?>19ygJHz>DP{@m=yRyiEQHuatkrtL0ztbF$5&
zmLKlzcQ@&_*!8{#GsL?76?5sh-iw>Mj*a|=Tgt!Vekv2eLuA{?^%|=K#D#Jc@picu
z@m@JdTrSrpJ|;&KpO)(o*UB-(_hdVk1{$C1k!Fh>OMTo_J_L7{55;~x55uF}^yt9h
zc)ZHQ;wkbGc&gk0&yXA9d9Gt4jqnorNW4O2j>4<tqwyNoM@8cBI;9_jH^`0gCb<c&
zt^38X_)z&ce57pO_Z}yQaC12xw~<f4o#dvttK1Ctl260~<>q*pd=efbx4?7c1nkex
zt^Ge%dP~x6vG#9;?WMUj=q$IvXUT1GFWI&;NKUjj%I&bdwC%J9UE~h9pWG2|kvriH
z>JO*lDAlbq_Mb~9;aH{Hey`R2v<vCB*uGB3P31FiOV{C0SM1dx96A$sSNd7lt4}zT
zjK?dz8=j)=bjN;Q>VcOiy(eBO_rfdW-q`Cu;ZPsEM(HVdo!l4ueWoAw+o3<+>Xr$I
z2H-s^KM+T8t=cgT!VToXxUrmyo62Y7ma;v+Z0|Z88j8EfX}G&Q4EK|V<00}0JW5W-
z<K>ZfiaZKWb<O-A&yYvs+42}XPd*nflE>mDuEU`Wyh7>Y@G5ycUL#My>*R@egFFdu
zk|*OWau{!wGx2uWo@xCcPr-ZS^Kq1|wDSc-8=K4*5^WqYUqrNP-h45!shmZ$Ysu0t
zAzHsTPbFF(HD5}!{$!p;v~zF1jA-Y{d^yqD)I6PN$8XLiT3yXo5N*5W8AMynR}yE-
zGl}!$S;R%IdHzpaqV%hYYm}Zt^u9j|hpxd*-Rm(NvhB5$uf^@<>u?u&4(=|`#r<4I
zBG+T@d#Fex7f(^TJtLeUTOH@gH{x~je7x0lIJ5w7SNcuZA0HOtrtX*!4&~vN^3Axr
z#tJ*`S2VA_1-~UP#_!3u;vMpB*nTF&+Vgf?M|13a+(NzspCVgZc9!qNXUTWrKJwjo
zuzU|5A>WI~$^|$q--j=jm*VO2{rGBm8NObA056mu#J9`K@x5{(UM}0S*tPNs{Hpvg
z-YBoc5&02ZN1qWM#gpa7@I`VFULrq^m&&W~3i%1VPPQ@pIDOW5l5|_5Y4fMBy|ng!
z8c^JQeprlS<!5l5Z2dQ0eikRl&*4P*d7LD_fc@txYw<SHZC@pLhx{V;o~!WuAKNoi
zD`QJYW5s&XZL##1G2PSkEBH6{y;t#Nx=)qjS@LUmj=TXE%eMW))%V^Y-4=Ux`X=_<
z;Vta9!$$14Lm7@&`M0s(4x6yw4z_*29X6A0i`D;K?AQN298&uGxP@GfPmw>s{(N8y
z?xXY%@c`NOHAMcHbX#m+pJ01w{uI=cD{uq(GweSr*oqtJ+W#DT&kcC~kNxKcU*Og%
z^QDzh`+sF+<Vq_ee~tUg+woBO8+?vz_4nsa-;!>N)%iQ@%?-k#op^?uzB5vV=eZ7t
zzQ>E?AMg^r_eZ=`>AUb&rT>Jt%Rl2E<X^Bi2iO^@#*NkYcH^e<9^6I#6)#si?8WwT
zU{>ef@LKtIe6@d!_<Gqoz(U!+Z@FEL!uQIx@NzkbACqh2r{!q8QLcmEm+jgAr*d8V
zm0S<+l<VVPWIO+->bf`-pD7=Pd+&F>+$7ug3AWhr9)azp**<6RvEFq<+)%bY)l5DT
zw~~*-6Xc`uEwX(_Vc+lCHjlyg%XZIvSZ;!!kgcEE_mNiqIQ)`q{mQ;Sv-A+@wwU9w
zy)>Ty{CYOU9hBY-pDtV9_vi4<@fT{hlklNxlNR_9IRQT@pNyZETjH1HRybPYk6llP
z$yVnXa$C}Ev3j0@?WH*p`0d;d`}Mc^LKBtgfc<0Xi2Y;fgnOvWskpz~84s0{@Hz5n
zc!F$mkn`o!@s;u!_*%IuzEM6CFO==LZkLlux5e&3-7uGidtBYIKlb*({&>|B`{Qsg
z?2lc&u|FpF!SQUz#_$yEkI8+pKPLCX{+Qe!C#(DboFWgzsq!G4E)T{Taw^W0&&FA@
z&A+ncp*TlQ!@2S>oG07Q3+KxtaDkkT3+0ixNFIfY<#TX}JQ|nEV{n;#E-shH;tDwf
zSIXmXl{_9-%M-A}SZD1y5y!}raI8ET$H`$FFK6Ne`8=E`Pr*s@`8Zj=0H??o;#Bz}
zoGxFCGvq9sDPMxK<f%AYz7)^IcD+o)IZD3_+w*iwzZ~Z(eLA-1;Fg|^^OSxC&X;W-
zT_9hH3+0)(NS=j@<*Tqg8?|j-jZ2iCgYB87rC)<fl|CEWvq($77MCggI$SQ#!S*cA
z%FM+TO1~ag%DLE{msyz`aFx>M;cEFtY!{xL-}yL3UV!Uid+$v+R_P0IoNU)}ynHk1
zw%B$S;TZWAd#}9M-YegV<K^3Mf_ytpl=E?td<RZvAh7K(!5Q+MI8(k0+s{^8nY(ee
zd=JiX{b}T0oGTaLJo!FcsPap3k$gWcmY3lY`2k!iKZwiZ<=B3H+v-q=E98f8rMv=H
z$q(adc_mIi%6so4I75CEXUf**S#lBSw%9p(9NSCtDlkxf0uPf{<1zA+c#`}S&XR5W
z{&-$Yx-GWNXE3MQ^%_i-T|bNcarimh*i8?Ip2zLw7jQp$EuJTr;6?I_*qgJ3L+kKT
zrN4xiyN*QG<EQ19@ml#6{FeMGeowYz`CNXDbX)9LHeml)UdLWNBat_77nOMvdv%UP
z-ooCTFdW*5qugsM94f=@T}L8s<Lz!<B(jP4gZvJ0kG$EU<_zy*|2f-xxPj8&$BpH3
z?0wc|{(`;F+R=e6xV_4Ji2KPO;UV(Jc$EAJ9xs22FOn<p<??6v9(gN%%XM_%b6kdF
z0y);45&L;O^B1JsV(s}QZs|H4`U;PdEAdqMYdk~ct(|7e-(aslL?Sz|-ygokOH}4N
zd>kjt_O%mV=sFy#!j~!idpt|&*7kGcAMpZt7q-v6_OoF>Vf&0>{u$fn0o(pB*yir$
zYFwMuyqlOHTRWU9|4OvQ%Iw87kL%yCKmYk1&sTZ``#-~Ag_kKkfLF@aNBo~#sD+>P
z-^+gO{%-rKO}Z`SXv}6^*TFVsT6zplmg{1Fj%W4v=Xmu=x5e7w5bSLy9J1%=^_6}Y
z_Rs0zc)Zf>+3*zk2<)G0>&xD`4u=}z*(%crd*?bFvS;)DxjqW7P?@9gDmf09$X4eK
zvRxmxSe={Tt+IUvwP!b$ejK*z#C*J!k?m)2yz4X^ipSn{8V;R+z3Vg_a<4gFM+L@*
zni0KgGaRzdwd>sUaHzSZyL0$(=p@`&Zh@Q13Am+vvf2GUYkbJA<MU4N>edQhBHL%>
zD`fj#Vq8<NOj|22pJL_ZM0|tX4&N->*sxpffRAYAZO6WoKSs9iI{M0|;<M$>c%+<!
z$H}MR^W-l0n&#d%PscaNXW%>JuJ|?iO#HTd7XCm^#-GXE@Yiy8{Jq=*@0NSwz)9YI
zd*NMjZ@gFTgM&OkvGbmS50U%gMzW2U$IA9hV)n^idFx{<Wc!}S7TeAs93>CN_2g9i
zt9&-D<=zXzAsd71%l4e3p`3=jXIbHpeRtGC>9*g~<PoIXV*5?U{(eVd`!3wlZCr0f
zhS{E-oFUtGM#^JI_qM}Wg}v=WB4e>v|41YQ`_GQX;WT%@k;r(QAy2@W*v9;c_&lZC
zzHH85>61yXrf&xWQI4foWk%tElS#Ta4-7cxVQ(H-%b9|`d0;K)d>qeqf`MAj1=yPh
z)^aYy-aN3Dd%yDLfwi2ANl#Y!ESw@=f>Y(GI9<LJXUNmA9gFSjGHmrX+dVK_o{n?m
zY@91!f%D`UIA6XJ7sxYlp*#y0$yecG`D$Du=ipNL8eAsN#^v(0xI(@TSITp6l{^<$
z%hzLveqzU!i(}*)aI8EJ$H_P1czHffkQd-Y`6iqsFT}}m9!`;O#;NimoG#yjGvviM
zQ@#~v$+zKb`F31MXSKeRkL?+s`3`K)<IGF2Q_DNXJ8_JB7mk(h#&PmJI9|RN+kM>H
zrvN9)_u(XYDNdH}$0_nMoGL$n)8z+ohP)hS%7r*feh6pFD{zkdFwT`%;yn2goG(9$
z3*^Uep<INE<i~Nbyb71dPvBB{H7=8%#O3l+xI%s!SIWh>N`3}c%WJU1YHj!|F-Crl
z7%M+djFVp=#>;Do333TBQGSt_B(EbT%P$dA<n_c<`DJ3d{0cEcewCOhmlCt&*NEBj
z24ar<Ix$y%gP143Nz9kuA{NLSiG^|*u}FTKSS)WMmdNiAtsd4^n~C-w^Si`y`8{HV
z{64W#w)`sj17fwjh3M4ww(}v5kw3!r?_6yAALBUr6C5vpiW6kpr~Nw@EB_fzlDFby
z`E#5iZ^Nnb7dT!15@*O?;Y`_%BTN1oXUp4hj{FVIm3QDg`CFVXe}@a?ow!i8wkeXo
z$HnpwxJ3RDm&&_vnfwzjmw(0;@-Mhjw)U=)cjIb#4|bxxcKa2_$a`_D{2Pvwf5-81
z1SiN2+q2*0VC^5kNpciUmTTb@Ifzr`+BjW~#u;)QoGHiPEV(Yumh0ghxjxR755ak|
zJ<raU55ooW;kZza#YOTFxLCG%af#dzm&%QBnS3NJmyf~~^3k|bj>A>*F}PZ`xwccs
zYqusiMm`qD%E#e2`FI>Jhj4-%j}zq+aFT5E_hh*lPLWT<sd96iE}w)m<Q6znPQY36
z$v9iK&jdMgE1WC0#(8oZoG-V<1@bAlP)@`}aywisx5p)N2V5$5#AR|PTrS&pJ{59j
zTq!5vD)}^AEqB2-v9o@AI*yUgz_D^y94FiNNb&MnI6+RviE=lbBzMQjau1v$_r$4k
zFPtvhcT*X1ADk(t;4Iexr!UTy`{5k9KhBj0;5>OC&X)(_0(mellv8n$d^RqYhu{)<
zC@z)l_imKQ!*IE5bLI+p1nH2rjdI7=Sa~Graq=h}FQ0=G<k2`$9)pwQb8)gf7N^J=
zI8`2p)8+9vL!N*$<%u{;o`kbytACChCf%!l(7g|M^$$Adk?z$$=uE-!Zuy{dKKAM#
zbS}VN{e#Yh*sFigxd<n#{KeR-f6%?Rc=ZoDmyqt&Kj=)w87hA%_Ua#WreUxCLHB0_
zy!r>7%Sq2s`RO=U&c=E26*ym>feYj-aiKgD7s<15v3wOSk*~(3at<z&ufgT=Y+NB<
zi!0^paFsj<SIcv;<IbOh&h^-v^9SAgsyF8kIyaE+&H01QJRGm`H)3zjA9R1d-kb9W
zodu+ObN--n6HZq7h1i?(2i<$MH|GyJH<Rwo`Gd|PoT2i!U~kSJbQWW8&L4Dc#onAh
z=-g)Ixi1C-LFaZWFXvl%`3@^DFTpwToj6y%3+Ksq<9zuZTp-_z3*`b_B;SXN<)yep
zz8{y$%W#?e04|pw#1-;#TqzggD)}K?Ew8{1s~zvdM7vL$R}$@>YJP-h_doNa#CZ8J
zqTN?4y@+V{0Q2KS8?Vi)h{^I3L>mV!eKpa>Ec27ZbonV_hWs=!Q!XZE$<Gk8<u$|{
z`B`GF{2Vb)ex8^wzd$UI*Affm5@M13BGL9|bz4WYJo8J$Qh7bGOn#YIF26#okY6QM
z%J#l0`88s-yn*PrbBUnyI*yUwz_Ie1I8J^G$IBaWf^2n3l;6fl@+O=tzk^fc%{Wzl
z7pKeb;SBkGoGIJ!Wyv4lY<UaLkw3(_@<%vN{ut-WpWp)dQ(P!pn-$5Q;bM6!E|EXS
zrSdjhCVzp;<u7rC{1vX0?L1V;U*l?dJ9gZ;M9}#L$H+Tyto$vGlfT39@=lx}+qq4Y
zzsE`P4>(!=5vRzzaH{+hPM3ei8S*bUQ?~w+CGW=B@*bQc|B7?vy*N+)4d=_h;{rK?
z3uTA)D3SxXSdPLaaxGjc2XUEP8<)%W^CJ~<9b75L;3~N;u9oXzyGh&iRUgO5hu~QG
zP#h=Q&!oi5_Oo&cax6}ikHATC1Dq^3#3^zkoGKrQ)8(UZhI};6l;d!gd<@Q(8{-_g
z3C@-6-+1N8$KibWcw8XcFH0(v<8hIE0xp)D;u5(TE|pKjWpZ;|E}w)e<QBM6PQX?2
z$+%i>iR~9%S^KxbF>-4hE4RUMa$6iPpMn$QM4TwM!%1>`oGf?1DRM`gDtE%^@~JpO
z?u;|#B%CFmhO^}^I7dDm=gMc`Jh>~*m(Ron@>#f0PR2!YH(V@t$0c$PTq^g(WpXcE
zF89V2vdu*+<rLDBX=-cdzBonhhg0SLI9(oqGvt9dQyzq~WZQnWoJu;U)ZPBsI948l
z<K&?@UQWXa@-Unz564OJ2%IdZW53QLv0vv=*st?BI78(}W53R0uwUnMv0vx0I7j6(
zaIQQK=gH%7zB~aJ$P;m)JP8-clX0;e#wBtlE|t&2W%3kUE}xGp<O^`6d?BuqFT&OG
z#n{o@G7I~2-Ak}P*PV*}x$dPnUgf7@f3ABO_UF2nV}GtY9Ve@NHumSbS73jxYd@Fg
z&vmcF87go8meil?&cgm&*X=VZb2aI<*zYLF!BO%x*!x~4HZmJGQ2MpFi+mmKF3-XJ
z<hgi=d_DHQtBsB1;_*tq0o%W+v;EG)_V3@!H)8L*_1MUK+?)zo`U2cWz6tl17ve#(
z9oJRzXs4&s%Ng$Ub$Sp-({H;`r=I-Rm!Bu>PtIVzYZ}JSrS#(GEk-*dNFPM*U^JB1
zL!FVVY2*&%=M}BQAYOUDHMOlG|MC_6y?g1;_J**pUewO^Ta)|h#uaR>(TgJ+N;{>X
zfwWUi?sNa+>(0Jx?=`u<0i4ku>}P<xpFu?XNrS)ty#1@+r~CKsX&^^1oMRfoS*yvG
zv+JW*jrYMmTtR(nd@sY?em11W_cMSis(+216+4ntrycj|nmqSI*oW7{I@aiZ`ZC^l
z<7-VGja@N4xLSJG=&^WhHk5tU<gwUU8Ohm6<IY?2qh}AsfbQ=2nZ|D-uF2!-#yBvX
zBeFYEP2czIo?~}A|978zV|Pv56}&OD8}p2`8b7LiJ;O$bnmkuS=;PgJ!$Gv+-?yJW
z^tHimuO2`j7{wmah=bXS&Bg}1_dA=T_1W*W&Axh5av1NmyJ5}U-}jA(L)hm)>SJ@m
zzwhV|o^K9y=d3;4k?Zf<k2lX9%I7tk<#yvpdh)x`J33>L&6S66WY*ff-S+(Bthg=t
zgDGc6Kgen0zOq@dy~pNNW7$$Cep7xY&Z2Fz9cxEQ^<Zo5*iUatbfV3Y+<9$h$|REB
zmeo?sW7)24yBF%ldwX)#bZ3hl_&o%j$#2L1d+^G(HQL?(K>nY`-fMo$NMSD{sFjUS
zf8Y5y_`Lgb6}!HM*XW*7-7{y`PfZ__jTZxHzrLK!nru6}X6%zw&G!fE_x4%IX5lsa
ziD?8!)6+diHQmSivLE}*Yh&$S8QV^zWo-QT^LJFg@7vhao!(++awM|*f{j+G{AX=p
zZ9bYj|Fhj_ckHr}!#?YIpJc6{b^j0Q@W(OlpFIiiO4#TAG}WSyJDMImg0?x}xk4L0
z9qjvj-v$q7wZ3GdsMXxN!!>8@vl)?XaS&IGx3Bd7;Ar-5(SB^rM(>eMyjw3Dv%UN4
zf2U>tdR-1~;e(&tjG(o=Ijh$Xti&HvhU>oL^`t-FOTBTkk9)@K{^|F}e^xuYm!(ky
zyQccnTf8SsHcuJso?+_^qnTR|WL`6b`<wMz+uonA)&INS4&$z$=8ll|)N9{3Jd}HR
zCVM=Zb;+}DuAP0%#=wnllq|{Twf#H0Le?X3E7t#Qu`>VLV$a<E-189c-+v^tQTt?V
zHQvkfK3lRo^1zVA|9d|E-|aam%F?6$@ppK7jki*PfBan?|L^CFoam+de-Ec)*n92&
zeH;Jp*!X|1=7e!x{ukO_&Lr=(|Mz74zZ>KKeVEsj@Bh6Q|L?lYR{HO~z4u?G*Si({
zzpqkvvX}4wy_9XL?;@4+|ISHQrTc%k<d+QZefIx<XYv2u$G=nd?<_NqK4s^nHQxbR
z?5)^>?@HVU>K67}esc4JPP0GRgGSSDY<_y+)ymW4ziCUO-BJ3FGiUpIKYy;L|Eqfb
zv#r~+=>10(`-bMfx3_;jhVj(?PuF4J{eZu#^%vfK@La)RtoXAnvadD=Z|}glhyA^r
zn%w^Wa~u1&jDKZc|LU%9|IV}~wtH|}CH+_S^T#%``Qo4ZZf5`U|F7EYz+>Bgpa1Mi
zweQ6KFVy3}S(5!ujsJ`FI(V*TzlrG2*7T1vq5ov0|Kk=$bNBdH&!+y9k^bM``hicr
z?ECt^)*1(Yp0VHQ^mlL5?{D7cmj7h5Jg|)peoo?*IPg;#|I+#|AC0%={~w-_*{2Av
J<?Iv4{{YMRg5v-H

literal 0
HcmV?d00001

diff --git a/tests/data/scca/RUNDLL32.EXE-411A328D.pf b/tests/data/scca/RUNDLL32.EXE-411A328D.pf
new file mode 100755
index 0000000000000000000000000000000000000000..78cac7b15d12b09663ad8522057d9d3a765d626c
GIT binary patch
literal 64266
zcmdVj2Y40L`nK^&LWwAd*dn$qqDD{*O#`;j15zSI1A;`bAhw7tVvE=!ibiY^Tf`Qz
zMQjmU#D>@qTf`Qz0X9Tb#P;3Ko@X5*o^w1>{PPXhW`22R?U{GhtXVUAX0o$+6h(u&
zb?dSb<3>M6(ZFa()IaJT_2pmts9n@1>JjDh3PVRwy!`jy!_Q%S!~U<PPHNY@i+*0r
z>ttS)8%EK78$?luo1>`vzEM;(KZ;U_PtJ&<){Ny@d);-_fHtp+e;88vNw2jrq%+er
z&p20O7S!QFAtlnZw!E6~n#`*mFHL`NxR4Tc;{R5>TJT!ND@?EQ^wGq2;<Y)igITNg
zjJ0wXUB!QBBL8p7OUrqV393)cf0C!)$d6if177Wj_hqc<54X}>(xSWhpDIn}{}OS{
zU(;_nLP&`o;s0%UZN{quE2;PEo!j{RHCWraKCf4puH|d`vm^KqE#!Z_zcH`Q^_T}^
z&Hs5-2Gi3iya`f%w=n&HWHgF)_x!i=^!14kWFh-|`c|Hv#q_4c^!^{1uH`fP=sD+~
zQ|JAoC^U#^grZIS{=xj9oOb5bs9_Xo`)T^io?gNas$bR7bxiN)>BBtzdZugnOp3DE
z2;u#0J^gN`tNv9#vzb1avGV)kd;UX@GCkD)iR-O+f3e^HJkzO`<a-)4il^)St#)Pt
zTkS<g>=w!OFJt-utSQ&}{qyQf&!!Uh^YkY?eIe78zm_qF=>t7|%O;vjTJ#g6lhHA}
zPA1V_o_>Mfe;mnZ+vxob*vO%M{NVh?Gd*nIa;Asn@9Fnn!t{;xUS8Q$R2gF}dF)dD
z<DEBo{*0ortZ113_1ney-Nl5k{`FXqQ2)<({*N+U^Va*XV*1f`iQoSe6EcaZ4hm_=
zA-^Tge<9OZ?d1NE-YlXwi}SnB@Bg0Z+BdZQA7FZT|2ba%`s@?RPxaH66;=L9=21^?
z&U7|=GQZE5uKbxCWqSGBGd*noA}aDMO{c&eUj9x@SN-cfMKsi~{rC3#+c913k5QCC
zq9MOCJw3<MRY#Rf@6A{<yVvvY&vZ6hGKcPTLZN=!`TYkmUF)a$zs2-}80-DJCEHJv
zXe<*{H_Go4`f0T<<)7#GAJ6oyiP3bU4qHSV8{+zXF!}!U=n|%f`u~jSVf{M${Zp8(
z_iFy<H;*{h#6LWm%)efA3)3$qG>%uxEm!ofw~ki(sTXBYxoXo{ye2ZeBV*01sDY-Z
zMyD`c((4DNtH0Lt9aH1!MNHp=(5}43ZWUY8&+_~4WxCpzUh|mVp0RT6F^d0~>)T9M
z{pi(|iU`Y}bXYw71EwdS>gXQ+)B81p4o3(n(Qizr*(6_^ZL?ziPF$$z^`edFc(iTx
zI-TiSPrZL~y*U5PnXdZN>w`M)-`n%wj_EC#)`C}eI`Xjm_R0M-HR{21Z6CevVtUAb
zsn>shrZd}!O&4V(R!pyO{U7J$Yack5=^Yp=zZVV@Qle9t9@g*c#ERuNsUPQmG1Jxl
z^g3X>c>UGBwmXCX@4uGm=}51~JYDnubW}Y3W~QG5nH05Xv7-Kl9vV;Ik&4s2wGWjr
zJ*?m0@8jtmnXWdWyq7XP<UgWy3X#<4Sf<k~lgE&Qw_h=Ry~7ETUkTH-?#gc#)5G?;
z*7biG(@$fXj<K!S5Mg?Q(FAz^1~i;Bq}RoDrhk7}Jbgo^YyQk8`kLus`~B$Y8BAAx
zDs#XNEAm_D^N)5+r;3uV>N?X$9YK)g@8S6?|5iJ$$nQ>X-yEig`oEaz?I@SZtJurW
z_4~E_B~0I)u?l=ULP&}BXZl4+MNz>{QN%8kTvtui@E+4u(|S!|dQZlh|Bd_bAJO-j
zuH`G1nHg_CmHo7U|Cs(M)73ULTv2EGH_q=jrfc6w4m+=Sf2s3JXXXt&`DmuAel`E&
zM=F>SHDNltMRIt9={=IsDEdu_GJRL3vxwwS&}zl|Pw@LYFkSQ0FpKGGU;6p{G5S9(
z>d15sJISG4>lM>~a(=y-u5%_0*D*chH^J*y#`GiN$x*#sR=j_k4K@G9(eF&Z)YFfx
zGd;7Nrq_!uVZ%`*In*$HU!*COuK%l;9_lxrPBP>_f0W*m65Y%6HX_4Jrib&pEfy<M
zKYE|(+W)lu4yWMWj5YtZ<Me;S=u4(gLK@~Xy)R=;nU?I|>P4rr@!D!4!|A)Ncz>tl
z{Od*2n6B-o`7dMoDfYr`G?%of($o1NTENbi%~(@@I$V*I=pm-p6B&lFpbEyCK7EM(
zUq70`bPkKjZG0DvzY9(-Ok;-En7#pHEkBEmlfzi=48!|O-;p0w2h*9Z_iOr29rb@&
zl(zng{CB5vRsWjT6BGE4lIt=3Xmkj#hnTMStH6%Q?Uxpv#B|MD{YPgyH>w~x|Fd!d
zI+y92BGu6pribJ62UVJ$8eQY%>!-f#ym^e3+57wI{|3>GOlK1%bNZU;TE6<{>Y;%8
zsbIS5PdSg{KpLhuPtp4uMt3oNYoy@^PuG;hXNok6Uhw?&(|9%xDJGZS*5|KtnXcS5
z|Ie7dmp!e6=8_iG)Omja9l3TJO*z%)7a!G`zE$TH=l=~neG$`JQGO#{RZJh^_aEu=
zr%l+n+P}5@L-*um5AyUanXdh}KCd<;H<+=Ozn!P=%5>GAh8m_1XRPVnJ$?5&^PkMl
zaTe3Gth9|(s$R4=({=39_MOZ=8MfcSe!og-NJ~jg(fg9`#VVi5e~N4SG_sXvCQeUD
zN!DwYt#$0^GQTrq<3_wU<eo-(nzHAgl00Wk{+yDQLW;>_ke1aLx8Nl!@2<AmXdk;N
z<6*YyeH1S;PEkFMb$nyS<LpfskGIv9C)k|sCO<#xz1l~o@RBnaPvxZ?)OSs@n=_ut
zOJz6}jAq+gF;;U>d9_vTTC&c2I@{agu66?VvA4tejHdD}@FJ}FZ;zMQE%9=f*#T?+
zQF-+XjqIIpXFC)3v3JJ9>{fV`-5QUzcfsRqy5LBk*))H;(`bUNeqkb3ZghjuWXILF
zPH~*>Et+ZTI5Rt0CMDVD$89MkxqrrODJ6NV-;j2qd9rIqo7?QBZc8aqXiI8uor!Bu
zTVhvAwrQE&BK{1-eAoq&=Zl)B4nf*Zvie1>vz)`Yo85)+AiFE$(YB_aV0UMHn%#r(
zId)IR7umfSU(QSUsO!Ae@!pJ|w)-%C*WQou$97-FU+~g<`!U|w+r2;D(jI`fx7EkC
zxA(_;+5>SnTkEu+tv+Rtt^R3!Z<hn`#@=2B;?cJHh|_F!)92X3@a6VF_)c4W((73H
ztN(o0J{Zq;nUQ$8U4Yddv@H(78CctQ6y6eRKHBaH$JJ+QXh@qpjBz@z`uK3h>I>u}
z7;C?k$1qOVM>5v_p!itEYP<4LjMdKMqZ!Yk153xp;JH}s|5*H%eH^ZFnL_-5<HzG#
z$JO6_=D6C<0>@9pUpsyhUhMeE_y@;N!OI*k!aDC%4yR(RuyPv@8(_uN9(C@i_~|$^
z>6GXUoMoShbxlfjtK&kBU5s<>vvHn10q5K2-~#(xJjOl`7ux6JBKrbdY?t5?`$Al5
zYn$qPQ~7AW(V%U5F=N8XZ83>)*ru1@uuU(;30~S>rHnJ}%NU1kIvIy;s(o<`FD>f|
z#@c4`m5eKChdMT0g&)AG&#Q42R(+P?#~i-~S35ohKjXOe?^%vthjr~#^SK_+ar_4S
zhT~fI8pq3tYtXvi#5k<`R2<g*W*pZ27M$Rvb-$HySohm-Sohm;SoaDXuVY%u9XMXE
zl;m+NUYC^UPU3O?DbZax&N<%i;yhELdx&dLp7$~ic~;_(=Y2TjIUOf>DbM>Ehddv^
zA<qYK$nznreL(g0FykU#+AdX$OL=K~CEJWWgRutX^C;tx&to{`^EeLqJb@Ful+Tll
zLq63w<nt5``OL)ot{>;~G|s`w;TfE3Ka2D1=WxFLJT9<j;W73LxX{-5LXrI<F1BC7
zCHBj>)P4n**{|Yqdk)rlvvPY4SK4!NmHj%dw%@?B>^Jco`z>5!zm02c)%gPZ9pV~P
z=kpkcI)4|3I)4v`I)5K0c&W}mU>xfFLmcY77Kb|j2v_jZy3A*+b<;lhF=MTp+Qui0
zmACvU;~HKn^BH3;Pw~$g*YZ+)0b`X@Jh?88FJi1g>+%KTur6QXur6QWur6QY1TU@2
zH;lu&EXHA7zQti(mf%ueT9@w_m)T1-PK(?2_jm)W+<w4Kv2y+qZ{qke93K-?Q+~o*
zIldgn$Hdf>pK(jaf5GuNd1}h9co)Zi!}0k!^?-H%M$3&-$Qf(7q#EtzI8&k=$J20k
z$MsP<*Ku8T>+85K@#Q(*5D#`-b)N6|dc-xT&Ku!S=j-E8=NsTq=Z$fK@~U%vgbQ`9
z%Mqc@o8nOC`j~Sj{i@ch87{`@oLA@^DxAA+f=e9V6ze=z<u}8nj&F{`Ic)|mb9@V|
z^IMf~j>{d_dD&FQwZ0XOZ%tf-)>oGh!uoED!}=z0Sl{h%g7RA57C5Z0&h^6jw!~q5
zcfffKw2mp!j(8AOZad+8$1`z(t=kA=Y<)&4v~_v1$le7P+q+_2lhpj%;8J@xTxM&1
z%k8$rHE4bHxhJfz&QHVo>Z7*ScLTPIE?Xq*-EmmoJ#bjxY#i3NlgjW?Th(VNt%KHA
z=e){K-ixvB1FFp4j5S}y_hGDgDXz;A`dM-1pW}EJ#u}7=SH-Zlh0dcx{@rodUOjNa
zWqRU}e=i*J&&47C-ngQka!5&j=DPzc2c4T&I^Gvo+5K>}-5<}g2jDq&9<H(X$F=rA
zyujA^{$g9}yUb2rmh$=@K$)<<2jZ~4`8cfaP#o5G7!K=u5Dx1*9EbHCfm?4Auj9eE
zy*(1|X&2x^tU5Ua7uln5u{|1>*oWd$`!HN)ACAlIBXEVSOQV(ck+{kpi>vLU@GSdi
zJjXr;*VxD6TKhP>z%Im#?c?z>dmPrqUai*&INd%GH?>c~8TQFIVV{CC?IN6IpNg~X
z@i@mm4d>dY<2?HeoNu3r3+%J-7`qr3+Gpb;djc-D&%q`3xwzCm50}~J<8u1~Tw$xd
zRoWL4*P#7tA`b2CA{^S=#W=LLNjO1y?Sq%#(B3Y^p}m#j(B3Y?bLz)+J{iA;wSQfX
zYaG7<*V<R&1@={Vv3)gOW|!f}{o6G--JXJ*+SlR?`#PMkweFer4a7BQ-EYKU-OF)U
z_nUB7_o+BRd9C}+IIR0EIIR1vIIR0^xHx&7O^I&D6MX!wz$K2~flKXaxXiv2m)m#Y
z3Ol*&?0bl7Q2zJgkbfl(`QL{_{?l=S^2+~yto+sIKY*3L{2&hbKZMJOtABnN>$8@&
zT@}9Gegv1h%nW?1<I1zb@yCd3P@a$DkmnOP<oP5Hc~;{D<(21CSb54baj55~ame!-
zd>&<#+q1X?Yaf3Om)goFUYC?;7I6(K{{mJHTKCy_W5-oq`Di{bxxDg!8HfB|@q3lq
zt2pF82Pb&1;;-S5|6CmMe;tSX-@r|i=O-!An|LFix4eZj9Df@p>>8YDzk{=E<(zH5
zOI(9;eh-J7-^W^C<@Ny%Ie&-~j@ROl^G7)3JRgUgKgKt(EY;yBI6m*<ejSd_wNj$b
zaHaG499P*3aJ8+RXW5I0Yf#Q#;E?l|IOO~l4mp2~6O`Awe1k*Ii*d;LTO4v;g5x?&
zOZg6O&vKRjQoMuxJ&x-(E#(KitK&c7xSrEemf?<$uc-61l;y-VDF2^v$p04{^8Xcw
z{C~p<$}9ihamYVn-XVWo^bh%`;$<C~FKsdn|BRJ?J*<nhir2^Kb_3khZiqANbeyo)
z!<lv?oMr18WVXEl&aoTgT)PR*vp2-~w%T%mt+qVIZiWkOUDqtKH^IgBrnto3442xQ
z<1$<OM7g~MuCSZqN_$IOWp9P6?XB@FdmB8*-WJ!`Y9qDwc6fo^0x!1Jc9z*Ku^uu}
z{i_|N+dJZ>_D(p%R{KiWJL62d70$9-<7|5uoMWp!=Gtv=p1m8+x7AJy?6!D}-3}Mp
z?QxOa0T<h9*CqDuxYXVQm)YuL%I!|L!tRVK?LBdoy%(;w_r|mAeefK6UtDA7;99#2
zUSM~{i|uZBncW?0CsF<P!0C2R+|=%cGwfWPuzTZ7yARH?_ruwCUz}t2!?|{UoM#Wf
z`F0*Iu=mGf?18w@9)yeR!MNBSf=lcJaH)MDF0=D-xjhtD*u!w8eGsm)hvRB{1fFFd
zjOW-RagAMoYwbhu0(%r*Y>&pv>_f30vQhmXhSTlCaZ~#UoMDf_3HwN#X^+KO_E9+7
zJ{srP$KYK1Se$38AI`T6iEB{bcs$O)>SM>@gna@I{q2c3^tUHrRx4TlWV{*uvgUIN
z&cIs7BAl>K#hJEp$g)o(u0h9w({VT!oPoo!;7lBHI}0Z$uRM!!$n9(#a+`odZs%Z~
zb11iSvCcVkUFAHia|^}K$2wO~`~s|V0>w*kt>YJB9m^G;h;?jM`HQfQ!HQpubxc)!
z64tR(ajmb8g^FKFT!YrP6o>V_42SidjKlg~juVvE`d)#<`d*2{`d)>@`d*E7j;rOC
zVVy6^*Wl`84yh@+4)na^*J7RL>D=`?9O~+N9M@H9$_-fORhrL@IIgSIlyV%-!?lj#
zJbWr~4O+*WaahM&a9GD%aahOOaDwt$$J=pO#|j+Q@eUl;aT<Px^2+B<JPWJ6DTg`s
z-NZF0hkJ0y;a(hasKg<M`*4Et%3(SVIoyv!4iDgv!-F`kH=dorIww{>597GrQj+I!
zab5BJIq_P`D9;%<Za;C(ahpj=-m3{YKTesD^AlJ(>)iWE9L~L~@utMJT&=s-MQv;*
zaSdAcr*W9iGdQgKvpB5#b2veHt^4yhtotk+*8K$>)_peKhR=pt?u$5){G6DU@)B<0
z_{%u{{Fs*V3U1~2t2oQ$=iqjZzlO6NpNl&?{yNTa{0-dI@i%d<<8R?Uj=zob9IwFx
z9e)SsJ3bE&bNpRg;P`uZl;iK?F^+$L$2$HYE_A#Wk8}JZT;%wCJl^q-ak1l{;0ca@
zic1{-3{Q0Yb6o290zBDqZQnA-7ZKN>?fV4|+xJTxw(nOsY~QbOg7VtF-{7!)7vr#f
zzr|tuF2Q$GUfcIOT#40gm*Og0`Bd9K5Z9o5e#9Z4WjN&X6At+-#|g?SpPzBa=NBCE
z`4xwJe#7dE)wX|UtUgz{MSQ+je=6%ipJabZ8QqgtKd5*bRzIls*2C(*6t9ofe<|Jo
ztKU()Ay&Vmcsf>pq4;`O{e|Ls?nC>z;;M%#$8|qMgX*C%4)xFkhkDR+BB361&m=*4
z)x$<O)I&2I>S1FX>OuEaGE;Q_B`sxBybD$io2fijZhH2lgX0-E+wm>%UXCm09LM#X
zf(GTR`!gZut#QbC8ys@p7AGjLoD+CQtQ@w(%3pm{3*5?aElca7+;pEuLle9M){lDc
zj(|&6|Ef>rpz@h6uiSRVA-7gI<klL8+;qPv!F!e4u2}iVZE&d1-EgQ+-BUV?GRmPX
zF2><FQew9!u0c8IzEj9S&xnN_cE=%yJ#d2ZT5dKDIdsAyht4?UuqWP@ZJ``=|0;pC
z?tA0y9p49QyDPpgZtZxoZXNGJT!ZrLibI~=aL7~l!9t!raDwv6vnLLD_QE00TpaT3
zjf)z`ZLbe5#;U9RaEYz^X{B~QTxKgz{mzWa4<N2Vc_#0<Vdbzt@sQ_09P%856E36s
zav{$lIOKT%4tXAkbq!bbnU717^^+0}#ijNzTxKV8vxgJcpxj2_P=^QOklRQcax1_I
z$}9gvaL8>G4!MoSA-6+uIpvkxVOYlx`EabhUi<YCSpB==W3c*YZTBOw`entHv-(!W
zk0P!?IUkKf&d1=8^RYPOd>l?tUO5+H<*fZt^Hk2-M&pQU&^%ATVV)=AFwc{4nCHnj
zL3z#d6ddZI2#0z&6^D8lk3Z!;j@IQg{FQw=j_>uPrJRA6IDRIM@B5^soQ0P=UX0ao
zs2<M7saW%zfYTj62RCy3T-?<0^KdiA&&L^#Ux1rCUV;;jUx-^cJ`ra+ei3fv_{BKO
z@kzLy<Eq<i$1f$WL3LY-L)~76L)}isp>8k73CgQ(ufU;huf(Blufm~juf_vX;(92<
zd05-@8k}z{p91?@;u@6CbvWd6Jr4QYfI~hv;soWDPdN_x+=N3uQ*p@WW}HWPwQVgo
zA1j|*iPMCW&(7V3o7uPH=5_^cVc&suOwqG;({MYiZG9*1Y~O{u+IQnV_C0u*eJ>uB
zbV^i-$70R%K0MB4rsMIB-;XCa{s5ln_=9+|{ScmFKa8ikd=;MN_#=3_Jp<3MAH}on
z$M9UN^?Dr7bNmTB-+mG=va9hD`zgHKo{1Z=eYIXs<7QaTB0htgJN_(gVLyjk+0Wy4
z_AK1legSv2XX8Hhi+G^@5*}v1j7Qn8;Ia0rc$_^4kGEgL6YRNoqWwCaY`=l0*l*&g
z_FH(G{WhL%*WelUJ9wr&56`yW#dGcV@I3o{Jm3BRFS0+xOYB;_-2Mosrp9$XA2+f;
z#?9<caC7@p+`|40x3WLS?d%1(v%L^^wHM(&_7`}d{UsiT)qcLhqa6PlkF~$S<L$+G
zg8eO?XfMH&?eFjudnul3e~+ixKj7*1k9dZ?49~QG!n5t=c&`03o^Stx7umn!RJ~}!
zzcFscOY8MJ<K~V>90%Gtu7~@_+NpR-(tJd~>W?&^dRT2&^Qn(jPHw=sk$$F3L&j6=
zbjDM8smywer`akyo0rP3&v;%k&hM}>UgUUV#^E^C1czhChIp8d3r%tO+`192Pv@&;
zHN%au=D#uC)ZPSdZEuQqus6f{{VSE<9P4+f<P5yGy#?-JH^=?#E%6Y0D?Gy98XsnF
zgO9Pd#V6Sbe1^RpKF@A}C)wNMEA5u}dV2?atGy#WW4$=%o$z^fCZ1&Ptnzj%{Gi<$
zzhm!$KeBhl3+*;IrBOWp-SB$0jz=5WZHa48y|u$M!=&3|iX`0uH@7?D7FgSBcih?D
z19x?qY~083PI#c*84t7f#G_n(FFe-X8;`U1!Q)+iUp&F_96Z_Xf~VMB@l?ATo@RH)
z)9oI3hTRj-w0q&%b}pW4_r~+=K6pOXy6=aV+kJ5={h{Lha3lAP{c$sU0Pf>5d3d0`
zKOW{X1MviV5T58VgYjg02%cgefT!9A;u%=mF(1!!d?@am8s|0)_puMc>OYn9a6Hx?
zfz=l&elT8QkHj^+H2(s|we}&5^~{puqZsQvR_`6nc$wpeGS>O3${dDujw&CHbzUkT
zfpsn_kHI?sl#j$Z=ak1{ooC8NVVzsbN8=p(7@TV#i>n&OWsbwub|Ic+ACL9B1Dek`
ztltrkPr$YIiCDi2p!i8x&;QFO<L=&<wNLe}W2!A#=2XgPQ2FsV#81PG96ud5v(LcI
z?K5!;`z+kbF2?QbvvFs80`6*`gZtR$;(_*gc$j@Y9%WyE$J!-$9M*Qc5KnM?BA#ep
zgeTh<<0<weJQeG`m*8oRUy7$YUW#Yfm*JT%Ga1jeFUNE3EATw~N<81b3Wt5|Y8>{p
zGThwz!Zo;+_k}6Av*Xv|u8v=a!@hYv*1oCjbpsyeGB@HWj+f*4j^Bj$PmRk@#Y63z
z@geptSog6s&s*{F_HFo7`*wV`U4eDqMdk0nmtocCG_3mpir<Ovv+u%>*mvWn?0c}T
zKdQXiXNu1UDv4{TNBllavrT$B)@L8Z@5lP=BR_x>_JcUnehBNckIFoZ_1Q<R!o~I@
zxWt};OYKK-nf(|pw;#t9_7k|$eiB#N)p)V}6kcY}#1Y#?IXsQi?PqXP`&pb}KZg_c
z^H|rK^xj#xfO?Z(z+>#$xX^wP7uhf2V*6#RYqomtD_GZN<yWz;$I5eXt^FF-H4w$;
zVqN!;U&p%EA-{nmww?SYPPgB}O>J%83_ICR^A>IQcPP`yo`;*+@8ah6d$@)DKJII4
zo`dZViEGe2YwMK%2)84y&sp<vSNmf;(EbDu^LszVqwLS{So?E4&R&4W+Y9jodl8;!
ze}SjjU*hTZS9qrVHJ)vMgXh|daeZD|mv0$2wwEy8)c%g~*7j1yJJ{bd-qrqraYy?{
z#(Ud3?)9*LV%*PO&UlFZGvg8VFO1K#e`P$$R{g&p%vghRP996`6pnR`Y+VNm+cXWg
zaJ(LFW!J}j>;_odNb_unr`kF`UyvHd*TcHkpfb9ir27l<`dIfA<PGrcc4Mr22Z}er
zx?dn~h@Z4|%-6ju#kG$5j3ev1lm>ZYOp&BF!92>5^rm=Udo$d_)_nTgI*-tx`D}s1
zd~|)Qv*TOhP!C(-d5&+5^;t>p-3F(+{<p=AY@M4l4cmp~o}+S<*Jm9K^7dGpOm2xc
zuy??l*gN8_?49r~w$67tVC_>o<Gmc$^|tPIYaI5|U2xb>cf}{VOdEW<y&Jy5);ZL5
zc3XT4*0OZn?n}qp<E3^7tb3eVmyTH1O61+Ku4~A9U|oZdbzY|H1#%~>&-QX>tk2={
zo>-rm<-M>z-^zRAhOXOva4&mbJiykup3Zkwz6(CX?ux^H)D4IIs5`#WWz<g8x9Yt;
ziEEI1;m}TW{uuVD-gtn^^uY((`{9vxUwnk!51(T9$GXp=`47Ms+IjdgTlrjL4<xQZ
z<p*K)fjaIF#*-Z%f~Pos0G?_ei09k+c#+Ew#Y=2`{$B1f2jOszG#rQXq7nFZZ;ONR
zz4l0~b5P}0fG@BQ!8*57d=%Dsm^>QmoJl?u-)<j<@3jxdI&V;!Bk<ey7_8%s;z#1o
z?Xg(>xZ+3QAMK;D+M?peFjl*fk7cZFEUTU`u?rb%Q2cnzDkeP+x3*8fqwN#%&Gt$7
ze*0vs-(%E#PQg#xMfi2BeM-xH$MNyRHK_b)xP|wr)A2C-3_Qv{6OXgc!sG2?+|Zvv
z&c^x<AI)<D-q%*2)XP2>53tX}2ioW3+wBYRlXeMy-o6mOYEQ(6bF!#qU4)OdwT@f+
zn!_aG8X8b0S>IUYFC|X#<T*?!ZfakKGwjJYVPB3j?JIDWeI?Geufp$P&HrlriCu<6
zKXwfc{n!-zo69I?-G9`3uOqHOz8;76a0AxySn(UNw!K`=SldayiLvTbp31n&*8Df*
zxdp{<Ar|I;D?XYZv|rzb)j!L(WA({$1-`|;1K(v&!w=YZ;>YZ}@JsgH_zn9W9O~y@
z9O|bMtA5lz@58Dec{={Zz8}|f{XBp-uph*m*bm{Y?1ynnTXmp&^jh~vu<pytGqCQ(
z%a7vj_G5TB*1A8AuShy2dIDeP_>=fO$E$H)?+Z`i!C3jv#KY~U@fG$n_<^K({vSVM
zKZo_~i<bL5uE&O#XW^Fi3wRfMHr~sA5f8Ut!iU-~<D>0Y@H6(Scq`hH=069wv|qy=
z?78?*`*nP@{RY-KqTc%^-h`L@7UR9_w;6Z0YZ!lGzr%Q`J&*BLey-+Se6jr=zQTSV
zUuS=SAFw~fU)r^Jsr?cD#h#D1qOVYHALEv`a@ouN6!*11!-MV5@m=-;tnUTWd=}zg
z>_vDuorvOJ;1lgH@#*$g_zL@Le4YIbe!yOgAG5#3@7YW6C-!%Esjd3^#r_`GqpwpA
zKj01QAMsZ9GThSs2_I@N$4A>gV|`z!=JN}_!u}OsXa9z8v46)8*b(*pn4N;3u~YF&
zb{c-eu7~wKTUu6q{EOWH*W*M-@rHN<I~{LguZOp?8{wAr`gj+61AH>SZ?1i?G5!K;
zA8&%cv(*>=oGg=?(iEp{5SQ5quWvWQ8`~RWeYcY4vkBhb-W0dT%6T(<ki9uRjb|+s
z&%o!{Ti}oF=J-3Td2We+wv+orlQ_OL@%3#z>$kDJE#A^j;4AFy@O5?ze2cw3zRPZj
zAFy}8kJ&m#+`eJF+?|MPP;Qx+ZX@ZPv7UQWycKS5x5j(gyWsFSaaa6lvajIxe{o~l
zjo!N(*0Dj(!s^H6wpe|x+zzXMl-pyq54i(lZA)1>>lr_Jcg7mzJ(985*?21bs^XpS
zbh|T-uP5{UKUnu8Rc0@&dx!GgSoitleN^7w7wi6+;yE~cF6)AuvA&9T#hvYLc&6Q5
zWxQTJaC5sSZejPrt?XRId1;=#6?gm5J*y+Pi{ty@<L$oqRJ$J@+CuFxCF+k4!J5wi
ze59R+kGJ>77uo~yWww4V{3m-b-e~)HK11*p_5rxJeIVZ7&c{RTq4*Gc7(RQ4cs>W=
z3+>_f8hZqO!9EzjW{<@0*ai3_`w+a)9)-WPN8_LDLvhNE@p2EtOYOt)FZL0*-cE6u
zF?a*}NW6(X7H?%Ag(vJBmp>X$vyZ{8TE+FRwmQK+j(BLRg}6CCXd4}m`(SOOaah+w
z)Q6mahdF*C9_9E+c%0)W<MH+>c!FJoC)%gt@YzlK%@oH^!;7$%bvoWUHO}D-JOV4X
zGx0HwpM~|i2g<V;pJAVk&$B1sN%lEd&uXjux%hkgJgjF-6+a)>Pm6s4&a_o;2iq4C
z*P!wfF>g)!BHRco&x>)me?19nA6NNHa4XN}QmlK{ikITk>MTpotSCO2xCZ%h9F}zj
zj+d31awTr&GFM@3N0q-Cx3J4_E3CS`2Dfv33hwOqwYaN&9qwaakF`zp-W%{Za+7bw
zEt36eYDzh7W#5F`*;DaA`(`}Kz6Fo7Z^cvX+pw;QYyP+6nRW%%wPwZd!0MOeX}Fzz
zC+=+Dh5Oid<AL@)Sm%6t@4Z-knq0}am3<%M)P`|<I@WintIYklnf(CP_sA;#Ans#7
zga_IW<6(9c9%Vm*r~BM#2A=J6k4JGc_p6WL(8oTG+d2LO?qffR2inzmnEezUWzWQu
z?Wgg4`x(5%eijepn5%Vp4iB@R$K&i-c)a}ro?y?$6YUrAWcwvN#eNx2wO_&0>{szj
zdk$X02Vmv!8eVSC#i<*`@z?Pv`wcwSeiKiz-@;SvxA8Q)22Z!&!87c6c&7a>o^8K}
z=i2Y%dG-gmGdr8|{1ErX+Sh9F{`N<BsLRa9hdBN*KGN||@HO_Q_!0Xv{DS>C{>WZ{
zJ8{yZ<u1g%?L~Nh`wM)e{Utu${tBOJe~mA+zro+yi}6qPw|Kox;$<ztL+$VIsrFKQ
zpZz_4#Qp()WdDd4+RN~T{DO+|{|SF<FUK2g7RP_aZS7xhC;L}?y!{(K)&3p7U`Om*
zuVHPA6#R~@{rDq04KK9o;m(`K<?G|Fb_3i8D^Fcd8t8aB9_ILZc&x3yVVu1_o?z>E
z@gY_|jfrcJo8Zugs|;OQGTyXKnT_g{QGXNq`HeBnA(`7ISpB^6+!VL*d^W>9?alE3
zTgw_^Z$Vsx@@bAkK3n3jEPZAT%i0=;Wo?6XOwn?;#o?He!0jC04u@k(3mlFq+v9Ld
z(dXb{F24gFW$%c`+B@NKb|#);?~Lc#t?&}NHP-VXTCZKOo)3|C#kx<eoZH}3R#@@f
za3eblH?!N~R(7)9?DoVp=)D~<;iNm_miF#=H(T%RXlK`XZ>Ku%?Tl6Dn&+N4u0y{6
z6QAYf?v0<Mp{UG0_<38`HFw}xrnr`M6#IkRg}4UY8|{iY)Fj;vhii=8ak$3V11DUj
zC(g8c;c$&n^AFb;dlT27WhIY$_I|{-wRJsXC%YdGb<!V)dsVvr+RJ6~a9>-?8ffcS
znteu`{~%oZ1m|aLM_nUX@M7#CxcZgY2jIN*Qj=wLO?S=~vGZ|8^Vmai!q)M*%svR0
z+r#k!djwu=AB=OijOQ~F=i3E1uXP+h1gCe4JqkCqN8>E}P@HWahI8!0ajty?&a=nh
zeEUdTXphAu_EEUZJ{nip$Kc}baX!c5Qu{buV;ACD`*@t*BQ8G<H?>bt`Cf7SM7-EO
z2`{rx#(DkXGN<5Ty9np^kK?D}Xh7`oILAH>7uu)e8v6`fYoCb=^5XZNg-h&WTxy?<
z%k2rc%034#v(LqPNJVYwJe+HvkFy5G@e35UOK_fjA<nla;sX03Txeg6i|t9c#J&X2
zvM<F8>{8rxP`upBaHc&Om)Mu%Qu_*AW?zZR?W=HweKoGM%W#!_4X&}L;9C1yyuiK=
zFSf78%j_F)Iv1B!Z#Uu$yBsI%n{cK*6=&Nw<6Qd|Twvdd$Jn>wLi=`HWLMyF`wm=T
zPs5e=ow&-r3s>8B<Hhzpc$s}Kj)uhRQi;>;`*2fxI?k}~#|irZoMk_VbM1%l82e#d
zXjkD9`w?7b&%i|o#W_5R^SD^Ax_u0%^PyLM99P&+;7a>RTx(b3oP*=?PvKm9CN8v}
z#>MtCxWs-ISC5R}`y8HQKaXqdS$LWK0@lMo%564Iw_n5s_Di_fei@h8ui#qyRlLBS
zgVRUF^L!0Awddlh(Q*8BTy4LB=h$!JTKg@$z<wJ?hsN)%!A<RVaE3h(7uxUQB3s9x
z;yPwd$z$jTl+mDbi4QR!g_EwuuXDUs{3HCXJs;~CB>hhP$9PMBcK!r!V{2Inm-&pi
z2F>SlOgQNUm`lY;FT|XxC%p)_w!gsL>@V>b_E%W<S~SnEvF?k=-(cOtkQZa!Z;-#m
zx;G#%!5ea3A%BNAx0hml{#X2atk3H54_Ke8<sY#=1Ix>>KCj9@;jX;o<&68-KQmU}
zs`xLA)sM)(GS)sXtFBJvT5;0EG{`#1(fOF1BKv$V73+CO#nZ5!hm`AK-QSn%<M6Db
zzKdGVIx5}}>$~S<EmyxYD6dCcgWL#*ZL~f<+wl$Xg?3|ntF8G=w>KoNLHkittRLl#
zfX>t8W?1KG^2Rt}Z-O)JO|j0?RAw`*^E7#LoX^RnoPi7ME$|q-IWDxf#6|X2xY*tr
zm)P6jQhQrmVJEQuu85Yk9j>xl;A(q&Jj-s0=h!>o8hb}vYwv^?*!nK;#rDp4ncWKK
z^O;V|ZH)`;UGNxNbzW$<A+AB&ZZ{mZT^0`eS6kfAW!hnVZc_R7_)uH(JhqNuGKbwM
zqe12Oz+wK`ILyBj4*PFsyrs+UiQC(IVcpBneD=m+zupJ$=lH&Oke!1Mvb*5Xc2|6q
z-3^~+cgN@0J@7?#PkgDZb-dcvcdKjA?*{h9VPETmHA(fqA7Ha2bJla;p$+TzOPV>}
zABXll04Mz3Je+Cok3)MNh(miGgmYYGFwV90J1cqi0XW}25Et0_c#J(17uv&ck$n&@
zwuj>qdju}E55{HoNL+3g;0pT?TxpNORrY9HZ6Atf*@xjd_Tjk3J_6U;`mXu~_K|q8
zJr*yskHQgsl(xmuSkL;(`h6We>nrQ|6g}%JABPimA=b0LiXV@&>~T2TJ^|<0C*oXN
zzXOzKpN#YEQ*eP@gvZ#Y;zD~oF0xO<r(?DG({ZumXW(-kKNFWYeipvi@nT%+_}RG3
zo`B2kb8v-yF0QoC!&UbA_%W;;F2L1}>%0G-ar{C&%khc$CC4wqa~!`I*Vy{~rw?7`
z5?t%}rFel|iobE0%kW~yC*x)I<ybqOw$T+h-PZ3^={kmTz6v*W{A!$GYhO;-*XX@&
zGgDOFzE<V!>u|!p9%tG&;4J$_oNbrm9Q!7mYfr^__RTooz6BT9x8gDOZMe|B9T(XZ
zxY)h}m)O&AseLCdv+u&?_T9L`z6V#@_u?wM5?9;z;aT={JjcEtXM0;bfOG5zajyLk
z&a)rJ`F0g9uphz2Y4LWPfh+7sai#qjuCgCjdCqmT-Jihv<4N+9G6xm88mHS&;imRX
zoMAtW6ZSJW(|#6b+0Wr@`*~b!&ysnrK+AdoSK702mHnd1aBikDFX3hO%UFMqOYv85
zQ~On%Vb8${`!$?t&&65x>p0tf1LxRp;#~VJoM*p{^X(d3V84UM*z<6q{Vp!D-^0cB
z`?$pZ0GHYy;xfAym)jrV3VS}Tv_HmG_9wX7{uIx$Kf`nE&vA{t0N2_J@dA4hUTlAX
zm)T!p?bxdGuW-8kHEwEugEQ>KIAMQ_Gwmff%l-~$+e>jV_e3=R@9`}A2Rz6A5!cwu
zaIO6lUSKcBi|wEBGW!>-lLpQISFFENEB}TwZS`qccKCy0Dx*KprMJten3R)F!x?rx
zoUrTTOuGTjvK!)TJ00iP>)~9x5ze#M$N9FNfhw>Y<1uy<Txf5Ii|nSj*xm@2*v)XM
zy)iDcH^Jrhrnti13|HEl<0?A?SKC|QS$1<g$KDdx*m`cO*4A^Z3+!$1VtZS>%ue9Q
z{o8gp-EM)K+S}s{yCqK8JK#)vN1SEvghPLuiE|v^8HfJ16%PGvYaII9U2uWR?~2FR
zZE&Hz8!oc5aIxJMm)Pxasofrz*&T4X-4R#VyW>iG4_swu<7&GTo@IB&bL>5FjlCDH
zwfDvg?0xWJdtbcF&cTt7?_F>>H|UDP`9L=u&Ih{Vgv<B9nRZW{W%t6_b}r7bd*fWY
z59X3;a{t;7=i7a8f!z;}vHRmfdjKx7^Kh}fKQ6Hc;!=AMF0%*Ya(f7_un)kM_JO#{
z&d1gEP&~^XhUeG^;Tn55uC+(t1@^&su{{zmvkP$K<Mkm}zmKN=XB5`&qsgPOt_8`5
z;)Hz|)^jF`AC9x^BXG7o2ItsE;#_+y&a;og`S#Jcz&-|#v5&=t_Hnq#F2u$5@wmhu
zhfD1faG8A~F1Js@QN1|-lX1Fz3fAugX}yYYhJ7kd*yC}geHzZPPsiEz892v26X)7z
z;XJz-=i6uF0($};W1oWy?Q?OFeI72h&&O5v1-RNS!L#fO@f>?1uCXt|wf4n$fjtQ?
zwsp)}W?xENgX*Ugr`wm|ruJl<VPB3D_7ynOz7l8Int!%^HE|94Tu_E-s!3mi!{_uV
zm_ukXek~67d9TAQ9KRm7vTwlc>>F{o&s&be{oI@Ic$b-qC)hXRiS{kH1$~!tyA`)5
zIr%ocr+qu_W>?_->^tz~_B4F0eJ9qwsrlT6Big5YH%_<j!A)(|mG&K#sZ@Er1>c96
zP14hGsH^*NsH+EXsH+EY3zvTghq`(ghq|i5p{^dmU0r?#?qffS2ilL}P@j+EQI0=>
z$J$TgP|wwPg5yu&iS|r9!+sjiwV%QB>}T;J`#HSaejbPGsIzdmj`{))*HLF<{mzu?
z?L{26=}UN=<1gcx_A5AiR(%z>OO4+<2Y0q#!!zu;Sl?@@`M-|8v){l!+i&9Sy&d1e
z?d`Ymo^}o1&wd9FvghG6_D9YCUA(dV9^TScJ2}AqfVc*g{}7Wx(zUpe{SglBWIk^0
z_{X?~{RwVme~R1KpW)r@&+$I?0^HqRhzHn<a30qEg)eYuKgv1Z@vn$$P|jcDkn=Y<
z<h&S%oWI2(=OsAg`5kWO`7Fhw?C<eJ`v*MN{t?f&m*FM$PdK!t<+z>O#?LrhhyMkS
za{O03-Tn>Fuz$y)U1>#TJD!5)+NpS+ordSz_3$FQK3-xsz+I^z)m1}0)=tOcY<*|U
zc)JmvV6Ts7+xoqMd3IyG#BPF@+Z*CWZih|rSX<vi6MttB*Z=V}$2Z0k>&Ln2cM&Gr
zo8lSvW_Y%}IbLFC;N|ufIMw%Jn&U?HmWp!_(z@&S8+2_#-WqE^m$$*%C*^H%a{s{z
zthTQBc39h0Zh^<~lDAhGyCvgA_705uaGgPAcEqFXo$y#Y6EEUAgUalT$8l{zZiT}$
zhplmV&QQOH5uP*L6*uRAs`72{SbI0zna`VwXW?OXTO6J<Y^U;$x5wk`4tS#75l^;v
z$5ZS*@Gy2N%|9E@wmac@c4xfA-V=}7IxfE#9%t{3oALLUG@pHN3wvKY!_JX;_(o;A
z;3+L)cg4-OkKGMVv%BNDb`O=`AuiJsPqllgjGc?ea>Akc_r}v&#qNWr+xy{0bYv>i
z7q_$f;ZM1-p?H5hqC@Nf_%J&U-)irV-?s<i@9jbOS9>t7&%;%k=Mdc3J^*iOABcCg
z^KnOeC>~)C!-v@i;b-mP_+@(pe$ze}zi*Gkjp?kFLjm5@J_K)VkHS0Hqw(E)#N`jg
zU)hJ@9-OpkK8NFe_7Ql9JqC}kkHoKci_4G2@7hP<kL{!J7xppuJNsDtvwa*+<DjDD
z7UK2o<MGC}_T4S*6Y%!-iFlBG5<bX28J}REf={!H@W(ykW$D<|r%&wh#5E{~(=fY2
z(x>CG_8EAIeI^d)CuiYQ_uIud98=E5%^aVATiEB|VfMLrlzkqaY@d&(*%#pHb_t$q
zUx>poWg-s8k&AFM_w5(s=Jq5!-M$3RurI|k?NYqRz6^)s#bn$$Ev}Qxaaa2aJl?(%
zPq44TlkKZ<IF6LzvGwBlT!X{2_fznA$FIc`?CWsz`f>T|v3@5=+vo-yp1r>jhiC80
zac7sg33s)p;_w{)&3KgKx8Sk%t$3V$8y;`pj?cC$uzv4aIoyHuJHWEqQnrs@cM{j2
zdz5!!4qwU7R(E5%e12b-@Bhc4jophkBOd0Hfps2rA8`%(Ts9qt`P`2+AH^TQDlb2X
z=^B$(K3Vp|#5Jf)6%O-x1c&*ke3;LpF0cF_t5g2*I_00hq5P9L;rUnNki%0r<S-Lw
zyUf$LskiSlirdfP9IU@n{2cD$`14qwwN)pxaBs(7z<G|(#``<|BF=aGB|OyemvMpP
zui!%*e--Pqx#m9yAL+R2q|ouX#5Jf+UdN#h-@u^`-^8I#-ogpWtIprXp-yUWsFQba
zsFQj4Ov<Ybyo-ym@_7$Wa9sJ6IQ{`~4a(<39P+8fA)k+M$Y(xIP+s|bj6*)3;E>O!
zIOOvg&Y^89htF{rxAO(KhrJNzy38Wn&+#vCp5tHQA&!5A^Bw;hk8u1OT;TX(e3;|k
z;xUdd!N)lM9WHcyDL%>Z?{SgiKj1SQ{}C5Ez6_t|_)oaR@#T1u<3Hn4$A7_BI{qsz
zbNn}az2m>*a>sQa>{iE9aE0TkSij>L_VG%`>k-$W?N}d&?brZoJF2f}h{JOly0^yT
z{QsJdwy(BPBjOq~pY?H=&jvWOhsHRxhbA~dd9{ZPacB>^Ul-cLMmV&GX1M*>c)1(n
zJ?%~K#z)2RO>qX+{<|4Y*qh@_TlWC7>@9G%-5lrGTjE@ME1YL<jq~koaDlxo9%Jji
zVxheqF0xzTVtadBVz<Pl_71qr-VvAEJK+jj_bMyxopF`j3Rl~$@hp26JjdP@*Vt`v
zt-TvwVC(+pV!JI~X1BxoathULdz@}}z)kIrIK$o@C+t0NrmcIbS#~F!ZFj~w_MSM`
z-V5j1d*gh2A6#JT@4An%b8w;E1sB;}ak1SEm)PBLsoevY**$T&-3wRPxwz8qjjL>Z
zZmYKU!?WzZc#ho<*Vz4WtvvuQu=DU@dw;yl9*Co3;`$$i)9t~ysXYW|*azT*eIU-X
z^Kq6v6ldGRaE^Tt&b5c*JbMJrw-3ez_DDR&F2IHMA-KraXW3$VG%m3Z#ijOPxXeBr
zm)l3+3VRH$w2#D9wmu(M+ehJ9_R)BbeGIO#kHxk2ad?4Uh!@+(<7M_Z9330i{|PwV
zJ`p#yb$raQ^_>SA)E}Or@>qRck;>br;?N(C#|g(z!=XPs9f$t#3>^ByGx21~t3N*r
zPqmA21y-MYHon903AobnbMSqRE9WZ5&m*ouIiHV1&KKa2a|sSPUx*Ww*LqFFA?J&5
z$oXO%a-M{*Y7*ys3BJd^6jx&9T#6rd{4!kS_+<Q~<Co)V$FIQ8JANge<@i<jRmZQ!
za~v<jZ#%AauW@_|aSd9RYjIfj>u^~2>v3538*o@(%_ppHIdKiD!<%rJ&r}@db2AR}
zxdkUEujSr~!#r=pnr9Q@w_`r;|Ld5m`cz%rL0p5%Ov8NKNtU@2b9nz(dF7z;ce}in
zbq@}?-HStRl{n;f9}f9U$6+1s$I3zTc>w3w58_<=A)IGFjPva(Twp(f$JjG)q5UW>
zvLD06_T#w3egc=;PvSDW8W*L+xjlu8?U^{-%YGV%d)d$6GM9N4m)p<ba4-9L9PVY$
z!nu4t)w*lDSKG6RYtVLo5vOC7c?mbQU&a~sD>z}liZkswILm$wXWLqqzIRFc`|HFt
zXjyOIu&g(+mZfvHw=kFAlI7pVo7$R>a!`AChqwmKXC4moc^8MA-@_s2_i=*qTCWdq
z$oWGYa<0X7bJln9E9d#dHE3BM<FKqxa9Gx-I4tWkoS?jx^*Ij9T7bi{7UH_g((jLH
zSzi#>pk;lD!?M1@VOd|}u&i%zg7R9{VjPzBEe^|Cg2S@D!x!*@S<70AOR(zmdwh}O
zKj2cwf5ewNz6_T+{u92|@#VPO@t^U{j{kxy9RC&H>G*HB((&K%{f_I)B&!@x!H+tg
zimM$@!%sV256^PEK7P^h26&F+4e{%ar{fyO*Te5R-U!z^zCQlg@eS|-#~b4>9B+ab
zJH8?Q&he&rnd2MbpB-<8^}$2+yfIG0s(-cTbjLSU83t|l&2ZT6o8z$EGqAS1_K_{{
z7FhFXj=9YIuX!f0mbDde4VvfHILvb!9Ok(#4s9uc6O>n5+75@d)B=aLv^@@OsU^NU
zC0_0hSpAHayCc@$UsrBB;VQ>7vHotl;ydGN$6Mj29B+;FT#e?l3)bH$4|O%i@ixRY
zXuWpBVZE|&Sg*D?tXDgnpuE<rJr3*D0f+VKh{JkmyBy@}7<&-cpk-y_u&hovEUPot
zvb0_H#Noc%UYJY!|H?mswO;!W*Pwasi^Du~aF}No9P;mq6O>o}-EhdiI}Z8xz#;#h
z_!7#i-g@CutmWq7s~zu+%N*~6Z**MiUhepC?pF4Q4v2d5n+rXn;T#{kaBs3Z|9bN~
z3;Qu;0Ke}$gx|C1!9B&{e1~Z7s6SH&ph5gRC>qLZFjM>SI}s`|h~sJx{&izsfBb0(
zN7+9|x>3F__f@;|e_yg%^BHv^8)bdKT3<>YYcXVvFXg~wZST%G)^OHg5dXSRXTAS{
z<qW1RbV;_1Ro^~&%ws^*D><irwDF!~-j^*h2xrnFvbm4GGix>=*>3tX?wKs3_LxYn
z^B?ChoElb}=}u+`L~Yl2E!1tx2a>};GChDLu1hu0gSGFS-0S*Nv#XxjU+>M`*dBd(
z4NTU#_R}70vmR?~Kdsxg`>|Eqvu6ERUiZ~lt3S4vHPPaFCF@)L)DT)jH(H*0lP<Uo
z5w+P>-v(<w+wRGIE#9`h$hixBwA%5i=lIv{L?yb=BG<+KLPt1ly8+aLj${4Fb6wnS
z>Sb2vNVw)(Qa@UF++V9#T%8uQ=5y=G8Ay*c*rxl@g1fPf16XGrgVaX)vxLDMn|dbO
zwc3vQtAU&s=}6px5?Q?3^M8AeM4gDLPssE8MpCi|{c~^rsi#=go^#FDo$^vft9s70
z<}>O|t>v#%8O5zYtzTy%I^)V)r}B%BJNfiz|3shBg|;#v>Pk%vPqu3PtR5jjyVp5b
z)=Kf=$$e=kbvBsybxZcU>r#8uQG8v>N9Pp!#H2I3)j6kK^Lu74J;naCvF>dBRj;v?
z&mjI=Z>v6Z5H-<{CHCc*J)AyNwKI~)Aoj<;M6{mj!{Vd4&OCb4&ienGp1KX?wXbyH
zU7^n&`LDiP{dX2~9+~XHyYl|_d?M+{XA-sW_KZ8QjP^uUZJDcHV{3j(_F?_|v4#h7
z{A#}%+j7lkHiRv-CO^;qFD*#tTD{rsUD?uVM}ui;x^khb8gY--hU*zC+J}w;?P!Hv
z`FlRn9vtsAeGej?h^WW=Pjg(CT0y+N-B{m$;<)j@f2!A2BpoTVEe6t3<KynS`3Y-a
z^0@X-9ee-xI*hN3<gtJETE~teI=@?;GtQNdAOFi9o=1Dq9@&jOyUoA$>9Cg$NghG!
z?)9CL$Ab8rK0YS=^*;aima#7N1G&lmPG=nbS?_i4Du%8k=**+bI@eDrqjl@}sbl);
z96$fpBf72z_T!(<wCY}0)92n5pAU4drq9tj(&*E(e%ATf0kk#U0noMEo@`sSJzeu(
zm-Y%>CDOULu2AdKj?M)BsePkv9qR1%uRmk0ct?DlR@eHvQnN$ZKKgvK?p$$*x3#Xq
z=}ydkWVUWyO^T1@b!&aqTjk2fsz2W&(-p}0+RNHpN?gmjhNb?h-D>P-f4xTW9jW*{
zTA!`8z5CG`|Ecv0XYp%ud3E~+T^sDnp0+mbR}M_}IC1-kx7(`j$A7)ubU#D;;@WN>
z@g0=4y_CKjTlQP4ZBF%-$5BC_3s?2(>0fUZUFXo<fPwTAYjZihlly2dT0kzXd3COD
z{`ETPSfzVrx^um@+kx7&`XF7)U%NG^PlEAw(%pcy*CMo~;wLQD=2Fz|bgtHOt*(nc
zmFb$=+C3u0OX)&iI(V%wYsI<j+FmOysV`^yYv&1&KR^4hwp-ikd}{gYK1X*iSLZta
z|GI>c$)09y)>VA}DV#;G%_Zqmnx1)yucxogCFvYEcdhm`aqq0V32Spb)c?nKx>o-z
zv?aZ~?me&md1c&U;!o^(^cVUh{>RVxy3(yrJi5xIPbA^VtQGg7+VE+z8}Zf8=Fgvj
zbX_if)-b-4vo^O-{JCTZ>%aE<P1RQ~wxXVRTiZv2_}NWeY3Z{DTezMXim%@2)B3Pv
z+lhMvJ-w;tA9OWGPoAy#S()^t<PhGgGp@Dw=_p=j<*+(ej{bemUiWFV?p&)H%y!f<
zWbK|quINAX*<x+(2kO`LG;IGh+V83@=sa6j&2(lrkanT_r&-ioJH~C2wb*+N^dkRm
zN!>V#v}1XDaF2G)Eh+9j<9;)Kl6mDw{5)>lujxvMa%)39=sx+{=r7}QbM1Y4x_ZsE
zlK*xm{?E@n#cLhzqyO>Qr$1)6I%jr&JWl=bO0%9Z96}AO*lUK<_EwIq`nAuMdxkYv
zKf3d@I#)ec&g{>}RBeIyx`D1x=pI(Q%q*T_(9f&hYQl9Qoip^It?Se1Q0@UJCtU~A
z9RXeG*Hcn@GF!cY&MpQpRt?5S3*9*wmVAe<RO`9A-jvaiV}S1r=pEraM9a!f&ao}|
z>&|=Jrs^JPbWWolN6XN8UVNO=`Ck0gO8k`c+SnflvxM+8p!#jy<yf8lvTh9z;@GNV
zPJ+4~z+4mlNl&rpDa82sdDYL#HNN5+rF0-A{@i}+KAWYh!-LtM1~ShT=Y1-nEvnCh
z`d`~2i~d#5Ido!~S!`oH@z{a*9{lT(Y+pT-Q}qOQHt*MYP*+NIqi^n%e9l78)x=Xf
z@m^gI()qIHr@grgQ#;U;cV+H-@Sbe`skiBx?AyDnfj(8eirS9WIP~e^u9eP2`%&ZZ
zmDXL!KzmTf<a%~VUa83AovYuD{+vU+$F8_m6*B0StlPFMRe9*@(%Q=4K-N4wv#Mu<
zR@6dwwoZHu@5ENnRiQPL!=HODwX<DmhicP0yHqQW`w{I^;dg}kQDRljBkJy3dCWu4
zmFe?G{JTc_JtsYTlE=^g=~;{TsQ}##>`SKmt$~)HKCx#q1NB_GGp6VCRl|y}eoOmz
z=Srtht7_NU%d%-x?WyxUlKWW~)Pd!8<fmQ9q$lx?Xm|eC(W4_jXYuav#M2pMuA_~%
z&YHSA5g*?MaU@VH2uA^(Tj|-6;ZaNejU*oTOoOnFYFZ!l5^+z`mR6%2)pm5{M`wpU
zSr6s9`gQu}y*KPTx^Ak^eW5mX<)?1RJleAl>AAu+weS2n2i1T4`wi;fbcPZ7kS=UZ
zZ8dG#PHe%om&1R$XSFL^L(j*nHafDcbj^27_91mYv8{aev+8F%E1zloxz1J7I)V*l
z+YaELj*%;V`$cQnldbaiTb!1(W`A2QzGAG;vbp3No}G>RIem&A>i9_V)$w-KYi-Tv
zu3lPCVW?+Zy=y6}pPTAYX9;@JGrrCjA3=2F(7gurQ0fH+lCz$AZ$o|drR4ub8~9JT
z*3D06)BR}?@ws_i(|YDg*D}}rHR+K&XC3hWL8dyF(Nluj*VM1*dYXR2dQH`F-E*7&
z{gc_+`kb%_YZjlgw&!@$j^j^T_FO$bpPf9@@5He{=M=g=q|XjIHf2+;D=)ooUD{jX
zyJ7K}nXI!#{g$KZPDlE%e~%$+zTzR8^61M?PT1nrl#5=fo}%Bo&*8g8YIwEA`Wu1&
zZBUuN8vfpI#`E0(%<yntDW36l`^4yQp~flEgTv!-mB*8=ihq8%mEMsS-Eu_y^Yi*5
zC(1wPpTGECKc_~mc8<%HY!{Co_4_g%zr*o+J>IQ}$~B4dT<+0iyk2zcXvOPAMGZ7g
zjdo0p$7lKH9-|1e{7Hw!;||W_#D)5~UNpI0Tz+rI+b>l-HCpQTS9ty}`29`l$K|&>
zMCDSVPd)#khsHk-POe`{G@^A}Zaq~Z<*xPo8;p*B{@(NZ(c^`#$5AeKr<Yso>EDis
z-*;njJETMlx6%BymEz%v2^yzFJGP7C)kF33`h0J{er^~|>k!8Wxjxf2($Dpx<cRk*
z(~pcl+(2j$)h5Sj(MKK+ODJAHI^5$i9{-*kr$zgFzMpwMGpB2Q4WrlgQlMc}wRb$e
zUw;^$<qp|UKi7+fdi;8_T$8A2GLiM7(hN;+5Pgtb&w5d<*Z1^Py+0*7!{dn_U+nQD
zkM*}BRBo$e6{SR7lJ!zAy1;qv?Vl_Bv;NMq%IohcYdrL8jW>xN|1AFb1&?=HFaBBI
znWJ(u_-+i1pY*tA<M`*+$vyt>d^^Vfc9x-U@%VfD^2&Ga>Ru83<F_dMrzdpv7YhFA
zW!8NvIHGU=zg&L&6!MCvk|WN2)}?&n{8l_Ay*As(f4auO5o@j0$$whr$}M|sw$uNd
z!;14|{q>Hu)h_;*<=6de!8bFnGr9cnZ1ul=cF^}!{oNW|aSp4$VzTP*{?GR&^cPXq
z#(Y=40<SZ@e_}bqlV_p2YOZ^(y3)`0PX8Y*`QP1Rh`0~+e^U?tE}Or;;}Jy%|9_S5
z%6Dk^R{wt}|3BW-(_hH?XSVYnm#eK@_g*4@y<nZlW956A`pfU@LjA0qS2*s5tL(Zu
ze(3)vnf~=%;fOm0t5fTB?-51OE^BOFaZW4lH$~C5e|z44yfz&rzdJ2{CQ8>Mbqx5s
z-{BYEL$3Rz;Hn%g|Cm=eF4moEXmjDa;MC?aS9ATfoIieBM8tKZzq{@KockZ=`R8w-
zh@yS}fu*RI*Ol3S_bmnbyMt?gJ^xz<tM)w!{C$#tB=5iXo7qt`dL7JaIM+<W@1uwB
zDfz44N#}2At@fJy`I(XMU04y<Y*)9{{pY#sD5ZN4b-!tARn9P0-k<;85?6drOx@?(
z)<j>W>qB*)Kv@(0?8@_8@%>CI?oF<V+*f{PLw^f%bz8#9^Bhj?gy%q_Xt%X6e?4gt
rzMXbeuCc7#vi`gVb(f$|%`29t@4sDhTVlnXZ)O?~`m$h#l<5Bf)J|25

literal 0
HcmV?d00001

diff --git a/tests/data/scca/WMIADAP.EXE-F8DFDFA2.pf b/tests/data/scca/WMIADAP.EXE-F8DFDFA2.pf
new file mode 100755
index 0000000000000000000000000000000000000000..d462a3bc8579493a72bc2462253d6b114f25dba0
GIT binary patch
literal 18810
zcmciK37k*W|Htv~3|Yn+vdh>tmV_dud}oYhjHMatpcqS%Bvg`RB1>aUiY7&tNQ$JA
zG&HFsMU*5(Qz9vnO4RrMU!Qy5Cmz55_V_(&e%IsrJiq7M<(zZRJ>Prp%-nLJP$)Ga
zA$%!uZ2M5CN2p_{eJC7i&D<r_Fq9bT$$VkD7G|9DybCFTX7_&~dg-A<XYJD|<{Hdh
zE(wKd<qw65HVcKO77v9MvY{x_bMu8lWce=HvPN3_hP$FdGpDvCDdb`!<@;&>@P8B7
zp3OEjw*R6-p%nwHWcmH{CdlT&%vUp8{+I%mA02v;|4laUVYc?L{Myk${(3$()!c?8
zs_y4c)cW7@v99J<$hZBldMGiS|JZ7A(kdXEFDJuozsJlVzYh5gpw08hcja59@^>Xa
zmOPsy<lFXb2Tjfd7)^djX!Br>gO%0t-y39z3Oz`EFJ$v>^4<EyFCl{kzaUgWHaF+k
zy8NcMlEC`s$S;9xUP8WW-_hS$e*REl_EiA+Go8SWv+aLg{$Tqha12Q{4<X;J-%{JJ
zK>l^)+592-uKwed-<AB!$g{ZxJ8}74e<6YL-A4W-Wb-rRyY2TH803FXei3MM(SjH1
zch`_0|5x(atv`<@-<AI=t$+Ta_4kqQ_Mea*tY3gOb?p;hDA<2A>s0F><X=WU$^N`b
z`PM#1w0@O~@{1SN`YfL@C|JK1`6T=EXmE`sv;I$ggZzf%yYlC1eak<o@;4#hm9HHK
z!S#=2T0fqAs^!n?$#0?U$Ekm|C%+VFHrJ&Q-TJ?4{odr?M4rv_$oKm{`=6xpuOYuG
zc{ZOTKaogwDAI=iIDYSw@7iZ-QTm`Iv%mzczn6R)%WOVNzB_;Ft9;*(Z~L@)Sg{M`
zuQh`NwqK4u>*|+FzAJxowa?`j<tH<yRc0+V`PXE<*!pgCl;>HwtsTs^Ohw<>9-9bN
zm+e@@`3^_yoUrzcj>`6|3`xE{&+41zI~=iNJ5uSkpRqDc<@agZ7u61B`sopmDum|w
z_B@Ik%98CEFO_X9SS?$-t(UFro8;2O9Jvf}hivEB9=R;>fLxB4E0-r8mn#rY%N2>|
z<Vt?Dx=;74O=D<CtBZ{@rF=)c%W*}eTmPso$Kp7-8g49G8@G^a;CQ(vPLgZk6uCA|
zlk4Dgxh@_mUx7!;ad@m;4^NWo<4oBfr{#vEXUSLMrLv77tL3Zkdbu&)BwK&Yk*!be
zkZpX~Bip%tK(_ClT-nZ%<FcI(r{xy-oNVK%jYHPv*W(zuB`zi3fGf&3;_7lM94Ciy
zV>uqTkP~pc+!`mzc7CVGc8U*`+v2fuJ3L8lk2B>YY~O)a<_<VZPR2{+j(D})39pws
z<4tlGoFm_acgQJtkDQ7R$X#)++zlU>yW?n1bSqB}TuSbVE6Vo08qEM;%cS8Lxi`*|
z``{h24V%a1n{hD)16%hNe3{%2SCRYUT5>vWAP>M-%L8#s*@n$Tc`)uM--^4*LvUaD
zHatikitmtb$9K!a@Ob$SJVhRkXUTWsN97UtN%=0kLLP~a$fIxr20yF&XgprN8&8q%
z!L#Ih@d|kiep$W`e<qK`U&;65@8oefDkj+1cwAWam@btkl5UfgCxckZceeKcvAS>1
zn?$s8%$Au<jF%rICixCWrVy>4*)mg!)+fx<h<5zU(}_dnhltiLmYzwpI+$k=ZGYyO
z#Ch^8VwOCcxKy4)TrJNfu9qJsZjx;qIr1aKJ@S0w0r^p4uJ3T<F=C9ylLfexyb#ax
z9gaMX)1s}M;fR%MzxwtQ_^`YPACsTNXXU4`UA$Nw7sEpG5?oS#8kd)?uCekmTvuL>
z8_6qhbNLzEN?wWE$*b_jg28^D#am@-zwPpKc(=R;@0Xv)hvgUWF?lUMC9lJ+)z7Vu
zC0}Hk%CGNBM4PPc8!XB%6Jz98h^6FLi52CI#Om^E#5mcGb7T2+VhedQF<yRym?UQt
zQ{*kgG<hpAU4D}|RL&ue^c{}8MVzGcZNyCZZQ?xn9b%UJE^(>6ow(X}w)Y-!z0!9O
ztq#_g-Y44rtbKM8EzkS`agY2V@qoOGm@Drlo|Zo%x;|{{xjwuXS5$xg7`Ko=!SV7w
zoFadUgYWlnWIw(sIw;R)xR-2Y=`Vkd?cT)7d=TFye}V6lzr+v7hwwx4Vf?WC6@FIE
z#V^WV<JaVG@SE}x{JU&@FDhS9hNGn0l%Mh(Bhn>(e@84SA19WVzbD4ZCx~_BABc_Q
zABoN7lf(@96mh!z6LGF=$7G@WGjWN0hPX=pg}6@smAFy<jcD7o@}DKzZ2q0dWxnro
zu#kKnmz4j&<>fzdtQ^60We@kG-E5n-y&-ZG9wA5LF>*efA=|C)blGmJ=gRhoV4++P
zAC|3*$K=BJlx+R<tXu@!jfj<}C@v%y!zE=qzUAc-q_e8u->lv-zQd7AadqF>p7s4W
zxioI9<;&m}@?|()E{l_Vha=^1ifnC}CRf1evYk&u<w|(0Tp3T2tKdxeay(D2inC-p
zJ~_TUuNvMVSI5?e?3}8B-T7M+Tb`xYBF4$JiLGR7t9G&-bDM1WE3m7ht>@}e54-Z$
z$3fXVuK`}_uN#gu#JSqemH4>a2)lA#h0kgE#yA*@!jUG}mA@%=<-Z!cvFIASlH+UT
zY=+m$&G8obTKul>aKzU8RK5-$lCQ@n<(Bw2`37t^vNqn{hzsTqY;9Im4&!EWJib>>
zz!QCYUTZu}PQ-I$dtSCcZi^Sob{tm9?eSVU3BM|Lz`NvR{Hfd#ACf!aqjG0_QtpC(
zlW)S;=zHJB@*Ct-+(x#(F<b6Nx=q&R-7%Z--2)eud*U*3FI-tp!}Wb<d%bZ}rT4+t
z%YAWc`DUCf--5f!{qShHKOQHi<3+x+J$pQ8=arRnATj6zo;L{Z@{g(K4aPx#@Vr}b
z&>uW+2tKN1Zo@&}@Vuco=o_AQI}ZAW=MBR_-|)OUa9g$QaNJqG6Zeou;PLWZc#1p{
z&yq*sM`dgOz4G0p+hp~+2UASn_u?Y*7+hMu57&^#;(GG^cz`?(KO&FEc5Q0gpMaOi
z6Y+C$27XC?0Nb^cEk6mrB~QkCeP>(oJ-ZIDWu}mBlX)tR^PTNY!|_U=j)QT=^B%$@
zm7a;+csK*QF=r-rW6mtRTHBnBqy5?Q<`CoLxkPJgE5pM?YZvo8qSe9t2+{Uuo=>zq
z^P|Kp`7z>Zc>!^~ypXs_ew>&i+j=|XCy0CGMZ^R0lf+#4DdKT?G4Zs#gm_MV+G2E2
zwxu{mUWQA_%W*|{1+FeXgX83txUswnw~(L3@v_x5Nq!Ee$ZK$LkK=jI<8-CJfQQO!
z@kn_c9xK0yC&|`+net0GOWuH2%P-@kd_jF*!71{qc&xk;XUebP9N9l6I*(o_Jzn07
zbLBVihXsP|XXAbH7JNe9iqFVz;)1%bvEy7vehXhIZ^O;xxABegJGia<F77OE$35it
z@GY|Som=Ji@tyKcJW>7tPm@2ybL3rkfxH_pmOsKPW$TYy<h}S^`D46G{sepSK3tFs
zWjilE#e?Pjc)0u-&XTQ<FO@&XtL1|@N4Bw|O5tFeUy^Q<ZT}FiE+57zzO%iraGGrA
zO}du(8V{Af!EOvWg2yWTTb$`T965@Eaf9oByk5(EhjU~*7k9|t<2~{Te2Mzc54f28
zBfd;NiL1z`u>G9S>h%+DAlvzUwfr+~DWAcK@-Mif{44Gz|Aza@XR-TE`5n9O6l>cr
zw9I+ZZL%`_fjPZ=|A}Md2u_kc9JD#t|13O>+18CB&XJ>u3*>yn#d3b)O8FAvTDbu6
zRk<K>i(H7fPqs3<=ZZ0;*<|}IV)=4W&`d6dZ<LGUMA^2}NiJzC%9mpMXxp^$vV~k4
zySkUb2b6vp-l6fNEOyT}%VGCyvpg=TcDDUa*0obb(rvPRRkC&E%D}aG6<o?s&-U!+
zp>c9m?8+94<F#%zoF-St=~})99;x)2c&uCtPm*inEV&L|E!V~C<tuQG9EW$v_3$3w
z*<O8oKyH9@wM;{NTD}sWlN;e^>vOcjRoH#U+4qn8UTcEwc-t~fiFRzvR}*bH^EJdF
zax>xxxjAu+d@V6UZb6(bUq_rPUr$^pw<Io+Zy>IcZzQghTM;+PVd7Rfp1563Anul1
z6ZgxB#KUqM;xV}`(e7cbUhS~m!<yS;yN5L=;aIr?eppV%kINnL({d;LtlSyDD0jiH
z$v5FQ<rMs$oQgk^tq;5LtsCh!S$Vo+7V+H!yKBy#xRTO);Tpcfku>bCKYQaQTBZ-a
zPVS2n<ePB^t$Pa|rSyK-jbr`s5uI!4xR}nh0r+`&AbwdMgx`<{<G1BoaRGg&55dJ{
ztNU1aDCss?-EYV2*7q<R-0y@Vci`ZDC)*p2YigN0vAf3^frERQaO5uBN6U=F1LaY8
zm^>Q0`<=V-IHli%AC&LKGvzUOzI-2EB#*_*<@@m(c^uv#kH?$k33!`45%2UJj%472
zN`C-<BTvF7d}n);@frC+{D(XR=hwME6&IDK;WF}cTv@hfel_JxTwk7no60ls_3|v-
zTAq!Q<vF;kJQw$oAI1aad3c!o2p%oZ$K&Kj@q_YXc&5An&zBeCMe^f#xtxX9$WP!6
z@*=!heiCn!pTaxk#rR`+2|nmM+j|;+qx7Ztgzs=<8LrH1KU-f;tSPS`+IVe!_!**&
z9p;t9uJS6Poimnh&sMGe=GDY)@^i#*<Tb<-^7F($<QIq^=MUChi?``qTZdcg8t+Bi
zuSl@WdOTcy3Ev}cz!T(`@l^R0JX?Mhe=l#uKg+M-^YSK~uV}EZ*KrYfGcGN^fh)<`
zxQ4t1*ORy6Ci0s&RnEb^<+t!C+1hNf{5GB;zk?r<-^EYJ+wn5_J^Y-!1HUA{k6)K}
z;`ikb@aOV}_`JLe=PMS}eK#&5e}qfRdvGOrFRmefjO)pt;3o1ue4YF$PLTKG4)SL>
zRX%`w%b()`@<DvN`~@B*e~Isx58<EX!}z@X70y>Ys8=p7B7cob%hpdT$w%;f`CGh5
zK8lyi$M72YJG?<YjyKEpy|A)GuwU!@HrYAy19snuKjPj>KZys(r|?9bvp->b_F?Ou
z#`c`T{4-uGpTTy2Zt1^ZyMHs=<emxqM!HRweipkj{EjKIpMDOz?`T`MywdG_waM1~
z^P+Vlm{TX%*G22v#`h{c3V$uz?*e=;=fgk9`LVkWyabn|{Dl~o{4&S|Nw=v0W$>?q
zu$8AU>D(In&-r6)UAYLh^83&KajaYn*OiOoMsf+<T()Z~_x*J#cHduipK*d^Y`>*(
z@crd^Ww8A$#L{i5s`f8Sx=of|4%<hwU9bJAajyctTjQSnPQ-Y*5}qPg#v5hZehFP~
zTu!=8R>!K?wL>g+?NAN7cBqbHwR{ci+My<P?O@w??NFO^o2<-ruzfVw1y$uMa2+`g
zUn$qa?mnwNZmaYLI9axRrN~#3Zj(JrZ-lMOnXkfB-FIUg^tW)t*5&l_)0_UaF4zBm
zt;_X4cK1!qa8b*n{LP7W%*@vkt$occh}IV7>xfov^Yz5aI$kYtP5A~}M!peukXzwY
zIgESDR%UnKoj|%xw*A&PsITWGVprxi_!=$K7T+MZ!%4Dj)3sp|={DImJ7D{0P6qBg
z?TFnu-U++w@Xol2mhXby_4Z9TLFx7^t%ID3Q{}GMjbq*L0Ht@wx63{7{c=w{S?+~r
z$Z2?vZ1q|o_aWUTJNNry*H$-U*XM7+uHE`!*Z=$DQmkw3kdEECFaXDrZs*QG?9PQj
z*qsZ5u{#%T#jUjb5Zq3_4R?`;;-2#DxSu=>50US{Bjn+DjC?1~kVoL@@?ChYJQ6RI
zN8u&%XuL|k8?Te^!5ig!@m6^Z-Y(yVcgyyCbiaH*J}i&J$K>(&lso~Sl_%m5<DRu=
z1}-E&fNeat^hvn9JQ>Hz58}G=6x>Ljikr*Ra4UH_ZYMv4yU3Zir#u7qlV{=~@+>?;
zo{h)IbFjOHpNlh;{xEje^Yid@r9Xn*wf%fNSLu)9h4N!~iM#->k{9B2^5b};oQ2(W
z{u6ks(idTO&Hp6cuJotyU)TS5x6+s3{qocJ5Vrom6dzXlGJH&4j_vuQEwcijQu;Ia
zth^H2iD$=g6)q${i({~@yBe2N`g6FvZ0B;U{5<J4*>+yQh2*uiuDs6Hm0!fM@_JlX
zehD{{H{j;-%eW^4fo=a4+)sWL50N+G5%OzzjJyeF$gkt+@@70&egm(Pv++843*IPi
z#arb!@pd@}@0Q=f`{ix;u>3YYCclGE$?xK`@^;*_Y*5Gda6fqm9wJ+tkC1ngZj&9O
z53qeSe+W9tyKpyoH|{Hcga^rc@Cezq@5b|wNw>+i`3dGw``(9x?`WR?V>b@(#}&2A
zXSlk20LRIn<Hqtq+(P~W$ID;hB>50_--Cy7n$o|*>2fZ1b@>|Kp>(UuX!!`~Hd$T1
z#jY+#G0pF%AH%LL-(gpm<Ji^Zd+h3R0=v5WfL&dF#I7zUv8&4|?CSCpc6B+8gSupU
zKjWc(d9uATc%=Lb&Qv*n#q;Ff@KX6KUM>HQ*Za=)&f!h+d7LBvfp^G%;yrQ%ACNtq
zE8Byw<8l-}E!(s37=N4zNAlrPzCABLt|;4c#Cw>n{R<E$$oBK|sd6FWY`HM;G1;E4
zKP49-{wNnEmgOSSwrM|msVx`B4doKp{hot8n|HtGa4B}b=THiF((<M8&2kw$Shk<%
z442E|`!0G;cvLP=x=mJ|3YezzT@gPaSHkCIyY|ed_NjthyIH@jrgZy#lZ<UPCbSC0
z;t_noo2%jd{F0!#I&N1s%6ARirF>w!p6w~yHn-P~_Lu1sYR%6_y7TvM3B*2J^MvV_
zt@+oUYrhWUbmm&V8)HZ!{kso;E7v~MiQLX8mCvdC)l@1^G80*%iN8cAKDB0@Wd4#a
zi1u{zpWaIc_LxFR64{UKH!t^Pe-&u0kx0!_X{UC6ZNquG&x`99&oQyR=Vcv}Iid;d
zC)wXmC!$^X|MSPK2cx0&73)d=^Iu*5^ZT^F?Ceh6>?r1SU+GA@b*Cj$=qq`7ysST1
zPwdS8@^()tv|CW0rg>VUZhjw6$@3%Bmfn!}{UDiE>yYQ|)g^QlSIBwU&)oT%Ku_z)
zc$=5|vTvG1&eLx6=)68pgMH=oUhF%vap;yjuT3ZR(>_m+jeS4ZINF6HloD!_r~7J8
zPYbRl^0K$tNS#1W%iFpHqh~7n%FDXg_}q(Q)0J=6yuViHLT!R?)4Z)yGPSX5lCJ#a
zbYAYsjd6BO5?q~hp*=hEoG&l;df}L*a^&)IPbvQKN@VnI_Ydx;Eu(d3zrQ6j_N4j8
zsXZy3{JVnA{uPkjE401nv)u)>VaaZ+Yga9Kcb$3RswIVecBEW(kCK<I?E21yUKCsj
z{%7`St!h_-|B0R(+~NKGF`y>Lr43~cezPTbeqN4GS+9SvWm1J*Q8RXK&05Ik4DNsJ
zIU~2+p(~jGugRAA|E7QM4kNgCZ)h7mXitzrp;qaB2nFv);OB({gU>bXha60GX9h8N
z{{p{9QJM-cx%aKO_o~#6w)E(bdrwNDzul-%4}blrkbA$0dyk2GUx|A!iF^Nud(Vh_
zpNM;J$Y1XVu|F6KMTOk^KHPgf-1|EcwBKs|gXNCsvwOdWdyj^DUxs@xhI{{od(VY?
zpM`sGg?m4Rdk=+s--LUwL}qlbzxw<xv6ZilVjX@j#6Fkj=ld3`{>}SPdvnaccg+9$
rbB_Ogw6ph}<lWZo3CqP}sXZP4yL<cBXEy&t`~2%RFN}iL!`<{>TBl><

literal 0
HcmV?d00001

diff --git a/tests/data/scca/WMIPRVSE.EXE-1628051C.pf b/tests/data/scca/WMIPRVSE.EXE-1628051C.pf
new file mode 100755
index 0000000000000000000000000000000000000000..be882a22fd9c4ff5facda90466c200c5046d0706
GIT binary patch
literal 35022
zcmciL37k*m-~aJ5V??MlR6?01MMKh%M8w!9TZ1f7)1agcZIh5DN-9a4q>?sCC2i6s
zZ9|*1iHf9>HfftA^MAe1d0#*N_x-r<`*GjDzRvG=x}M+9b)D;+bDit#XX=0`iu!cu
z(0*Uiccw&9|ENdQE$ST=L?=gmqE1m0#sQ3BXay#2D=!bfLptsBN7L(8Y`DLEZ(%%%
zv3k`g%BvJb4U3}a#q22BG%1SGh<{xniYk)I2OeE-`OqfsrbX9X)rFr?Nc%vQNyTst
zm5z1Axk}Tc=>DNvnv6(!Z5WScJcIEVM&%dpq5Smdb^a-7T*Y`Cqw)_=Px9a3XG_MW
zjGYM`ORD_KJ-r&Pp~t7mZ<b_7or(apHXwEgI#?sqsl7G*1=k5_QCITSP=_<#OkB&C
zPCC!ae*^i464Ue%?X3DWeY0N^EFym&sBr}O&69Ane7KMny-fbC=uE~{yG*}#MKY+U
zKXs{ojjb|v*56zcF#TBa)t5BRB|o(9h2JVaBf6ISJ&?xAY+$vMmTyKzQvZ#(3L%Xn
z$q&=Fas79Ye*$^OGp-~*Y@hMYUqk+Z<n5<2%p~OZ{fz+2_Y3)S!{`FWdE|%s2M$Z}
zFJYbOw(+=krJd_HdPI_6LO!#N$BW4i%YU?|znc8k<TqhlO@7#Zhh3XYzl?ms@z}HS
z&h~HV>6epFI35>+u>6+{O{Ra3{ILD%@0l#Ww*MigC;97lnSQGC)xKX9CHb4kuLm`5
zA-@wT+0l;9{DbzXl(BRE<JbslALUORp5*UCK9j}c2J%}dOo5+=B>A<-58JOd4H^1Z
z8?RqB`P%jxm+X?C<MwSx{=e3*+Ro|kb^XVZul7+JP9s0GZ;tnm6UfgbPh-YjJE#BC
z)1O4Xj!hcRBR}5%SpE{PpZaWQ|BuMmzO40|;QaaIhyLAl@16U9W6%FN@(D*QTJ$^!
z%Qx2f%gOIT9!ZqTiiZ5E?jO}FCi}nId>;8aerV4aUC2Ms(d4Us4YjH#>!<wVbg&`+
z1oG9k8cN7l|546^Zr@Ji(*@$;NAlHwmH%ri{WCr4N`B*5QPi6i)$vU^qrLnWl3$bG
z8eS#8E~)avFok?=KMgx}nZCzJMbe_%$Y-|kFoum3>hE;6LTS;1<ZIh%_?mpRkLoY>
z^pBFS?W19EjpSIZ{5GEcY4X`@@vwTA{4JjT74p?THS}dgbgb9(A3FbS^68fGu#$Wo
zXOus(NdK%Ht=?t+`TOn6ujTo#C%-{FHSI&b_76=NhDvN4ZCj1GoGrut-Fmo6q(yt~
zl7AQZVgG4+W|Ci(d>!B7r8!_{|2fUur#|`GKUMz(^2791e@mu6l6)319yXD$`Kzw?
zTz{^oSAo8@cCOzEcPo+>wI)CGpLfU))4%WKZ%cmIeyvzg&0qB&<Nn!+eEuH~_wACu
z+56{-WQP8;ckP|^pX%uck+1zv!&ve|{X<UFT+*Vmcd36P`P#pgv$}|XpwZ;(w}$R@
zlH;3xZ^%!kA47iVAB)Hj>sQh3H;(+!eh1U}L;fQ}RbyIo1^Hq5rjj4#Kj@4ke+K#5
zJ{q>}lE0t#&pXKH|M4*Bpq<lCcl+K$X6XOR$Pe@H=k<GteDz;#|0Y}ng!~1b{z>w~
z_L)U~SiY}M(=5}X=g8;(@sQ3*BIK8Q`@BqMSpJc_<d63BE65M)zl!`Y|LLB7E%|i2
zcxaoov;Jyc|E;^!{{Z=6`gewDlC<bA^4TroA@h)(`9FF6_GRU??iwbLANJoQ5=Ax0
zKgvJK$XByz%ZEYM^cB*&$Eo^4dRlq8`n=9571EY(*Rh+f701;VvSYtp&Z0#*v3HcK
zjdNp{muq{qvekC^w(2fmtdLe(sBNZYk*kr8VbpweEE{X<xL?AkGTKL`I<DjC3|nnK
z%g!X7%UB`pt@SlX=R01LbdkLu=@MJ*y3E!#T4A%B$Je@A9vyquI9{7{gUzlIZMNyw
z(N>!-8f~+6O{&Y}^t2u2bd9J=?DFy~oM|6|Yunj4+ddTM*!6L)eHhlMOUrgR&a)d}
z?b3=j#0B;dc#xfgby!!KMtG#H^WPZzNIceVf=g`mp{cgcp)>5G@hm$R&$YE5&9`;T
zT4bw#FR@$TW%jXng{^ClRrYasjok`wuyxJ3*;b$5YPZ4L?6z3fidx?ja22~9&a~U(
z+IAk!wmaY)yCcqx{dRdL+{*FJIM42a^X;y<!0v_z#oke#kBhMOsT1)?m+6kj+C6ZI
z-4jo>d*K;&Z#>IB3D30)@O--uUS#*hOYDAlnSC-|VfV+Y>;ZVQJrJjJFi;x~!nN&F
zu<i{MAB=VHR3WWhq{Chn4j77`if7rU;T3iv-hkB(r{m3z7vZh;P`r%;Oog--Wy2Kb
z03++Lx6M8SSL9%$<HMPFFRb~F!28)};e+gv_%Qoye58F2KE^&5x3SN|o$T{*4|^2u
zXOG51>@j$_eE~k#z7StzUxdfo7vstHCHQ)~7~f)Fitn_?;`{B(@P}CIJ`R6okH=rR
z%mjQS2Vk|y<#@b35l^<Sz}MR)_<s9J{FFTje_~I@U)WdSZ|$pbT9ss8Q}CX4Im5p8
zRN@-6Jl85^)bd|Pn(6rUq_yp7q}lcjq&bW#Kb=&^0@ZUPX`VfUG~d37RQrR<+)S#z
zE8jv|WZz0U(!PyU+fQX?lB%uc+eu68S)`hW;&+hhw>+D4u6-xzeETlaMfTmKOYAwM
z%j|ndSJ|p#jeRfa2F40$8PR>D+hUg%-cOpImbAkIxC+)XJcu*xdAN35rbXF9c&x4E
zDzP8NGwcO;R_u)E5j@xNN3o7$+V392tG#b7#Ov+H@g`gAT4q0ib>XOGdlKr|hx`=Q
zJ)itEu4O-iv+TvVq5UjwYODQP+Rx#3_VZZxajNqLyqM#I{32dzzl2NerFf<NGS+ho
zmDe^|Z@+>!*{|X)_G`GK_b>JB?z@<#it8yQ)u1|;E45dUR<YkC&9vVlt!=+enr**B
znq$99nrp8lZDqelnrEvY<=gL*7T6z<4zfQaEwVo%9ch0|I)+jGZ8d3$<DZaDwbzi&
zu-B5#vOguAYkx*M-~OC*k-d&|38U&?Pr8gz?ehic3VQ?TD*H=P%}-@Ek}6OBiZt~3
zuW{(}-(dB5mDz+_+27(kdowPuzr%yDjwj#aF|k{e{eVwOPwM#*543;6r`ucbS@zF(
zw7nHyYX5?-uz$tZ*uP;t^V4$vjvuoBz>nKy_*wf;{Ib0bzlXKVf8jqJ-;UENBz69c
zD`Az{f%mc1SL@l~1|WlFNMpU}!jY`wN_D#eu4U^{WtOeSq77|5;%#bI!Y%E}c%r>0
zo?>geO}DG!nRYci$KDIiv-ide?S1fKyE@)t?~BW9^#!e))};oimP4*ds%hl?NNd^q
zlV;fmkT$fHUr5`k{DF9ct^PI2u7iv1x_F{}5T0TmjHlc6@Jw6tTyGzOH`&>Ei+w0A
zv+H9$gwXOFhAZ2L<Lb7yZ!KHv!K85?I|5g+b8x2J2-l9iqr5TBj=iS*NStFg!Feu!
z6wbGs;sX0<Jjl+)MRqeh(r%8&*vH_pb_-l$AB(5jE%6Mj^UiU2maTpIcSh|ytx0#p
zUR!=V=^p7xyba#lZj1M~Pr!P=plRFT!|nFCiLK*A3%dhuYj?yw?N0b)TaReMb$Ay%
z*KutNU59J=yAjv02lLIx+Se))*W;V&c6VIM?t!!Ho>=>u%J;%e?cTVheG=AosgSm`
zP{%fH7tOa1)^?Hm;v%~r4%_8q9JWh;oNSjJ<pXfo76Y-ih1yNW%djm@!E+rSjOW`!
z@Cy4>yum&VZ?+5ZR{M0k%`U>)$22d!-qH4!hmnqD)Vd5OeUN^x_!;;y`%L_jJp#XB
zpM~GGN8*pMo)4Uj*V*UbpX_t-ANF}z4?<M_e5`i?@+e%-9*y;kUU8j6F0n7bmt!sG
zh4^awB7B2=F}}^d1mA5J;|J|a@ng2y;2HZe{H{F?e{7G(>+A{m8~bwnlRXjtVPAn;
z_}Zxix3#ato$X0j&$-nPC*x_3UxlYTel?zHPr-BSYw$dKDqd(`ix=D1;idNVc+MWl
zyryBjv(kLEPc5{k6W5@&y%Do2v1j0F_D#5^eKW3W-+~)sogZ(-%^klDA8*gZ9qrq3
zcY7A@Yu|w{v}faS_MLb(R{eM31@_(edwUM9$*3~-kZS+eGorbqq2Jz%L%+QbtKVvU
z@5k!5@&ouA`$4QetoS^vJ}f_k)raNzSns>!hjABs0q$i#g8SQ#;_>!lc(T0^UvEE-
zZ?UzF-nXA1u0iv960-=gpTbq`r*RGY8GNX{7&o$?#Y62S_$K=~ta~uk|2)3eegQvh
zzlfi(U&6X)Q2C|!6<f=!Yh1;b5!WEUf~#O{qgQdJ{Tj}8nb&cS{RVCodrf&M&Wrtd
z`Es0(RnH1s<nnLgaO`~xm$=N^c&hyl*0ER5N#4ae_G;Ny;<@&Fc)q;~FN(dk{C&K{
z@elAa`$N3S{s^zJKgJudmUA`U9DDipPw+OES%cH#vAldOX%$A5|CBV-@y|$W+n<wW
z+v`Yk?DeF%jGFcf(pL5c(meZ1(tLX(X#rz;+S>B3NC!FoHEEIk4e3aG6X_U6wbi$z
zW9`kPCH8luQ|<3bXV^cG&a!_bop1j{y2#!_y2SpObeX-CbcOv3=_>nI(lz#Pq#Nwt
zNwrK`&Ob;sy<A4R&HhtqdJ<Qxiv1VPw728h_TM<$-hp%Ma-3`H;;@ySMw(}9KKXV9
zQr-J&c``@`*%e8PY+ZAWv@4O0u`82~wf7_~v9;_|?W&}+>}sUT7}X#4B3%{7*Ocoz
zZnNY2kY-j$%2daC4yp3{;%qw;=h!uHu3ZziviHMzwyq8HvDWbbTwvG2gIwl7Jks&n
zc&uFqPqpjfSuTGNUSjKdbD7K3!^tz!(!wmf!DSA?n_VUwZ*%-mobF?3eVmQ8zK7u)
zTi398F4F*4;T)<m4RLMz2%K%_;2Cx!yu@yd*Vsqm*E!FsO>|xSj(rsV$Zm?iw~xlZ
z+PS!rpOZAh4eaLlDEk<EtgUP96YOJg7rQ0yWgmz8+pX|vc58g5eLOzjZi6qeb^U(1
zeFDDPZijEM+vD5pJbbs^0Y7MW#4p*M@Edk#{I1;vm)l)&B`);UhTU*~tnHGIPqR<N
zXShsve4gC{m$;1XIi}jZ@GO_<jpy1Y;rVs}US{{fo3ZBG7pL=_R_=$Z*t(C&v~?al
z2y2-K5Z53N#M$;B+{!)$53&d2B6|oPX`hP2Iqoz(*6~7IVxNw6zSF#l@LYQ+4(GLD
zI61GCmk-BFT;>eC%svyZut(r<jynri^gc2Y?`5Bj_p{Hz2ifQ1!|e0$k@orc7<&|M
zV~@t2>@m29eF5%gUx<g;7vXRnbukXtQJ3J)T&5U*WnYSau(gdIaUZ*kxCXV`IIN%Y
zcu>WjfNR^A<7|5(&bP0?1$GI(no;#!NqU1liS#ymGU?s+RiqEvn(i@s3h6WUHKZ@u
zQ%OIvwJtiIYhKq8(;#23e0v%=*4DC|U{A-LY}M1#o}mfto3MVW&YM9i`xYG5{Z_oj
zajoA9FV9RIj=i_z@IFiDtLnRKiz_*1s{Yx;HOO~rTKg^#wuRa()A2bt$G!)LWt)rh
z9KRQ9Id$!KA08CP*OlLoi(KXbJjT{`7;DeNCH6yjsy!divLD9tWA7+mfEPLb2wq}8
zikI2iwkzy~c$NJ)-e51nTkR+CHv37O&h>}d=P5i0>pAe#xX4z23D-i4ak&0@7FS`^
zv`a`c?dM2y?dM6g&#TM}q}o5_7fH1*$?Ag>?WLsZql&*ws{SM|BaOE`eg$hgDgG*{
z+EjjxRO>IlPO4><-yl`Jaw(}sc{%Aydj;ug`%TjI_FJTz?6*nvd{5K9gY|q*ei!Tc
zo~-(^?Dz1E_9}e4{XV|O{s2E@e~2HqwJ$zve~e$YwT${MQ}g-+>l;j2Lq+%hwZt_j
z{wbzN?9Xtxr~4e&aeN&<H1@i3t#`P;`vNy}nGLwL{Uz>TZ^ReaU*XGQuPy%?--LBu
z`v%`@t1We}r}($HS=`4;3pe9%jQtLWW9;{MFYn7g;79Bq@l*Cs_yv0le$D<F@8Rp8
zt$1%+Z8g^ZmAD4A)o++4jQu+f&nW)D;Tc64uJ1B`Vm+_WwA*laM)4Q!==gRVo=g0V
z2Rpt453|ehIkq-dcy^J7$2p#kC)pM7b#?~6*{+CZ+k4>q>`Hint^WI@y(fO&u7Y2+
ztKzq?p6OM?AJ}{0PhDnjywTnVXZRSReWIGZFV?dZwU5pxb?q9szFiYHw)ex$?fvob
z_5rw~t^KUKeIV{@*T#eGI(V2}7oTGvgfFxY#^daIc#^Gs_d5F!e6yX6XWNJ3`|SF7
zfqfW$(motNZ#TfN+70nr_7V64I|qMiH^LjSj>C=d_x6#vCVfTmCb(|w7G+1_VOZ_l
z6kq5vN8@oWlZ$mO*EVg2Z?>D`+4eD5$5YkQ0_)hPc^!+jpKIEdSo@^n$6@V1inqca
zWF&5l2gld0Ey|9^`k+j8w!!DwZSlqS33!6t4qs)r$J6XQ{GHta|6+H<f7zXIg=)#X
zI^(K#7hJ>citE_j@S%1-Ze*W`o7vrQAG-%W#qNnOuzTUl?B4iF`y_m=U4U=0``|n5
zzW83dAAZ<A89!n7$IsaV@SFBPyw)Cs|FTcP74}NnVKA<055YC;Q*j;pG<>LCh#T3b
z<7RddZfy_69qeKFM0+^yW1oRfvCqUq?GgBF`z(BcJrZALpN)U9&%uA$=i&-`C+l?{
zu4<o;YuKZ39eXss*&c&u+ZW*b><jS%`y%|LeKFQI^Xj)69^5B!F>wuwUyAip9t%#f
zFT+FaarkoY*W<CC#jE@Te1m;CzT2LN^}JYRuE2VpC~FAMpspmYLGejgKjq1QMUH(H
z4(EDJt9Mu`Gew2%YcRWS9G{A-*w^Ar`#N0Pz8+`W({PS`1J1Rl<5u>KIM1Ge^X;2(
zfqgR`WZ!~|>|60j`!+nro{7iWx8o9f7M>b=UHKh&hU2sGtk`SH@5FN*zYEW|@5YPl
zIe3YE4_+2~UHM$R0#``OjPAv&Vz(%}53h-x5#5hB*bm^%_Jeq<Jr8fQAHur!u8_8W
zG#^*7AI6#9?hA13IGz<fg2%+pj2^{{VrRtf*)HbTtL?jx_yqfLe3iWjPqUxEx7ttQ
zyX>d%kM`4ee_uyEgAcbC<0kgAIJ}=)g2Vf%=WuvG^*rwB@-N_%vCbVY;!_=e37=sv
z#pl^C<4bqBX8Xo|g}4T-@2glp<=4O+_UrgB`wf+GdzRwRw%RWaaeM`F4XWo&mABsl
zoL=Ji+c@k~@8G_Uzl#UkEAhp)>Yrq<BCbL2n%~FiSo8V-^C&3(e&9o__s;s3;3KSk
zR{j`g*{g9w`xC79&MLD8>%FtQ7KiJ!Pw__Ln%8Ied;4?ztGy2EdlZ$?P|t1h1#u0E
zZ@~H~e+m9}KiP;c^7i@)kGH?ZlkIP?-Y16o_wjc8mbeBj^JW~{;X54K;d>m~;Rl@M
z@;~Cx4nN`04qI?&hoA9)DoOoYaiRSS9%28AN7=vOV*7VI(f$KZvCHsu`%gU2-i8<2
zf8oXUcD&U78<*NU@JhQJueNmqvfgGli8k4K=CQ@DfXnO*JYfH19d-X#XzzhX*xII}
z?8?M7sLl7pq0RLiCA4`}9NN4Z&T{#^aA@<racFbZAKF~cU^Hl3?~7Tr*qOMVT?03;
zYvQA9J@X6Ck@m-396tbew>7T<`#|CvG_Tq?>{E3x%@fD#;&2=|2#4dq!MLjXxxN>u
zVQ1mc{|~_p9M^o0vkxV%LG!JT!+a0JdN--~;kXeQaszz4t$GI9M-UJ7=)FOxrx6az
z-xyb;5mnETxTf6%*R_wr_3fs(v3<14FlyRdm9d+Vs$RvLlb&en8EPN91?efamU*(>
zk~A#yaf<On_2}<!!!ozVnZ$LRKOVPmnKrns-4^HDsy}SgcEmNP&i0s9iLG}j;W*p@
zhvRTZT*qZP;bwMc+}hT=^bU4ce4^bA_p$TwDYn{UsNEf(ZTG;J**)=<w%*TQYxl-C
z*jlgK>;mE%bo`Io7;7E-5)b>Jo=Jx`JQ;`mQSbcKo+>{8hkbJ(&LXaTc@Pf!rnXzy
zHwWXeZw|rjT>ezt)jkdPwhQq9`*d7r7vT~1P&~>WhKudtc%pp<o?@Sgr`sd&O#3W6
z#~z92*=OU0_BnX5eJ);VpNC8B^YKc16kctQ#_R1dc$0kr-eO;f%j}DA#Qv-Hyck!u
zFTvIAVqD9<6ld9EaYOqu+|(Y2TiWAsJ9`4|YG00f+Y|8s`wCoWm*5fhm3Wjr2^ZVi
zN5eCXtMEj}ug2l|#uPlo@oR8+)-e@Ncl=sB)4mSRv9HJT>}hzReFI)>Psic8$BlTY
z<1=u0267WFb^K-=o`>9mS2}(xUTxoo*J1VlnRvb9x8qIrEUfPUROSx6#qrs=%)S%r
zfTitw7p`pIjl*;7Ik>vx_uyK#_T?=5Ug8=wulsNX`+nTRegOBgAH+lKd3d<}5FTZ#
z{%~x0n79VjzW_7a*pFatLt{UR!!hA8T-))5INN?4=h%yIuKfgVWj~4Y?5A)zCO?hC
zG5Hxh$YmDeBKuh!)@2Dk*Kw`Oh4%BrHE3O4z+qip#Nk-?64tutInq)b*5zd!)@2#i
zx~R-6IIPR7IIPQSc)sWLI$mPGftT5(I9vm3IV-!*tRSvI?{wb8`YFE!c&vg;3*W{y
z9e)Scb^Kji-|>~WvE%RI=JqOly!}4zYkz=s@1XiW#KU4Q-~JIkCw5x={h-=Y%d?vJ
zIQtVk$zFr6v)AIA?N9M+`!jr>{W)G>uftE;>+$ok`ThsLYHz@Axy+aN1A8O>)cy*8
z@A6;cU+r)3_Si3%ZNeF}xz^=dm0{=6x^Gq)M)^BZ{T-9ae2?{aO!5!-=h&r%KjJhx
zkjnpr^*2ow($b<WSbx)`_|N!2dn;~l|AM>4UcUWTe3Jbe9%%oLPq+WTXW3<VwEZW(
z)ZT`#u>Zo>*jlICW0w~GjlZyW;C;EE(YL|n_~_Wnw@2J39cQQE_I5h%W>>(c+Zp&`
z9{Q+#D&h(D9{4J|5}syP#<$vg;=62ppYniR6+dcM!%y3K4>N}YP?fah<$GiOJ0U8k
zm6q>=7uwpV7Tfz0*Pvy~#H?oQ8n~KW6W6r&!*y*vd#G<8fE(MjaC7@We7vo1YC76=
zaCf^d?rR@}hs7=}JQ$C&>)|2plUaCp?9#$R@VU0W)49k#6py#-<H`16_<CE<OK!0n
z;5+Sx`2N_-w;zEYv2*YXb|d_n-59@ZABpvjRqd%~FtzQYa9dk{kJS!WPOGd<QQp<g
zC9Xl!Hp7HtH^+2ITv~Vx)^SzVa~&O5<zsQ4%eTb39#cKX;iYyftm`qwTVq|1$;adM
zb{ni~Fvaz(NY`MpmNOg^+7Z{FczdjKtDJ{Vv^!v3w=3QepK7a~Gi*J7(x5V3a9CfJ
zsqA>Sf0b!bmjACZeE*M=Hfd4T9fxyM53F;O&Ov&nm1Fn9NxQWu>y49kYf*L*PTH+S
zSpm*>`98S7?u!T6{cw@3=VT-8{&<W%0FSi?;u3oho@$?hXV`=BEPDu^YwOwDeET%K
z$S%Z7?9=fwy9lqahvHSSGoxX6jpM`dhS>YZ&+|4rekSp)_6WQ!c4l-IPM&$TC>x2B
z=bSCd&c@kspKnoi4$iU9#RayW5l*$w$206vc$PgH&$h>4U87b`n^=AUUgEg=gRW5(
z*K;gA+o_mVJ-Qg{-#H^+g4Z9AxESjXH!G%1j4s9VUQIj}Z+boPWq81wu?xrHIkBe{
z>e<+wcat&`@I3zDuVPwObU9vcPsB|>O5#`GV!H&l<Hn{U<*&rOV`oQ`@N|1JUT9y1
zOYN(1S5Ckc(=sEiZ*ki+ytMEd;u`b~|5U8~LcSJPx39ys?CWusJq<UsZ@^9M>A0nR
zBOZ{R)Hwqe+Be}5_RV;deG4wOZ^aX1=f;0uFvXrpT!WVLcAPA8Zt*OfEOT!09XMI$
z+~V0dD=wc~d?!wpIk)&OoGf#0@!dFC=G@{rc;+5S{rBKG_FNqP-r-&x{@&p}yx3*#
z$4l)8aH*{}Uun-Hu0hNH5O$jv&&O`_;)ii)^94A|<sZSJ%~fY;^T&v5P@M~LsPl0g
z>Rg0fXYms_D=A<6Bo1{xg+raHKWUQ|WzP`Tp!yf%Q2(<y)V~CW`k%vDN%`XEvFk5>
z0lWU<7qROvehCk7{Y!D7{W2b5FT<m3EnBhuDsc^3w%4$it?YH|Wh;9Fd)dlLahA(3
z$6mIw71+yG_9phSmA!@6yS(PR$$p2p2F>?f?D-b2#GY^Qd)V_WUWK!g^2P6C&$svk
z?D-adh&|upkFf5qRsY9W$1YjRu+;v9xCX`7U@t@2S{&B>QykX)Go0n}pJOjW**YB7
zUG;}`|AM#%J;&RC*#%>Ni8)Nh-iR~puW)VqYn*L=gU8yNaEbjbo@#H#Gwkp1Ec<&r
z*Zu)7v46zN?4R%odkap^O&QV8c#Y#*adHmIh<?G_9RC$3@8B|`-*9q1%7}i)dQYTv
z{{tuIri`czC+DV&=ue!Sn=+zpI5{_EM1SEyo_0Gfvj4^-?HzcGU5>}v5yy!VI}Io2
zxQr+r&vm>4-e70o&2~kszirSm>$|7D(-Ui(?r&EnuD($vE$&M3d*RBs3h{Qk#Jgg}
zs}a|r>%hG*)x_4fR7oG;-~WS?K2Ta%9oKf5eQ~axiSz6lINz>`3+(;yAbWpYWFLS>
z+O_Z)`#@Y`*Tz%rI(WWa7ca68!b|Lf@fy1xt`fH!-~Z!eyL0`IlkHwwn2is1nL}|4
zJKkS#74Cx$Bd$ShbvO=f)c{v<yde&4as<wIJO_vMZG_KqyfGeyRlkN}tb48|#5HJM
zN8vE9rkLBWIDRzdwNGqKo7`KK7B=&=6`8g<PL3N~|KsGi!Sz2*jvHM6<1Fe?`Ib02
zZj=@thm+$*X<;jz95+e}H7}J@`Qu47XgS;9u$(GW$?+3*DbsG3GVQUJLDS~pEV~2N
zGAP~=H?mcyp8qS}nYaeI3l8(`iZdPWhC^S?$I1O>viuEPraN&Bs;37I_4LHqj`zYj
zc5fW|@JV=v;{|vhCRROt@BwyTe3ab}A8VhCPq6#rF7^O?racg!Z)@Fev`-<fLGv1n
z3CA9SLq9wfhjus(U&W~Mg{0H$(@Af&i%9RXhmt;E4<mil9!~nSeFo`OY+%)SCZ1-G
zz_;3G;rH#4c&)8<X+x*fwC51lAfJnq`@zz}^Kd)I&&OTuQMk9QdIs!b828BwD5F7j
zUWh}T7vYl~zZfU?m8FH3;4>UA#^>4kHsNAh-;++TFT;~<EyH#8c;Xr~-w8Num&<YJ
zdlPXJm(jGx*d@D6d*v?EPQrS&tU4#-;kLG?p2sSFHNME6g2&s};IN!i@hy&Di|@3r
z!`$w~^<0nj@03xU>LdF1zsNV>m+k3zxqT!4*4Da&=Ycm7*Pv-{#-SZ<!3B=1--Z3?
zHeBTROgz%Q9gneR;n4n?*VT^CCayvAx)X<Ot-c)Uyc>r)=ipGM>Y3<i=MvYTdhW%c
zp8N0}j^B^}vbBG-=DeWt58@8?JlxY({mHdKY2ke08dUya9NJ_74*TpQIPA09=fbh;
zF`Vsb7vjV1$FYu+I$tcp;W+sOPWsrC_*kuDxXL_5T!WTD`*B!?XK<F|i*Y#iK8rQ2
z$}hqCdk|Uc)y96FxCX^vz@gn<#G%YfxRc8)#mTd~q@MncFC(r&^}K>ZJ+I=bj=zR$
z*stR{_8a&LyA)qzFUR-WTINOeo5VF}UT@*h4sYYIE#ARlTfB?Iwpgk1-oEdtyuC{0
z?e|sQ{s3p&AL1PQBb;l0j9b~OalZWtF0j|&@Jv$cGTre{iHCLh42O039EWvThr_z8
z$DuEMfpgss8*nT8OZ<Vo5r1lbg*Vz?<L~WnaM<@ZVID=qZTl_m?&aK!``X`Oy~kAh
ze~%~GKVW^2t@w}l4*Mtku)PI8VgHPuvehQb>|cm$P(8om(3gJ0;h6b54#&(ta5!d`
z;c#sH6Nmn@4Tt`tdA;EJw-eW(dHs#UymsKwZ_9D$w-M(+-A}4~8rHp^oQ`#$CRf0^
zr;;<U?tkQpSoae09=MX`hb!TI?8;cjBgOZ`I(Eoau=aDgD%L(JSHpRX@?NC*w*GzO
z*Vy}z-eXrMeaKcjTpGVSC@st+ra{ls6zB9FyC!jclUgw?E7}k1`%!s+tZzN#1MnQX
z7S=bEiXVvey`x+k>)S-R4qj^4#roz?@q@6w&yx?v`j$?vhu7O#c$0ky*7sy8la2N5
zmwYJJdvv)z);n+cFs%2}^5J-n-2m&oui_1{-qFfOV7*V3bMR8T5!QQ3#T#S2Q<RUy
zdjBUk!Rzg#u->aF-W2N{n0z$W`zkpXM->w{!<FskxVn7|u4T8tS@yBGq1_TUwU5Is
z?N+#*-5PhbkH@|3Hh6&D78lwl;1PB^Jj!m5i*5CpiS}UL^mO7%ts7tUbmHx4*Qh<$
z4ITMkH{J`JNKP-#A^mt4--+YbVE#K2-J+i4_CkI5-6tBz*q7WMd@rODJ^9s<X}WV>
zOj5m-{io-0B6BQYUY(ea=9|iSwdX2Wt<i}!>q9$rjn}q)O6R%j`sJ}rlK*B$>e{nA
zTeJi7>CU<}p<TN($5d>${ye!*Ur|r`ul|c9|9o$0PyaiawbOP?b#LiG%biSH7SLN#
z*(=o})E9d(ztqmDfObpPr+G@(s9)U63sSy?y3iX^-w(ReYA2?=y?XOsv}u~sxr9Bo
z13j$=M}}1PX`O32v7h#%N2hu}P3D#Ax#%pJ8=aQ&wdu)xx}|j6gnlqM>Kvbs`qIA(
z=o14{I@jcCqK}W=sqA|_ImY$k?3BM7=GBcoDY;%s<r?Ws)PX&z^FO$Sy0C|;m2{=h
zji*ZOslOYMp7FI{ulTH|E5t6l{MNOf`b<Bj(U~fBR~N~dst@a(%68Sca3H<EZ`=;4
zzB1Du(1X^~^+al~Is3DHIx>&mDL-0uU`~1TP4%9WQo5~n9<_pY$5Cr%59vc|rm`;<
z(AV3ufA!=_Ftzgu*MJ4gtp|I&?)g$V$FRM0r;yw;B-houYo5A0(RD~S`f6&ACt>{t
zvq$L6klbUZ`pTp;N0j!=trPqFK>CmFBU0J6Ix6e_OZ$GRuT*rOzI*QWlDpVcw%g9$
zvGb0(7k8Nd_j%T5t9Pbnr{ey;BfY8{OQ)wZdOp;i?X9iegkO46v^(b6Grqr5Z{B_L
z)D=-*{?}o*&Q(`<eb}0Lv~aTj?!GnFRi4fPy3g&+GVIRQ?iydG^y8m-9HV#dmhMeU
z>sn05vE4gooppP%rTfN9kjnPndCbu~JJZhp_oL1K{KQz#n{{>3nY#x4SBX<OuW&|B
z{S)e)Z5WQ*$=N-%*YJ7tO+B069cNh`0W`n%r2k|O*;!|}lMGM5mD7>4%K!g6mHj1o
z%G!_lYQGzp(!RNKUa7wJ)BTCA`;u$2)V80VQLBd}?`l#xubp>Ysct`=clA!DCr@8f
zxki0?!lEse+ADKy89iIr9dAdHd4;2JYS*g|ZKpReslVSiku8+^`KZtJ*bVd16TU8t
zdLo+YwhQl5JMM;g>3FBJWActOb?;I;#JwTepHg{rNZzR@&#Y59pXAD{2Yn*-@8*)L
zMZM8X?RAo_;`_5c$<x4p@(KBW{vtx>^}gJv^!73KpW9Z+xk1lSldlp6vql|wAE^H|
z<2va-<~QM7tm~Nn{atv{PU-<V2I(oWw$Na#Cpy}z`Y`IL!hiloBx!3s5y+w?I`cnG
z(+%qgGmxm>$F`?`B~PLB%uV~y;JAdQ>q4m`$?eM<Ree{Y_SBb+$=@{b=Y-L$=iYv)
z<iK~+u6=9iteO0t$oFab_f7DbOLPR|e>bSi|1|vXzDeL4FDle`q1S9I<m)fKZ5zr0
zMHx}?9!k^s?{X#S<^J8NNTt%E3-p0A={%QjrjPw7zkGNS-@9TmUGp=O-xunmVCtQr
zKl-Iy8^^~x?fY9&Zs4#a9X%pRkM{4wu1$Wo^zTcCCch6kJxRava_#7x{GRCL_<2b3
zyN##IalQ9Cp5yiS)4xkR-2|tNoj=xTRWC<t=ePCppBD1H9#h$-Y9D>erL?ot274yI
zYweY!_2@nS&NoN=8}a|m8V1vA|EqUp`tO_nd&~FV)vm9yc6}44uZ;iQx&6nZ+CR}g
R|FO=UPx^Q6H_86<{{a0gyR85K

literal 0
HcmV?d00001

diff --git a/tests/data/scca/WUAUCLT.EXE-70318591.pf b/tests/data/scca/WUAUCLT.EXE-70318591.pf
new file mode 100755
index 0000000000000000000000000000000000000000..28cb4d1a853ebcd3ba518268860a267a20977d7f
GIT binary patch
literal 50736
zcmdVj2S8V4|NsAkBMBR%4YEaMNtT8)v;l71<VZA2vPHJY7TNHVWsxniMYhNm*&<tH
zi)=u)$QIcmTV#uDkq!RO*Ez4xSF-!}{oePT+~4p2)W_?=`?}7$&UMbY&iKGKK@dzB
zJb2(1r0LHG!Q^04Fp$sSV017s=n)JJa`~(q`oP%Qrlxg~NS7XZZ>!7a^(@d&4Sc5Y
zDcB?k79<5h_C-NZ(<2B{mIgs9;wi*CkS6eXB>CP$3cJ6W5L|rzaDEKp>DF+gFtFkO
zNp3dD(OAn7AC$L%&pbX0`SjwWg}&`Dm1+|#;@^>cviNAkzDmh2+(`MYg0G@*IL%`T
z^>_Ymt)l#|`FTG+`|znFw72u;c>Hd}(unDk!*qL-k_1C%@DEcRPd?Qbek#b&_E3Rq
zKNk{$L&)C)b>Y*wbu_;6d;g&PR>6hjpNmf6GoSqU`b{}p`3b=$l<kN%=hM(E|Ku-}
z-zM0Jd`){RJ_oj0H~l_GDL)|?Oun|8K2MULt}w9$ZJ03_foT%qC$;Um`S0iPCy;+8
z`7`;PPrlY)<8RhB8vj+i7a^Kc@D2I#`Y-eL`Gb5dyFOD{h<N?Ha0CICZ&TJO73uRV
z`SI~5{z!oQ?&NnuYM<%t){VdMkx~9|^5fHANWSW?74zKr&?x^v@)Myx`X^q$pU#N#
z4<UaisLzq)4<%*v;E!Sa!~D-8KNn5pvxfZm@?ZUVl>a9A8fOPS(>7k0fAAhr{dA(v
zHE(^MZ<gQR_1l?zRy+KpvmxTs|KxCj%s-9%_DG+F<j3p(#QZ3~H~Cb1_-RF<`1bAT
z@iWL*o7U%W^5g5@J&yp>KY{%C{Fjp-um3wd{Zq)_ijw;DqoK$16P-Vwd{!&`ENYhD
z*Y$rzv*~ZP>AL0r#_NAA`C2!9P9;CS{_i^fR`TQfR~`BB<quM$`Yk6v-hPK|wr=@$
z8>Re&U@7@Jmg=*F{P^?_cK(ax$Jc**8dAJ|Yu!FxYnFc=`SI~*9?S%p{@cy+zac+f
zKV1)t^4}*vzI~>0FpG~r!|S)IS^l%+$Jg)M!=v#(CtqzxpKh##^3^_LNAM5x|CaoC
z{TGwpPhkpt=jCf`mj4I&J)Iw$93g>)>j3qc!9Vfk`^DpTB>w>N^m&PV)sObCxt{;w
z<j0q<Psbq0AYb!8+xf?m&t?lhx0Bz?`3pZ65`xpokMF;mY`Jd!w|M?V<e#n;W;m7n
zBT2Po<3j>7kG6CW455)~`YOI^WE5>h{^k6v&tmf9+m|21;R^CokUkwa$qgj+?85xJ
znoa*|@>M_0^Y12~Dvn~?aE!yvm#>`sZHejgF!}NN<;QS%fqecCKdCH4CT>3c*T~fN
z)lf?Q_N2|Hzmj~FS8OHuxune}@E-Z`<-3@LnBuZ3rlF4f`1G<k(Do!2|5^DTH5>m{
z^2e{2|7o-NkK8T@iZl`n)N_WWk`#R2Z2V~~yqZPx>3>OnRy0bGwnGr?Z$DT8Sn@qs
zd5VO??c}TenvdU`d^T%1B<~mmyRDa>O@6%mA>?1XUjB$?`3pD++_YZ)$Y%K~QiI@-
z_3}rNAFtoyo&UOi<C={>t@B^U&uNz5X_p|lWWDJh&@8`SmmoN2z5Mab=09N9zs~<a
z^3|p^Y((Yg_!O@X#ja{L{w(s>-#*upzc1z34TJr=uB-nN@4s)7&tWSZ%E;IDZ$AA`
z$=`^W+UU}>b?v{SkB?uH&;Q}jW%p?R)c6M-u24eo1DWl@T)Lv<>-?ttt&dbNA^4Si
z4ol(i4f*l*G5jcn=wEPh*dodfa=S&x2aW&z^eBHv^5e_<B>D0BneO@TL_WK1ICR@1
zI*zFPF?T4G5cF#{{@6X&jeo5gGWmOxA8)@)$yZq8&;2~g&m^B}4~LBI>&AB|IHK9~
zZzW&HxA^j^%#q}?*~9IVL?<j>Kg!c^5&7}@JC^+Q_is%ri#lwZuyeSLw7<x7YXY@R
zS?xR5Ry)YEwO#XV&7;89`WD(GL8Z;21l6|A_cgZ8@3pqh6?HbJ>!9A&IikUCVraCr
zZPm6~B{Ws39cUi7iBnD3F61q-`jD*?D#K$1yJ1*H*EHQCS7{roZZ#baqrrg4O*(Fm
z<fCyljqx^zy6{-9>Fbz0!*LE#VP9Es4mZIpJ~D@vV0P%ts#Masp_{69CY>L-Nz1js
z=1>q`?`T|h`|vtP*0x^EN6VvjvxJZ0T}hYP>}J6-dw0_1b~n-$HcdHLY11r&RW?m5
zSZ&i>f;IMDq-$-pF<m}s8PuMVu$G}0?qKUY+sW2G+1b|qrE4mcS6`)<y*D0UXW&70
zf2>ov$`8Q0-ja2_Hr3YgNv9jd_ro)7?Q64a9Rp|ES$M8J5YM*<;RW_!ywDzk7uiGc
zVtW`~Vh_hl?QFcv9)XwJBk>A*6kchM#;fcxc(pwiud&DBwRR3xA580e08X;U;|}%&
z+{vDZJKK|RH~T=`%btt}*y=+JvejQ0X-~!D?St@Cdm5f$AB<<(hv3<^4!3jdJUrh%
z6fdx6;DxqM4~uLaiWl2Q;3f8vc&U99US{Xx<@V8dg*_9mwvWNBILN6EkHsCZ+VgR^
zljFx@U9-1N$O=xty~22AP=E)7@yg&tJl>v#=SF3!PQr^qH#MD%lQ@WKUZ>!N_Ngjk
zpN5y)g?P1nI$jexvuZZ(%mG-_IRj6%&%_I`mj5i=X`{$z<CVBoLT1$*yw>p;?$9oZ
zpM%?Sz}7V9;!W*y@mBVEcn5nP-qk)IcegLVeeEK=pM4=7YR|`G?2GUu`(k{seF;9o
zz7!v4UxrVyi}6|Z<#?XG0AFHXfv>W!#5dSi;oI!1@u&7RxckOYJ(S?H>}&Bndm+BW
zz7F4JUymQMZ@}-^H{y@%oA4KQDNaa==5;gP*w%S%3;P!08nj(*RT?@oxQ&z|Vf=Q|
z4)z_So$NBw&XKF`B<&VDGdyn$h~iCmkq)x&CLL+tL#pG5=6f&c4EsLPnRYp;+Pccz
zPpWn)FCm?4KR~*`evnjkr!o(bF0vmcU2H!>s_|8(f^@0<DCsg=vE_W!&L1OP;rQdE
zEA1ypS4FORl5}<G%-|`~HFhQGTKnlR4d+{>`6MMo%kT{DU_XmHW6k$DJU?_+@H}4N
zGF4dT3zezH@nic7SjTq7wd~QcJu`R_$B(5i;pkYJS@km3F;nGV!O?LtGk6szaXeAH
z2J5)QejU7qyE(4<(D6jatJiTYR(-yK>+Cmiz5Nz$2%Q<cjdia;<!iAzl=3?;(N-NN
z+wbBO`#qd$zmL=G4{*BuA<nStaF+cM&bGDPO4>#1_%W`)T82+>rTr<cwm-u)_UE|P
zuE%xu7r5S5TWGMq#6!IAYrh-a%v66k-)~4YXc@j$YB!K3+24_Nu+_dg+250Pwtpb)
zX8%aq%l?UUfc-P+AiI%tr2Px&cw23Ds{JeJ4Es0InfC9bv+O@eXNS%Vnn>q59?%}=
z+X;Aq-3l+XTjNExZWS-Kb=!A|ty|<vLuUr<@G{2}@p5}(yu#MLwbE{nSJ|83)mUwN
zQ>^7s+un>czCUh`<NISW?i7~ccu6{dkJ`NQ$2;DUbZY3#sx3)pL=LthooR1Px-fFp
zHl&L}H#Mb@E{Wp7wxr8#&2xpl9q9qBqPDR;o?`ES54Cs1N83B$6YW&2ds=E&JL7Zg
z&iF!m7ks(h1>b4!ito2~!;jis@zZu1{>9!MCvbewyfpL=of(9;r>XNc#P_5O%|CQ^
zoNV{NDfV7C)lSE0c2Asc_re)=ZydAx;3B&(F1GvO5_@l4YG>dwyFV_swVf;MeQ<-l
zFK)E=!)o7Jul-5Y7UfJ*wHrB$RNGh{NSbO7B30cfKA1F*I+Tate0wM^u!rG7dpM5S
z*|^9afs5^txWv}&=Q?{duD8eF274@Sw8vpxlxul%aH4$xPPVmuQ|t-E88zJQ6LFF~
z33sp$#GUNPxU-#$yV+B4FI)T50Q(?3$exBr+6UwDww5Q?o=#kY+F>5%R1^A8yos%S
zbW2;0kG8iD$9sm(tU3bk>-dp)h<y|uZRg{O_R;ucTl@W)_A&TMTh9frw~xcOhR&=y
z9>0NgTsi^2=Q0KOEBi$Jo6FC_Kk!k1`y|qn*%li2WPGN53O>(16<1-^$!YjiyAZ!^
zpN>DYXXDT9Gw`?enfPb>EZk(DjoVStn*JQTIo9&T@J{wQcrSY{9`5qz;&JwQc(OeY
zpJktq=h+wFOY9<im8~}Lx;>w`1})D;m~iNe@s{=_czgR&+$D5o)n&Mk<HdMi`*J+Q
zUVzmGw2oKcX^vls54W$v$J$rplkIEpnRW?2&%PF4Y%j!D+SlRh?d$Qa_6_)M`$qhr
zeG`7%F2&E<H{+KgS1rQtIerWN#J&}8!bkOX8|jwz?WEh=caV0m%SiXM?<DPGFDBjB
zzKe8-eK+Z7`ySGX_PwOj?E6R$x64V7weKfA*<M0=ru_ivdG>>(7uye!UTHr}dcFM!
z>8*AJsg_CW`zWc#mzR=0Za+r)tgYBf_7kLU*iVwaXFo;yiCszhmHjm7mK-S6W|rYS
zvF7y*9%5@g6J6#xJk5R{AMP?$_;JUp@w1M<fM0TaIsPhiR`8<CeyaIu+55DK{4)N;
zeg&Vrk>XjwtN6^&^#AdYc2W7)aMX9rtXd(5*O-}Auj9P-(YmNUj<?^$r`m7fv+cL>
z`F1V7)P4tlX|KfJ+wbCEZPjt>O`>_dkK5ZH;Ewi(cssie?_z(1_pn#t-uB0MLg>sY
zZMTCQ{}i8Oe}>PsKgSo@_4o?=3w(>c8s8N<v+7IyfUUOhn9F>PU$no$zq-t~xb>#d
zIyT_;_IJ3Wy#{Y*e~)*uf53a#KjPl@Pk0~uXFS+$#G~wA@C17;KFIzRA7=lCkFkHp
zC)t1CGwde(7*=~z$KZR%6Y#HgE49tdqIGPI+uLn$N4qWF&fW-LX}81I+llyAdt-dJ
zorE8>+vCS=og?npJeu#O#5HIi+zjhSd2<l&!z5$%TeL1);LdgjtbU8)9dW!*qWwGG
zC)o-wa+$611$;F9ZAdS(Q%J9|w<W#F?nHWry&dU&_V%QY*gKFuW$#G(maTQvJx0wd
zm6!&3XWZHDj0a&Y|1Ma|EO)_E?OpK<dpA7O?uut&O*0M8c6@g{*Y1Yr+k4;zwvKrV
z?e2Jy-2*SS_rgo;biCB=iI-u`w-;V+_r@#iK6n7_Psg#oxGl#wmG6f)wfDwb*%^2T
zyFcF59)P>s`{2IzzIZ=-KRndlACIv!@gzG7A8ZfA^Xx%5-iOildf)LO#5HJ{hhqIG
z4+DGK!*QmajfdKr&RBb-Mzlv^{ix}T1_SIdc%(fRue8VE<!(PYxRsaf035%!toupH
zj%&W>`o4<JT^cm6Nw_m^osbY5h`TvH8TSg~l|e4n@~G`i!GmnwqnhFJ2jQ8v&WE!?
zXI34I=Q@4}o{u%1>3D&ihZlxr=6rZ4UgYvK@Z!*!RfpjvVflpc9J|zIjv&6wWsbxv
z?4xj0SD97$c&+0{<5sji^~q=Aq_7=U2FKtIjvtFV*~j6|_VKt|=%%I<@JOtBE5NfH
zKM~KiXW_Z_NqD|}GG1Vxf*0DS;>Gr9c!^zzm)fV}Ww!1MF1OFXE9^7zO8YFl%03&f
zw&&nAb_}nz&%v$qp>511)iGK=msH17`8-k``{a3~o$d2UbxcwG0#fb&auKQaRrx~F
zLH2yok@iKTYOgADF{#>?d<p3c`%==G_GP51UzI5)Rb9xJlWMu;1*DpXd<Cg~)^@*=
zbfM!{kuKq*?RYimvM`=mbq(q2FkTs6qest!5`t@qMbCP&!fA~3K6o8*J@?VPuE#S&
zXI9;SXFGl)j-CfKHQj{gJ6?(xVjT}}#!DSvgqPX3;MJist8T?>v6lHZ9N+hE$Ai4T
z-+^agl_|sX!+k%q>Q1~Qa%?ePX5WS5&x!8F&(pV5UEPCU3C;a~{FZ$m{>m=LKiK!<
z->~*^)oZ(UQJp-1yV?)pz3hkZ-uA;d(|!aGw=3{C`%ygEUW%vNkKv>2$MFgF6Zo{y
znN?5XIgUStFR&}|W%kqf8e47QCi@wDhy5&m%6<-4+0Wxw?JC@4SL1fvP*dA@0qea|
zc{x7bei1LUU&4#*m+@lz6}-&W@qCA{Z{O5ZLtKNV`5GP>n*Ki?kJYYT$1@y%1J8E(
zH?fYx+SYI3h4$NckzI>dx%@kLwY?IrvERkfF}A7cJ)9ICPcp0C$DMp^`2fd{r61w}
zj@RKk+|ED3_t~rPQ})L=x;H}qA4m5?GOIqt(fyFjs?TtA4<xhda~$0R$*ii!(LIpN
zsxNSK4<xfn`?v0UXx+cWd)r^()9kPDoX|~8-{1@EZ}DYz1HQ)o4&P+2!FSl-<NNF%
z@FVt*_*MHS{I>lw{?Km3pWDCSZ|$}CXZu&&&*%5w@c#Dic$lp=b7|bfHK@(#J|h2z
z*1cga<3hK>9qrb57rPDK!)}WYvp2$5*zK^MiE8?~H+hS_F}}-A!VlQ(v7X_n{3iGr
zTg$9xPKs|vT!Xwh){nC8cgB}<3%p$z&kUd8N6VR6)sc8_m){caV{e5AyZqL8l)Vi;
z$ksj7lk9Er8FnXpi@hCw%-$aF5w-td2YiOTBi4Nc+FP&_)-|)7inaaZopHRM*%^Q8
z?Yj%!)Z4BLz9e*Juq(dG-VNVicg6R(d>Vep-W@+-cf-%wd*F?H4Br!PW~=^Z+dYVD
zP@V6E2VfoN({XgnX=>_;r#jvX&vN<Rc(&aK&$avF`F1}X9gCWp_Qnex&%ir`^%Fg>
zI1X#R1BjpE_&)e7dtW@y-Va}5?~kv-8aET)U}xdm?1A_pdl1(CukwSj_EoL>5Ul-5
z9*W!Yk%y70u4N7SE`gj)s$nBMLNToPNX+3pyoWyuC)=ZOiaiFW+GBB=Jr1YaIXJ^U
z0LSkcsz34xam{N2{>q++f3PQEJr|5G^G;!#Y-*ZJT!Z4dSU<{B!0&F8Q}HQoKL_En
z>}hzOeK4-DRVSOfElnq`LC-JpaJ(K4#qoNWf#daX7*2Kh!*RSGj==GHI1<O};V7J&
z6iq)L=h;W&e0wG?u#dro_OUo-ABT(V<8iTl0xq))aJhXVuCQm}O8X>SZR<HejeQEP
zwNJ%$_G!4@F2oJ?>A2CJjdQn-*6|FSXY1KQzO6bhu+Jv0LFc<UIBJKPRWZyY!}vM4
zlRX!Aw$H`AB8Sf_1~@*C_)M&R=J|N7;}_so(ebUS2*>*a7vf%y&&M<Ei*R(klUa2!
z*7b{~c?piLSu%r5vHI<bUxwAc(Yh34^%dmHvCfM+mM*}p^ubq<CfQe#YTs7;DpJ*>
z#=V+U>nvYGs^ybQNW*F2Yw<$Il`gffBV82k7nxPp<HeDK8}LfUZ^VPb_McgG6CN2k
zD8=I)zZuVPd=Z{$--2h^x8nJ1FfH3{c#(ZOUToiim)T`_xqT;I5jj|lJG2j{6WoP6
z*>~g4_C2_peJ@@ax#~W=$}Y!iT;_f}HN1bAS+xYuuphuP?FaEJ`yo8nei+ZUAHfUk
z3cN6K@F-sDxaxkH{TN<uKaN-0PvBMdlX$iL6i(uPquNrX%7^zGGlQq`5)MGB+husE
z{S01aKZ}>!&*2sJ^H|@>(YRH(mtBnq*e~Eg_HsPZei4tcU&2S&FXQ9vSMXW(t9YJW
zgD<gP!&liW@D29s_%{0ue2=Z;LsExmncpI=LC5*G@iMG)UoBo`zk^rXE3x)#m3bGd
zZ!f=xyV>t!?eB_zfOSnPe~5K`DA!?4OY{ARbd{}iH6NAvm~@T(3F%t<Q&L_3s?2A&
zgZ(*PX4m5t_7_<1PpZ78z1IE`x8gjd_*b}t{Wb1ne}nbDrOJGZyJ0PJgG{?>osboL
zhmYPlifegKw7<uv+dtq7v8MAQzTEx^KW+bvU$7hTl+IE4U+|$=^Hm)j?f9?wMEf^<
zq09V^FL(S8{EOX$x7a0`jvl;ji?uunc!cAs*8}X<c#7QyA8NP7M`Mk<5k6<v$nEfj
zb|Svk-Wb1twfwqI`I_AxzhiHLKeBZ{_zQb8{GGiy{>9ck&V=2fX>Ngkz*-))h2I?S
zh}(3H%4~@@v2~AmOM7d)y}b>dyL(hV1uwR@#of9^)7QQ;*WQk}2JQRXWBn-a04}z7
z#JAeI?!4Ph#nE%&%&MKSuOq57{c4xlg}4UQTNm8g-W99Qqxfz(%kGLt*_zG-dw1d*
zv~1mQG@Z<<J+QBLs`kW(xs2|w&q;{N_rQ9tuW|RndIm42<D2ZBSkImn?}hbjQr0p=
z_Zu^-^lVdu;<{%aUxt2|Lvk438%Ni4(YWdds(k-u;|{=sJpFy}NPAyA-rf&SwfDy}
z>`Xk<&cd_ofq1q(2+y?#<N5XwywDzsSKGs|j%ixX;kXkkCTHXF@Yz;o)d*Z+kHnSs
zC|qri#x=H{SJc{Lah*L5*V{R`!9D;t+T*dlOsQp<fD`SBIN8=SkQ7_r7f-b(<1{-L
zr`uC-hCLN$*$3fldm7HM55{@+AvoWjjtlHOTxcJP^#v_0^9-D5ABKOj56AlMs>&RJ
zH}m=HNW8Uu6yDL!$Gh1_;~w@*+|ND+?{6QAhuO#BvG(!!KwItk92%&Wp@6ss`9vIV
z&$Do}5AyyGj`qRKs*~{{F0bhvX`f15gQjyDrYVIk#B|w0pN?nPv+;cU3>;lAXI7nw
z<NL)~IKE$;jpO^m9K77^HilQ&=iqpIo{QuA?74W5+xB^Qq&*MMw9m)0><jR0y9m#<
zFU05CT6gsaw7wS+*C1bv2iuq6*X>L3yY^-HW4joCZ(ojowHM%aUN6mSTl-4l8Z@t~
zaD01Rjkj_98oZNTf;s$$<u#qX?1jWNXgb$nRweZHc!_-jUTWWnCwhHv!qe<htb2}{
z&dpf&2jxY0GZs$11#fL@8TPSnBd$SZZpVxo`VPF(F2k$rJF(s=QTfGK?|;a5VZEy%
z-;MQNg?tazI|TB*xUZM(K0L|R@<jJoGOO+<u0iLcB{*81rltpQMmU|OrU!AB{SYp&
zAI63DBRFPP;3E4`toO7ueGTRIW5nb0eH_Q<`vi{mou;NIF}rU#?o;^ujUrd#OYNue
z)%G%cqx}rN-F_C|Yd?n{wx7r6w~MA(g)g<M@zwSV_;q_Ze%IEz#J?l+67l%Dyo{sv
z+0^t3&LTtW{wmJ4YjBRO>Ezlgh-*;!*Kxc~-oTeQ{wCIUU{vNUe4VZ7=(`z;*AmyD
zHt-IPrjuE<5)X3xT|Cl$50AGsoyqnG#5HI-AL96Q>TnmwKf>|-OXK!+{A1!8H0~!j
zKJKTut>d3zE<?jI8kbW_=z5Q<dre>9_`Rmpm`k_t9@LjueGHZP3a8p%<M_R%Z*aQf
zn!fs7D&Ig{gX-!#9N%7RaC8i5YWf~`b(tS<w2n<pKjQd%0zcv5F7q=UZEIdpeKs}y
zLR^FDVJ(i=!>_ng6u;m%+}ZveceDS%J?tjj&sGI$U6K;!XjV;GI58osN!LRfv|g=o
ze7)M>sGgge+G0+FVVRBac6K}5+fKy$*c;=)b`p;FQQPAQj&FhwvUSh<Fncq6jJ-KN
z!`63D&b7C|7umXoyUf;lU1M)aT!Ze%ZiS;dY--vX$J@p>IDXtn!SQyoEsh^UbX^#4
zGuz=*rm6O@J&w1T9dNwO?1<xSW+$BG@~Jr6-WliEy4K9Kcfomf7o2bJiVN)BaG~85
z$Lus*WbclPZC$^X*n8kodrw?ucgN*+4_smIg)41+r>ENPiEHd$xYq8C>+C+b-tLPV
zY(2kfwD-mV$9C0c22Qm5<79gPPO<mFsrJ4&&E5~E+j=IZbC9N)iL>l1oNW)pIrbo&
zYY)bG_7I$J55)zxp0nxvrRfjHXJYL;**NC-2z;L7BXN=AqwvL!kH*E0kHIDOSX^q4
z!)103F1HWB74~@iIMy;uz?F_q#CnHS@kzMa@dL5mJym=%u5mmU*V<F?hc2V<o7Opg
z5U#hUVZ9%z=^Tt396tm%+S9RiJk?bmPP7ljNm%2~z{!puhEr_q%c=Ge#5Jh=k+`*e
z6dq&e<4N|>_+Wb`KEgf*7ucG9{Md3FaSfXO@tE0$J^{y%4+S`WOgIro$Kj@?SvWfO
zHZ`4udwJZG@c>)TPvXbMQ}KR|pN6w=VnVE`5D#%&%a-l<Y~mWUY-iy3vYm<J%cf^C
zn@}k#b2i@6o`biyW4Mcb4&KwAt1_G?H14@7W1puo_B=ewJ|9o8FTe-cT4r4*XgU`X
z4{%%VyUxdn_C+|^z8I(2m*7<UQk-UAhSTk0oMB&%v+M;p+r9$l*jM6Q`zoAgUybwa
zYjA;Gf(z|yam-$bi|p%gv3)%*v2Vbo_KmpAz6qDxrMSYr8CTkiaJ794uCZ^$wf1ee
z&b}Sj+jrmwy9_tlcjADL>VGk5qJ0->vVAvcihU1hs(mkMntdN>x?N71Vc$=hWiKJk
zwjUtPu^%MOwI3qQvmYkSw;v%buq#Ll?MF#t_EOR!`!UjD`*G3|`w7xg`$^I=`zcZ_
zx9XviRP&IZCe_dKGSX`M8PXd2S<+hjInp}&dD42jinPJjG#c#}NCU1HH2vi`(S8vp
z+b`i1`(>PJzk<{3S8=+n<;t*M!&&wUoNd33bL=;8uKgy?v){t`_S?9?*18tj@8Fod
z5*OL;;$r(fTw=eEOYIMEnf)Oyw^e@?_D8tVUWKdek8zFt39hw2#dY>)xZeI8H`v-H
zjrJEf;F?SIzZxgnU*cr@E1Y6~jZ^J!aGL!s*6$zGbhMo_?C)@vy#{C7-{Tzn2b^pF
zi1X~9aK8OBF0j>h3hiHT%wCI&>|b%Q{TnW^f5)ZvAGpkJ!sT{A-Bj2KxYBNgtL@gf
z#%_aa?Y6ki*83y%c01f)C*nqXW2{cL>MaQ;+U;?&y$MdSH^r&8-bqQb^&UaGos2W=
zEpV3I0cYDCagMzu&b7C~dG^*g-`)ln*eSTs-WJDfy)Rj0Z-<NR?Qw~{11`09#AWtQ
zxZF;~752`!((a6_?Okw<-38a$yW%=~H(YOb#SL~EZnSsD0q+f}{=4Bsdk>s!?}=0F
z?l{%%fz#~0aJrq2Gwhx?%kG7<?cO-Y?t^pfzBteBhx6^dae<wI3+?_mW)Hwc_CC1S
z-WQkH`{7c1e_Uo~;&M9+SJ(q_rLAZ6)%IXqV-LZ#_E21B55x8LaNJ;L<3@V~R_9Fh
zujl`X_9&cekH#tX7@TU4#cB39oNnjf4Eq3_W$T@SY<mLEu_xkOdlJsG55)QQWL#k9
z;zD~0j@eUjk$n&@wx{6|`(RvZAA-y5>A2j^!xi?SxYE{p5Y_f!xW+yl*V;$mI{Qdm
zZy$vl?0np4AB}bMLiMkAD-!KvaI$?YPO*=}srK<W%{~FA+XXnoJ`rcxdS4^kJ_+a8
zC*xfE6r5+Diu3K$aDiQj3+>Z!%+`B(MfMrE*gg}N*k|EV`)pih&%xz(3|H9a;7WTg
zuC~v`HTHS9)}Dv!?DKKGeF1K;i*TcTA<oz&s{i>o%f1L_+ZW>;`x2aMUyAeW%W%G3
zjP<*$wM{R_h4um*v#-EK_LaEUz6zJvSL0Iq8eC?V;Bxy~TwyQ7mG*VG+P)sw*f-!>
z`$k-6--PS!QruwQj2rDmSidM$>vaoGv~R`9_H8)Dz8$C9ci=R;45!<7;tYE+&a&^q
z+4kKy$G!*W+V|o-`#zj+m*WEaeq3lT!7=**Tx36pi|vPSiTyAxwI9J{b_FiCAH@~+
zQe0_2hO6zzagF^1uC<@Ub@o%Z-mb(A_S3l0UWWBRTJ`@7PPCuJ$@X(N#eN>A+EqBs
zuEy#13pm4Gj<f6+akl*u&aq#{x%MkK&wdr>+cmhrehnAeD{#zy9T(Ye;9~ntTw=e4
zOYOIDnO%#^?RRj6y%Ja2@8W9vJzQhIk8AA@aGm`juD9!OgZ&Y1v{zw0zgGQ!jP?9l
z{sim!wfrg8^K1DttmoJA=UC6L<$A2=*YX!w&#&dxSkJHJFR`9q%U@wVzm~tox%M|$
z&$1Q&7VBBI+<^5gTmBB~S+=|e$L#NMk^KWMwtvJW_D{If{u!6qjkw(Y1y|T>ai#q$
zuC{-}HTLhg*8T(6*-g0K4(OXV*a^7NZiRK@TkFyqC)#arvfUP^*c;(gyB$um6LGq|
zG0w1)aF*R3XWN_L9D7roYj1}0?9Fk$os0|YEpVZ&-)R@KJK`dHOI&Pkg-h(MajCrx
zF0)f`xxFo}ush*OdplfhZ;xy29dNC^Bd)V|!u574Zm@U8jdo|OcOg{&yI{QwA$P&a
z_O3X^-VLYPU2&S7hSTlcafaOuXW4t;Y<o|fV|T~7b`P9q?}hX2bX;Kf#D#V*9J71l
zBD)VRw)^4|yB{vK_r_&*1}?Yz;|hBKuC({T)%L!)#@-Lt+WX@=I}_L2S-8O-h#T!e
zST}Z6=Yw&gt>3kfY!AgL_As1k565YCHcq!k;0${t&ay}0Y<o1$vB%(Cdo0eg$KiZC
z2N&1};6i&mj@c7%kv$O?+mmpKeIPEiC*v|Z7nj>paD_b;SK0^RYI_>4u@A<z_93{=
zo{sD7JltR(iW}`2SPvIf|A*m3`*56WAAwWsBXO#I6i&1Aak_mp&ah|VEc+OoZ6Aws
z?Bj5*eLT*yPr&(h0WPpl#D(@O9J5ctMfS<K*ggf9*r(!B`!rl;7vggJbX;N2#+CLN
zxY|Aw*Vt#_TKjBVXV1a)b__Sz=io+rF4iyNQT?Bb6YcYGvON!{*yrO^`vRP17vXgK
zLY!gG$65A8INQD$=h&CvT>Da-XJ3Z%?P6SDUycjy1vqA3fs5=baj|_BF0rr1rS>(r
z%r3#@_O-aeUWhC0>u|MwJ+85Dz_s>`xX!)_*W0DI!M+(c+KaG$LAC1t7My6`ij(cz
zaEg69PPOmAX?7V-x9`Lm_F|l6--Wa7yK#<v56-pk#d-F9INvVE1@`^8&|ZRL_5--c
zeh?Si58)E~VO(lIg3Ig*Ty8&#E9|AX(tZqA+mGWK`w3iYKZ)z?r*OSpi5u*vaihHq
z2Yh!%_5Tb`w4cSv_H#JJejcaVRXEMA#_9G8IKy6!v+Ngfw*3;$v0ujej*ph%6|C?0
z$gg63$49Qg`i_tM8ZNX~;F$e7F0$Xi#rB)H#C{8x+Hd1ByB3$*@8Al1C9bsJ#ntwE
zxW;}T*V-T8I{QOhZ`a`l`y<?FuflpEPwVwDPP9M4$@Zr>#r_PZ+MnYzyB??8U*HUT
zHO{iX#M$;&ILH1P=i1-kJo{UmZ#Uoq`#W4{ufZ|<dt7AyfQ#)Paf$sCF13HgWp*Pj
zw|~JE_F7zN|B9>a-*AonJFd0=z;$*LuD1j34L8K&JgaSNX0|~1jJ`ExH1OV0&<01(
znlpp8m|JUMd?U=MJG8#<?)Q<xd;Fap-<WteI|=u)+vDh&cxJE(9_09@c%;1<9&c}s
zr`pMQhP?%zX?MW0?2dT0y(OM&Z-wXETjK@xHh7Vpf*0G{;-z*cyxiUnuduhrEA1Wd
zDtkw~+TIDTu~YF{duQA#e0L%<=#2dyZ?FsYd%Qsx?DyNl-@Wa3dV}4F&-A!mvEOMA
zpPBfb_F#A7^IfJJUSRKm{Z4zZCtl=ucf8o{ftT2O;iYyuUS{{i%k5rxh20ykw)^1d
z9gocLcZ7Fn6}6du#5>u0<IZ*l?q>JLgX{r#q`eQGYVV8v?s52g$LBh}Kk@l?CSG7?
z;YId9yx1Ou{XTy%7%z2v2wr9n#VhP#c$GaIueP)C8hZpz3g55D3`XKX_9#5t*6(jy
zW{<)8o|yK#u~^^flE>kdb`I8enG`<&cj8&UJRWzpC*W@OL_FTs?_8g1ABbnzlkrSD
z7tgk*;05+nywE-fFSe)QCHBF1seK4uZcoR0KT^w?hg<PHQa%(X*)wnl`!L+uJ{)(m
zkHAyyBk>ITC_K~7$Mfx@@oIY})-zho_ZY0_sq(Q{?L$6}RNGS4@9I#!%O{Ykj^qMT
zt&e;n=^T3&=^ge-r1#k;lRjeWci2B=pGsO~pGNwsT}b+&eLCsq_H5E`?K4P!w$CJO
zvd<!I$FnCb+u3+?Tg$kO9m6}>=it5VxmbU%NaLQ1C)?-YqwIP30{eV?nSBB7pA?N-
zga_Ie;t}?IJjK2UA8KEWkG3ztC)$_d%k9hXwRSOn)V>_QU@yQ|@!UbnuXm8%<i5Im
zC2<XHu>K~1ew42U+<FOp4NkF3aH@SRPO}%{bo)A-VPB79_6@kmz7ZGOH{lYy6qnjJ
z<1%{@F1K&N751$-m1C)v`8J$p-;UF5wYv<v3}@MQ;%s{{&aqWLxy{V1!s*{b84dcL
z?7g^bTj~p|E#Hk5*SO`5-|zCO=OviKURdW3U^YwW2XP1cA>7G+7<aa{e{{1ea4-8&
zJiuOx2icF|k@n+wy!`~8YCnl**iYe^b|s!=KaCgK%W(W$`3#PqE1y*v>PqYQ9B#!*
z%Fp8@Tl;YbyBc@1RagGrM6jH=25rX|v3`_a0`YeEGLE;yS8%G!=-7~E*Wh?N)b!)+
za0PMxr~jN7ysk25$z6gsaL!^mId~J-vXUzE7LM`dkhTfC25;jcyB0U{(x=M2gY)?X
zoNW_QqwUTwlxmw03*IHJA>JMm*%(Q*jrW_yKft+^QTzE2Pj6N}&v7k(;O8%^nvMH0
z)^(1?{RHd!Bt9=)pD6y>f0b_)E?f2pEkmn>`u~cz3BJI3UYMBBruAy9XN0X2+Jxox
zoKNwuT)thxzQNa+O-Gr1gKx01+F~7dlN@ir+Fpu(ht;-Keht>PQ~Z0ZcCPpjIMwkV
zac9SW!fB4{Sl-R?My&0t>HLDVFK9Yzv9`71zhdndivNbQ9RD2;a{LdR?RXPr6NTji
zj@dbmCt&S6nocXM?WO6r#@de*Z-et3Z;NL*z7fuMT<4sbjwj**$2Z2>*EF3ZT<Cav
zJlpY2aLn;d@m$9@!$pqkJT~9)WL)g{7I=Z<9dL=`9q~fPx5PKuTj5fd*&5&BxXz7b
zj;G*z9p4t0W3`P=_#wx)!xb*SJ$}M*{f@3m$9KffIj-|<wd1My1;=;BHI8@2uQ|R8
ze#7p9Yh7kntl#&d`rHlI;Y||uZR(0wIi7~=9p4={U~SWGxX}*xJC13J?@3%k+k`E{
zzk!oz_aL5Z?}bzBbewAU#A$XfoNjCS8FnAy8rmjg2Yqog{p_G0j;5a-_Cca?v%`0b
zqHz<0{*=iI$4v|dsC-*ZCo$LuNAEc#2K(aZeTKwfKb+kmDziVX<~*hHnK-vov<z7|
zIyPnp194(_+)E4w;Z%Dt&aj8zhV6CSOALnMMtc}8?h?g^<3fHRk;-V@E34NzTK6d4
z+)+IwhQG5}@z#txhUpaXNlZv=H<t85K8kCa#g5DIapmUIjC%rQHMHiKKM||m5)+a)
zpM<x@ifh~y$JN&>qP)%#xwzP#f=leFxYRxfm)ZKe$L03HxWYaJSK8BYwVj7+>_c&_
zJp<R-hv9nraNJ-Yfg9~3aS*oQ<gkC5Xy+48wvWas_Dq~=AA{A8()u2Y)sK>o!|F%L
z$Kx#f1gw6P;ssd!DEUOJev~{5=h-LWeEVcvV4s2u?Nf1)eHt#d3vr2kIxe+m<1+gU
zTyCF<E9|pyrF}N8w&&m)JBDlRb8wwK7uVb8;s*OX+-T3kIzeiE&&T>6hpcM?eRo4v
z`_*?hWVPQ^dp=IHFT&~e#W=&(-`C2rFU8rmt}}9M?FYH`<v7n?fb;DuaDja#F0|F=
zWA@d=HMCAh4X(lJHzy{f?o@)+-&I`Y%N<|%U*)rc>oAj{Ojd9`PO@*n-9lFeH{xFQ
zO?a-$l;Y@ImKEHLqw`l*un4bmnOpE`k9#X#<M?g3GuuM*y&ZQ8T^Zbgr#fDSXF7f-
zo@Fn_vt8ycJlDP(tKX|>-h<WGZJkgV+>3QzNb&oy?)k{&c)5K));*lo39(=ao*TL{
zcmV4jh^F(P%CwIB5bkV0jP=g9$~=N~oi0~kU8ieak78Y?%S&;qu>V#WJcg6($8iVy
z3Eatk5_h(r!rkmj+{=C%4+@<XEW;!1XYhFYSv<>r4$roq$8+r}Jm0Ry3+)&1B6~U3
zdox;>7qQ-Pkzc}kA4Pr{w+`DLfBy@&w_n9C@|;ffQ-k%qFOlyGy@p?Rd<E9CKgD0i
zdiE#3f%WW9)}Uv9@>|3;Xqs<hHdp9cyvp0|9lV(Lb5v#}*56Q<-^FX}_wZW#ecX!o
zNmS+ooMeB9JJ@x&ll>9yY_Gz-?2mD8`xAVUt>xGIEt>vk#5KsD<M{H|W137D{{mBm
zTo+U}t;SqxgmFzL8LJ+?BCbKx`5L#jzrp%D9EyL7^*1f#2CUz|FMp@<uB$b8JNtXQ
zi>-MbVE;&5gU0;{6At||rh5{)5qGwK!SUnCTHModO*6y(jkpF)^LHGd<{vo8@g_{S
zC@iDk06PH>vRmPic56J|ZiA=VZSf3yBmA}Np&i!WHqbI8;vHBBS%2GbS33!Jx7*`k
z_9l3&t@YCHt=71k5!WDZjtPfO#_{FR-%Fg~cn3Vw?ucjETjJ?nwyp3{_SX0WdmDV3
zor34s+hY9=94$j9tlvc-Z-@2wUF7Yt{uYb81Af@nx`cllgSgD%a89fY-|v=HerL+Z
z*Q+z;|1iD_=w^4p@par4&vbk@JlF1u=i6y`iM=~sV|T;7yli{m=onrZ?1?+j=(RlE
z@l@`c$vyB4doMiGPRC2^o_ML<3oo;K<K=cA{Epohe`KppMzBL_Ud`(#gEAW0ay;yh
zwg1Wku=ZJbADm+Ei&O3WaGJe8PPa9E?JpWPi?{}PAdXLe5ROlOFpf`u2u^kRp*TMM
zVK_eh;W$41Y@F-zBXFKQ66f2aaDhD<7usWR%pQx2>~Xl*&cUVj0l3T_kIU@|xWb-@
zEA2_R+CC81*pqRsor~-2DY(I&iW}{Na6ns99ZtiE_Q5#WJ_M)O({ZYuhtupsak@PN
z7x#&#c^EFS567jpwqxnSsEo`~une)_D9UJ1KO`SV`&2BvudFP^XM$*di3P{t`Hmlp
zSJ}tmXn%<X$K$B46$?(lQU59yeorFmN5#T>)lokx7R;hd)Q^e<C*i2S6bnwq(Y_W7
zPQg*%CKjBEqrOcnI1NYrkXZQLi>MzG3r;5<^+RI8Y#jANV!;_W>W9RFGjY@pi3Mlj
zs2>sw&c;zcBo@rUQ9mRWexD=ihs1(&h)4a9STGky{g7C2E_NSd&UyF^`V6YWdDwl7
zIp^c|9KQg&zcHr>f8zLs*nN*V^YK@XYumXWGUsCA8nhiR!O8ZeIK{pUr`p9h&DQgQ
zbX(KRu&412>Y>4b!3ci)#8Cbc7+3n7&xY{d2!8LxD00T}`!*)=o$;ac(WeEIiH{|B
z9Gbw-6VNdJirnOIyrCX%BGVYb`En9DBPcPJl0zslk<SGF9Y?<A_SaYs;zPnS?cZOr
zDdD_^vh2OXWgp9&hp;xI`E4Ij%I_LNe{cQQpUWtwH=Z>f%6v56mYml>?oVnv4Q0(H
zum!Wx80xqs=h=My28G*mXp7EoG_7SY^BK*$^`Kryv!*Sv-6qpo2l5%r940cSp`4qB
zw#b~uum%S*pYh>*TCOE(&mG$0ZE!ey(1;eF%cQWCk8kn$jAoA-)uQcLYm&qDNqURU
zWjynUT3DYJozFnF{(<Z_Iu5n;(N4!X9plDPgW5w|de70(VB&vZt+Lrqb^cTxw&Yrk
z;M@?M3tMt7I=T&}-iB?!bs0_#jiXnfv%m<hY1Na6_bb!`(UDaBlHu-==x3eRhf#78
z<EXW?{F!5DxCAX(w-drMym~M#y|2ZOw_2wIH{h0>5Uk%{%3<rN583kVUp>}dJY8?;
zx*N-UT6Rw!${e(1TJ|V7ndwjPc4_H4i>@nlW*o<VQ4f7QEw3eddLx*Nj=4Gikv6B}
zQp>l9sQ$9qViQ@fmOKVcrsWL^kG?HC7uB1tBXuNd*><je(iCc~<<IpxH|h#_Ed9Th
ztUX;XX&dP(v}Nl~Yoz^XV%Rfl*(=WjS)1|9FFNzLWc}rY+o`4dV^JS{0`qFgby?TC
z{}Wg1x{6lq{b$xlZLcNgq}DbtJkw^k@O<J|Yq~EshBM$q(w1Da_;za9`%}7?GKeFC
zjt>WH(DnJ}?>g#ErTYHkSc)NBALy!}U(lbW>d&&J^E6@*J;J?%zF60n1A{)~^u@ix
zoW7JEObPW+ds2EJN=N-EH;DgQqK7h(YaF$NmfeqZ?9QdN>1v`S+nRc+-NW<vH14ge
zyF0r6@u&yOGKr&mOVnudbsfJ!*Y@9Ui8?>4Z=<W)(X`Bgtp9ZCN7u2@xqEuEbE|p`
zEq6~+S6}KC>#p^NJf=p|UDrd<T53+~BK_Ep^c+Fgg}QgGHSdA{y{7<On1-H5Y=}0r
zp|@<jy|>&}-Ed1hmhCWs)~LHEx_>eduiIuDt|k8Yd6N1L(K8{P{dCM8{(o{yuB(-Q
zzb4{$SfZzB!>QvQJh>amIu9j{ei|Dd6SM_%E>Ov6?}<M*n-<nl^mIhEHJK7)*mCOg
z=`Ly19;SsqM^`w}6~QF(M~COS=$Vnm(v^bFkkM1RX`JEYVVngs_^%K7gZXzzcpmJ}
zIZ>^-51+o|4heH~rq_A359h~z|Hrpm^VU2)yc+AtGWTU0s4vhP_h2pl{jK}wb{#*y
zsaF?&8aae*FoHWA(KXF9j(XbT6g`mbIE+0(M?oDG|NgOT{bR14dTKs@?|7@bk!mq&
zcZ2yiho#js;th8Uj^7o^r52{qSIJ<zO#cThygN&v^G5u+ba$3(5<lrmu{){ugh^q3
z57t}zl71e~Qp>s{*pv1=j5LEb&@WsowE?yI-bAK{?LlYYy-|ADGSpt8^3gdv>fubM
z^dRP#&a`_`Vi-RSWqRsMYEK!=di;5L;!mVERNv>%b*3$>mNhI~Q{B&t`WZu5wm$!4
zUFu$=-U`sMVi+|ynl(_XZTY$!685qOv#h<4{#EU&6=>;ow_*MD`}_OKU++*y*DpGv
z>bguV{0!PlFWQ2(v#tt;(8|<SbhPZw&x-U!T2ftMbmw2Sh;&K~3tL8Xg)uZZi>XD^
z|M&Vke{T2x+WQ#mUm5-5{^+`M-G6t?)Lzqv?a{Kw%zv~chW*#ITXdb)J=`mYvNis^
zC3HpC_dmEL{<Zy3=K>u=b)P}oVHis~I^1`MbEFzbKWJ#!{~F8{)P_A?Ww6cmX6icc
z4P`41B-I&wC?EaX68qSn>*ilMu8&}ex`(|)T`T?1$L;<szuIL+xL4|KhmPBQ*iU;h
z{#a^UJ)-HXX<zC*>dUBalTL{te0t-4l%3{zZpiE84cA+bt{nflJ+)7`mMy)f>YSk-
zM)Y2p?qh7YYuEpsdea#wgY{_HBb@HbMQ<QYqQA4@THBxZIJKAmcMqV)dcCP09DUT6
z%HfEls}}W!`cfM@7i(YY$)^uXJ(xX6XTD*SP+w_Xe<}J&`(Q8Xulatbeo=H**Hi{`
z?CD8MQD02^UOM~TpXa^dYUHoydEFz@I}*d0bIaZrjo!=}7}i-!uF-_>Dz7EypjJ9D
zyl<o{$d;Vbkg)AV{mzzu^GB^&J>CtsMt^S)RNp{v@92Eho#j%hr=w~~|J)uKzoLz<
zV4^)zcfGaWHQyt3pSyS1+g8t2`=d&!t@aQ9Rex2>qIY~Y^m`~#9mTKW*1hf05`B=r
z?*Gm2Q~%@Ra7*5y){!Ub=WXaa|GH*VYl+`K(zV<`?lkEMaS!5pSL^RzH~o1ox`(Z2
zXH#2f4$+Z%0>^~0tjD^w(DyX>HEqGd$6kJF?zXQcT=Y`qLVf>2-*GKy9euY;-|71A
zh7SK-rt@y)_vh@4o6kqT<6rOL2Yhd50}Zi%?frDVd%%oG^Qr8l->@0PZaa*X58Ci|
zij=krc54--bNutr8HA~zYd??D-aja96-+ri`uXH9l(q@_92Nb%piMOXe*Ss0w$aaJ
zp3e(MMCB&_7^NE@8KpZP8l|6let)RRG2g2_--Gvvrqkck{lxP>F+VET(?565i+;Yt
z@kFP6J^gPy{<}`YFVkqfM``*A!NE>zy&N<3NAHMtJuFIRc)V{tznItOJC}=1R=HNe
zFaCM1^Urp=@bhRow>W>*$Y{Qb{wqVz85%Dsc(6iawFx?U`94#a<sGA6fWg*o|C!SE
z!Rh^#(LNY8DN2*V@iz+EhiTjJ_q%Dl^@ly%DUuKjbGm+h{O7KGFH+^EIE}}5pogaG
zj(AW1fBpu^y8GVx*7v_Zw(fQOb9c@4EzbYMeAd4^ufOQ}zcJsxJ{8d4eEh$$B>(97
zg#POL|J|kgpP!!aP1*lnFaKYk{^;*B|EpW%&wV$2^X%_UA-*@Qd+MmaoV=l@`PaGV
zik9zR|Lr;bzu#Hsuf@0E)T4XA>)wbDSf9UJYw;(E|I@ep^mkhSQ}fb%{(J{J;5_ud
zH}`4urklUdu_5+=^{-L%9nQbMhU>q9|K}%>`djE5eje+tt^Tzujeq=%G3w`reUK~o
aqAWvfa#!_WVnN4F;m>*TpPz~PJpUhSHgBZ>

literal 0
HcmV?d00001


From 3ae607e1ee9847a0af8b5ceb4e12025f1fc44147 Mon Sep 17 00:00:00 2001
From: Jan Starke <jan.starke@posteo.de>
Date: Mon, 5 Feb 2024 21:51:20 +0100
Subject: [PATCH 2/4] update documentation

---
 README.md            |  4 +-
 doc/cleanhive.md     | 36 ++++++++++++++++++
 doc/es4forensics.md  | 80 ++++++++++++++++++++++++++++++++++++++++
 doc/evtx2bodyfile.md | 39 ++++++++++++++++++++
 doc/evtxanalyze.md   | 88 ++++++++++++++++++++++++++++++++++++++++++++
 doc/evtxcat.md       | 42 +++++++++++++++++++++
 doc/evtxls.md        | 70 +++++++++++++++++++++++++++++++++++
 doc/evtxscan.md      | 36 ++++++++++++++++++
 doc/hivescan.md      | 34 +++++++++++++++++
 doc/ipgrep.md        | 42 +++++++++++++++++++++
 doc/lnk2bodyfile.md  | 34 +++++++++++++++++
 doc/mactime2.md      | 44 ++++++++++++++++++++++
 doc/pf2bodyfile.md   | 32 ++++++++++++++++
 doc/pol_export.md    | 32 ++++++++++++++++
 doc/regdump.md       | 36 ++++++++++++++++++
 doc/ts2date.md       | 43 ++++++++++++++++++++++
 scripts/update-md.sh |  2 +
 17 files changed, 693 insertions(+), 1 deletion(-)
 create mode 100644 doc/pf2bodyfile.md

diff --git a/README.md b/README.md
index d142116..4135f5d 100644
--- a/README.md
+++ b/README.md
@@ -15,8 +15,9 @@
 - [Overview of timelining tools](#overview-of-timelining-tools)
 - [Tools](#tools)
   - [x] [`cleanhive`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/cleanhive.md)
+  - [x] [`pf2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/pf2bodyfile.md)
   - [x] [`evtx2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtx2bodyfile.md)
-  - [x] [`evtxanalyze`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxanalyze.md)
+  - [x] [`evtxanalyze`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/avtxanalyze.md)
   - [x] [`evtxscan`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxscan.md)
   - [x] [`evtxcat`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxcat.md)
   - [x] [`evtxls`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxls.md)
@@ -42,6 +43,7 @@
 # Installation
 
 ```bash
+sudo apt install libscca-dev
 cargo install dfir-toolkit
 ```
 
diff --git a/doc/cleanhive.md b/doc/cleanhive.md
index 291166f..84b7f46 100644
--- a/doc/cleanhive.md
+++ b/doc/cleanhive.md
@@ -63,6 +63,42 @@ merges logfiles into a hive file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `cleanhive`
+
+This document contains the help content for the `cleanhive` command-line program.
+
+**Command Overview:**
+
+* [`cleanhive`↴](#cleanhive)
+
+## `cleanhive`
+
+merges logfiles into a hive file
+
+**Usage:** `cleanhive [OPTIONS] <HIVE_FILE>`
+
+###### **Arguments:**
+
+* `<HIVE_FILE>` — name of the file to dump
+
+###### **Options:**
+
+* `-L`, `--log <LOGFILES>` — transaction LOG file(s). This argument can be specified one or two times
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+* `-O`, `--output <DST_HIVE>` — name of the file to which the cleaned hive will be written
+
+  Default value: `-`
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/es4forensics.md b/doc/es4forensics.md
index ba37dde..03f5212 100644
--- a/doc/es4forensics.md
+++ b/doc/es4forensics.md
@@ -133,6 +133,86 @@ This crates provides structs and functions to insert timeline data into an elast
 
 
 
+## `es4forensics import`
+
+**Usage:** `es4forensics import [OPTIONS] [INPUT_FILE]`
+
+###### **Arguments:**
+
+* `<INPUT_FILE>` — path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)
+
+  Default value: `-`
+
+###### **Options:**
+
+* `--bulk-size <BULK_SIZE>` — number of timeline entries to combine in one bulk operation
+
+  Default value: `1000`
+
+
+
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `es4forensics`
+
+This document contains the help content for the `es4forensics` command-line program.
+
+**Command Overview:**
+
+* [`es4forensics`↴](#es4forensics)
+* [`es4forensics create-index`↴](#es4forensics-create-index)
+* [`es4forensics import`↴](#es4forensics-import)
+
+## `es4forensics`
+
+This crates provides structs and functions to insert timeline data into an elasticsearch index
+
+**Usage:** `es4forensics [OPTIONS] --index <INDEX_NAME> --password <PASSWORD> <COMMAND>`
+
+###### **Subcommands:**
+
+* `create-index` — 
+* `import` — 
+
+###### **Options:**
+
+* `--strict` — strict mode: do not only warn, but abort if an error occurs
+* `-I`, `--index <INDEX_NAME>` — name of the elasticsearch index
+* `-H`, `--host <HOST>` — server name or IP address of elasticsearch server
+
+  Default value: `localhost`
+* `-P`, `--port <PORT>` — API port number of elasticsearch server
+
+  Default value: `9200`
+* `--proto <PROTOCOL>` — protocol to be used to connect to elasticsearch
+
+  Default value: `https`
+
+  Possible values: `http`, `https`
+
+* `-k`, `--insecure` — omit certificate validation
+
+  Default value: `false`
+* `-U`, `--username <USERNAME>` — username for elasticsearch server
+
+  Default value: `elastic`
+* `-W`, `--password <PASSWORD>` — password for authenticating at elasticsearch
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
+## `es4forensics create-index`
+
+**Usage:** `es4forensics create-index`
+
+
+
 ## `es4forensics import`
 
 **Usage:** `es4forensics import [OPTIONS] [INPUT_FILE]`
diff --git a/doc/evtx2bodyfile.md b/doc/evtx2bodyfile.md
index c5e50e7..b6b08b1 100644
--- a/doc/evtx2bodyfile.md
+++ b/doc/evtx2bodyfile.md
@@ -69,6 +69,45 @@ creates bodyfile from Windows evtx files
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtx2bodyfile`
+
+This document contains the help content for the `evtx2bodyfile` command-line program.
+
+**Command Overview:**
+
+* [`evtx2bodyfile`↴](#evtx2bodyfile)
+
+## `evtx2bodyfile`
+
+creates bodyfile from Windows evtx files
+
+**Usage:** `evtx2bodyfile [OPTIONS] [EVTX_FILES]...`
+
+###### **Arguments:**
+
+* `<EVTX_FILES>` — names of the evtx files
+
+###### **Options:**
+
+* `-F`, `--format <FORMAT>` — select output format
+
+  Default value: `bodyfile`
+
+  Possible values: `json`, `bodyfile`
+
+* `-S`, `--strict` — fail upon read error
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/evtxanalyze.md b/doc/evtxanalyze.md
index 47dd0c9..ecca1e1 100644
--- a/doc/evtxanalyze.md
+++ b/doc/evtxanalyze.md
@@ -138,6 +138,94 @@ generate a process tree
 
 
 
+## `evtxanalyze sessions`
+
+display sessions
+
+**Usage:** `evtxanalyze sessions [OPTIONS] <EVTX_FILES_DIR>`
+
+###### **Arguments:**
+
+* `<EVTX_FILES_DIR>` — Names of the evtx files to parse
+
+###### **Options:**
+
+* `--include-anonymous` — include anonymous sessions
+
+
+
+## `evtxanalyze session`
+
+display one single session
+
+**Usage:** `evtxanalyze session <EVTX_FILES_DIR> <SESSION_ID>`
+
+###### **Arguments:**
+
+* `<EVTX_FILES_DIR>` — Names of the evtx files to parse
+* `<SESSION_ID>` — Session ID
+
+
+
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtxanalyze`
+
+This document contains the help content for the `evtxanalyze` command-line program.
+
+**Command Overview:**
+
+* [`evtxanalyze`↴](#evtxanalyze)
+* [`evtxanalyze pstree`↴](#evtxanalyze-pstree)
+* [`evtxanalyze sessions`↴](#evtxanalyze-sessions)
+* [`evtxanalyze session`↴](#evtxanalyze-session)
+
+## `evtxanalyze`
+
+crate provide functions to analyze evtx files
+
+**Usage:** `evtxanalyze [OPTIONS] <COMMAND>`
+
+###### **Subcommands:**
+
+* `pstree` — generate a process tree
+* `sessions` — display sessions
+* `session` — display one single session
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
+## `evtxanalyze pstree`
+
+generate a process tree
+
+**Usage:** `evtxanalyze pstree [OPTIONS] <EVTX_FILE>`
+
+###### **Arguments:**
+
+* `<EVTX_FILE>` — Name of the evtx file to parse
+
+###### **Options:**
+
+* `-U`, `--username <USERNAME>` — display only processes of this user (case insensitive regex search)
+* `-F`, `--format <FORMAT>` — output format
+
+  Default value: `csv`
+
+  Possible values: `json`, `markdown`, `csv`, `latex`, `dot`
+
+
+
+
 ## `evtxanalyze sessions`
 
 display sessions
diff --git a/doc/evtxcat.md b/doc/evtxcat.md
index 3ebc824..d953c2b 100644
--- a/doc/evtxcat.md
+++ b/doc/evtxcat.md
@@ -75,6 +75,48 @@ Display one or more events from an evtx file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtxcat`
+
+This document contains the help content for the `evtxcat` command-line program.
+
+**Command Overview:**
+
+* [`evtxcat`↴](#evtxcat)
+
+## `evtxcat`
+
+Display one or more events from an evtx file
+
+**Usage:** `evtxcat [OPTIONS] <EVTX_FILE>`
+
+###### **Arguments:**
+
+* `<EVTX_FILE>` — Name of the evtx file to read from
+
+###### **Options:**
+
+* `--min <MIN>` — filter: minimal event record identifier
+* `--max <MAX>` — filter: maximal event record identifier
+* `-i`, `--id <ID>` — show only the one event with this record identifier
+* `-T`, `--display-table` — don't display the records in a table format
+* `-F`, `--format <FORMAT>` — output format
+
+  Default value: `xml`
+
+  Possible values: `json`, `xml`
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/evtxls.md b/doc/evtxls.md
index e571dc9..ee566f7 100644
--- a/doc/evtxls.md
+++ b/doc/evtxls.md
@@ -131,6 +131,76 @@ Display one or more events from an evtx file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtxls`
+
+This document contains the help content for the `evtxls` command-line program.
+
+**Command Overview:**
+
+* [`evtxls`↴](#evtxls)
+
+## `evtxls`
+
+Display one or more events from an evtx file
+
+**Usage:** `evtxls [OPTIONS] [EVTX_FILES]...`
+
+###### **Arguments:**
+
+* `<EVTX_FILES>` — Name of the evtx files to read from
+
+###### **Options:**
+
+* `-d`, `--delimiter <DELIMITER>` — use this delimiter instead of generating fixed space columns
+* `-i`, `--include <INCLUDED_EVENT_IDS>` — List events with only the specified event ids, separated by ','
+* `-x`, `--exclude <EXCLUDED_EVENT_IDS>` — Exclude events with the specified event ids, separated by ','
+* `-c`, `--colors` — highlight interesting content using colors
+* `-f`, `--from <NOT_BEFORE>` — hide events older than the specified date (hint: use RFC 3339 syntax)
+* `-t`, `--to <NOT_AFTER>` — hide events newer than the specified date (hint: use RFC 3339 syntax)
+* `-r`, `--regex <HIGHLIGHT>` — highlight event data based on this regular expression
+* `-s`, `--sort <SORT_ORDER>` — sort order
+
+  Default value: `storage`
+
+  Possible values:
+  - `storage`:
+    don't change order, output records as they are stored
+  - `record-id`:
+    sort by event record id
+  - `time`:
+    sort by date and time
+
+* `-b`, `--base-fields <DISPLAY_SYSTEM_FIELDS>` — display fields common to all events. multiple values must be separated by ','
+
+  Default values: `event-id`, `event-record-id`
+
+  Possible values:
+  - `event-id`:
+    The identifier that the provider used to identify the event
+  - `event-record-id`:
+    The record number assigned to the event when it was logged
+  - `activity-id`:
+    A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity
+  - `related-activity-id`:
+    A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifier
+  - `process-id`:
+    The ID of the process that created the event
+
+* `-B`, `--hide-base-fields` — don't display any common event fields at all. This corresponds to specifying '--base-fields' without any values (which is not allowed, that's why there is this flag)
+
+  Default value: `false`
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/evtxscan.md b/doc/evtxscan.md
index 696e7c9..5a8c718 100644
--- a/doc/evtxscan.md
+++ b/doc/evtxscan.md
@@ -63,6 +63,42 @@ Find time skews in an evtx file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtxscan`
+
+This document contains the help content for the `evtxscan` command-line program.
+
+**Command Overview:**
+
+* [`evtxscan`↴](#evtxscan)
+
+## `evtxscan`
+
+Find time skews in an evtx file
+
+**Usage:** `evtxscan [OPTIONS] <EVTX_FILE>`
+
+###### **Arguments:**
+
+* `<EVTX_FILE>` — name of the evtx file to scan
+
+###### **Options:**
+
+* `-S`, `--show-records` — display also the contents of the records befor and after a time skew
+* `-N`, `--negative-tolerance <NEGATIVE_TOLERANCE>` — negative tolerance limit (in seconds): time skews to the past below this limit will be ignored
+
+  Default value: `5`
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/hivescan.md b/doc/hivescan.md
index 3040695..30ff4be 100644
--- a/doc/hivescan.md
+++ b/doc/hivescan.md
@@ -59,6 +59,40 @@ scans a registry hive file for deleted entries
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `hivescan`
+
+This document contains the help content for the `hivescan` command-line program.
+
+**Command Overview:**
+
+* [`hivescan`↴](#hivescan)
+
+## `hivescan`
+
+scans a registry hive file for deleted entries
+
+**Usage:** `hivescan [OPTIONS] <HIVE_FILE>`
+
+###### **Arguments:**
+
+* `<HIVE_FILE>` — name of the file to scan
+
+###### **Options:**
+
+* `-L`, `--log <LOGFILES>` — transaction LOG file(s). This argument can be specified one or two times
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+* `-b` — output as bodyfile format
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/ipgrep.md b/doc/ipgrep.md
index 2f1dae8..0b70d63 100644
--- a/doc/ipgrep.md
+++ b/doc/ipgrep.md
@@ -75,6 +75,48 @@ search for IP addresses in text files
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `ipgrep`
+
+This document contains the help content for the `ipgrep` command-line program.
+
+**Command Overview:**
+
+* [`ipgrep`↴](#ipgrep)
+
+## `ipgrep`
+
+search for IP addresses in text files
+
+**Usage:** `ipgrep [OPTIONS] [FILE]...`
+
+###### **Arguments:**
+
+* `<FILE>`
+
+###### **Options:**
+
+* `-i`, `--include <INCLUDE>` — display only lines who match ALL of the specified criteria. Values are delimited with comma
+
+  Possible values: `ipv4`, `ipv6`, `public`, `private`, `loopback`
+
+* `-x`, `--exclude <EXCLUDE>` — hide lines who match ANY of the specified criteria. Values are delimited with comma
+
+  Possible values: `ipv4`, `ipv6`, `public`, `private`, `loopback`
+
+* `-I`, `--ignore-ips <IGNORE_IPS>` — ignore any of the specified IP addresses. Values are delimited with comma
+* `-c`, `--colors` — highlight interesting content using colors
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/lnk2bodyfile.md b/doc/lnk2bodyfile.md
index 3d528de..b5dbcdb 100644
--- a/doc/lnk2bodyfile.md
+++ b/doc/lnk2bodyfile.md
@@ -25,6 +25,40 @@ Parse Windows LNK files and create bodyfile output
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `lnk2bodyfile`
+
+This document contains the help content for the `lnk2bodyfile` command-line program.
+
+**Command Overview:**
+
+* [`lnk2bodyfile`↴](#lnk2bodyfile)
+
+## `lnk2bodyfile`
+
+Parse Windows LNK files and create bodyfile output
+
+**Usage:** `lnk2bodyfile [OPTIONS] [LNK_FILES]...`
+
+###### **Arguments:**
+
+* `<LNK_FILES>` — Names of the LNK files to read from
+
+  Default value: `-`
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/mactime2.md b/doc/mactime2.md
index a309f31..51cd312 100644
--- a/doc/mactime2.md
+++ b/doc/mactime2.md
@@ -79,6 +79,50 @@ replacement for `mactime`
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `mactime2`
+
+This document contains the help content for the `mactime2` command-line program.
+
+**Command Overview:**
+
+* [`mactime2`↴](#mactime2)
+
+## `mactime2`
+
+replacement for `mactime`
+
+**Usage:** `mactime2 [OPTIONS]`
+
+###### **Options:**
+
+* `-b <INPUT_FILE>` — path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)
+
+  Default value: `-`
+* `-F`, `--format <OUTPUT_FORMAT>` — output format, if not specified, default value is 'txt'
+
+  Possible values: `csv`, `txt`, `json`, `elastic`
+
+* `-d` — output as CSV instead of TXT. This is a conveniance option, which is identical to `--format=csv` and will be removed in a future release. If you specified `--format` and `-d`, the latter will be ignored
+* `-j` — output as JSON instead of TXT. This is a conveniance option, which is identical to `--format=json` and will be removed in a future release. If you specified `--format` and `-j`, the latter will be ignored
+* `-f`, `--from-timezone <SRC_ZONE>` — name of offset of source timezone (or 'list' to display all possible values
+
+  Default value: `UTC`
+* `-t`, `--to-timezone <DST_ZONE>` — name of offset of destination timezone (or 'list' to display all possible values
+
+  Default value: `UTC`
+* `--strict` — strict mode: do not only warn, but abort if an error occurs
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/pf2bodyfile.md b/doc/pf2bodyfile.md
new file mode 100644
index 0000000..1e5e039
--- /dev/null
+++ b/doc/pf2bodyfile.md
@@ -0,0 +1,32 @@
+# Command-Line Help for `pf2bodyfile`
+
+This document contains the help content for the `pf2bodyfile` command-line program.
+
+**Command Overview:**
+
+* [`pf2bodyfile`↴](#pf2bodyfile)
+
+## `pf2bodyfile`
+
+creates bodyfile from Windows Prefetch files
+
+**Usage:** `pf2bodyfile [OPTIONS] [PREFETCH_FILES]...`
+
+###### **Arguments:**
+
+* `<PREFETCH_FILES>` — names of the prefetch files (commonly files with 'pf' extension in 'C:\Windows\Prefetch')
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
diff --git a/doc/pol_export.md b/doc/pol_export.md
index a0f5dd1..880b833 100644
--- a/doc/pol_export.md
+++ b/doc/pol_export.md
@@ -55,6 +55,38 @@ Exporter for Windows Registry Policy Files
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `pol_export`
+
+This document contains the help content for the `pol_export` command-line program.
+
+**Command Overview:**
+
+* [`pol_export`↴](#pol_export)
+
+## `pol_export`
+
+Exporter for Windows Registry Policy Files
+
+**Usage:** `pol_export [OPTIONS] <POLFILE>`
+
+###### **Arguments:**
+
+* `<POLFILE>` — Name of the file to read
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/regdump.md b/doc/regdump.md
index 77d91d8..5ee419e 100644
--- a/doc/regdump.md
+++ b/doc/regdump.md
@@ -63,6 +63,42 @@ parses registry hive files and prints a bodyfile
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `regdump`
+
+This document contains the help content for the `regdump` command-line program.
+
+**Command Overview:**
+
+* [`regdump`↴](#regdump)
+
+## `regdump`
+
+parses registry hive files and prints a bodyfile
+
+**Usage:** `regdump [OPTIONS] <HIVE_FILE>`
+
+###### **Arguments:**
+
+* `<HIVE_FILE>` — name of the file to dump
+
+###### **Options:**
+
+* `-L`, `--log <LOGFILES>` — transaction LOG file(s). This argument can be specified one or two times
+* `-b`, `--bodyfile` — print as bodyfile format
+* `-I`, `--ignore-base-block` — ignore the base block (e.g. if it was encrypted by some ransomware)
+* `-T`, `--hide-timestamps` — hide timestamps, if output is in reg format
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/ts2date.md b/doc/ts2date.md
index cf7a032..ef63264 100644
--- a/doc/ts2date.md
+++ b/doc/ts2date.md
@@ -77,6 +77,49 @@ replaces UNIX timestamps in a stream by a formatted date
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `ts2date`
+
+This document contains the help content for the `ts2date` command-line program.
+
+**Command Overview:**
+
+* [`ts2date`↴](#ts2date)
+
+## `ts2date`
+
+replaces UNIX timestamps in a stream by a formatted date
+
+**Usage:** `ts2date [OPTIONS] [INPUT_FILE] [OUTPUT_FILE]`
+
+###### **Arguments:**
+
+* `<INPUT_FILE>` — name of the file to read (default from stdin)
+
+  Default value: `-`
+* `<OUTPUT_FILE>` — name of the file to write (default to stdout)
+
+  Default value: `-`
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+* `-f`, `--from-timezone <SRC_ZONE>` — name of offset of source timezone (or 'list' to display all possible values
+
+  Default value: `UTC`
+* `-t`, `--to-timezone <DST_ZONE>` — name of offset of destination timezone (or 'list' to display all possible values
+
+  Default value: `UTC`
+
+
+
 <hr/>
 
 <small><i>
diff --git a/scripts/update-md.sh b/scripts/update-md.sh
index e4be5a4..54228eb 100755
--- a/scripts/update-md.sh
+++ b/scripts/update-md.sh
@@ -20,6 +20,7 @@ cat >README.md <<'EOF'
 - [Overview of timelining tools](#overview-of-timelining-tools)
 - [Tools](#tools)
   - [x] [`cleanhive`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/cleanhive.md)
+  - [x] [`pf2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/pf2bodyfile.md)
   - [x] [`evtx2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtx2bodyfile.md)
   - [x] [`evtxanalyze`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/avtxanalyze.md)
   - [x] [`evtxscan`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxscan.md)
@@ -47,6 +48,7 @@ cat >README.md <<'EOF'
 # Installation
 
 ```bash
+sudo apt install libscca-dev
 cargo install dfir-toolkit
 ```
 

From e4a8bc21fe5e70c39255f3ef640f7ad3de0a2018 Mon Sep 17 00:00:00 2001
From: Jan Starke <jan.starke@posteo.de>
Date: Tue, 6 Feb 2024 15:18:28 +0100
Subject: [PATCH 3/4] add libscca-dev to workflows

---
 .github/workflows/cargo_publish.yml | 4 ++++
 .github/workflows/cargo_test.yml    | 4 ++++
 .github/workflows/coverage.yml      | 3 +++
 .github/workflows/rust-clippy.yml   | 3 +++
 4 files changed, 14 insertions(+)

diff --git a/.github/workflows/cargo_publish.yml b/.github/workflows/cargo_publish.yml
index 763bf6c..e9115dd 100644
--- a/.github/workflows/cargo_publish.yml
+++ b/.github/workflows/cargo_publish.yml
@@ -8,6 +8,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
         - uses: actions/checkout@v2
+        
+        - name: Install required libscca-dev
+          run: sudo apt install -y libscca-dev
+          
         - uses: actions-rs/toolchain@v1
           with:
               toolchain: stable
diff --git a/.github/workflows/cargo_test.yml b/.github/workflows/cargo_test.yml
index b1b08ed..5cf83f0 100644
--- a/.github/workflows/cargo_test.yml
+++ b/.github/workflows/cargo_test.yml
@@ -8,6 +8,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+
+      - name: Install required libscca-dev
+        run: sudo apt install -y libscca-dev
+
       - uses: actions-rs/toolchain@v1
         with:
           toolchain: stable
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 34d1248..71ac140 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -8,6 +8,9 @@ jobs:
     steps:
 
       - uses: actions/checkout@v1
+
+      - name: Install required libscca-dev
+        run: sudo apt install -y libscca-dev
     
       - uses: actions-rs/toolchain@v1
         with:
diff --git a/.github/workflows/rust-clippy.yml b/.github/workflows/rust-clippy.yml
index 5008eb0..4185417 100644
--- a/.github/workflows/rust-clippy.yml
+++ b/.github/workflows/rust-clippy.yml
@@ -38,6 +38,9 @@ jobs:
           components: clippy
           override: true
 
+      - name: Install required libscca-dev
+        run: sudo apt install -y libscca-dev
+        
       - name: Install required cargo
         run: cargo install clippy-sarif sarif-fmt
 

From 4233859162961374f18d0ab56dbfdf2cd6776d89 Mon Sep 17 00:00:00 2001
From: Bitbee0 <92975980+Bitbee0@users.noreply.github.com>
Date: Tue, 6 Feb 2024 18:17:42 +0100
Subject: [PATCH 4/4] update README.md

---
 Cargo.lock           |  2 +-
 README.md            |  6 ++-
 doc/cleanhive.md     | 36 ++++++++++++++++++
 doc/es4forensics.md  | 80 ++++++++++++++++++++++++++++++++++++++++
 doc/evtx2bodyfile.md | 39 ++++++++++++++++++++
 doc/evtxanalyze.md   | 88 ++++++++++++++++++++++++++++++++++++++++++++
 doc/evtxcat.md       | 42 +++++++++++++++++++++
 doc/evtxls.md        | 70 +++++++++++++++++++++++++++++++++++
 doc/evtxscan.md      | 36 ++++++++++++++++++
 doc/hivescan.md      | 34 +++++++++++++++++
 doc/ipgrep.md        | 42 +++++++++++++++++++++
 doc/lnk2bodyfile.md  | 34 +++++++++++++++++
 doc/mactime2.md      | 44 ++++++++++++++++++++++
 doc/pf2bodyfile.md   | 32 ++++++++++++++++
 doc/pol_export.md    | 32 ++++++++++++++++
 doc/regdump.md       | 36 ++++++++++++++++++
 doc/ts2date.md       | 43 ++++++++++++++++++++++
 17 files changed, 693 insertions(+), 3 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 9a87da7..dd5f737 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -732,8 +732,8 @@ dependencies = [
  "getset",
  "indicatif",
  "lazy-regex",
- "libc",
  "lazy_static",
+ "libc",
  "lnk",
  "log",
  "matches",
diff --git a/README.md b/README.md
index 90ef22d..e831147 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@
   - [x] [`cleanhive`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/cleanhive.md)
   - [x] [`pf2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/pf2bodyfile.md)
   - [x] [`evtx2bodyfile`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtx2bodyfile.md)
-  - [x] [`evtxanalyze`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/avtxanalyze.md)
+  - [x] [`evtxanalyze`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxanalyze.md)
   - [x] [`evtxscan`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxscan.md)
   - [x] [`evtxcat`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxcat.md)
   - [x] [`evtxls`](https://github.com/dfir-dd/dfir-toolkit/blob/main/doc/evtxls.md)
@@ -90,4 +90,6 @@ $ DFIR_DATE="%F %T (%Z)" mac2time2 -b tests/data/mactime2/sample.bodyfile -d | h
 2022-04-21 00:57:51 (UTC),4096,m...,d/drwxr-xr-x,0,0,38010881,"/srv"
 ```
 
-The value of `DFIR_DATE` can be any format string which can also be used in `DateTime::strftime` (<https://docs.rs/chrono/latest/chrono/format/strftime/index.html>)
\ No newline at end of file
+The value of `DFIR_DATE` can be any format string which can also be used in `DateTime::strftime` (<https://docs.rs/chrono/latest/chrono/format/strftime/index.html>)
+
+
diff --git a/doc/cleanhive.md b/doc/cleanhive.md
index 84b7f46..85e72ba 100644
--- a/doc/cleanhive.md
+++ b/doc/cleanhive.md
@@ -99,6 +99,42 @@ merges logfiles into a hive file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `cleanhive`
+
+This document contains the help content for the `cleanhive` command-line program.
+
+**Command Overview:**
+
+* [`cleanhive`↴](#cleanhive)
+
+## `cleanhive`
+
+merges logfiles into a hive file
+
+**Usage:** `cleanhive [OPTIONS] <HIVE_FILE>`
+
+###### **Arguments:**
+
+* `<HIVE_FILE>` — name of the file to dump
+
+###### **Options:**
+
+* `-L`, `--log <LOGFILES>` — transaction LOG file(s). This argument can be specified one or two times
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+* `-O`, `--output <DST_HIVE>` — name of the file to which the cleaned hive will be written
+
+  Default value: `-`
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/es4forensics.md b/doc/es4forensics.md
index 03f5212..25eacc6 100644
--- a/doc/es4forensics.md
+++ b/doc/es4forensics.md
@@ -213,6 +213,86 @@ This crates provides structs and functions to insert timeline data into an elast
 
 
 
+## `es4forensics import`
+
+**Usage:** `es4forensics import [OPTIONS] [INPUT_FILE]`
+
+###### **Arguments:**
+
+* `<INPUT_FILE>` — path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)
+
+  Default value: `-`
+
+###### **Options:**
+
+* `--bulk-size <BULK_SIZE>` — number of timeline entries to combine in one bulk operation
+
+  Default value: `1000`
+
+
+
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `es4forensics`
+
+This document contains the help content for the `es4forensics` command-line program.
+
+**Command Overview:**
+
+* [`es4forensics`↴](#es4forensics)
+* [`es4forensics create-index`↴](#es4forensics-create-index)
+* [`es4forensics import`↴](#es4forensics-import)
+
+## `es4forensics`
+
+This crates provides structs and functions to insert timeline data into an elasticsearch index
+
+**Usage:** `es4forensics [OPTIONS] --index <INDEX_NAME> --password <PASSWORD> <COMMAND>`
+
+###### **Subcommands:**
+
+* `create-index` — 
+* `import` — 
+
+###### **Options:**
+
+* `--strict` — strict mode: do not only warn, but abort if an error occurs
+* `-I`, `--index <INDEX_NAME>` — name of the elasticsearch index
+* `-H`, `--host <HOST>` — server name or IP address of elasticsearch server
+
+  Default value: `localhost`
+* `-P`, `--port <PORT>` — API port number of elasticsearch server
+
+  Default value: `9200`
+* `--proto <PROTOCOL>` — protocol to be used to connect to elasticsearch
+
+  Default value: `https`
+
+  Possible values: `http`, `https`
+
+* `-k`, `--insecure` — omit certificate validation
+
+  Default value: `false`
+* `-U`, `--username <USERNAME>` — username for elasticsearch server
+
+  Default value: `elastic`
+* `-W`, `--password <PASSWORD>` — password for authenticating at elasticsearch
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
+## `es4forensics create-index`
+
+**Usage:** `es4forensics create-index`
+
+
+
 ## `es4forensics import`
 
 **Usage:** `es4forensics import [OPTIONS] [INPUT_FILE]`
diff --git a/doc/evtx2bodyfile.md b/doc/evtx2bodyfile.md
index b6b08b1..558a606 100644
--- a/doc/evtx2bodyfile.md
+++ b/doc/evtx2bodyfile.md
@@ -108,6 +108,45 @@ creates bodyfile from Windows evtx files
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtx2bodyfile`
+
+This document contains the help content for the `evtx2bodyfile` command-line program.
+
+**Command Overview:**
+
+* [`evtx2bodyfile`↴](#evtx2bodyfile)
+
+## `evtx2bodyfile`
+
+creates bodyfile from Windows evtx files
+
+**Usage:** `evtx2bodyfile [OPTIONS] [EVTX_FILES]...`
+
+###### **Arguments:**
+
+* `<EVTX_FILES>` — names of the evtx files
+
+###### **Options:**
+
+* `-F`, `--format <FORMAT>` — select output format
+
+  Default value: `bodyfile`
+
+  Possible values: `json`, `bodyfile`
+
+* `-S`, `--strict` — fail upon read error
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/evtxanalyze.md b/doc/evtxanalyze.md
index ecca1e1..f430cd4 100644
--- a/doc/evtxanalyze.md
+++ b/doc/evtxanalyze.md
@@ -226,6 +226,94 @@ generate a process tree
 
 
 
+## `evtxanalyze sessions`
+
+display sessions
+
+**Usage:** `evtxanalyze sessions [OPTIONS] <EVTX_FILES_DIR>`
+
+###### **Arguments:**
+
+* `<EVTX_FILES_DIR>` — Names of the evtx files to parse
+
+###### **Options:**
+
+* `--include-anonymous` — include anonymous sessions
+
+
+
+## `evtxanalyze session`
+
+display one single session
+
+**Usage:** `evtxanalyze session <EVTX_FILES_DIR> <SESSION_ID>`
+
+###### **Arguments:**
+
+* `<EVTX_FILES_DIR>` — Names of the evtx files to parse
+* `<SESSION_ID>` — Session ID
+
+
+
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtxanalyze`
+
+This document contains the help content for the `evtxanalyze` command-line program.
+
+**Command Overview:**
+
+* [`evtxanalyze`↴](#evtxanalyze)
+* [`evtxanalyze pstree`↴](#evtxanalyze-pstree)
+* [`evtxanalyze sessions`↴](#evtxanalyze-sessions)
+* [`evtxanalyze session`↴](#evtxanalyze-session)
+
+## `evtxanalyze`
+
+crate provide functions to analyze evtx files
+
+**Usage:** `evtxanalyze [OPTIONS] <COMMAND>`
+
+###### **Subcommands:**
+
+* `pstree` — generate a process tree
+* `sessions` — display sessions
+* `session` — display one single session
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
+## `evtxanalyze pstree`
+
+generate a process tree
+
+**Usage:** `evtxanalyze pstree [OPTIONS] <EVTX_FILE>`
+
+###### **Arguments:**
+
+* `<EVTX_FILE>` — Name of the evtx file to parse
+
+###### **Options:**
+
+* `-U`, `--username <USERNAME>` — display only processes of this user (case insensitive regex search)
+* `-F`, `--format <FORMAT>` — output format
+
+  Default value: `csv`
+
+  Possible values: `json`, `markdown`, `csv`, `latex`, `dot`
+
+
+
+
 ## `evtxanalyze sessions`
 
 display sessions
diff --git a/doc/evtxcat.md b/doc/evtxcat.md
index d953c2b..cad5888 100644
--- a/doc/evtxcat.md
+++ b/doc/evtxcat.md
@@ -117,6 +117,48 @@ Display one or more events from an evtx file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtxcat`
+
+This document contains the help content for the `evtxcat` command-line program.
+
+**Command Overview:**
+
+* [`evtxcat`↴](#evtxcat)
+
+## `evtxcat`
+
+Display one or more events from an evtx file
+
+**Usage:** `evtxcat [OPTIONS] <EVTX_FILE>`
+
+###### **Arguments:**
+
+* `<EVTX_FILE>` — Name of the evtx file to read from
+
+###### **Options:**
+
+* `--min <MIN>` — filter: minimal event record identifier
+* `--max <MAX>` — filter: maximal event record identifier
+* `-i`, `--id <ID>` — show only the one event with this record identifier
+* `-T`, `--display-table` — don't display the records in a table format
+* `-F`, `--format <FORMAT>` — output format
+
+  Default value: `xml`
+
+  Possible values: `json`, `xml`
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/evtxls.md b/doc/evtxls.md
index ee566f7..71a1aca 100644
--- a/doc/evtxls.md
+++ b/doc/evtxls.md
@@ -201,6 +201,76 @@ Display one or more events from an evtx file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtxls`
+
+This document contains the help content for the `evtxls` command-line program.
+
+**Command Overview:**
+
+* [`evtxls`↴](#evtxls)
+
+## `evtxls`
+
+Display one or more events from an evtx file
+
+**Usage:** `evtxls [OPTIONS] [EVTX_FILES]...`
+
+###### **Arguments:**
+
+* `<EVTX_FILES>` — Name of the evtx files to read from
+
+###### **Options:**
+
+* `-d`, `--delimiter <DELIMITER>` — use this delimiter instead of generating fixed space columns
+* `-i`, `--include <INCLUDED_EVENT_IDS>` — List events with only the specified event ids, separated by ','
+* `-x`, `--exclude <EXCLUDED_EVENT_IDS>` — Exclude events with the specified event ids, separated by ','
+* `-c`, `--colors` — highlight interesting content using colors
+* `-f`, `--from <NOT_BEFORE>` — hide events older than the specified date (hint: use RFC 3339 syntax)
+* `-t`, `--to <NOT_AFTER>` — hide events newer than the specified date (hint: use RFC 3339 syntax)
+* `-r`, `--regex <HIGHLIGHT>` — highlight event data based on this regular expression
+* `-s`, `--sort <SORT_ORDER>` — sort order
+
+  Default value: `storage`
+
+  Possible values:
+  - `storage`:
+    don't change order, output records as they are stored
+  - `record-id`:
+    sort by event record id
+  - `time`:
+    sort by date and time
+
+* `-b`, `--base-fields <DISPLAY_SYSTEM_FIELDS>` — display fields common to all events. multiple values must be separated by ','
+
+  Default values: `event-id`, `event-record-id`
+
+  Possible values:
+  - `event-id`:
+    The identifier that the provider used to identify the event
+  - `event-record-id`:
+    The record number assigned to the event when it was logged
+  - `activity-id`:
+    A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity
+  - `related-activity-id`:
+    A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifier
+  - `process-id`:
+    The ID of the process that created the event
+
+* `-B`, `--hide-base-fields` — don't display any common event fields at all. This corresponds to specifying '--base-fields' without any values (which is not allowed, that's why there is this flag)
+
+  Default value: `false`
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/evtxscan.md b/doc/evtxscan.md
index 5a8c718..4fa1cbd 100644
--- a/doc/evtxscan.md
+++ b/doc/evtxscan.md
@@ -99,6 +99,42 @@ Find time skews in an evtx file
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `evtxscan`
+
+This document contains the help content for the `evtxscan` command-line program.
+
+**Command Overview:**
+
+* [`evtxscan`↴](#evtxscan)
+
+## `evtxscan`
+
+Find time skews in an evtx file
+
+**Usage:** `evtxscan [OPTIONS] <EVTX_FILE>`
+
+###### **Arguments:**
+
+* `<EVTX_FILE>` — name of the evtx file to scan
+
+###### **Options:**
+
+* `-S`, `--show-records` — display also the contents of the records befor and after a time skew
+* `-N`, `--negative-tolerance <NEGATIVE_TOLERANCE>` — negative tolerance limit (in seconds): time skews to the past below this limit will be ignored
+
+  Default value: `5`
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/hivescan.md b/doc/hivescan.md
index 30ff4be..412f28c 100644
--- a/doc/hivescan.md
+++ b/doc/hivescan.md
@@ -93,6 +93,40 @@ scans a registry hive file for deleted entries
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `hivescan`
+
+This document contains the help content for the `hivescan` command-line program.
+
+**Command Overview:**
+
+* [`hivescan`↴](#hivescan)
+
+## `hivescan`
+
+scans a registry hive file for deleted entries
+
+**Usage:** `hivescan [OPTIONS] <HIVE_FILE>`
+
+###### **Arguments:**
+
+* `<HIVE_FILE>` — name of the file to scan
+
+###### **Options:**
+
+* `-L`, `--log <LOGFILES>` — transaction LOG file(s). This argument can be specified one or two times
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+* `-b` — output as bodyfile format
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/ipgrep.md b/doc/ipgrep.md
index 0b70d63..43841d8 100644
--- a/doc/ipgrep.md
+++ b/doc/ipgrep.md
@@ -117,6 +117,48 @@ search for IP addresses in text files
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `ipgrep`
+
+This document contains the help content for the `ipgrep` command-line program.
+
+**Command Overview:**
+
+* [`ipgrep`↴](#ipgrep)
+
+## `ipgrep`
+
+search for IP addresses in text files
+
+**Usage:** `ipgrep [OPTIONS] [FILE]...`
+
+###### **Arguments:**
+
+* `<FILE>`
+
+###### **Options:**
+
+* `-i`, `--include <INCLUDE>` — display only lines who match ALL of the specified criteria. Values are delimited with comma
+
+  Possible values: `ipv4`, `ipv6`, `public`, `private`, `loopback`
+
+* `-x`, `--exclude <EXCLUDE>` — hide lines who match ANY of the specified criteria. Values are delimited with comma
+
+  Possible values: `ipv4`, `ipv6`, `public`, `private`, `loopback`
+
+* `-I`, `--ignore-ips <IGNORE_IPS>` — ignore any of the specified IP addresses. Values are delimited with comma
+* `-c`, `--colors` — highlight interesting content using colors
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/lnk2bodyfile.md b/doc/lnk2bodyfile.md
index b5dbcdb..28066ae 100644
--- a/doc/lnk2bodyfile.md
+++ b/doc/lnk2bodyfile.md
@@ -59,6 +59,40 @@ Parse Windows LNK files and create bodyfile output
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `lnk2bodyfile`
+
+This document contains the help content for the `lnk2bodyfile` command-line program.
+
+**Command Overview:**
+
+* [`lnk2bodyfile`↴](#lnk2bodyfile)
+
+## `lnk2bodyfile`
+
+Parse Windows LNK files and create bodyfile output
+
+**Usage:** `lnk2bodyfile [OPTIONS] [LNK_FILES]...`
+
+###### **Arguments:**
+
+* `<LNK_FILES>` — Names of the LNK files to read from
+
+  Default value: `-`
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/mactime2.md b/doc/mactime2.md
index 51cd312..b24ce55 100644
--- a/doc/mactime2.md
+++ b/doc/mactime2.md
@@ -123,6 +123,50 @@ replacement for `mactime`
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `mactime2`
+
+This document contains the help content for the `mactime2` command-line program.
+
+**Command Overview:**
+
+* [`mactime2`↴](#mactime2)
+
+## `mactime2`
+
+replacement for `mactime`
+
+**Usage:** `mactime2 [OPTIONS]`
+
+###### **Options:**
+
+* `-b <INPUT_FILE>` — path to input file or '-' for stdin (files ending with .gz will be treated as being gzipped)
+
+  Default value: `-`
+* `-F`, `--format <OUTPUT_FORMAT>` — output format, if not specified, default value is 'txt'
+
+  Possible values: `csv`, `txt`, `json`, `elastic`
+
+* `-d` — output as CSV instead of TXT. This is a conveniance option, which is identical to `--format=csv` and will be removed in a future release. If you specified `--format` and `-d`, the latter will be ignored
+* `-j` — output as JSON instead of TXT. This is a conveniance option, which is identical to `--format=json` and will be removed in a future release. If you specified `--format` and `-j`, the latter will be ignored
+* `-f`, `--from-timezone <SRC_ZONE>` — name of offset of source timezone (or 'list' to display all possible values
+
+  Default value: `UTC`
+* `-t`, `--to-timezone <DST_ZONE>` — name of offset of destination timezone (or 'list' to display all possible values
+
+  Default value: `UTC`
+* `--strict` — strict mode: do not only warn, but abort if an error occurs
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/pf2bodyfile.md b/doc/pf2bodyfile.md
index 1e5e039..f5ffc60 100644
--- a/doc/pf2bodyfile.md
+++ b/doc/pf2bodyfile.md
@@ -23,6 +23,38 @@ creates bodyfile from Windows Prefetch files
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `pf2bodyfile`
+
+This document contains the help content for the `pf2bodyfile` command-line program.
+
+**Command Overview:**
+
+* [`pf2bodyfile`↴](#pf2bodyfile)
+
+## `pf2bodyfile`
+
+creates bodyfile from Windows Prefetch files
+
+**Usage:** `pf2bodyfile [OPTIONS] [PREFETCH_FILES]...`
+
+###### **Arguments:**
+
+* `<PREFETCH_FILES>` — names of the prefetch files (commonly files with 'pf' extension in 'C:\Windows\Prefetch')
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/pol_export.md b/doc/pol_export.md
index 880b833..1803abb 100644
--- a/doc/pol_export.md
+++ b/doc/pol_export.md
@@ -87,6 +87,38 @@ Exporter for Windows Registry Policy Files
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `pol_export`
+
+This document contains the help content for the `pol_export` command-line program.
+
+**Command Overview:**
+
+* [`pol_export`↴](#pol_export)
+
+## `pol_export`
+
+Exporter for Windows Registry Policy Files
+
+**Usage:** `pol_export [OPTIONS] <POLFILE>`
+
+###### **Arguments:**
+
+* `<POLFILE>` — Name of the file to read
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/regdump.md b/doc/regdump.md
index 5ee419e..6744afa 100644
--- a/doc/regdump.md
+++ b/doc/regdump.md
@@ -99,6 +99,42 @@ parses registry hive files and prints a bodyfile
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `regdump`
+
+This document contains the help content for the `regdump` command-line program.
+
+**Command Overview:**
+
+* [`regdump`↴](#regdump)
+
+## `regdump`
+
+parses registry hive files and prints a bodyfile
+
+**Usage:** `regdump [OPTIONS] <HIVE_FILE>`
+
+###### **Arguments:**
+
+* `<HIVE_FILE>` — name of the file to dump
+
+###### **Options:**
+
+* `-L`, `--log <LOGFILES>` — transaction LOG file(s). This argument can be specified one or two times
+* `-b`, `--bodyfile` — print as bodyfile format
+* `-I`, `--ignore-base-block` — ignore the base block (e.g. if it was encrypted by some ransomware)
+* `-T`, `--hide-timestamps` — hide timestamps, if output is in reg format
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+
+
+
 <hr/>
 
 <small><i>
diff --git a/doc/ts2date.md b/doc/ts2date.md
index ef63264..c2ebada 100644
--- a/doc/ts2date.md
+++ b/doc/ts2date.md
@@ -120,6 +120,49 @@ replaces UNIX timestamps in a stream by a formatted date
 
 
 
+<hr/>
+
+<small><i>
+    This document was generated automatically by
+    <a href="https://crates.io/crates/clap-markdown"><code>clap-markdown</code></a>.
+</i></small>
+
+# Command-Line Help for `ts2date`
+
+This document contains the help content for the `ts2date` command-line program.
+
+**Command Overview:**
+
+* [`ts2date`↴](#ts2date)
+
+## `ts2date`
+
+replaces UNIX timestamps in a stream by a formatted date
+
+**Usage:** `ts2date [OPTIONS] [INPUT_FILE] [OUTPUT_FILE]`
+
+###### **Arguments:**
+
+* `<INPUT_FILE>` — name of the file to read (default from stdin)
+
+  Default value: `-`
+* `<OUTPUT_FILE>` — name of the file to write (default to stdout)
+
+  Default value: `-`
+
+###### **Options:**
+
+* `-v`, `--verbose` — More output per occurrence
+* `-q`, `--quiet` — Less output per occurrence
+* `-f`, `--from-timezone <SRC_ZONE>` — name of offset of source timezone (or 'list' to display all possible values
+
+  Default value: `UTC`
+* `-t`, `--to-timezone <DST_ZONE>` — name of offset of destination timezone (or 'list' to display all possible values
+
+  Default value: `UTC`
+
+
+
 <hr/>
 
 <small><i>