diff --git a/decoders/demo_decoder.xml b/decoders/demo_decoder.xml
deleted file mode 100644
index d2c710d..0000000
--- a/decoders/demo_decoder.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-
- ^launchservicesd
-
-
-
- ^ddaolimaki
-
-
-
- ^mDNSResponder
-
-
-
- macOS_launchservicesd
- \[com\.apple\.launchservices:(\w+)\]\s*DEATH: Removing app App:"ddaolimaki-daunito"\s*asn:([0-9a-fx-]+)\s*pid:(\d+)
- subsystem_category,asn,pid
-
-
-
- macOS_launchservicesd
- \[com\.apple\.launchservices:(\w+)\]\s*ADDING { "CFBundleExecutablePath"="([^"]+)", "CFBundleVersion"=[^,]+, "LSBundlePath"="([^"]+)", "ApplicationType"="(\w+)"[^}]+?"pid"=(\d+), "CFBundleIdentifier"="([^"]+)"
- subsystem_category,executable_path,bundle_path,application_type,pid,bundle_id
-
-
-
- macOS_ddaolimaki-daunito
- \(LaunchServices\)\s*\[com\.apple\.launchservices:(\w+)\]\s*LSApplicationCheckIn\(\)\s*,\s*app\s+being\s+registered\s+is:"([^"]+)"
- category,executable_path
-
-
-
- macOS_ddaolimaki-daunito
- \(AE\)\s*\[com\.apple\.appleevents:(\w+)\]\s*eEntitlements\s*,\s*token\s*(\d+\/\d+), designatedCodeReq = {[^}]+, "kTCCCodeIdentityCanSendToAnyTarget"=(\w+), "kTCCCodeIdentityCSFlags"=(\d+), "kTCCCodeIdentityDesignatedRequirementData"=\$[A-F0-9]+, "kTCCCodeIdentityExecutableURL"="([^"]+)", "kTCCCodeIdentityIdentifier"="([^"]+)", "kTCCCodeIdentityIdentifierType"=\d+, "kTCCCodeIdentityPlatformType"=\d+, "kTCCCodeIdentityPromptPolicy"=(\d+)
- subsystem_category,token,can_send_to_any_target,cs_flags,executable_url,sender_identity,prompt_policy
-
-
-
- macOS_ddaolimaki-daunito
- \(LaunchServices\)\s*\[com\.apple\.launchservices:(\w+)\]\s*CFDictionaryRef copyApplicationInformationDictionaryGivenASNUsingLocalCache\(LSSharedMemoryPageConstRef, LSASNRef\)\(\), information in shared memory with seed \d+ was still valid, so using cached info {[^}]+?"CFBundleExecutablePath"="([^"]+)"[^}]+?"LSBundlePath"="([^"]+)"[^}]+?"ApplicationType"="(\w+)"[^}]+?"LSASN"=([A-Za-z0-9:.-]+)[^}]+?"LSLaunchedWithLaunchD"=(\w+)
- subsystem_category,executable_path,bundle_path,application_type,asn,launched_with_launchd
-
-
-
- macOS_ddaolimaki-daunito
- \(RunningBoardServices\)\s*\[com\.apple\.runningboard:(\w+)\]\s*Identity resolved as app\
- subsystem_category,bundle_id,uid
-
-
-
- macOS_loginwindow
- \[com\.apple\.loginwindow\.logging:(\w+)\]\s*-\[PersistentAppsSupport saveLogoutPersistentState:finalSnapshot:\]\s*\|\s*previouslyRunningApps:\s*\(\s*{\s*BackgroundState\s*=\s*(\d+);\s*BundleID\s*=\s*"([^"]+)";\s*Hide\s*=\s*\d+;\s*Path\s*=\s*"([^"]+)";\s*
- subsystem_category,background_state,bundle_id,path
-
-
-
- macOS_mDNSResponder
- (?i)(DNSServiceQueryRecord).*mask\.hash: '(\S+)'.*PID\[(\d+)\].(\S+)\)
- program_type,hash,pid,process_name
-
\ No newline at end of file
diff --git a/rules/demo_rule.xml b/rules/demo_rule.xml
deleted file mode 100644
index 62d4cb5..0000000
--- a/rules/demo_rule.xml
+++ /dev/null
@@ -1,60 +0,0 @@
-
-
-
-
- macOS_ddaolimaki-daunito
- (?i)app being registered is:(".*ddaolimaki-daunito")
- Possible FrigidStealer malware detected at $(executable_path)
-
- T1204
-
-
-
-
-
- macOS_mDNSResponder
- DNSServiceQueryRecord
- ddaolimaki.*
- FrigidStealer malware is making a suspicious DNS query to $(hash). Possible data exfiltration to C2 server.
-
- T1105
- T1041
- T1071.004
-
-
-
-
-
- macOS_ddaolimaki-daunito
- .*Finder
- .*
- FrigidStealer malware (ddaolimaki-daunito) is attempting to use Apple Events, potentially for unauthorized inter-process communication or data exfiltration.
-
- T1543
- T1055
- T1559
-
-
-
-
-
- (?i)Removed job for.*ddaolimaki.*
- FrigidStealer malware process terminated after data exfiltration.
-
- T1489
-
-
-
-
-
- macOS_launchservicesd
- (?i)(?i)"LSBundlePath"="(.*Safari Updater.app)"
- Foreground
- com.wails.ddaolimaki-daunito
- Possible FrigidStealer malware running in $(application_type)
-
- T1541
-
-
-
-
\ No newline at end of file