diff --git a/evtx/Maps/!!!!README.md b/evtx/Maps/!!!!README.md
index 8132a5c5..f8bd1afe 100644
--- a/evtx/Maps/!!!!README.md
+++ b/evtx/Maps/!!!!README.md
@@ -208,3 +208,7 @@ Edit 1_Security_4624.map and make your changes When the maps are loaded, since 1_Security_4624.map comes before 4624.map, only the one with your changes will be loaded. This also allows you to update default maps without having your customizations blown away every time there is an update.
+
+TIPS:
+
+If you are looking to make an Application.evtx map, please includence a Provider as they are many instances where the same event ID number is used for multiple providers. I've personally observed 4 Providers use Event ID 1 which without a Provider being listed for that map it made all 4 events, regardless of Provider, be mapped incorrectly. When in doubt, add a Provider to your map. Follow a template from a previously created map to ensure it's made correctly.add
diff --git a/evtx/Maps/Application_10002.map b/evtx/Maps/Application_10002.map
new file mode 100644
index 00000000..dbd74f51
--- /dev/null
+++ b/evtx/Maps/Application_10002.map
@@ -0,0 +1,66 @@
+Author: Hyun Yi @hyuunnn
+Description: Terminated due to non-response
+EventId: 10002
+Channel: "Application"
+Provider: "Microsoft-Windows-RestartManager"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "FullPath: %FullPath%"
+ Values:
+ -
+ Name: FullPath
+ Value: "/Event/UserData/RmApplicationEvent/FullPath"
+ -
+ Property: PayloadData2
+ PropertyValue: "DisplayName: %DisplayName%"
+ Values:
+ -
+ Name: DisplayName
+ Value: "/Event/UserData/RmApplicationEvent/DisplayName"
+ -
+ Property: PayloadData3
+ PropertyValue: "Files: %Files%"
+ Values:
+ -
+ Name: Files
+ Value: "/Event/UserData/RmApplicationEvent/Files/File[text()]"
+
+# Valid properties include:
+
+#
+#
+#
+# 10002
+# 0
+# 4
+# 0
+# 0
+# 0x8000000000000000
+#
+# 21064
+#
+#
+# Application
+# ComputerName
+#
+#
+#
+#
+# 0
+# RealPlayerUpdateSvc.exe
+# RealPlayer Update Service
+# 0
+# 3
+# 0
+# 262146
+# 4220
+# 3
+#
+# C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe
+# C:\Program Files (x86)\Real\UpdateService\RealDownloaderUpdatePlugin.dll
+# C:\Program Files (x86)\Real\UpdateService\VideoDLUpdatePlugin.dll
+#
+#
+#
+#
\ No newline at end of file
diff --git a/evtx/Maps/Application_1002.map b/evtx/Maps/Application_1002.map
new file mode 100644
index 00000000..ff1cc433
--- /dev/null
+++ b/evtx/Maps/Application_1002.map
@@ -0,0 +1,47 @@
+Author: Hyun Yi @hyuunnn
+Description: The program has been terminated.
+EventId: 1002
+Channel: "Application"
+Provider: "Application Hang"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "Data: %Data%"
+ Values:
+ -
+ Name: Data
+ Value: "/Event/EventData/Data[text()]"
+
+# Valid properties include:
+
+#
+#
+#
+# 1002
+# 0
+# 2
+# 101
+# 0
+# 0x80000000000000
+#
+# 6529
+#
+#
+# Application
+# ComputerName
+#
+#
+#
+# FTK Imager.exe
+# 4.5.0.3
+# 19e4
+# 01d6a8f4a7784904
+# 80
+# C:\Program Files\AccessData\FTK Imager\FTK Imager.exe
+# Value
+#
+#
+# Unknown
+# {Binary}
+#
+#
\ No newline at end of file
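Review bot: In Application_1002.map, PayloadData1 folds every node matched by `/Event/EventData/Data[text()]` into one field labelled only `Data:`, while the sample XML in the header shows the event carrying at least seven distinct values (an executable name, a version string, several hex values and a file path), so an analyst reading the output column cannot tell which value is which. If the loader accepts positional predicates, one Values entry per node with a descriptive label would fix that, e.g. `PropertyValue: "Application: %Application%"` over `Value: "/Event/EventData/Data[1]"`; otherwise add a header comment listing the order in which the values appear in the sample so the concatenated field can at least be read. The meaning of the hex values is not shown on the page, so any such comment should name only what the sample makes evident.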
diff --git a/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map b/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map
new file mode 100644
index 00000000..66f208c1
--- /dev/null
+++ b/evtx/Maps/Microsoft-DriverFrameworks-UserMode_2100.map
@@ -0,0 +1,58 @@
+Author: Hyun Yi @hyuunnn
+Description: USB Connection
+EventId: 2100
+Channel: "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "InstanceId: %InstanceId%"
+ Values:
+ -
+ Name: InstanceId
+ Value: "/Event/UserData/UMDFHostDeviceRequest/InstanceId"
+ -
+ Property: PayloadData2
+ PropertyValue: "LifetimeId: %LifetimeId%"
+ Values:
+ -
+ Name: LifetimeId
+ Value: "/Event/UserData/UMDFHostDeviceRequest/LifetimeId"
+
+# Valid properties include:
+
+#
+#
+#
+# 2100
+# 1
+# 4
+# 37
+# 1
+# 0x8000000000000000
+#
+# 27
+#
+#
+# Microsoft-Windows-DriverFrameworks-UserMode/Operational
+# ComputerName
+#
+#
+#
+#
+# {Value}
+# SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.27#{Value}&0#{Value}
+# 27
+# 0
+# 0x0
+# 0x0
+# 0x0
+# 0x0
+# 3221225659
+#
+#
+#
+#
+# Windows Vista, 7 : enable (default)
+# Windows 8~ : disable (default)
+# https://nxlog.co/documentation/nxlog-user-guide/windows-usb-auditing.html
+# https://www.reddit.com/r/sysadmin/comments/4dr2t2/security_guy_wants_to_log_usb_storage_devices_on/
\ No newline at end of file
diff --git a/evtx/Maps/System_6008.map b/evtx/Maps/System_6008.map
new file mode 100644
index 00000000..9be55e4d
--- /dev/null
+++ b/evtx/Maps/System_6008.map
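Review bot: Microsoft-DriverFrameworks-UserMode_2100.map has no `Provider:` line, and neither does System_6008.map in this same commit, even though the README tip added here says to include a Provider whenever one Event ID can come from more than one provider; the value should be copied from the event's own XML, e.g. `Provider: "<provider name from the sample Event XML>"`. For 2100 the channel is dedicated to one provider, so relying on Channel alone is probably safe, but 6008 on the shared System channel is arguably the ambiguous case the tip warns about. The trailing comment that this channel is disabled by default on Windows 8 and later is the most useful line for an analyst and deserves to sit at the top of the file, since it explains why the map may match nothing on a given host; `Description: USB Connection` also promises more than the map shows, as the sample InstanceId happens to be a USBSTOR device but nothing in the UMDFHostDeviceRequest payload limits the event to USB storage, so a hedged description such as `Description: UMDF device request (commonly USB)` would be more honest.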
@@ -0,0 +1,43 @@
+Author: Hyun Yi @hyuunnn
+Description: Unexpected system shutdown
+EventId: 6008
+Channel: "System"
+Maps:
+ -
+ Property: PayloadData1
+ PropertyValue: "Time, Date : %Data%"
+ Values:
+ -
+ Name: Data
+ Value: "/Event/EventData/Data"
+
+# Valid properties include:
+
+#
+#
+#
+# 6008
+# 0
+# 2
+# 0
+# 0
+# 0x80000000000000
+#
+# 6329
+#
+#
+# System
+# Computer
+#
+#
+#
+# PM 3:32:54
+# ‎2020-‎11-‎13
+#
+#
+# 520643
+#
+#
+# {Binary}
+#
+#
\ No newline at end of file
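Review bot: System_6008.map reads the payload with `/Event/EventData/Data` while Application_1002.map in the same commit uses `/Event/EventData/Data[text()]` for the same element; in plain XPath the predicate form keeps only nodes that have text content, so if the loader honours the difference one of the two maps will not produce what its label promises, and the two should settle on one form. The label `Time, Date : %Data%` suggests only the first two Data nodes are wanted (the sample shows `PM 3:32:54` followed by a date), but the expression selects every Data node, and the later `520643` value in the sample may well be a further Data node that would then be appended to the field. If positional predicates are accepted, two entries, `Value: "/Event/EventData/Data[1]"` and `Value: "/Event/EventData/Data[2]"`, under separate Names would pin the time and date down; a `Provider:` line is also missing here, which the README tip in this commit advises adding.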