Logic fix for sysmon_non_priv_program_files_move

rules/windows/file_event/sysmon_non_priv_program_files_move.yml

@@ -21,10 +21,11 @@ detection:
         - TargetFilename|contains:
             - '\Program Files\'
             - '\Program Files (x86)\'
-        - TargetFilename|startswith: '\Windows\'
+    windows:
+        TargetFilename|startswith: '\Windows\'
     temp:
         TargetFilename|contains: 'temp'
-    condition: integrity and (program_files or temp)
+    condition: integrity and (program_files or windows and not temp)
 falsepositives:
     - Unknown
 level: medium