// Detection query over the xdr_process preset. It selects Windows process-start
// events whose image path or command line matches at least one of the indicator
// groups below. Groups are OR-ed; terms inside a group are AND-ed unless noted.
// String comparisons are case-insensitive (config case_sensitive = false).
//
// NOTE(review): taken together the indicators look like post-compromise activity
// on an IIS/Exchange server (hidden .aspx files, memory dumps and archives staged
// under inetpub\wwwroot, Exchange Server paths) - confirm against the rule or
// report this query was derived from and record that reference here.
// NOTE(review): two literals end in a backslash directly before the closing quote
// (the VSPerfMon path and the inetpub\wwwroot\ path); verify the query engine does
// not treat that sequence as an escaped quote.
// NOTE(review): image-path tests use `contains`, so the string may appear anywhere
// in the path, not only as the file name; an end-anchored match would be tighter
// if false positives show up.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Group 1: attrib command line carrying +h, +s and +r together with ".aspx"
 // (a web page file being marked hidden/system/read-only). Each flag is matched
 // with a space on both sides, so the match depends on exact spacing.
 ((action_process_image_command_line contains "attrib" and 
 action_process_image_command_line contains " +h " and 
 action_process_image_command_line contains " +s " and 
 action_process_image_command_line contains " +r " and 
 action_process_image_command_line contains ".aspx") or 
 // Group 2: either a binary running from \ProgramData\VSPerfMon\, or a command
 // line that mentions both schtasks and VSPerfMon (scheduled-task handling).
 (action_process_image_path contains "\ProgramData\VSPerfMon\" or 
 (action_process_image_command_line contains "schtasks" and 
 action_process_image_command_line contains "VSPerfMon")) or 
 // Group 3: Opera_browser.exe whose actor (launching) process is services.exe
 // or svchost.exe; the `*` in the list is a leading wildcard.
 (action_process_image_path contains "Opera_browser.exe" and 
 (actor_process_image_path in ("*\services.exe", "*\svchost.exe"))) or 
 // Group 4: Opera_browser.exe under Users\Public\opera, whatever launched it.
 action_process_image_path contains "Users\Public\opera\Opera_browser.exe" or 
 // Group 5: "vssadmin list shadows" with Temp\__output on the same command line.
 (action_process_image_command_line contains "vssadmin list shadows" and 
 action_process_image_command_line contains "Temp\__output") or 
 // Group 6: makecab.exe whose command line references inetpub\wwwroot\ and a
 // .dmp.zip name (a dump file being packed inside the web root).
 (action_process_image_path contains "\makecab.exe" and 
 (action_process_image_command_line contains "inetpub\wwwroot\" and 
 action_process_image_command_line contains ".dmp.zip")) or 
 // Group 7: makecab.exe whose command line matches ANY one of the three
 // wildcard patterns (Exchange Server path, "compressionmemory", ".gif").
 // NOTE(review): ".gif" alone is a broad term; it is only constrained by the
 // makecab.exe image test.
 (action_process_image_path contains "\makecab.exe" and 
 (action_process_image_command_line in ("*Microsoft\Exchange Server\*", "*compressionmemory*", "*.gif*"))) or 
 // Group 8: 7z-type archive creation (-t7z) involving C:\Programdata\pst and a
 // file named it.zip.
 (action_process_image_command_line contains " -t7z " and 
 action_process_image_command_line contains "C:\Programdata\pst" and 
 action_process_image_command_line contains "\it.zip") or 
 // Group 9: command line naming comsvcs.dll, Minidump, "full " and
 // \inetpub\wwwroot - consistent with a full process memory dump written under
 // the web root; treat a hit as possible credential exposure.
 (action_process_image_command_line contains "\comsvcs.dll" and 
 action_process_image_command_line contains "Minidump" and 
 action_process_image_command_line contains "full " and 
 action_process_image_command_line contains "\inetpub\wwwroot") or 
 // Group 10: command line matching ANY one of three fixed file paths under
 // the Windows directory.
 (action_process_image_command_line in ("*Windows\Temp\xx.bat*", "*Windows\WwanSvcdcs*", "*Windows\Temp\cw.exe*"))))