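// Detection: Windows process-start events whose command line contains a
// Base64-encoded PowerShell Invoke-Expression call ("IEX" / "iex").
//
// Every literal below is the Base64 form of one plaintext prefix, listed at
// each of the three possible Base64 byte alignments (offset 0, 1, 2):
//   single-byte (ASCII/UTF-8) text, matched with `contains`:
//     IEX ([   iex ([   iex (New   IEX (New
//     IEX([    iex([    iex(New    IEX(New   IEX(('   iex(('
//   UTF-16LE text (the encoding PowerShell's -EncodedCommand expects),
//   matched with the wildcard `in` list:
//     IEX ([   iex ([   iex (New   IEX (New
//
// Case sensitivity: Base64 is a case-sensitive alphabet, so the literals are
// only meaningful as exact-case matches. Matching them case-insensitively
// cannot find additional encodings of these prefixes; it only lets short
// tokens such as "SUVYKF" or "JRVgoW" hit unrelated text, which raises the
// false-positive rate. The query therefore runs with case_sensitive = true.
//
// NOTE(review): the UTF-16LE list carries only the "IEX (" / "iex (" forms
// (with a space); the no-space and "((' " forms exist only in the single-byte
// set. This is a fixed-string match on the encoded command line, so treat a
// hit as one signal and correlate it with PowerShell script block logging,
// which records the decoded script.
config case_sensitive = true
| preset = xdr_process
| filter (event_type = ENUM.PROCESS and
 event_sub_type = ENUM.PROCESS_START) and
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and
 (
  // --- single-byte text: "IEX ([" then "iex ([" (3 alignments each)
  (action_process_image_command_line contains "SUVYIChb" or
  action_process_image_command_line contains "lFWCAoW" or
  action_process_image_command_line contains "JRVggKF" or
  action_process_image_command_line contains "aWV4IChb" or
  action_process_image_command_line contains "lleCAoW" or
  action_process_image_command_line contains "pZXggKF" or
  // --- "iex (New" then "IEX (New"
  action_process_image_command_line contains "aWV4IChOZX" or
  action_process_image_command_line contains "lleCAoTmV3" or
  action_process_image_command_line contains "pZXggKE5ld" or
  action_process_image_command_line contains "SUVYIChOZX" or
  action_process_image_command_line contains "lFWCAoTmV3" or
  action_process_image_command_line contains "JRVggKE5ld" or
  // --- "IEX([" then "iex([" (no space)
  action_process_image_command_line contains "SUVYKF" or
  action_process_image_command_line contains "lFWChb" or
  action_process_image_command_line contains "JRVgoW" or
  action_process_image_command_line contains "aWV4KF" or
  action_process_image_command_line contains "lleChb" or
  action_process_image_command_line contains "pZXgoW" or
  // --- "iex(New" then "IEX(New" (no space)
  action_process_image_command_line contains "aWV4KE5ld" or
  action_process_image_command_line contains "lleChOZX" or
  action_process_image_command_line contains "pZXgoTmV3" or
  action_process_image_command_line contains "SUVYKE5ld" or
  action_process_image_command_line contains "lFWChOZX" or
  action_process_image_command_line contains "JRVgoTmV3" or
  // --- "IEX((' " then "iex((' " (no space)
  action_process_image_command_line contains "SUVYKCgn" or
  action_process_image_command_line contains "lFWCgoJ" or
  action_process_image_command_line contains "JRVgoKC" or
  action_process_image_command_line contains "aWV4KCgn" or
  action_process_image_command_line contains "lleCgoJ" or
  action_process_image_command_line contains "pZXgoKC") or
  // --- UTF-16LE text: "IEX ([", "iex ([", "iex (New", "IEX (New"
  (action_process_image_command_line in ("*SQBFAFgAIAAoAFsA*", "*kARQBYACAAKABbA*", "*JAEUAWAAgACgAWw*", "*aQBlAHgAIAAoAFsA*", "*kAZQB4ACAAKABbA*", "*pAGUAeAAgACgAWw*", "*aQBlAHgAIAAoAE4AZQB3A*", "*kAZQB4ACAAKABOAGUAdw*", "*pAGUAeAAgACgATgBlAHcA*", "*SQBFAFgAIAAoAE4AZQB3A*", "*kARQBYACAAKABOAGUAdw*", "*JAEUAWAAgACgATgBlAHcA*"))))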