// Cortex XDR XQL query over the xdr_process preset: Windows process-start events
// whose command line matches one of a fixed set of tooling patterns.
// Matching is case-insensitive (config case_sensitive = false); entries inside
// `in (...)` use `*` wildcards, while `contains` is a plain substring test.
// Coverage caveat: every branch keys on the literal command-line text only, so the
// same tool launched with a differently formatted or quoted command line is not
// matched by this query.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Branch 1, fixed strings: reg.exe saving the SAM hive into %temp%, two recurring
 // hard-coded passwords (the " -hp..." form looks like the RAR header-encryption
 // switch — confirm against the source report), and a ".dat data03 10000 -p" pattern.
 ((action_process_image_command_line in ("*reg.exe save hklm\sam %temp%\~reg_sam.save*", "*1q2w3e4r@#$@#$@#$*", "* -hp1q2w3e4 *", "*.dat data03 10000 -p *")) or 
 // Branch 2: netstat output filtered for "ESTA" (established connections) and
 // redirected into a file named %temp%\~... ; all three substrings must be present.
 (action_process_image_command_line contains "netstat -aon | find " and 
 action_process_image_command_line contains "ESTA" and 
 action_process_image_command_line contains " > %temp%\~") or 
 // Branch 3: ".255 10 C:\ProgramData\IBM\" together with a ".DAT" argument.
 (action_process_image_command_line contains ".255 10 C:\ProgramData\IBM\" and 
 action_process_image_command_line contains ".DAT") or 
 // Branch 4: a " /c " switch combined with a hex " -p 0x" argument, and the command
 // line referencing C:\ProgramData\ or C:\RECYCLER\.
 ((action_process_image_command_line contains " /c " and 
 action_process_image_command_line contains " -p 0x") and 
 (action_process_image_command_line in ("*C:\ProgramData\*", "*C:\RECYCLER\*"))) or 
 // Branch 5: rundll32 loading a file under C:\ProgramData\ with a non-DLL extension
 // (.bin/.tmp/.dat/.io/.ini/.db). The trailing comma in each pattern is the
 // "<file>,<export>" separator of rundll32's argument syntax.
 // Tuning note: legitimate software also places rundll32 targets under
 // ProgramData; baseline the matching file names before alerting on this branch.
 ((action_process_image_command_line contains "rundll32 " and 
 action_process_image_command_line contains "C:\ProgramData\") and 
 (action_process_image_command_line in ("*.bin,*", "*.tmp,*", "*.dat,*", "*.io,*", "*.ini,*", "*.db,*")))))