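// Detection: a Windows autostart (Run-family) registry value is set and its
// value name or data points at a temp, user-writable or user-content folder.
//
// Stage 1: case-insensitive matching for every comparison below.
// Stage 2: xdr_registry preset.
// Stage 3: one filter made of: event type, OS and key scope, suspicious
//          location, and two narrow exclusions for known-benign writers.
//
// The key patterns end in "Run*", so RunOnce and other keys whose name starts
// with "Run" under the same parents are in scope as well.
//
// ":\ProgramData" is matched as a plain folder fragment. The literal previously
// carried a stray apostrophe ("*:\ProgramData'*"), which kept ordinary
// C:\ProgramData\... paths from matching. Expect additional hits from
// legitimately installed software after this correction and tune accordingly.
//
// NOTE(review): several literals end in a backslash directly before the closing
// quote (for example ":\Users\"). Confirm in the target tenant that these are
// read as literal backslashes and the query parses as intended.
config case_sensitive = false
| preset=xdr_registry
| filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 // Key scope: per-user and machine Run keys, the WOW6432Node copy, and Policies\Explorer\Run.
 ((action_registry_key_name in ("*\Software\Microsoft\Windows\CurrentVersion\Run*", "*\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run*", "*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*")) and 
 // Suspicious location, option A: temp, roaming, recycle-bin, default/public profile paths
 // or the matching environment variables, in either the value name or the value data.
 (((action_registry_value_name in ("*:\Perflogs*", "*:\ProgramData*", "*:\Windows\Temp*", "*:\Temp*", "*\AppData\Local\Temp*", "*\AppData\Roaming*", "*:\$Recycle.bin*", "*:\Users\Default*", "*:\Users\public*", "*%temp%*", "*%tmp%*", "*%Public%*", "*%AppData%*")) or 
 (action_registry_data in ("*:\Perflogs*", "*:\ProgramData*", "*:\Windows\Temp*", "*:\Temp*", "*\AppData\Local\Temp*", "*\AppData\Roaming*", "*:\$Recycle.bin*", "*:\Users\Default*", "*:\Users\public*", "*%temp%*", "*%tmp%*", "*%Public%*", "*%AppData%*"))) or 
 // Suspicious location, option B: a path under :\Users\ combined with a user-content
 // folder name (Favorites, Contacts, Music, Pictures, Documents, Photos).
 ((action_registry_value_name contains ":\Users\" or 
 action_registry_data contains ":\Users\") and 
 ((action_registry_value_name in ("*\Favorites*", "*\Favourites*", "*\Contacts*", "*\Music*", "*\Pictures*", "*\Documents*", "*\Photos*")) or 
 (action_registry_data in ("*\Favorites*", "*\Favourites*", "*\Contacts*", "*\Music*", "*\Pictures*", "*\Documents*", "*\Photos*"))))) and 
 // Exclusion 1: a RunOnce entry written by a process under
 // C:\Windows\SoftwareDistribution\Download\ that calls rundll32.exe with
 // advpack.dll,DelNodeRunDLL32 on a Temp path. Every condition must hold.
 (not 
 (action_registry_key_name contains "\Microsoft\Windows\CurrentVersion\RunOnce\" and 
 actor_process_image_path contains "C:\Windows\SoftwareDistribution\Download\" and 
 ((action_registry_value_name contains "rundll32.exe " and 
 action_registry_value_name contains "C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32") or 
 (action_registry_data contains "rundll32.exe " and 
 action_registry_data contains "C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32")) and 
 ((action_registry_value_name in ("*\AppData\Local\Temp\*", "*C:\Windows\Temp\*")) or 
 (action_registry_data in ("*\AppData\Local\Temp\*", "*C:\Windows\Temp\*"))))) and 
 // Exclusion 2: Spotify registering its own autostart value.
 // NOTE(review): this exclusion rests on image path and string content only, and one
 // accepted path is under \AppData\Roaming\, which the user can write to. A path match
 // alone does not establish that the writer is the vendor binary. Consider also
 // requiring a valid signer (for example actor_process_signature_vendor and
 // actor_process_signature_status, if this preset exposes them).
 (not 
 ((actor_process_image_path in ("*C:\Program Files\Spotify\Spotify.exe", "*C:\Program Files (x86)\Spotify\Spotify.exe", "*\AppData\Roaming\Spotify\Spotify.exe")) and 
 action_registry_key_name contains "SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify" and 
 (action_registry_value_name contains "Spotify.exe --autostart --minimized" or 
 action_registry_data contains "Spotify.exe --autostart --minimized")))))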