config case_sensitive = false | preset=xdr_image_load | filter event_type = ENUM.LOAD_IMAGE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_module_path in ("*\aclui.dll", "*\activeds.dll", "*\adsldpc.dll", "*\aepic.dll", "*\apphelp.dll", "*\applicationframe.dll", "*\appvpolicy.dll", "*\appxalluserstore.dll", "*\appxdeploymentclient.dll", "*\archiveint.dll", "*\atl.dll", "*\audioses.dll", "*\auditpolcore.dll", "*\authfwcfg.dll", "*\authz.dll", "*\avrt.dll", "*\batmeter.dll", "*\bcd.dll", "*\bcp47langs.dll", "*\bcp47mrm.dll", "*\bcrypt.dll", "*\bderepair.dll", "*\bootmenuux.dll", "*\bootux.dll", "*\cabinet.dll", "*\cabview.dll", "*\certcli.dll", "*\certenroll.dll", "*\cfgmgr32.dll", "*\cldapi.dll", "*\clipc.dll", "*\clusapi.dll", "*\cmpbk32.dll", "*\cmutil.dll", "*\coloradapterclient.dll", "*\colorui.dll", "*\comdlg32.dll", "*\configmanager2.dll", "*\connect.dll", "*\coredplus.dll", "*\coremessaging.dll", "*\coreuicomponents.dll", "*\credui.dll", "*\cryptbase.dll", "*\cryptdll.dll", "*\cryptsp.dll", "*\cryptui.dll", "*\cryptxml.dll", "*\cscapi.dll", "*\cscobj.dll", "*\cscui.dll", "*\d2d1.dll", "*\d3d10_1.dll", "*\d3d10_1core.dll", "*\d3d10.dll", "*\d3d10core.dll", "*\d3d10warp.dll", "*\d3d11.dll", "*\d3d12.dll", "*\d3d9.dll", "*\d3dx9_43.dll", "*\dataexchange.dll", "*\davclnt.dll", "*\dcntel.dll", "*\dcomp.dll", "*\defragproxy.dll", "*\desktopshellext.dll", "*\deviceassociation.dll", "*\devicecredential.dll", "*\devicepairing.dll", "*\devobj.dll", "*\devrtl.dll", "*\dhcpcmonitor.dll", "*\dhcpcsvc.dll", "*\dhcpcsvc6.dll", "*\directmanipulation.dll", "*\dismapi.dll", "*\dismcore.dll", "*\dmcfgutils.dll", "*\dmcmnutils.dll", "*\dmcommandlineutils.dll", "*\dmenrollengine.dll", "*\dmenterprisediagnostics.dll", "*\dmiso8601utils.dll", "*\dmoleaututils.dll", "*\dmprocessxmlfiltered.dll", "*\dmpushproxy.dll", "*\dmxmlhelputils.dll", "*\dnsapi.dll", "*\dot3api.dll", "*\dot3cfg.dll", "*\dpx.dll", "*\drprov.dll", "*\drvstore.dll", "*\dsclient.dll", "*\dsparse.dll", "*\dsprop.dll", "*\dsreg.dll", "*\dsrole.dll", "*\dui70.dll", "*\duser.dll", "*\dusmapi.dll", "*\dwmapi.dll", "*\dwmcore.dll", "*\dwrite.dll", "*\dxcore.dll", "*\dxgi.dll", "*\dxva2.dll", "*\dynamoapi.dll", "*\eappcfg.dll", "*\eappprxy.dll", "*\edgeiso.dll", "*\edputil.dll", "*\efsadu.dll", "*\efsutil.dll", "*\esent.dll", "*\execmodelproxy.dll", "*\explorerframe.dll", "*\fastprox.dll", "*\faultrep.dll", "*\fddevquery.dll", "*\feclient.dll", "*\fhcfg.dll", "*\fhsvcctl.dll", "*\firewallapi.dll", "*\flightsettings.dll", "*\fltlib.dll", "*\framedynos.dll", "*\fveapi.dll", "*\fveskybackup.dll", "*\fvewiz.dll", "*\fwbase.dll", "*\fwcfg.dll", "*\fwpolicyiomgr.dll", "*\fwpuclnt.dll", "*\fxsapi.dll", "*\fxsst.dll", "*\fxstiff.dll", "*\getuname.dll", "*\gpapi.dll", "*\hid.dll", "*\hnetmon.dll", "*\httpapi.dll", "*\icmp.dll", "*\idstore.dll", "*\ieadvpack.dll", "*\iedkcs32.dll", "*\iernonce.dll", "*\iertutil.dll", "*\ifmon.dll", "*\ifsutil.dll", "*\inproclogger.dll", "*\iphlpapi.dll", "*\iri.dll", "*\iscsidsc.dll", "*\iscsium.dll", "*\isv.exe_rsaenh.dll", "*\iumbase.dll", "*\iumsdk.dll", "*\joinutil.dll", "*\kdstub.dll", "*\ksuser.dll", "*\ktmw32.dll", "*\licensemanagerapi.dll", "*\licensingdiagspp.dll", "*\linkinfo.dll", "*\loadperf.dll", "*\lockhostingframework.dll", "*\logoncli.dll", "*\logoncontroller.dll", "*\lpksetupproxyserv.dll", "*\lrwizdll.dll", "*\magnification.dll", "*\maintenanceui.dll", "*\mapistub.dll", "*\mbaexmlparser.dll", "*\mdmdiagnostics.dll", "*\mfc42u.dll", "*\mfcore.dll", "*\mfplat.dll", "*\mi.dll", "*\midimap.dll", "*\mintdh.dll", "*\miutils.dll", "*\mlang.dll", "*\mmdevapi.dll", "*\mobilenetworking.dll", "*\mpr.dll", "*\mprapi.dll", "*\mrmcorer.dll", "*\msacm32.dll", "*\mscms.dll", "*\mscoree.dll", "*\msctf.dll", "*\msctfmonitor.dll", "*\msdrm.dll", "*\msdtctm.dll", "*\msftedit.dll", "*\msi.dll", "*\msiso.dll", "*\msutb.dll", "*\msvcp110_win.dll", "*\mswb7.dll", "*\mswsock.dll", "*\msxml3.dll", "*\mtxclu.dll", "*\napinsp.dll", "*\ncrypt.dll", "*\ndfapi.dll", "*\netapi32.dll", "*\netid.dll", "*\netiohlp.dll", "*\netjoin.dll", "*\netplwiz.dll", "*\netprofm.dll", "*\netprovfw.dll", "*\netsetupapi.dll", "*\netshell.dll", "*\nettrace.dll", "*\netutils.dll", "*\networkexplorer.dll", "*\newdev.dll", "*\ninput.dll", "*\nlaapi.dll", "*\nlansp_c.dll", "*\npmproxy.dll", "*\nshhttp.dll", "*\nshipsec.dll", "*\nshwfp.dll", "*\ntdsapi.dll", "*\ntlanman.dll", "*\ntlmshared.dll", "*\ntmarta.dll", "*\ntshrui.dll", "*\oleacc.dll", "*\omadmapi.dll", "*\onex.dll", "*\opcservices.dll", "*\osbaseln.dll", "*\osksupport.dll", "*\osuninst.dll", "*\p2p.dll", "*\p2pnetsh.dll", "*\p9np.dll", "*\pcaui.dll", "*\pdh.dll", "*\peerdistsh.dll", "*\pkeyhelper.dll", "*\pla.dll", "*\playsndsrv.dll", "*\pnrpnsp.dll", "*\policymanager.dll", "*\polstore.dll", "*\powrprof.dll", "*\printui.dll", "*\prntvpt.dll", "*\profapi.dll", "*\propsys.dll", "*\proximitycommon.dll", "*\proximityservicepal.dll", "*\prvdmofcomp.dll", "*\puiapi.dll", "*\radcui.dll", "*\rasapi32.dll", "*\rasdlg.dll", "*\rasgcw.dll", "*\rasman.dll", "*\rasmontr.dll", "*\reagent.dll", "*\regapi.dll", "*\reseteng.dll", "*\resetengine.dll", "*\resutils.dll", "*\rmclient.dll", "*\rpcnsh.dll", "*\rsaenh.dll", "*\rtutils.dll", "*\rtworkq.dll", "*\samcli.dll", "*\samlib.dll", "*\sapi_onecore.dll", "*\sas.dll", "*\scansetting.dll", "*\scecli.dll", "*\schedcli.dll", "*\secur32.dll", "*\security.dll", "*\sensapi.dll", "*\shell32.dll", "*\shfolder.dll", "*\slc.dll", "*\snmpapi.dll", "*\spectrumsyncclient.dll", "*\spp.dll", "*\sppc.dll", "*\sppcext.dll", "*\srclient.dll", "*\srcore.dll", "*\srmtrace.dll", "*\srpapi.dll", "*\srvcli.dll", "*\ssp_isv.exe_rsaenh.dll", "*\ssp.exe_rsaenh.dll", "*\sspicli.dll", "*\ssshim.dll", "*\staterepository.core.dll", "*\structuredquery.dll", "*\sxshared.dll", "*\systemsettingsthresholdadminflowui.dll", "*\tapi32.dll", "*\tbs.dll", "*\tdh.dll", "*\textshaping.dll", "*\timesync.dll", "*\tpmcoreprovisioning.dll", "*\tquery.dll", "*\tsworkspace.dll", "*\ttdrecord.dll", "*\twext.dll", "*\twinapi.dll", "*\twinui.appcore.dll", "*\uianimation.dll", "*\uiautomationcore.dll", "*\uireng.dll", "*\uiribbon.dll", "*\umpdc.dll", "*\unattend.dll", "*\updatepolicy.dll", "*\upshared.dll", "*\urlmon.dll", "*\userenv.dll", "*\utildll.dll", "*\uxinit.dll", "*\uxtheme.dll", "*\vaultcli.dll", "*\vdsutil.dll", "*\version.dll", "*\virtdisk.dll", "*\vssapi.dll", "*\vsstrace.dll", "*\wbemprox.dll", "*\wbemsvc.dll", "*\wcmapi.dll", "*\wcnnetsh.dll", "*\wdi.dll", "*\wdscore.dll", "*\webservices.dll", "*\wecapi.dll", "*\wer.dll", "*\wevtapi.dll", "*\whhelper.dll", "*\wimgapi.dll", "*\winbio.dll", "*\winbrand.dll", "*\windows.storage.dll", "*\windows.storage.search.dll", "*\windows.ui.immersive.dll", "*\windowscodecs.dll", "*\windowscodecsext.dll", "*\windowsudk.shellcommon.dll", "*\winhttp.dll", "*\wininet.dll", "*\winipsec.dll", "*\winmde.dll", "*\winmm.dll", "*\winnsi.dll", "*\winrnr.dll", "*\winscard.dll", "*\winsqlite3.dll", "*\winsta.dll", "*\winsync.dll", "*\wkscli.dll", "*\wlanapi.dll", "*\wlancfg.dll", "*\wldp.dll", "*\wlidprov.dll", "*\wmiclnt.dll", "*\wmidcom.dll", "*\wmiutils.dll", "*\wmpdui.dll", "*\wmsgapi.dll", "*\wofutil.dll", "*\wpdshext.dll", "*\wscapi.dll", "*\wsdapi.dll", "*\wshbth.dll", "*\wshelper.dll", "*\wsmsvc.dll", "*\wtsapi32.dll", "*\wwancfg.dll", "*\wwapi.dll", "*\xmllite.dll", "*\xolehlp.dll", "*\xpsservices.dll", "*\xwizards.dll", "*\xwtpw32.dll", "*\amsi.dll", "*\appraiser.dll", "*\COMRES.DLL", "*\cryptnet.dll", "*\DispBroker.dll", "*\dsound.dll", "*\dxilconv.dll", "*\FxsCompose.dll", "*\FXSRESM.DLL", "*\msdtcVSp1res.dll", "*\PrintIsolationProxy.dll", "*\rdpendp.dll", "*\rpchttp.dll", "*\storageusage.dll", "*\utcutil.dll", "*\WfsR.dll", "*\igd10iumd64.dll", "*\igd12umd64.dll", "*\igdumdim64.dll", "*\igdusc64.dll", "*\TSMSISrv.dll", "*\TSVIPSrv.dll", "*\wbemcomn.dll", "*\WLBSCTRL.dll", "*\wow64log.dll", "*\WptsExtensions.dll")) and 
 (not 
 ((action_module_path in ("*C:\$WINDOWS.~BT\*", "*C:\$WinREAgent\*", "*C:\Windows\SoftwareDistribution\*", "*C:\Windows\System32\*", "*C:\Windows\SystemTemp\*", "*C:\Windows\SysWOW64\*", "*C:\Windows\WinSxS\*", "*C:\Windows\SyChpe32\*")) or 
 (action_module_path contains "C:\Windows\Temp\" and 
 (actor_process_image_path in ("C:\Windows\WinSxS\arm64*", "C:\Windows\UUS\arm64\*")) and 
 (actor_process_image_path in ("*\TiWorker.exe", "*\wuaucltcore.exe"))) or 
 (action_module_path contains "C:\Windows\Microsoft.NET\" and 
 action_module_path contains "\cscui.dll") or 
 (action_module_path contains "C:\ProgramData\Microsoft\Windows Defender\Platform\" and 
 action_module_path contains "\version.dll") or 
 (action_module_path contains "C:\Program Files\WindowsApps\Microsoft.DirectXRuntime_" and 
 action_module_path contains "\d3dx9_43.dll"))) and 
 (not 
 ((action_module_path contains "C:\Program Files\Microsoft\Exchange Server\" and 
 action_module_path contains "\mswb7.dll") or 
 (action_module_path contains "C:\Program Files\Arsenal-Image-Mounter-" and 
 (action_module_path in ("*\mi.dll", "*\miutils.dl"))) or 
 (actor_process_image_path = "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe" and 
 action_module_path = "C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll") or 
 action_module_path contains "C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\" or 
 ((actor_process_image_path in ("*C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs*", "*C:\Windows\System32\backgroundTaskHost.exe*")) and 
 action_module_path contains "C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs") or 
 (actor_process_image_path contains "C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs" and 
 actor_process_image_path contains "\wldp.dll") or 
 ((actor_process_image_path in ("C:\Program Files\CheckPoint\*", "C:\Program Files (x86)\CheckPoint\*")) and 
 actor_process_image_path contains "\SmartConsole.exe" and 
 (action_module_path in ("C:\Program Files\CheckPoint\*", "C:\Program Files (x86)\CheckPoint\*")) and 
 action_module_path contains "\PolicyManager.dll")))))