config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*IAAtAGIAeABvAHIAIAAwAHgA*", "*AALQBiAHgAbwByACAAMAB4A*", "*gAC0AYgB4AG8AcgAgADAAeA*", "*AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg*", "*AuAEkAbgB2AG8AawBlACgAKQAgAHwAI*", "*ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC*", "*AHsAMQB9AHsAMAB9ACIAIAAtAGYAI*", "*B7ADEAfQB7ADAAfQAiACAALQBmAC*", "*AewAxAH0AewAwAH0AIgAgAC0AZgAg*", "*AHsAMAB9AHsAMwB9ACIAIAAtAGYAI*", "*B7ADAAfQB7ADMAfQAiACAALQBmAC*", "*AewAwAH0AewAzAH0AIgAgAC0AZgAg*", "*AHsAMgB9AHsAMAB9ACIAIAAtAGYAI*", "*B7ADIAfQB7ADAAfQAiACAALQBmAC*", "*AewAyAH0AewAwAH0AIgAgAC0AZgAg*", "*AHsAMQB9AHsAMAB9ACcAIAAtAGYAI*", "*B7ADEAfQB7ADAAfQAnACAALQBmAC*", "*AewAxAH0AewAwAH0AJwAgAC0AZgAg*", "*AHsAMAB9AHsAMwB9ACcAIAAtAGYAI*", "*B7ADAAfQB7ADMAfQAnACAALQBmAC*", "*AewAwAH0AewAzAH0AJwAgAC0AZgAg*", "*AHsAMgB9AHsAMAB9ACcAIAAtAGYAI*", "*B7ADIAfQB7ADAAfQAnACAALQBmAC*", "*AewAyAH0AewAwAH0AJwAgAC0AZgAg*")))