config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\curl.exe" or 
 action_process_signature_product = "The curl executable") and 
 ((action_process_image_command_line in ("*%AppData%*", "*%Public%*", "*%Temp%*", "*%tmp%*", "*\AppData\*", "*\Desktop\*", "*\Temp\*", "*\Users\Public\*", "*C:\PerfLogs\*", "*C:\ProgramData\*", "*C:\Windows\Temp\*")) or 
 (action_process_image_command_line in ("*.dll", "*.gif", "*.jpeg", "*.jpg", "*.png", "*.temp", "*.tmp", "*.txt", "*.vbe", "*.vbs"))) and 
 (not 
 (actor_process_image_path = "C:\Program Files\Git\usr\bin\sh.exe" and 
 action_process_image_path = "C:\Program Files\Git\mingw64\bin\curl.exe" and 
 (action_process_image_command_line contains "--silent --show-error --output " and 
 action_process_image_command_line contains "gfw-httpget-" and 
 action_process_image_command_line contains "AppData")))))