// Detection: a registry value is set on the default value of an
// InprocServer32 / LocalServer32 key under \CLSID\ for one of a fixed list of
// COM class IDs, and the value name or the written data points at a location
// such as Temp, Downloads, Desktop, Users\Public or the Startup folder.
// This is the registry footprint of COM hijacking used for persistence
// (MITRE ATT&CK T1546.015).
//
// Scope and tuning notes:
//  - Only the CLSIDs listed below are covered; a hijack of any other class
//    is out of scope for this rule.
//  - Every path pattern is tested against both action_registry_value_name and
//    action_registry_data, so a hit on either field raises the event.
//  - The "%appdata%", "%temp%" and "%tmp%" patterns match the literal variable
//    text only, i.e. data that was recorded unexpanded.
//  - NOTE(review): the second key-name stage requires action_registry_key_name
//    to end in "\(Default)". Confirm that xdr_registry records the default
//    value's name as part of the key name; if it is kept in a separate field,
//    that stage never matches and the rule stays silent.

// Case-insensitive matching: the GUID list mixes upper and lower case.
config case_sensitive = false
| preset = xdr_registry

// Registry "set value" events reported by Windows agents.
| filter event_type = ENUM.REGISTRY and event_sub_type = ENUM.REGISTRY_SET_VALUE
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS

// Target: the default value of a COM server registration ...
| filter action_registry_key_name contains "\CLSID\"
| filter action_registry_key_name in (
    "*\InprocServer32\(Default)",
    "*\LocalServer32\(Default)"
  )

// ... belonging to one of the monitored class IDs.
| filter action_registry_key_name in (
    "*\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\*",
    "*\{2155fee3-2419-4373-b102-6843707eb41f}\*",
    "*\{4590f811-1d3a-11d0-891f-00aa004b2e24}\*",
    "*\{4de225bf-cf59-4cfc-85f7-68b90f185355}\*",
    "*\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\*",
    "*\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\*",
    "*\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\*",
    "*\{7849596a-48ea-486e-8937-a2a3009f31a9}\*",
    "*\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\*",
    "*\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\*",
    "*\{30D49246-D217-465F-B00B-AC9DDD652EB7}\*",
    "*\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\*",
    "*\{2227A280-3AEA-1069-A2DE-08002B30309D}\*",
    "*\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\*",
    "*\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\*"
  )

// Suspicious location: either a single path fragment from the list, or a
// path under :\Users\ that also contains one of four profile sub-folders.
// The same test is applied to the value name and to the data.
| filter
    action_registry_value_name in (
        "*:\Perflogs\*",
        "*\AppData\Local\*",
        "*\Desktop\*",
        "*\Downloads\*",
        "*\Microsoft\Windows\Start Menu\Programs\Startup\*",
        "*\System32\spool\drivers\color\*",
        "*\Temporary Internet*",
        "*\Users\Public\*",
        "*\Windows\Temp\*",
        "*%appdata%*",
        "*%temp%*",
        "*%tmp%*"
    )
    or action_registry_data in (
        "*:\Perflogs\*",
        "*\AppData\Local\*",
        "*\Desktop\*",
        "*\Downloads\*",
        "*\Microsoft\Windows\Start Menu\Programs\Startup\*",
        "*\System32\spool\drivers\color\*",
        "*\Temporary Internet*",
        "*\Users\Public\*",
        "*\Windows\Temp\*",
        "*%appdata%*",
        "*%temp%*",
        "*%tmp%*"
    )
    or (
        action_registry_value_name contains ":\Users\"
        and (
            action_registry_value_name contains "\Favorites\"
            or action_registry_value_name contains "\Favourites\"
            or action_registry_value_name contains "\Contacts\"
            or action_registry_value_name contains "\Pictures\"
        )
    )
    or (
        action_registry_data contains ":\Users\"
        and (
            action_registry_data contains "\Favorites\"
            or action_registry_data contains "\Favourites\"
            or action_registry_data contains "\Contacts\"
            or action_registry_data contains "\Pictures\"
        )
    )