// Cortex XDR XQL detection query: Windows process-start events whose image path
// or command line matches the indicators listed below.
// Matching is case-insensitive (config case_sensitive = false); the "*" characters
// inside the quoted values are wildcards.
//
// Alternative 1: the process image path matches one of four files under system32 --
//   Physmem.sys, or WimBootConfigurations.ini under ime\SHARED, ime\IMEJP or ime\IMETC.
// Alternative 2: all three of the following hold --
//   the image path is under system32\filepath2 or system32\ime,
//   the command line contains the substring "reg add", and
//   the command line references one of the two listed CLSID InprocServer32 keys
//   under HKEY_LOCAL_MACHINE\software\classes\clsid.
//
// NOTE(review): "*windows\system32\filepath2*" reads like an unfilled placeholder
//   carried over from the source rule rather than a real path; confirm the intended
//   value, since as written that half of alternative 2 is unlikely to ever match.
// NOTE(review): the path values use single backslashes inside double-quoted strings;
//   confirm that XQL string escaping keeps them literal, otherwise these patterns
//   could silently never match and the rule would produce no alerts.
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*windows\system32\Physmem.sys*", "*Windows\system32\ime\SHARED\WimBootConfigurations.ini*", "*Windows\system32\ime\IMEJP\WimBootConfigurations.ini*", "*Windows\system32\ime\IMETC\WimBootConfigurations.ini*")) or 
 (((action_process_image_path in ("*windows\system32\filepath2*", "*windows\system32\ime*")) and 
 action_process_image_command_line contains "reg add") and 
 (action_process_image_command_line in ("*HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32*", "*HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32*")))))