// Detection: deletion of a registry key or value whose key name contains
// "\shell\open\command", on Windows agents, by a process that is not on the
// allow-list below. Keys under shell\open\command hold the command Windows runs
// for a file-type or protocol "open" verb, so unexpected deletions there are
// worth triaging.
//
// Matching is case-insensitive (config case_sensitive = false).
// The filter has three parts, all ANDed together:
//   1. event scope: registry delete-key / delete-value events on Windows
//   2. first "not" group: generic OS / installer actors
//   3. second "not" group: application-specific installer and updater exclusions
//
// NOTE(review): several exclusions match on a path substring alone, with no
// constraint on the key being deleted: "\ninite.exe", "AppData\Local\Temp" plus
// "\setup.exe", "\Temp\is-" plus "\target.tmp", "\Temp" plus "\TeamViewer", and
// "C:\Windows\Installer\MSI". Any process whose image path contains those
// substrings is suppressed for every shell\open\command key. Where the dataset
// exposes signer or hash fields for the actor process, consider pairing these
// exclusions with them and review the suppressed events periodically.
// NOTE(review): confirm how the target XQL version treats backslashes inside
// string literals; they appear unescaped throughout this query.
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 (event_sub_type in (ENUM.REGISTRY_DELETE_KEY, ENUM.REGISTRY_DELETE_VALUE))) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\shell\open\command" and 
 // Generic actor exclusions. explorer.exe is matched with "contains" (substring),
 // the other single paths with "=".
 // NOTE(review): the "*" in the Program Files entries is presumably a wildcard
 // under "in", which would suppress every actor installed there; confirm.
 (not 
 (actor_process_image_path contains "C:\Windows\explorer.exe" or 
 actor_process_image_path = "C:\Windows\system32\svchost.exe" or 
 (actor_process_image_path in ("C:\Windows\System32\msiexec.exe", "C:\Windows\SysWOW64\msiexec.exe")) or 
 (actor_process_image_path in ("C:\Program Files\*", "C:\Program Files (x86)\*")) or 
 actor_process_image_path = "C:\Windows\System32\OpenWith.exe")) and 
 // Application-specific exclusions. Most pair an actor path with the key that
 // application owns; the path-only ones are listed in the header note.
 (not 
 ((actor_process_image_path contains "\Dropbox.exe" and 
 action_registry_key_name contains "\Dropbox.") or 
 (actor_process_image_path contains "\AppData\Local\Temp\Wireshark_uninstaller.exe" and 
 action_registry_key_name contains "\wireshark-capture-file\") or 
 // "peazip" is a bare substring of the full image path, not a file name.
 (actor_process_image_path contains "peazip" and 
 action_registry_key_name contains "\PeaZip.") or 
 (actor_process_image_path contains "\Everything.exe" and 
 action_registry_key_name contains "\Everything.") or 
 actor_process_image_path contains "C:\Windows\Installer\MSI" or 
 (actor_process_image_path contains "C:\Program Files (x86)\Java\" and 
 actor_process_image_path contains "\installer.exe" and 
 action_registry_key_name contains "\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}") or 
 actor_process_image_path contains "\Microsoft\EdgeUpdate\Install" or 
 // NOTE(review): these Avira values are directory paths with no trailing "*",
 // unlike the Program Files entries above. If "in" compares the whole value,
 // this clause cannot match an executable's image path. Those directories also
 // sit under the Program Files exclusion, so the clause looks redundant either
 // way; confirm and add "*" or drop it.
 ((actor_process_image_path in ("C:\Program Files (x86)\Avira\Antivirus\", "C:\Program Files\Avira\Antivirus\")) and 
 (action_registry_key_name in ("*\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command", "*\AntiVir.Keyfile\shell\open\command"))) or 
 ((actor_process_image_path contains "AppData\Local\Temp" and 
 actor_process_image_path contains "\setup.exe") or 
 (actor_process_image_path contains "\Temp\is-" and 
 actor_process_image_path contains "\target.tmp")) or 
 actor_process_image_path contains "\ninite.exe" or 
 // Any reg.exe invocation is suppressed, but only for the Discord handler key.
 (actor_process_image_path contains "\reg.exe" and 
 action_registry_key_name contains "\Discord\shell\open\command") or 
 (actor_process_image_path contains "\Spotify.exe" and 
 action_registry_key_name contains "\Spotify\shell\open\command") or 
 (actor_process_image_path contains "C:\eclipse\eclipse.exe" and 
 action_registry_key_name contains "_Classes\eclipse+") or 
 (actor_process_image_path contains "\Temp" and 
 actor_process_image_path contains "\TeamViewer")))))