def rule(event):
    if any(
        [
            all(
                [
                    "attrib" in event.deep_get("CommandLine", default=""),
                    " +h " in event.deep_get("CommandLine", default=""),
                    " +s " in event.deep_get("CommandLine", default=""),
                    " +r " in event.deep_get("CommandLine", default=""),
                    ".aspx" in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    "\\ProgramData\\VSPerfMon\\" in event.deep_get("Image", default=""),
                    all(
                        [
                            "schtasks" in event.deep_get("CommandLine", default=""),
                            "VSPerfMon" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("Opera_browser.exe"),
                    any(
                        [
                            event.deep_get("ParentImage", default="").endswith("\\services.exe"),
                            event.deep_get("ParentImage", default="").endswith("\\svchost.exe"),
                        ]
                    ),
                ]
            ),
            event.deep_get("Image", default="").endswith("Users\\Public\\opera\\Opera_browser.exe"),
            all(
                [
                    "vssadmin list shadows" in event.deep_get("CommandLine", default=""),
                    "Temp\\__output" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("\\makecab.exe"),
                    "inetpub\\wwwroot\\" in event.deep_get("CommandLine", default=""),
                    ".dmp.zip" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("\\makecab.exe"),
                    any(
                        [
                            "Microsoft\\Exchange Server\\"
                            in event.deep_get("CommandLine", default=""),
                            "compressionmemory" in event.deep_get("CommandLine", default=""),
                            ".gif" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            all(
                [
                    " -t7z " in event.deep_get("CommandLine", default=""),
                    "C:\\Programdata\\pst" in event.deep_get("CommandLine", default=""),
                    "\\it.zip" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    "\\comsvcs.dll" in event.deep_get("CommandLine", default=""),
                    "Minidump" in event.deep_get("CommandLine", default=""),
                    "full " in event.deep_get("CommandLine", default=""),
                    "\\inetpub\\wwwroot" in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    "Windows\\Temp\\xx.bat" in event.deep_get("CommandLine", default=""),
                    "Windows\\WwanSvcdcs" in event.deep_get("CommandLine", default=""),
                    "Windows\\Temp\\cw.exe" in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
