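def rule(event):
    """Return True when a process event matches any one of three indicators.

    The indicators, evaluated independently, are:

    1. ``Image`` ends with ``\\wscript.exe`` and ``ParentImage`` ends with
       ``\\WinRAR.exe`` (a script host started directly by the archiver).
    2. ``CommandLine`` contains `` /c ping.exe -n 6 127.0.0.1 & type ``
       (a ping used as a delay, followed by ``type``).
    3. ``CommandLine`` contains all of ``regsvr32.exe``, ``C:\\ProgramData``
       and ``.tmp``.

    Matching is case-insensitive: Windows resolves image paths without
    regard to case, so a case-sensitive comparison would miss the same
    binary logged as e.g. ``winrar.exe``.

    Args:
        event: Object exposing ``deep_get(key, default=...)``. The field
            names look like process-creation telemetry; presumably that is
            the log source, confirm against the rule's metadata.

    Returns:
        bool: True if at least one indicator matches, otherwise False.
    """

    def _field(name):
        # Normalise to a lower-cased string; a missing or non-string value
        # is treated as empty so the rule never raises on malformed events.
        value = event.deep_get(name, default="")
        return value.lower() if isinstance(value, str) else ""

    parent_image = _field("ParentImage")
    image = _field("Image")
    command_line = _field("CommandLine")

    wscript_from_winrar = parent_image.endswith("\\winrar.exe") and image.endswith(
        "\\wscript.exe"
    )

    ping_delay_then_type = " /c ping.exe -n 6 127.0.0.1 & type " in command_line

    # All three substrings must be present, in any order and position.
    regsvr32_programdata_tmp = all(
        token in command_line for token in ("regsvr32.exe", "c:\\programdata", ".tmp")
    )

    return wscript_from_winrar or ping_delay_then_type or regsvr32_programdata_tmp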
