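def rule(event):
    """Return True when the event's CommandLine matches a known-bad pattern.

    The rule is a pure substring match on the ``CommandLine`` field and fires
    when any one of five indicator groups is satisfied:

    1. Any single literal indicator (a SAM hive save through reg.exe into
       a temp file, two password-like literals, or a ``.dat data03`` fragment).
    2. A netstat listing piped to find, filtered on "ESTA", and redirected to
       a tilde-prefixed file under the temp directory (all three fragments).
    3. A ``.255 10`` argument followed by a path under ProgramData/IBM,
       together with a ``.DAT`` fragment.
    4. `` /c `` plus `` -p 0x`` plus a path under ProgramData or RECYCLER.
    5. rundll32 with a path under ProgramData and a non-DLL extension
       immediately followed by a comma (``.bin,`` ``.tmp,`` ``.dat,`` ``.io,``
       ``.ini,`` ``.db,``).

    Matching is case-insensitive. Windows resolves executable names, registry
    hive names and paths without regard to case, so a case-sensitive
    comparison misses the same command typed as ``REG.EXE SAVE HKLM...`` or
    ``RunDll32``. The trade-off is that the password-like and hex-argument
    literals also match in other casings, which slightly widens the rule.

    Limitations a triager should keep in mind: only ``CommandLine`` is
    inspected (no process image, parent, or user check), and the rule is blind
    to events whose log source does not populate that field. Groups 4 and 5
    are the broadest and are the likeliest source of false positives.

    Args:
        event: Object exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if any indicator group matches, otherwise False.
    """
    raw_command_line = event.deep_get("CommandLine", default="")
    # A present-but-null or non-string field cannot match a substring test.
    # NOTE(review): whether deep_get already maps null to the default is not
    # visible here; this guard makes the rule safe either way.
    if not isinstance(raw_command_line, str):
        return False
    command_line = raw_command_line.lower()

    def has(needle):
        """Case-insensitive substring test against the command line."""
        return needle.lower() in command_line

    # Group 1: any one of these literals is sufficient on its own.
    standalone_indicators = (
        "reg.exe save hklm\\sam %temp%\\~reg_sam.save",
        "1q2w3e4r@#$@#$@#$",
        " -hp1q2w3e4 ",
        ".dat data03 10000 -p ",
    )
    if any(has(needle) for needle in standalone_indicators):
        return True

    # Group 2: connection listing filtered and staged to a temp file.
    if has("netstat -aon | find ") and has("ESTA") and has(" > %temp%\\~"):
        return True

    # Group 3: argument pattern pointing at a .DAT under ProgramData\IBM.
    if has(".255 10 C:\\ProgramData\\IBM\\") and has(".DAT"):
        return True

    # Group 4: "/c" with a hex "-p" argument and a staging directory.
    staging_dirs = ("C:\\ProgramData\\", "C:\\RECYCLER\\")
    if has(" /c ") and has(" -p 0x") and any(has(d) for d in staging_dirs):
        return True

    # Group 5: rundll32 loading a ProgramData file whose extension is not
    # .dll; the trailing comma is what precedes the export name.
    disguised_extensions = (".bin,", ".tmp,", ".dat,", ".io,", ".ini,", ".db,")
    if (
        has("rundll32 ")
        and has("C:\\ProgramData\\")
        and any(has(ext) for ext in disguised_extensions)
    ):
        return True

    return False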
