def rule(event):
    if any(
        [
            any(
                [
                    "\\fgdump-log" in event.deep_get("TargetFilename", default=""),
                    "\\kirbi" in event.deep_get("TargetFilename", default=""),
                    "\\pwdump" in event.deep_get("TargetFilename", default=""),
                    "\\pwhashes" in event.deep_get("TargetFilename", default=""),
                    "\\wce_ccache" in event.deep_get("TargetFilename", default=""),
                    "\\wce_krbtkts" in event.deep_get("TargetFilename", default=""),
                ]
            ),
            any(
                [
                    event.deep_get("TargetFilename", default="").endswith("\\cachedump.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\cachedump64.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\DumpExt.dll"),
                    event.deep_get("TargetFilename", default="").endswith("\\DumpSvc.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\Dumpy.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\fgexec.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\lsremora.dll"),
                    event.deep_get("TargetFilename", default="").endswith("\\lsremora64.dll"),
                    event.deep_get("TargetFilename", default="").endswith("\\NTDS.out"),
                    event.deep_get("TargetFilename", default="").endswith("\\procdump.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\procdump64.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\procdump64a.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\pstgdump.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\pwdump.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\SAM.out"),
                    event.deep_get("TargetFilename", default="").endswith("\\SECURITY.out"),
                    event.deep_get("TargetFilename", default="").endswith("\\servpw.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\servpw64.exe"),
                    event.deep_get("TargetFilename", default="").endswith("\\SYSTEM.out"),
                    event.deep_get("TargetFilename", default="").endswith("\\test.pwd"),
                    event.deep_get("TargetFilename", default="").endswith("\\wceaux.dll"),
                ]
            ),
        ]
    ):
        return True
    return False
