def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\wmic.exe"),
                    event.deep_get("OriginalFileName", default="") == "wmic.exe",
                    event.deep_get("ParentImage", default="").endswith("\\wmiprvse.exe"),
                ]
            ),
            "reg" in event.deep_get("CommandLine", default=""),
            " add " in event.deep_get("CommandLine", default=""),
            any(
                [
                    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                    in event.deep_get("CommandLine", default=""),
                    "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
                    in event.deep_get("CommandLine", default=""),
                    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
                    in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    any(
                        [
                            ":\\Perflogs" in event.deep_get("CommandLine", default=""),
                            ":\\ProgramData'" in event.deep_get("CommandLine", default=""),
                            ":\\Windows\\Temp" in event.deep_get("CommandLine", default=""),
                            ":\\Temp" in event.deep_get("CommandLine", default=""),
                            "\\AppData\\Local\\Temp" in event.deep_get("CommandLine", default=""),
                            "\\AppData\\Roaming" in event.deep_get("CommandLine", default=""),
                            ":\\$Recycle.bin" in event.deep_get("CommandLine", default=""),
                            ":\\Users\\Default" in event.deep_get("CommandLine", default=""),
                            ":\\Users\\public" in event.deep_get("CommandLine", default=""),
                            "%temp%" in event.deep_get("CommandLine", default=""),
                            "%tmp%" in event.deep_get("CommandLine", default=""),
                            "%Public%" in event.deep_get("CommandLine", default=""),
                            "%AppData%" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                    all(
                        [
                            ":\\Users\\" in event.deep_get("CommandLine", default=""),
                            any(
                                [
                                    "\\Favorites" in event.deep_get("CommandLine", default=""),
                                    "\\Favourites" in event.deep_get("CommandLine", default=""),
                                    "\\Contacts" in event.deep_get("CommandLine", default=""),
                                    "\\Music" in event.deep_get("CommandLine", default=""),
                                    "\\Pictures" in event.deep_get("CommandLine", default=""),
                                    "\\Documents" in event.deep_get("CommandLine", default=""),
                                    "\\Photos" in event.deep_get("CommandLine", default=""),
                                ]
                            ),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
