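def rule(event):
    """Return True when ScriptBlockText contains every indicator string below.

    The rule is a conjunction: all five markers must appear in the same
    ``ScriptBlockText`` value. A block that matches only some of them is not
    flagged, which keeps the rule narrow.

    Matching is case-insensitive. PowerShell cmdlet names and Windows paths
    are not case-sensitive, so an exact-case comparison would miss the same
    script text logged with different casing.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``. The field
            name suggests PowerShell script block logging; confirm against
            the log type this rule is attached to.

    Returns:
        bool: True if all markers are present, otherwise False.
    """
    # Literal substrings the script block must contain, kept exactly as written.
    required_markers = (
        "\\SysAidServer\\tomcat\\webapps",
        "Starting user.exe",
        "\\usersfiles\\user.exe",
        'Remove-Item -Force "$wapps',
        "(Sophos).",
    )

    # Read the field once instead of once per marker.
    script_text = event.deep_get("ScriptBlockText", default="")

    # A non-string value would make the `in` test raise TypeError and abort
    # the rule; treat it as "no match" instead.
    if not isinstance(script_text, str):
        return False

    haystack = script_text.lower()
    return all(marker.lower() in haystack for marker in required_markers)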
