def rule(event):
    if any(
        [
            all(
                [
                    any(
                        [
                            event.deep_get("ParentImage", default="").endswith("\\node.exe"),
                            event.deep_get("ParentImage", default="").endswith("\\bun.exe"),
                        ]
                    ),
                    event.deep_get("Image", default="").endswith("\\cmd.exe"),
                    "cscript" in event.deep_get("CommandLine", default=""),
                    "AppData\\Local\\Temp" in event.deep_get("CommandLine", default=""),
                    "//nologo && del" in event.deep_get("CommandLine", default=""),
                    "6202033.vbs" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\curl.exe"),
                            event.deep_get("Image", default="").endswith("\\powershell.exe"),
                        ]
                    ),
                    "http://sfrclak.com" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    event.deep_get("OriginalFileName", default="") == "PowerShell.EXE",
                    '"C:\\ProgramData\\wt.exe" -w hidden -ep bypass -file'
                    in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
