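# Directory fragments where a legitimate service binary is not expected to live.
# Stored lower-cased because every event field is lower-cased before comparison.
_SUSPICIOUS_DIRS = ("\\users\\public\\", "\\perflogs\\", "\\admin$\\", "\\temp\\")

# Registry prefix under which Windows service configuration is stored.
_SERVICES_PREFIX = "hklm\\system\\currentcontrolset\\services\\"

# Start values 0, 1 and 2 (boot, system and automatic start).
_START_VALUES = frozenset(
    {"dword (0x00000000)", "dword (0x00000001)", "dword (0x00000002)"}
)


def _field(event, name):
    """Return the named event field lower-cased, or "" if it is missing or not a string."""
    value = event.deep_get(name, default="")
    return value.lower() if isinstance(value, str) else ""


def rule(event):
    """Flag service registry changes that involve a binary in a suspicious folder.

    Fires when a value under HKLM\\System\\CurrentControlSet\\Services\\ is set and
    either:
      * the ``Start`` value is set to 0, 1 or 2 by a process whose ``Image`` path
        contains one of the suspicious directories, or
      * the ``ImagePath`` value (``Details``) points into one of those directories.

    Two known-benign patterns are excluded: an ``Image`` path containing both
    ``\\Common Files\\`` and ``\\Temp\\``, and the MBAMInstallerService ImagePath
    written by services.exe.

    All comparisons are case-insensitive. Windows registry and file-system paths
    are case-insensitive, so a case-sensitive match would miss the same activity
    logged with different casing (for example ``C:\\WINDOWS\\TEMP\\``).

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        True if the event matches the detection and no exclusion applies.
    """
    target = _field(event, "TargetObject")
    image = _field(event, "Image")
    details = _field(event, "Details")

    # Both detection branches require a key under the Services hive.
    if not target.startswith(_SERVICES_PREFIX):
        return False

    start_changed = (
        target.endswith("\\start")
        and details in _START_VALUES
        and any(fragment in image for fragment in _SUSPICIOUS_DIRS)
    )
    image_path_changed = target.endswith("\\imagepath") and any(
        fragment in details for fragment in _SUSPICIOUS_DIRS
    )
    if not (start_changed or image_path_changed):
        return False

    # NOTE(review): both exclusions below match on path strings only. Confirm
    # they are still needed in your environment and tighten them where the
    # telemetry allows, since a broad exclusion creates a detection blind spot.
    if "\\common files\\" in image and "\\temp\\" in image:
        return False

    mbam_installer = (
        target.endswith("\\currentcontrolset\\services\\mbaminstallerservice\\imagepath")
        and details.endswith('\\appdata\\local\\temp\\mbaminstallerservice.exe"')
        and image == "c:\\windows\\system32\\services.exe"
    )
    return not mbam_installer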
