def rule(event):
    if any(
        [
            event.deep_get("Image", default="").endswith("\\SelectMyParent.exe"),
            any(
                [
                    "PPID-spoof" in event.deep_get("CommandLine", default=""),
                    "ppid_spoof" in event.deep_get("CommandLine", default=""),
                    "spoof-ppid" in event.deep_get("CommandLine", default=""),
                    "spoof_ppid" in event.deep_get("CommandLine", default=""),
                    "ppidspoof" in event.deep_get("CommandLine", default=""),
                    "spoofppid" in event.deep_get("CommandLine", default=""),
                    "spoofedppid" in event.deep_get("CommandLine", default=""),
                    " -spawnto " in event.deep_get("CommandLine", default=""),
                ]
            ),
            any(
                [
                    "PPID-spoof" in event.deep_get("OriginalFileName", default=""),
                    "ppid_spoof" in event.deep_get("OriginalFileName", default=""),
                    "spoof-ppid" in event.deep_get("OriginalFileName", default=""),
                    "spoof_ppid" in event.deep_get("OriginalFileName", default=""),
                    "ppidspoof" in event.deep_get("OriginalFileName", default=""),
                    "spoofppid" in event.deep_get("OriginalFileName", default=""),
                    "spoofedppid" in event.deep_get("OriginalFileName", default=""),
                ]
            ),
            event.deep_get("Description", default="") == "SelectMyParent",
            any(
                [
                    "IMPHASH=04D974875BD225F00902B4CAD9AF3FBC"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=89059503D7FBF470E68F7E63313DA3AD"
                    in event.deep_get("Hashes", default=""),
                    "IMPHASH=CA28337632625C8281AB8A130B3D6BAD"
                    in event.deep_get("Hashes", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
