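# Base64 forms of the file name "spinstall0.aspx". The first entry decodes to
# the UTF-16LE spelling (the encoding PowerShell expects for encoded commands);
# the next two are presumably the same text at the other two base64 byte
# alignments; the last is the plain single-byte encoding.
_SPINSTALL_B64 = (
    "cwBwAGkAbgBzAHQAYQBsAGwAMAAuAGEAcwBwAHgA",
    "MAcABpAG4AcwB0AGEAbABsADAALgBhAHMAcAB4A",
    "zAHAAaQBuAHMAdABhAGwAbAAwAC4AYQBzAHAAeA",
    "c3BpbnN0YWxsMC5hc3B4",
)

# Base64 (UTF-16LE, three alignments each) of the LAYOUTS directory path from
# the drive colon onward, i.e. ":\...\TEMPLATE\LAYOUTS". Four spellings are
# covered: 8.3 short names and long names, each for the "15" and "16" folders
# under "Web Server Extensions" (presumably the SharePoint install hive).
_LAYOUTS_DIR_B64 = (
    # :\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS
    "OgBcAFAAUgBPAEcAUgBBAH4AMQBcAEMATwBNAE0ATwBOAH4AMQBcAE0ASQBDAFIATwBTAH4AMQBcAFcARQBCAFMARQBSAH4AMQBcADEANQBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA",
    "oAXABQAFIATwBHAFIAQQB+ADEAXABDAE8ATQBNAE8ATgB+ADEAXABNAEkAQwBSAE8AUwB+ADEAXABXAEUAQgBTAEUAUgB+ADEAXAAxADUAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA",
    "6AFwAUABSAE8ARwBSAEEAfgAxAFwAQwBPAE0ATQBPAE4AfgAxAFwATQBJAEMAUgBPAFMAfgAxAFwAVwBFAEIAUwBFAFIAfgAxAFwAMQA1AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw",
    # :\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS
    "OgBcAFAAUgBPAEcAUgBBAH4AMQBcAEMATwBNAE0ATwBOAH4AMQBcAE0ASQBDAFIATwBTAH4AMQBcAFcARQBCAFMARQBSAH4AMQBcADEANgBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA",
    "oAXABQAFIATwBHAFIAQQB+ADEAXABDAE8ATQBNAE8ATgB+ADEAXABNAEkAQwBSAE8AUwB+ADEAXABXAEUAQgBTAEUAUgB+ADEAXAAxADYAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA",
    "6AFwAUABSAE8ARwBSAEEAfgAxAFwAQwBPAE0ATQBPAE4AfgAxAFwATQBJAEMAUgBPAFMAfgAxAFwAVwBFAEIAUwBFAFIAfgAxAFwAMQA2AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw",
    # :\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS
    "OgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABDAG8AbQBtAG8AbgAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0ACAAUwBoAGEAcgBlAGQAXABXAGUAYgAgAFMAZQByAHYAZQByACAARQB4AHQAZQBuAHMAaQBvAG4AcwBcADEANQBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA",
    "oAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAQwBvAG0AbQBvAG4AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdAAgAFMAaABhAHIAZQBkAFwAVwBlAGIAIABTAGUAcgB2AGUAcgAgAEUAeAB0AGUAbgBzAGkAbwBuAHMAXAAxADUAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA",
    "6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEMAbwBtAG0AbwBuACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAIABTAGgAYQByAGUAZABcAFcAZQBiACAAUwBlAHIAdgBlAHIAIABFAHgAdABlAG4AcwBpAG8AbgBzAFwAMQA1AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw",
    # :\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS
    "OgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABDAG8AbQBtAG8AbgAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0ACAAUwBoAGEAcgBlAGQAXABXAGUAYgAgAFMAZQByAHYAZQByACAARQB4AHQAZQBuAHMAaQBvAG4AcwBcADEANgBcAFQARQBNAFAATABBAFQARQBcAEwAQQBZAE8AVQBUAFMA",
    "oAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAQwBvAG0AbQBvAG4AIABGAGkAbABlAHMAXABNAGkAYwByAG8AcwBvAGYAdAAgAFMAaABhAHIAZQBkAFwAVwBlAGIAIABTAGUAcgB2AGUAcgAgAEUAeAB0AGUAbgBzAGkAbwBuAHMAXAAxADYAXABUAEUATQBQAEwAQQBUAEUAXABMAEEAWQBPAFUAVABTA",
    "6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEMAbwBtAG0AbwBuACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAIABTAGgAYQByAGUAZABcAFcAZQBiACAAUwBlAHIAdgBlAHIAIABFAHgAdABlAG4AcwBpAG8AbgBzAFwAMQA2AFwAVABFAE0AUABMAEEAVABFAFwATABBAFkATwBVAFQAUw",
)

# UTF-16LE base64 that decodes to the script prefix "$base64String =".
_STAGER_B64 = "JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0"
_ENCODED_FLAG = "-encodedcommand "
_PLAIN_DROP_PATH = "template\\layouts\\spinstall0.aspx"


def _has_encoded_stager(command_line):
    """Return True if the stager blob directly follows an -EncodedCommand flag."""
    flag_len = len(_ENCODED_FLAG)
    pos = command_line.find(_STAGER_B64)
    while pos != -1:
        # The flag name is compared case-insensitively; the base64 payload
        # itself is case-sensitive and is matched exactly by find().
        if pos >= flag_len and command_line[pos - flag_len:pos].lower() == _ENCODED_FLAG:
            return True
        pos = command_line.find(_STAGER_B64, pos + 1)
    return False


def rule(event):
    """Flag process events that reference a spinstall0.aspx drop in LAYOUTS.

    The rule fires when either of the following holds:

    * the parent process image ends with the IIS worker name w3wp.exe and the
      command line contains a base64 form of "spinstall0.aspx" or of a
      TEMPLATE/LAYOUTS directory path under "Web Server Extensions"; or
    * regardless of parent, the command line contains the plain-text path
      fragment ending in spinstall0.aspx, or an -EncodedCommand argument whose
      payload starts with the known stager prefix.

    Args:
        event: Object exposing ``deep_get(key, default=...)``; the fields
            ``ParentImage`` and ``CommandLine`` are read.

    Returns:
        bool: True when the event matches, otherwise False.
    """
    # Read each field once. ``or ""`` covers a deep_get that hands back None
    # for an explicit null instead of the default.
    command_line = event.deep_get("CommandLine", default="") or ""
    parent_image = event.deep_get("ParentImage", default="") or ""

    # Windows paths and PowerShell parameter names are case-insensitive, so a
    # byte-exact comparison of plain-text indicators would miss case variants
    # of the same activity. Base64 indicators stay case-sensitive.
    if _PLAIN_DROP_PATH in command_line.lower():
        return True
    if _has_encoded_stager(command_line):
        return True

    if not parent_image.lower().endswith("\\w3wp.exe"):
        return False
    return any(
        marker in command_line
        for marker in _SPINSTALL_B64 + _LAYOUTS_DIR_B64
    )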
