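# All fragments below are stored lower-cased because rule() lower-cases the
# event fields before matching: Windows paths and process names are
# case-insensitive, so a case-sensitive substring test is skipped simply by
# writing the same path in a different case.

# Directory fragments that flag the command line on their own.
_SUSPICIOUS_DIR_FRAGMENTS = (
    ":\\perflogs\\",
    ":\\temp\\",
    "\\windows\\registration\\crmlog",
    "\\windows\\system32\\com\\dmp\\",
    "\\windows\\system32\\fxstmp\\",
    "\\windows\\system32\\microsoft\\crypto\\rsa\\machinekeys\\",
    "\\windows\\system32\\spool\\drivers\\color\\",
    "\\windows\\system32\\spool\\printers\\",
    "\\windows\\system32\\spool\\servers\\",
    "\\windows\\system32\\tasks_migrated\\",
    "\\windows\\system32\\tasks\\microsoft\\windows\\synccenter\\",
    "\\windows\\syswow64\\com\\dmp\\",
    "\\windows\\syswow64\\fxstmp\\",
    "\\windows\\syswow64\\tasks\\microsoft\\windows\\pla\\system\\",
    "\\windows\\syswow64\\tasks\\microsoft\\windows\\synccenter\\",
    "\\windows\\tasks\\",
    "\\windows\\tracing\\",
)

# Markers for "an absolute path on C: or D: appears as an argument".
# NOTE(review): the D: marker has no leading delimiter, so it matches
# anywhere in the command line and none of the expected prefixes below
# can suppress a D: path.
_DRIVE_PATH_MARKERS = (' "c:\\', " c:\\", " 'c:\\", "d:\\")

# Locations that are considered normal for a registered DLL.
# NOTE(review): these are tested against the whole command line, so one
# expected path anywhere in it suppresses the generic drive-path branch even
# if a second, unexpected path is also present.
_EXPECTED_PREFIXES = (
    "c:\\program files (x86)\\",
    "c:\\program files\\",
    "c:\\programdata\\",
    "c:\\users\\",
    " c:\\windows\\",
    ' "c:\\windows\\',
    " 'c:\\windows\\",
)


def _lowered_field(event, field):
    """Return the event field as a lower-cased string, or "" if absent/non-string."""
    value = event.deep_get(field, default="")
    return value.lower() if isinstance(value, str) else ""


def rule(event):
    """Detect regsvr32 being pointed at a file in an unusual location.

    The event is expected to expose ``deep_get(key, default=...)`` and to
    carry the process-creation style fields ``Image``, ``OriginalFileName``
    and ``CommandLine``.

    Returns True when all of the following hold:

    * the process is regsvr32 (by image path suffix, or by the
      ``OriginalFileName`` field so a renamed copy is still recognised);
    * the command line is not empty;
    * the command line either names one of the listed suspicious
      directories, or references a path on C:/D: that is outside the
      expected install locations.

    All comparisons are case-insensitive.
    """
    image = _lowered_field(event, "Image")
    original_name = _lowered_field(event, "OriginalFileName")
    is_regsvr32 = image.endswith("\\regsvr32.exe") or original_name == "regsvr32.exe"
    if not is_regsvr32:
        return False

    command_line = _lowered_field(event, "CommandLine")
    # A missing, null or empty command line carries nothing to evaluate.
    if not command_line:
        return False

    if any(fragment in command_line for fragment in _SUSPICIOUS_DIR_FRAGMENTS):
        return True

    references_drive_path = any(marker in command_line for marker in _DRIVE_PATH_MARKERS)
    in_expected_location = any(prefix in command_line for prefix in _EXPECTED_PREFIXES)
    return references_drive_path and not in_expected_location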
