def rule(event):
    if all(
        [
            any(
                [
                    event.deep_get("Image", default="").endswith("\\eqnedt32.exe"),
                    event.deep_get("Image", default="").endswith("\\wordpad.exe"),
                    event.deep_get("Image", default="").endswith("\\wordview.exe"),
                    event.deep_get("Image", default="").endswith("\\certutil.exe"),
                    event.deep_get("Image", default="").endswith("\\certoc.exe"),
                    event.deep_get("Image", default="").endswith("\\CertReq.exe"),
                    event.deep_get("Image", default="").endswith("\\Desktopimgdownldr.exe"),
                    event.deep_get("Image", default="").endswith("\\esentutl.exe"),
                    event.deep_get("Image", default="").endswith("\\mshta.exe"),
                    event.deep_get("Image", default="").endswith("\\AcroRd32.exe"),
                    event.deep_get("Image", default="").endswith("\\RdrCEF.exe"),
                    event.deep_get("Image", default="").endswith("\\hh.exe"),
                    event.deep_get("Image", default="").endswith("\\finger.exe"),
                ]
            ),
            any(
                [
                    event.deep_get("TargetFilename", default="").endswith(".ps1"),
                    event.deep_get("TargetFilename", default="").endswith(".bat"),
                    event.deep_get("TargetFilename", default="").endswith(".vbs"),
                    event.deep_get("TargetFilename", default="").endswith(".scf"),
                    event.deep_get("TargetFilename", default="").endswith(".wsf"),
                    event.deep_get("TargetFilename", default="").endswith(".wsh"),
                ]
            ),
        ]
    ):
        return True
    return False
