import re


def rule(event):
    if any(
        [
            all(
                [
                    "Microsoft\\Windows\\CurrentVersion\\Run"
                    in event.deep_get("CommandLine", default=""),
                    "C:\\users\\Public\\" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    "del /s /f /q c:\\" in event.deep_get("CommandLine", default=""),
                    re.match(r"^.*\\.*.bac.*$", event.deep_get("CommandLine", default="")),
                    re.match(r"^.*\\.*.bak.*$", event.deep_get("CommandLine", default="")),
                    re.match(r"^.*\\.*.bkf.*$", event.deep_get("CommandLine", default="")),
                ]
            ),
            all(
                [
                    any(
                        [
                            event.deep_get("Image", default="").endswith("\\net.exe"),
                            event.deep_get("Image", default="").endswith("\\net1.exe"),
                        ]
                    ),
                    " stop " in event.deep_get("CommandLine", default=""),
                    " /y" in event.deep_get("CommandLine", default=""),
                    any(
                        [
                            "samss" in event.deep_get("CommandLine", default=""),
                            "audioendpointbuilder" in event.deep_get("CommandLine", default=""),
                            "unistoresvc_" in event.deep_get("CommandLine", default=""),
                            "AcrSch2Svc" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
