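def rule(event):
    """Flag reg.exe saving or exporting registry keys that hold third-party credentials.

    The rule fires only when all three conditions hold:

    1. The process is reg.exe, judged by the ``Image`` path suffix or by
       ``OriginalFileName``. The second field still identifies the binary
       when the file on disk carries a different name.
    2. ``CommandLine`` contains ``save`` or ``export``.
    3. ``CommandLine`` references one of the registry locations listed below.

    Comparisons are case-insensitive. Windows resolves image names, reg.exe
    verbs and registry key paths without regard to case, so a case-sensitive
    comparison would miss the same activity written with different casing.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True when the event matches all three conditions.
    """
    credential_keys = (
        "\\Software\\Aerofox\\Foxmail\\V3.1",
        "\\Software\\Aerofox\\FoxmailPreview",
        "\\Software\\DownloadManager\\Passwords",
        "\\Software\\FTPWare\\COREFTP\\Sites",
        "\\Software\\IncrediMail\\Identities",
        "\\Software\\Martin Prikryl\\WinSCP 2\\Sessions",
        "\\Software\\Mobatek\\MobaXterm",
        "\\Software\\OpenSSH\\Agent\\Keys",
        "\\Software\\OpenVPN-GUI\\configs",
        "\\Software\\ORL\\WinVNC3\\Password",
        "\\Software\\Qualcomm\\Eudora\\CommandLine",
        "\\Software\\RealVNC\\WinVNC4",
        "\\Software\\RimArts\\B2\\Settings",
        "\\Software\\SimonTatham\\PuTTY\\Sessions",
        "\\Software\\SimonTatham\\PuTTY\\SshHostKeys",
        "\\Software\\Sota\\FFFTP",
        "\\Software\\TightVNC\\Server",
        "\\Software\\WOW6432Node\\Radmin\\v3.0\\Server\\Parameters\\Radmin",
    )

    def _lowered(field):
        # A missing, null or non-string field is treated as empty so that a
        # malformed event yields "no match" instead of raising inside the rule.
        value = event.deep_get(field, default="")
        return value.lower() if isinstance(value, str) else ""

    image = _lowered("Image")
    original_name = _lowered("OriginalFileName")
    command_line = _lowered("CommandLine")

    # Condition 1: the process must be reg.exe.
    if not (image.endswith("\\reg.exe") or original_name == "reg.exe"):
        return False

    # Condition 2: a dump verb must be present. This is a plain substring
    # test, so "save" or "export" anywhere in the command line satisfies it.
    if "save" not in command_line and "export" not in command_line:
        return False

    # Condition 3: the command line must name one of the credential stores.
    return any(key.lower() in command_line for key in credential_keys)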
