def rule(event):
    if any(
        [
            any(
                [
                    "SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f"
                    in event.deep_get("Hashes", default=""),
                    "SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5"
                    in event.deep_get("Hashes", default=""),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("\\schtasks.exe"),
                    "Create" in event.deep_get("CommandLine", default=""),
                    "/RU" in event.deep_get("CommandLine", default=""),
                    "SYSTEM" in event.deep_get("CommandLine", default=""),
                    "\\Microsoft\\Windows\\WinSrv" in event.deep_get("CommandLine", default=""),
                    any(
                        [
                            "servtask.bat" in event.deep_get("CommandLine", default=""),
                            "execute.bat" in event.deep_get("CommandLine", default=""),
                            "doit.bat" in event.deep_get("CommandLine", default=""),
                        ]
                    ),
                ]
            ),
            all(
                [
                    event.deep_get("Image", default="").endswith("\\schtasks.exe"),
                    "Delete" in event.deep_get("CommandLine", default=""),
                    "/F " in event.deep_get("CommandLine", default=""),
                    "\\Microsoft\\Windows\\WinSrv" in event.deep_get("CommandLine", default=""),
                ]
            ),
            all(
                [
                    "Get-ChildItem" in event.deep_get("CommandLine", default=""),
                    ".save" in event.deep_get("CommandLine", default=""),
                    "Compress-Archive -DestinationPath C:\\ProgramData\\"
                    in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
