import re


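# Substrings of ContextInfo that identify wsmprovhost.exe (the WinRM plug-in
# host process) as the PowerShell host. The leading ":" leaves the drive
# letter open.
_WINRM_HOST_PATHS = (
    ":\\Windows\\System32\\wsmprovhost.exe",
    ":\\Windows\\SysWOW64\\wsmprovhost.exe",
)

# Payload substrings that are each sufficient on their own.
# NOTE(review): these look like helper names and snippets of the Evil-WinRM
# tool -- confirm against the rule's metadata.
# NOTE(review): matching is case-sensitive although PowerShell is not; confirm
# whether the log pipeline normalises case before relying on this.
_PAYLOAD_MARKERS = (
    'value="(get-location).path',
    "Invoke-Binary ",
    "Bypass-4MSI",
    "IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($a))).replace('???','')",
)

# Payload patterns with a wildcard part. They are searched anywhere in the
# payload, so a match is found on any line of a multi-line script block; the
# wildcard itself stays within one line.
_PAYLOAD_PATTERNS = (
    # The parentheses and the dot are literal, as in the sibling
    # 'value="(get-location).path' marker.
    re.compile(r'value="\(get-item.*\)\.length'),
    re.compile(r"Donut-Loader -process_id.*-donutfile"),
)

# Groups of payload substrings that only count when every member is present.
_PAYLOAD_MARKER_SETS = (
    # Service enumeration snippet.
    (
        '$servicios = Get-ItemProperty "registry::HKLM\\System\\CurrentControlSet\\Services\\"',
        'Where-Object {$_.imagepath -notmatch "system" -and $_.imagepath -ne $null } | Select-Object pschildname,imagepath',
    ),
    # Path listing snippet.
    # NOTE(review): the first literal contains backslash-quote sequences;
    # confirm that is how the text appears in the logged Payload field.
    (
        "$a +=  \\\"$($_.FullName.Replace('\\','/'))/\\\"}else{  $a += \\\"$($_.FullName.Replace('\\', '/'))\\\" }",
        "$a=@();$",
    ),
)


def rule(event):
    """Flag PowerShell module events hosted by wsmprovhost.exe with known payload markers.

    An event matches when its ContextInfo names wsmprovhost.exe under
    System32 or SysWOW64 AND its Payload contains one of the single markers,
    one of the wildcard patterns, or every member of one marker group.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``; the
            ``ContextInfo`` and ``Payload`` fields are read as strings.

    Returns:
        bool: True when both conditions hold, otherwise False.
    """
    # "or ''" keeps the substring tests safe if the field is present but null.
    context_info = event.deep_get("ContextInfo", default="") or ""
    if not any(path in context_info for path in _WINRM_HOST_PATHS):
        return False

    payload = event.deep_get("Payload", default="") or ""

    if any(marker in payload for marker in _PAYLOAD_MARKERS):
        return True
    # re.search instead of an anchored re.match: the earlier "^.*" prefix could
    # not cross a newline, so only the first line of the payload was examined.
    if any(pattern.search(payload) for pattern in _PAYLOAD_PATTERNS):
        return True
    return any(
        all(marker in payload for marker in group) for group in _PAYLOAD_MARKER_SETS
    )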
