import re


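def rule(event):
    """Detect wget.exe saving a script or binary fetched from a file-sharing host.

    Returns True only when every condition below holds for the event:

    1. ``Image`` ends with ``\\wget.exe`` or ``OriginalFileName`` is ``wget.exe``.
    2. ``CommandLine`` contains one of the listed hosting / paste / tunnel domains.
    3. ``CommandLine`` contains ``http``.
    4. ``CommandLine`` carries an output flag: ``-O`` surrounded by whitespace,
       or ``--output-document``.
    5. ``CommandLine`` ends with one of the listed script / executable
       extensions, optionally followed by a closing single or double quote.

    Args:
        event: log event exposing ``deep_get(key, default=...)``.

    Returns:
        bool: True if the event matches, False otherwise.
    """
    image = event.deep_get("Image", default="")
    original_name = event.deep_get("OriginalFileName", default="")
    cmdline = event.deep_get("CommandLine", default="")

    # NOTE(review): every string comparison here is case-sensitive, so
    # "WGET.EXE", an upper-case host or an ".EXE" target will not match.
    # Confirm whether the log pipeline normalises case before relying on this.
    # The "-O" check must stay case-sensitive: wget's "-o" is the log-file flag.
    domains = (
        ".githubusercontent.com",
        "anonfiles.com",
        "cdn.discordapp.com",
        "ddns.net",
        "dl.dropboxusercontent.com",
        "ghostbin.co",
        "github.com",
        "glitch.me",
        "gofile.io",
        "hastebin.com",
        "mediafire.com",
        "mega.nz",
        "onrender.com",
        "pages.dev",
        "paste.ee",
        "pastebin.com",
        "pastebin.pl",
        "pastetext.net",
        "pixeldrain.com",
        "privatlab.com",
        "privatlab.net",
        "send.exploit.in",
        "sendspace.com",
        "storage.googleapis.com",
        "storjshare.io",
        "supabase.co",
        "temp.sh",
        "transfer.sh",
        "trycloudflare.com",
        "ufile.io",
        "w3spaces.com",
        "workers.dev",
    )
    extensions = (
        ".ps1",
        ".dat",
        ".msi",
        ".bat",
        ".exe",
        ".vbs",
        ".vbe",
        ".hta",
        ".dll",
        ".psm1",
    )
    # Each extension is accepted bare or followed by a closing quote, because
    # the output path is frequently quoted on the command line.
    suffixes = tuple(ext + tail for ext in extensions for tail in ("", "'", '"'))

    is_wget = image.endswith("\\wget.exe") or original_name == "wget.exe"
    hits_domain = any(domain in cmdline for domain in domains)
    has_url = "http" in cmdline
    # The previous check, re.match(r"\\s-O\\s", ...), looked for a literal
    # backslash followed by "s" anchored at the start of the string, so the
    # "-O" form never matched a real command line and only
    # "--output-document" downloads were detected. Search anywhere for
    # whitespace-delimited "-O" instead.
    has_output_flag = (
        re.search(r"\s-O\s", cmdline) is not None
        or "--output-document" in cmdline
    )
    saves_payload = cmdline.endswith(suffixes)

    return all((is_wget, hits_domain, has_url, has_output_flag, saves_payload))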
