def rule(event):
    if all(
        [
            event.deep_get("TargetImage", default="").endswith("\\lsass.exe"),
            any(
                [
                    event.deep_get("GrantedAccess", default="").endswith("10"),
                    event.deep_get("GrantedAccess", default="").endswith("30"),
                    event.deep_get("GrantedAccess", default="").endswith("50"),
                    event.deep_get("GrantedAccess", default="").endswith("70"),
                    event.deep_get("GrantedAccess", default="").endswith("90"),
                    event.deep_get("GrantedAccess", default="").endswith("B0"),
                    event.deep_get("GrantedAccess", default="").endswith("D0"),
                    event.deep_get("GrantedAccess", default="").endswith("F0"),
                    event.deep_get("GrantedAccess", default="").endswith("18"),
                    event.deep_get("GrantedAccess", default="").endswith("38"),
                    event.deep_get("GrantedAccess", default="").endswith("58"),
                    event.deep_get("GrantedAccess", default="").endswith("78"),
                    event.deep_get("GrantedAccess", default="").endswith("98"),
                    event.deep_get("GrantedAccess", default="").endswith("B8"),
                    event.deep_get("GrantedAccess", default="").endswith("D8"),
                    event.deep_get("GrantedAccess", default="").endswith("F8"),
                    event.deep_get("GrantedAccess", default="").endswith("1A"),
                    event.deep_get("GrantedAccess", default="").endswith("3A"),
                    event.deep_get("GrantedAccess", default="").endswith("5A"),
                    event.deep_get("GrantedAccess", default="").endswith("7A"),
                    event.deep_get("GrantedAccess", default="").endswith("9A"),
                    event.deep_get("GrantedAccess", default="").endswith("BA"),
                    event.deep_get("GrantedAccess", default="").endswith("DA"),
                    event.deep_get("GrantedAccess", default="").endswith("FA"),
                    event.deep_get("GrantedAccess", default="").endswith("0x14C2"),
                    event.deep_get("GrantedAccess", default="").endswith("FF"),
                ]
            ),
            any(
                [
                    "\\Temp\\" in event.deep_get("SourceImage", default=""),
                    "\\Users\\Public\\" in event.deep_get("SourceImage", default=""),
                    "\\PerfLogs\\" in event.deep_get("SourceImage", default=""),
                    "\\AppData\\" in event.deep_get("SourceImage", default=""),
                    "\\Temporary" in event.deep_get("SourceImage", default=""),
                ]
            ),
            not any(
                [
                    all(
                        [
                            ":\\Users\\" in event.deep_get("SourceImage", default=""),
                            "\\AppData\\Local\\" in event.deep_get("SourceImage", default=""),
                            any(
                                [
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\Microsoft VS Code\\Code.exe"
                                    ),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\software_reporter_tool.exe"
                                    ),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\DropboxUpdate.exe"
                                    ),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\MBAMInstallerService.exe"
                                    ),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\WebexMTA.exe"
                                    ),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\Meetings\\WebexMTAV2.exe"
                                    ),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\WebEx\\WebexHost.exe"
                                    ),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\JetBrains\\Toolbox\\bin\\jetbrains-toolbox.exe"
                                    ),
                                ]
                            ),
                            event.deep_get("GrantedAccess", default="") == "0x410",
                        ]
                    ),
                    all(
                        [
                            ":\\Windows\\Temp\\" in event.deep_get("SourceImage", default=""),
                            event.deep_get("SourceImage", default="").endswith(
                                ".tmp\\DropboxUpdate.exe"
                            ),
                            event.deep_get("GrantedAccess", default="") in ["0x410", "0x1410"],
                        ]
                    ),
                    all(
                        [
                            ":\\Users\\" in event.deep_get("SourceImage", default=""),
                            "\\AppData\\Local\\Temp\\" in event.deep_get("SourceImage", default=""),
                            event.deep_get("SourceImage", default="").endswith(
                                ".tmp\\DropboxUpdate.exe"
                            ),
                            event.deep_get("GrantedAccess", default="") == "0x1410",
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    ":\\Program Files (x86)\\Dropbox\\"
                                    in event.deep_get("SourceImage", default=""),
                                    ":\\Program Files\\Dropbox\\"
                                    in event.deep_get("SourceImage", default=""),
                                ]
                            ),
                            event.deep_get("SourceImage", default="").endswith(
                                "\\DropboxUpdate.exe"
                            ),
                            event.deep_get("GrantedAccess", default="") == "0x1410",
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    ":\\Windows\\Temp\\asgard2-agent\\"
                                    in event.deep_get("SourceImage", default=""),
                                    ":\\Windows\\Temp\\asgard2-agent-sc\\"
                                    in event.deep_get("SourceImage", default=""),
                                ]
                            ),
                            any(
                                [
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\thor64.exe"
                                    ),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\thor.exe"
                                    ),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\aurora-agent-64.exe"
                                    ),
                                    event.deep_get("SourceImage", default="").endswith(
                                        "\\aurora-agent.exe"
                                    ),
                                ]
                            ),
                            event.deep_get("GrantedAccess", default="")
                            in ["0x1fffff", "0x1010", "0x101010"],
                        ]
                    ),
                    all(
                        [
                            ":\\Users\\" in event.deep_get("SourceImage", default=""),
                            "\\AppData\\Local\\Temp\\" in event.deep_get("SourceImage", default=""),
                            "\\vs_bootstrapper_" in event.deep_get("SourceImage", default=""),
                            event.deep_get("GrantedAccess", default="") == "0x1410",
                        ]
                    ),
                    all(
                        [
                            ":\\Program Files (x86)\\Google\\Temp\\"
                            in event.deep_get("SourceImage", default=""),
                            event.deep_get("SourceImage", default="").endswith(
                                ".tmp\\GoogleUpdate.exe"
                            ),
                            event.deep_get("GrantedAccess", default="") in ["0x410", "0x1410"],
                        ]
                    ),
                    all(
                        [
                            ":\\Users\\" in event.deep_get("SourceImage", default=""),
                            event.deep_get("SourceImage", default="").endswith(
                                "\\AppData\\Local\\Keybase\\keybase.exe"
                            ),
                            event.deep_get("GrantedAccess", default="") == "0x1fffff",
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Local\\Temp\\is-"
                            in event.deep_get("SourceImage", default=""),
                            event.deep_get("SourceImage", default="").endswith(
                                ".tmp\\avira_system_speedup.tmp"
                            ),
                            event.deep_get("GrantedAccess", default="") == "0x1410",
                        ]
                    ),
                    all(
                        [
                            "\\AppData\\Roaming\\ViberPC\\"
                            in event.deep_get("SourceImage", default=""),
                            event.deep_get("SourceImage", default="").endswith("\\updater.exe"),
                            event.deep_get("TargetImage", default="").endswith("\\winlogon.exe"),
                            event.deep_get("GrantedAccess", default="") == "0x1fffff",
                        ]
                    ),
                    all(
                        [
                            any(
                                [
                                    ":\\Program Files\\Common Files\\Adobe\\ARM\\"
                                    in event.deep_get("SourceImage", default=""),
                                    ":\\Program Files (x86)\\Common Files\\Adobe\\ARM\\"
                                    in event.deep_get("SourceImage", default=""),
                                ]
                            ),
                            event.deep_get("SourceImage", default="").endswith(
                                "\\AdobeARMHelper.exe"
                            ),
                            event.deep_get("GrantedAccess", default="") == "0x1410",
                        ]
                    ),
                ]
            ),
        ]
    ):
        return True
    return False
