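# File names of Sysinternals tools that this rule watches for. The spelling
# is kept as the tools are listed; matching is done case-insensitively (see
# _SYSINTERNALS_IMAGE_SUFFIXES), because Windows paths are case-insensitive
# and a log source may report "PSEXEC.EXE" or "psexec.exe".
_SYSINTERNALS_TOOL_NAMES = (
    "accesschk.exe",
    "accesschk64.exe",
    "AccessEnum.exe",
    "ADExplorer.exe",
    "ADExplorer64.exe",
    "ADInsight.exe",
    "ADInsight64.exe",
    "adrestore.exe",
    "adrestore64.exe",
    "Autologon.exe",
    "Autologon64.exe",
    "Autoruns.exe",
    "Autoruns64.exe",
    "autorunsc.exe",
    "autorunsc64.exe",
    "Bginfo.exe",
    "Bginfo64.exe",
    "Cacheset.exe",
    "Cacheset64.exe",
    "Clockres.exe",
    "Clockres64.exe",
    "Contig.exe",
    "Contig64.exe",
    "Coreinfo.exe",
    "Coreinfo64.exe",
    "CPUSTRES.EXE",
    "CPUSTRES64.EXE",
    "ctrl2cap.exe",
    "Dbgview.exe",
    "dbgview64.exe",
    "Desktops.exe",
    "Desktops64.exe",
    "disk2vhd.exe",
    "disk2vhd64.exe",
    "diskext.exe",
    "diskext64.exe",
    "Diskmon.exe",
    "Diskmon64.exe",
    "DiskView.exe",
    "DiskView64.exe",
    "du.exe",
    "du64.exe",
    "efsdump.exe",
    "FindLinks.exe",
    "FindLinks64.exe",
    "handle.exe",
    "handle64.exe",
    "hex2dec.exe",
    "hex2dec64.exe",
    "junction.exe",
    "junction64.exe",
    "ldmdump.exe",
    "listdlls.exe",
    "listdlls64.exe",
    "livekd.exe",
    "livekd64.exe",
    "loadOrd.exe",
    "loadOrd64.exe",
    "loadOrdC.exe",
    "loadOrdC64.exe",
    "logonsessions.exe",
    "logonsessions64.exe",
    "movefile.exe",
    "movefile64.exe",
    "notmyfault.exe",
    "notmyfault64.exe",
    "notmyfaultc.exe",
    "notmyfaultc64.exe",
    "ntfsinfo.exe",
    "ntfsinfo64.exe",
    "pendmoves.exe",
    "pendmoves64.exe",
    "pipelist.exe",
    "pipelist64.exe",
    "portmon.exe",
    "procdump.exe",
    "procdump64.exe",
    "procexp.exe",
    "procexp64.exe",
    "Procmon.exe",
    "Procmon64.exe",
    "psExec.exe",
    "psExec64.exe",
    "psfile.exe",
    "psfile64.exe",
    "psGetsid.exe",
    "psGetsid64.exe",
    "psInfo.exe",
    "psInfo64.exe",
    "pskill.exe",
    "pskill64.exe",
    "pslist.exe",
    "pslist64.exe",
    "psLoggedon.exe",
    "psLoggedon64.exe",
    "psloglist.exe",
    "psloglist64.exe",
    "pspasswd.exe",
    "pspasswd64.exe",
    "psping.exe",
    "psping64.exe",
    "psService.exe",
    "psService64.exe",
    "psshutdown.exe",
    "psshutdown64.exe",
    "pssuspend.exe",
    "pssuspend64.exe",
    "RAMMap.exe",
    "RAMMap64.exe",
    "RDCMan.exe",
    "RegDelNull.exe",
    "RegDelNull64.exe",
    "regjump.exe",
    "ru.exe",
    "ru64.exe",
    "sdelete.exe",
    "sdelete64.exe",
    "ShareEnum.exe",
    "ShareEnum64.exe",
    "shellRunas.exe",
    "sigcheck.exe",
    "sigcheck64.exe",
    "streams.exe",
    "streams64.exe",
    "strings.exe",
    "strings64.exe",
    "sync.exe",
    "sync64.exe",
    "Sysmon.exe",
    "Sysmon64.exe",
    "tcpvcon.exe",
    "tcpvcon64.exe",
    "tcpview.exe",
    "tcpview64.exe",
    "Testlimit.exe",
    "Testlimit64.exe",
    "vmmap.exe",
    "vmmap64.exe",
    "Volumeid.exe",
    "Volumeid64.exe",
    "whois.exe",
    "whois64.exe",
    "Winobj.exe",
    "Winobj64.exe",
    "ZoomIt.exe",
    "ZoomIt64.exe",
)

# The "64a" builds of the same tools (presumably the ARM64 variants; confirm
# against the upstream rule this list was derived from).
_SYSINTERNALS_64A_TOOL_NAMES = (
    "accesschk64a.exe",
    "ADExplorer64a.exe",
    "ADInsight64a.exe",
    "adrestore64a.exe",
    "Autologon64a.exe",
    "Autoruns64a.exe",
    "autorunsc64a.exe",
    "Clockres64a.exe",
    "Contig64a.exe",
    "Coreinfo64a.exe",
    "Dbgview64a.exe",
    "disk2vhd64a.exe",
    "diskext64a.exe",
    "DiskView64a.exe",
    "du64a.exe",
    "FindLinks64a.exe",
    "handle64a.exe",
    "hex2dec64a.exe",
    "junction64a.exe",
    "LoadOrd64a.exe",
    "LoadOrdC64a.exe",
    "logonsessions64a.exe",
    "movefile64a.exe",
    "notmyfault64a.exe",
    "notmyfaultc64a.exe",
    "pendmoves64a.exe",
    "pipelist64a.exe",
    "procdump64a.exe",
    "procexp64a.exe",
    "Procmon64a.exe",
    "PsExec64a.exe",
    "psfile64a.exe",
    "PsGetsid64a.exe",
    "PsInfo64a.exe",
    "pskill64a.exe",
    "psloglist64a.exe",
    "pspasswd64a.exe",
    "psping64a.exe",
    "PsService64a.exe",
    "pssuspend64a.exe",
    "RAMMap64a.exe",
    "RegDelNull64a.exe",
    "ru64a.exe",
    "sdelete64a.exe",
    "sigcheck64a.exe",
    "streams64a.exe",
    "strings64a.exe",
    "sync64a.exe",
    "Sysmon64a.exe",
    "tcpvcon64a.exe",
    "tcpview64a.exe",
    "vmmap64a.exe",
    "whois64a.exe",
    "Winobj64a.exe",
    "ZoomIt64a.exe",
)

# Lower-cased "\name.exe" suffixes, built once at import time. The leading
# backslash anchors the match on a whole file name, so "\notdu.exe" does not
# match "\du.exe". str.endswith() accepts a tuple, which replaces ~200
# separate deep_get() calls per event with one lookup.
_SYSINTERNALS_IMAGE_SUFFIXES = tuple(
    "\\" + name.lower()
    for name in _SYSINTERNALS_TOOL_NAMES + _SYSINTERNALS_64A_TOOL_NAMES
)

# Company values accepted as genuine Sysinternals metadata (exact match).
_TRUSTED_COMPANIES = ("Sysinternals - www.sysinternals.com", "Sysinternals")


def rule(event):
    """Flag a process whose file name is a Sysinternals tool name but whose
    Company/Product metadata does not identify it as Sysinternals.

    Args:
        event: A log event exposing ``deep_get(key, default=...)``. The
            fields read are ``Image``, ``Company`` and ``Product``
            (presumably Sysmon-style process-creation fields; confirm
            against the log source this rule is attached to).

    Returns:
        True when ``Image`` ends with one of the listed tool file names
        (compared case-insensitively) AND both ``Company`` and ``Product``
        are non-empty AND neither marks the binary as Sysinternals.
        False otherwise.

    Detection notes:
        * ``Company`` and ``Product`` are taken from the event as reported;
          nothing here verifies a code signature or file hash. A False
          result is therefore not evidence that the binary is genuine;
          corroborate with signature or hash data where available.
        * Events with an empty or missing ``Company`` or ``Product`` are
          suppressed on purpose, so binaries without version metadata are
          outside this rule's coverage.
        * Several listed names are short and generic (``du.exe``,
          ``ru.exe``, ``sync.exe``, ``strings.exe``, ``whois.exe``,
          ``handle.exe``); same-named tools from other vendors will match
          and need tuning or triage.
    """
    # ``or ""`` guards against an explicit null reaching us, which would
    # otherwise raise on .lower(). Lower-casing makes the suffix comparison
    # case-insensitive, matching Windows path semantics.
    image = (event.deep_get("Image", default="") or "").lower()
    if not image.endswith(_SYSINTERNALS_IMAGE_SUFFIXES):
        return False

    company = event.deep_get("Company", default="") or ""
    product = event.deep_get("Product", default="") or ""

    # Filter 1: no metadata to judge by, so stay silent rather than alert
    # on every binary lacking version information.
    if company == "" or product == "":
        return False

    # Filter 2: metadata claims Sysinternals, so treat it as the real tool.
    if company in _TRUSTED_COMPANIES or product.startswith("Sysinternals"):
        return False

    return True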
