def rule(event):
    if all(
        [
            event.deep_get("Image", default="").endswith("\\reg.exe"),
            "reg" in event.deep_get("CommandLine", default=""),
            " add " in event.deep_get("CommandLine", default=""),
            any(
                [
                    "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                    in event.deep_get("CommandLine", default=""),
                    "\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
                    in event.deep_get("CommandLine", default=""),
                    "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
                    in event.deep_get("CommandLine", default=""),
                ]
            ),
        ]
    ):
        return True
    return False
