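def rule(event):
    """Flag writes to the NalDrv / PROCEXP152 service ImagePath registry values.

    Returns True when ``TargetObject`` is one of the two watched ``ImagePath``
    values, unless the write matches the one expected pattern: a Sysinternals
    tool image (procexp, procmon, handle) setting the value to the
    ``PROCEXP152.SYS`` driver under ``system32\\Drivers``.

    Comparisons are case-insensitive because Windows registry paths and file
    paths are case-insensitive. Matching the literal casing only would let a
    differently-cased ``TargetObject`` go undetected, and would alert on a
    legitimate tool whose path is logged in another case.

    Args:
        event: Log event exposing ``deep_get(key, default=...)`` for the
            ``TargetObject``, ``Image`` and ``Details`` fields.

    Returns:
        bool: True if the event should raise an alert, False otherwise.
    """
    watched_values = tuple(
        path.lower()
        for path in (
            "HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath",
            "HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath",
        )
    )
    expected_image_suffixes = tuple(
        suffix.lower()
        for suffix in (
            "\\procexp64.exe",
            "\\procexp.exe",
            "\\procmon64.exe",
            "\\procmon.exe",
            "\\handle.exe",
            "\\handle64.exe",
        )
    )
    expected_driver_path = "\\WINDOWS\\system32\\Drivers\\PROCEXP152.SYS".lower()

    def _lowered(field):
        # A missing, null or non-string field is treated as empty so the rule
        # returns a verdict instead of raising on a malformed event.
        value = event.deep_get(field, default="")
        return value.lower() if isinstance(value, str) else ""

    if _lowered("TargetObject") not in watched_values:
        return False

    # NOTE(review): this exclusion trusts the image file name and a substring
    # of Details only. Neither proves the writer is the genuine signed tool,
    # and the exclusion also applies to the NalDrv value. If signature or hash
    # fields are available in this log source, consider requiring them here.
    is_expected_tool = _lowered("Image").endswith(expected_image_suffixes)
    points_at_expected_driver = expected_driver_path in _lowered("Details")

    return not (is_expected_tool and points_at_expected_driver)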
