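# Image-path suffix of the tool under its default file name.
_DEFAULT_IMAGE_SUFFIX = "\\lazagne.exe"

# Directories that are unusual launch locations for legitimate software; a
# binary running from one of these is only flagged when its command line also
# ends with a known module name (see _TRAILING_MODULE_ARGS).
_SUSPICIOUS_IMAGE_DIRS = tuple(
    fragment.lower()
    for fragment in (
        ":\\PerfLogs\\",
        ":\\ProgramData\\",
        ":\\Temp\\",
        ":\\Tmp\\",
        ":\\Users\\Public\\",
        ":\\Windows\\Temp\\",
        "\\$Recycle.bin",
        "\\AppData\\",
        "\\Desktop\\",
        "\\Downloads\\",
        "\\Favorites\\",
        "\\Links\\",
        "\\Music\\",
        "\\Photos\\",
        "\\Pictures\\",
        "\\Saved Games\\",
        "\\Searches\\",
        "\\Users\\Contacts\\",
        "\\Users\\Default\\",
        "\\Users\\Searches\\",
        "\\Videos\\",
        "\\Windows\\addins\\",
        "\\Windows\\Fonts\\",
        "\\Windows\\IME\\",
    )
)

# Command lines of the form "<something>.exe <module>" with nothing after the
# module name.
_TRAILING_MODULE_ARGS = tuple(
    f".exe {module}"
    for module in (
        "all",
        "browsers",
        "chats",
        "databases",
        "games",
        "git",
        "mails",
        "maven",
        "memory",
        "multimedia",
        "sysadmin",
        "unused",
        "wifi",
        "windows",
    )
)

# Module names appearing mid-command-line (space on both sides).
_INLINE_MODULE_ARGS = tuple(
    f" {module} "
    for module in (
        "all",
        "browsers",
        "chats",
        "databases",
        "games",
        "mails",
        "maven",
        "memory",
        "multimedia",
        "php",
        "svn",
        "sysadmin",
        "unused",
        "wifi",
    )
)

# Per-target switches; kept in their original spelling for easy comparison with
# the upstream rule and lower-cased once at import time for matching.
_TARGET_SWITCHES = tuple(
    switch.lower()
    for switch in (
        "-1Password",
        "-apachedirectorystudio",
        "-autologon",
        "-ChromiumBased",
        "-coreftp",
        "-credfiles",
        "-credman",
        "-cyberduck",
        "-dbvis",
        "-EyeCon",
        "-filezilla",
        "-filezillaserver",
        "-ftpnavigator",
        "-galconfusion",
        "-gitforwindows",
        "-hashdump",
        "-iisapppool",
        "-IISCentralCertP",
        "-kalypsomedia",
        "-keepass",
        "-keepassconfig",
        "-lsa_secrets",
        "-mavenrepositories",
        "-memory_dump",
        "-Mozilla",
        "-mRemoteNG",
        "-mscache",
        "-opensshforwindows",
        "-openvpn",
        "-outlook",
        "-pidgin",
        "-postgresql",
        "-psi-im",
        "-puttycm",
        "-pypykatz",
        "-Rclone",
        "-rdpmanager",
        "-robomongo",
        "-roguestale",
        "-skype",
        "-SQLDeveloper",
        "-squirrel",
        "-tortoise",
        "-turba",
        "-UCBrowser",
        "-unattended",
        "-vault",
        "-vaultfiles",
        "-vnc",
        "-winscp",
    )
)


def _lowered_field(event, key):
    """Return the event field *key* as a lower-cased string ("" if absent or not a string)."""
    value = event.deep_get(key, default="")
    return value.lower() if isinstance(value, str) else ""


def rule(event):
    """Flag process-creation events whose image or command line matches LaZagne usage.

    The event alerts when any one of three conditions holds:

    1. ``Image`` ends with the tool's default file name.
    2. ``Image`` lies in one of the suspicious directories AND ``CommandLine``
       ends with ``.exe <module>`` (covers a renamed binary run from a
       staging location).
    3. ``CommandLine`` contains a space-delimited module name AND one of the
       per-target switches (covers a renamed binary run from anywhere).

    Matching is case-insensitive: Windows paths are case-insensitive, so a
    case-sensitive comparison would miss the same binary written as
    ``LaZagne.exe`` or a path written as ``C:\\USERS\\PUBLIC\\``.

    Args:
        event: Log event exposing ``deep_get(key, default=...)``; the
            ``Image`` and ``CommandLine`` fields are read.

    Returns:
        True if the event matches any condition above, otherwise False.
    """
    # Read each field once instead of once per comparison.
    image = _lowered_field(event, "Image")
    command_line = _lowered_field(event, "CommandLine")

    if image.endswith(_DEFAULT_IMAGE_SUFFIX):
        return True

    # NOTE(review): conditions 2 and 3 rely on plain substring matches (e.g.
    # "\\appdata\\" plus a trailing ".exe all"), so unrelated software can
    # occasionally match; tune with allow-lists if this proves noisy.
    launched_from_suspicious_dir = any(
        fragment in image for fragment in _SUSPICIOUS_IMAGE_DIRS
    )
    if launched_from_suspicious_dir and command_line.endswith(_TRAILING_MODULE_ARGS):
        return True

    names_module = any(token in command_line for token in _INLINE_MODULE_ARGS)
    names_target = any(switch in command_line for switch in _TARGET_SWITCHES)
    return names_module and names_target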
