Windows Modify Registry Qakbot Binary Data Registry

Splunk Security Content

Summary
This detection rule identifies potentially malicious registry modifications made by the Qakbot malware, based on changes under the \SOFTWARE\Microsoft\ registry path. The detection logic focuses on system events captured by EDR agents, in particular the creation of registry entries characterized by eight-character names holding encrypted binary data. The rule combines information from several Sysmon event IDs to filter for suspicious registry writes by processes known to be associated with Qakbot. If confirmed, such activity could indicate malware attempting to persist and execute further malicious actions on the system.
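As an added example (not code from the Splunk rule itself), the following Python applies the shape of this detection to constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records: a write under \SOFTWARE\Microsoft\, an eight-character value name, and binary data. The sample events, the hex-style eight-character interpretation, and the use of Sysmon's "Binary Data" rendering for REG_BINARY values are assumptions made for the example.

```python
import re

# Constructed Sysmon Event ID 13 records, reduced to the fields the check
# needs (TargetObject = full key path + value name; Details = rendered data).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\SOFTWARE\Microsoft\Abcdefgh\1f3a9c7e",
     "Details": "Binary Data"},
    # Eight-character name but string data: a normal autorun entry, not a hit.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    # Eight-character name with DWORD data: not binary, not a hit.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ab12cd34",
     "Details": "DWORD (0x00000001)"},
    # Binary data but outside \SOFTWARE\Microsoft\: not a hit.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\SOFTWARE\Vendor\App\cafe1234",
     "Details": "Binary Data"},
]

UNDER_MS_KEY = re.compile(r"\\SOFTWARE\\Microsoft\\", re.IGNORECASE)
# Assumption: the eight-character value name is alphanumeric (hex-like).
EIGHT_CHAR_NAME = re.compile(r"^\w{8}$")


def is_qakbot_like_registry_write(event: dict) -> bool:
    """Return True when a Sysmon value-set event matches the rule's shape."""
    if event.get("EventID") != 13:          # only 'Value Set' events carry data
        return False
    path = event.get("TargetObject", "")
    if not UNDER_MS_KEY.search(path):       # must sit under \SOFTWARE\Microsoft\
        return False
    value_name = path.rsplit("\\", 1)[-1]   # last path component is the value
    if not EIGHT_CHAR_NAME.fullmatch(value_name):
        return False
    # Sysmon renders REG_BINARY values as the literal string "Binary Data".
    return event.get("Details", "").startswith("Binary Data")


def find_matches(events):
    """Filter a list of Sysmon records down to those the rule would flag."""
    return [e for e in events if is_qakbot_like_registry_write(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(hit["Image"], "->", hit["TargetObject"])
```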
Categories
  • Endpoint
  • Windows
Data Sources
  • Pod
  • Windows Registry
ATT&CK Techniques
  • T1112
Created: 2024-11-13