
Adwind RAT / JRAT File Artifact

Sigma Rules

Summary
This detection rule identifies file-system artifacts associated with the Adwind Remote Access Trojan (RAT) and its JRAT variants in the AppData folder of Windows systems. It specifically matches the 'javaw.exe' executable when it appears under '\AppData\Roaming\Oracle\bin\', and VBS scripts written to subdirectories such as '\Retrive'. The detection logic matches these path patterns against the TargetFilename attribute of file events. This matters because Adwind/JRAT give an attacker unauthorized remote access to and control of compromised systems, so either path is a strong indicator of infection. Deploying this rule helps security teams identify likely infections proactively and respond effectively.
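The matching logic described above, as an added illustration that is not the rule's own Sigma YAML: the two path patterns from the summary are applied to the TargetFilename field of constructed Sysmon-style file-creation events (Event ID 11). The event dictionaries, the `scan_file_events` and `is_adwind_artifact` helper names, and the sample paths are assumptions made for this example; the only values taken from the page are the '\AppData\Roaming\Oracle\bin\javaw.exe' and '\Retrive' + '.vbs' patterns. A legitimate JRE install under Program Files is included to show that it does not fire.

```python
import re
from typing import Dict, List

# Path patterns from the rule summary. Windows paths are case-insensitive, so the
# regexes are too. Backslashes are doubled because they are regex metacharacters.
ADWIND_PATTERNS = [
    # javaw.exe dropped into the Oracle\bin folder under the user's roaming profile
    re.compile(r"\\AppData\\Roaming\\Oracle\\bin\\javaw\.exe$", re.IGNORECASE),
    # any .vbs script written under a 'Retrive' (sic) subdirectory
    re.compile(r"\\Retrive\\.*\.vbs$", re.IGNORECASE),
]


def is_adwind_artifact(target_filename: str) -> bool:
    """True if the path matches either Adwind/JRAT artifact pattern."""
    return any(p.search(target_filename) for p in ADWIND_PATTERNS)


def scan_file_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the file-creation events (Sysmon Event ID 11) whose TargetFilename matches."""
    hits = []
    for event in events:
        if event.get("EventID") != 11:          # only file-creation telemetry is relevant
            continue
        target = str(event.get("TargetFilename", ""))
        if is_adwind_artifact(target):
            hits.append(event)
    return hits


# Constructed sample telemetry (hypothetical host and user names, not real data).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # dropped Java runtime in the roaming profile: should match
        "EventID": 11,
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Oracle\bin\javaw.exe",
    },
    {   # loader script under the misspelled 'Retrive' folder: should match
        "EventID": 11,
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Retrive\update.vbs",
    },
    {   # legitimate JRE in Program Files: must not match
        "EventID": 11,
        "Image": r"C:\Users\alice\Downloads\jre-installer.exe",
        "TargetFilename": r"C:\Program Files\Java\jre1.8.0_201\bin\javaw.exe",
    },
    {   # non-script file in the suspicious folder: must not match
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Retrive\notes.txt",
    },
    {   # process-creation event, wrong event type even though the path would match
        "EventID": 1,
        "Image": r"C:\Users\alice\AppData\Roaming\Oracle\bin\javaw.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Oracle\bin\javaw.exe",
    },
]


if __name__ == "__main__":
    for hit in scan_file_events(SAMPLE_EVENTS):
        print(f"ALERT Adwind/JRAT artifact: {hit['TargetFilename']} (written by {hit['Image']})")
```

Two of the five constructed events fire. The non-matching cases are the ones a practitioner should keep in mind when tuning: a javaw.exe in Program Files is ordinary, and the Event ID check keeps the rule anchored to file writes rather than process launches.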
Categories
  • Endpoint
  • Windows
Data Sources
  • File
Created: 2017-11-10