IcedID Exfiltrated Archived File Creation

Splunk Security Content

Summary
This analytic rule detects the creation of suspicious archive files named 'passff.tar' and 'cookie.tar', which indicate the presence of IcedID malware on a compromised machine. These files are typically a sign of exfiltrated browser data, such as user history and cookies, meaning sensitive personal information has likely been stolen. The detection uses Sysmon EventCode 11 (FileCreate) to track the creation of these files, with the aim of identifying potential data breaches and the exfiltration of personal data. The analytic highlights the importance of recognizing these artifacts, since they are associated with further exploitation, including phishing attacks and an expanded threat actor presence. The rule requires Sysmon logs to be ingested and is intended for proactive threat hunting in endpoint environments.
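As an added illustration of the detection logic (this is not the rule's own Splunk search), the following Python checks Sysmon EventCode 11 records for the two archive names named above. The records are constructed sample data, and matching the file name case-insensitively is an assumption made here because NTFS paths are case-insensitive.

```python
import re

# Archive names the rule treats as IcedID exfiltration artifacts (from the rule summary).
SUSPICIOUS_ARCHIVES = {"passff.tar", "cookie.tar"}

# Constructed sample Sysmon records in a flattened field form; not real telemetry.
# EventCode 11 is Sysmon FileCreate. The EventCode 1 record is a decoy that must be ignored.
SAMPLE_EVENTS = [
    {"EventCode": 11, "Computer": "WS01",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\passff.tar"},
    {"EventCode": 11, "Computer": "WS01",
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "TargetFilename": r"C:\Users\alice\Documents\backup.tar"},
    {"EventCode": 1, "Computer": "WS02",
     "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\bob\cookie.tar"},
    {"EventCode": 11, "Computer": "WS02",
     "Image": r"C:\Users\bob\AppData\Roaming\upd.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\COOKIE.TAR"},
]


def basename(path):
    """Return the final path component, accepting either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_suspicious_archive_creation(event):
    """True only for a Sysmon FileCreate event whose file name is one of the IcedID artifacts."""
    if event.get("EventCode") != 11:
        return False
    # Case-insensitive compare: an assumption, since NTFS file names are case-insensitive.
    return basename(event.get("TargetFilename", "")).lower() in SUSPICIOUS_ARCHIVES


def find_icedid_archive_creations(events):
    """Return one hit per matching event with the fields an analyst would pivot on."""
    return [
        {"host": ev.get("Computer"), "process": ev.get("Image"), "file": ev.get("TargetFilename")}
        for ev in events
        if is_suspicious_archive_creation(ev)
    ]


if __name__ == "__main__":
    for hit in find_icedid_archive_creations(SAMPLE_EVENTS):
        print(hit)
```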
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • File
ATT&CK Techniques
  • T1560.001
  • T1560
Created: 2024-11-13