
Summary
This detection rule targets the creation of .crmlog files in the Windows Registration directory, a known behavior associated with Snake malware. The analytic uses Sysmon Event ID 11 to identify file creation events, particularly those whose file name conforms to the pattern <RANDOM_GUID>.<RANDOM_GUID>.crmlog, which indicates potential malware activity. The detection relies on Splunk's Endpoint.Filesystem data model, so file events from endpoints must be properly ingested into that model. If such files are detected, it signifies possible Snake malware presence, which could lead to data exfiltration and system compromise. Immediate investigation is crucial upon detection.
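As an added example (not the rule's own SPL or any Splunk code), the following Python applies the same file-name logic to Sysmon Event ID 11 records shaped like Endpoint.Filesystem fields; the field names used, and the GUID values and hostnames in the sample events, are assumptions constructed for this example.

```python
import re

# One GUID: 8-4-4-4-12 hex digits, optionally wrapped in braces.
_GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"

# <drive>:\Windows\Registration\<GUID>.<GUID>.crmlog, matched case-insensitively
# because NTFS paths are case-insensitive and Sysmon may log either case.
_CRMLOG_PATH = re.compile(
    rf"^[a-z]:\\windows\\registration\\{_GUID}\.{_GUID}\.crmlog$", re.IGNORECASE
)


def is_registration_crmlog(file_path: str) -> bool:
    """True when file_path is <GUID>.<GUID>.crmlog inside \\Windows\\Registration."""
    return bool(_CRMLOG_PATH.match(file_path.strip()))


def detect_crmlog_creations(events: list[dict]) -> list[dict]:
    """Return the Sysmon Event ID 11 (FileCreate) records whose path matches.

    Other event types and .crmlog files outside \\Windows\\Registration are ignored.
    A hit is a triage lead (which process wrote the file, on which host), not proof
    of compromise on its own; review hits against the environment's known-good baseline.
    """
    return [
        e for e in events
        if int(e.get("EventCode", 0)) == 11
        and is_registration_crmlog(e.get("file_path", ""))
    ]


# Constructed sample events (assumed field names; GUIDs and hostnames are made up).
SAMPLE_EVENTS = [
    {"EventCode": 11, "dest": "ws01", "process_name": "dllhost.exe",
     "file_path": r"C:\Windows\Registration\{5a9c2b11-3f44-4e0a-9d2c-7b1e8f0a6c33}"
                  r".{0c1d2e3f-4a5b-4c6d-8e9f-0a1b2c3d4e5f}.crmlog"},
    # .crmlog extension but wrong directory: not flagged
    {"EventCode": 11, "dest": "ws02", "process_name": "explorer.exe",
     "file_path": r"C:\Users\alice\Documents\notes.crmlog"},
    # right directory, file name is not <GUID>.<GUID>.crmlog: not flagged
    {"EventCode": 11, "dest": "ws03", "process_name": "svchost.exe",
     "file_path": r"c:\windows\registration\R000000000001.clb"},
    # matching path but a FileDelete (Event ID 23), not a FileCreate: not flagged
    {"EventCode": 23, "dest": "ws01", "process_name": "dllhost.exe",
     "file_path": r"C:\Windows\Registration\{5a9c2b11-3f44-4e0a-9d2c-7b1e8f0a6c33}"
                  r".{0c1d2e3f-4a5b-4c6d-8e9f-0a1b2c3d4e5f}.crmlog"},
]

if __name__ == "__main__":
    for hit in detect_crmlog_creations(SAMPLE_EVENTS):
        print(f"{hit['dest']}: {hit['process_name']} created {hit['file_path']}")
```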
Categories
- Endpoint
- Windows
Data Sources
- Process
- File
- Windows Registry
ATT&CK Techniques
- T1027
Created: 2024-11-13