
Access To Crypto Currency Wallets By Uncommon Applications


Summary
This detection rule monitors file access activity against cryptocurrency wallet files by processes that are not normally associated with such access. It specifically looks for access attempts to files located in common cryptocurrency storage directories under the user's AppData folder. An uncommon application reaching for these sensitive files may indicate malicious intent, such as an attempt to steal cryptocurrency wallets. By using the Microsoft-Windows-Kernel-File ETW provider, the rule aims to catch behaviour that deviates from normal application usage patterns. The detection logic matches file paths that contain, or end with, a set of specified cryptocurrency wallet identifiers, while excluding activity that originates from well-known system and Defender processes; this exclusion reduces false positives from legitimate software that also touches the same files. The rule is currently listed as experimental, reflecting ongoing refinement before deployment in production environments.
Categories
  • Endpoint
  • Windows
  • Cloud
  • Application
Data Sources
  • File
Created: 2024-07-29