Suspicious WAV file in Appdata Folder

Splunk Security Content

Summary
This detection rule identifies potentially malicious behavior linked to the Remcos Remote Access Trojan (RAT) by monitoring for the creation of .wav files within the AppData\Roaming directory of a Windows system. This detection matters because the AppData folder is often used by malware as a staging location for sensitive information or audio recordings intended for exfiltration. Using data from sources such as Sysmon and Windows Event Logs covering process creation and filesystem changes, the rule alerts on the creation of .wav files that can indicate unauthorized data collection. Pinpointing this activity helps security teams respond to and mitigate the risk of sensitive data exfiltration.
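To make the rule's condition concrete, the following added example (not the Splunk Security Content rule itself) applies the same check in Python to a handful of constructed Sysmon records: the Sysmon field names (EventID, TargetFilename, Image, User, Computer) are real, but every value, host and path below is made up for this illustration.

```python
import re
from collections import defaultdict

# Core condition of the rule: a file ending in .wav created anywhere under a user's
# AppData\Roaming tree. Windows paths are case-insensitive, so the match ignores case.
WAV_IN_ROAMING = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\.*\.wav$", re.IGNORECASE)

# Constructed Sysmon records (EventID 11 = FileCreate, EventID 1 = ProcessCreate).
# Field names follow Sysmon's schema; all values are invented for this example.
SAMPLE_EVENTS: list[dict[str, str]] = [
    {"EventID": "11", "Computer": "WKSTN-01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\MicRecords\rec_0001.wav"},
    {"EventID": "11", "Computer": "WKSTN-01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\MicRecords\rec_0002.wav"},
    {"EventID": "11", "Computer": "WKSTN-01", "User": "CORP\\alice",
     "Image": r"C:\Program Files\Audacity\audacity.exe",
     "TargetFilename": r"C:\Users\alice\Music\take1.wav"},           # outside Roaming
    {"EventID": "11", "Computer": "WKSTN-02", "User": "CORP\\bob",
     "Image": r"C:\Windows\notepad.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\notes.txt"},   # not .wav
    {"EventID": "11", "Computer": "WKSTN-02", "User": "CORP\\bob",
     "Image": r"C:\Users\bob\AppData\Local\Temp\audio.exe",
     "TargetFilename": r"C:\Users\Bob\APPDATA\ROAMING\Audio\clip.WAV"},  # mixed case
    {"EventID": "11", "Computer": "WKSTN-02", "User": "CORP\\bob",
     "Image": r"C:\Users\bob\AppData\Local\Temp\audio.exe",
     "TargetFilename": r"C:\Users\bob\AppData\LocalLow\clip.wav"},   # LocalLow, not Roaming
    {"EventID": "1", "Computer": "WKSTN-02", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy C:\Users\bob\AppData\Roaming\x.wav \\share\drop"},  # not a FileCreate
]

def is_suspicious_wav_create(event: dict[str, str]) -> bool:
    """True only for a FileCreate event whose target is a .wav under AppData\\Roaming."""
    if event.get("EventID") != "11":
        return False
    return WAV_IN_ROAMING.match(event.get("TargetFilename", "")) is not None

def detect(events: list[dict[str, str]]) -> list[dict[str, object]]:
    """Group hits by host, user and writing process so a burst of recordings yields one alert."""
    groups: dict[tuple, list[str]] = defaultdict(list)
    for ev in events:
        if is_suspicious_wav_create(ev):
            key = (ev.get("Computer", ""), ev.get("User", ""), ev.get("Image", ""))
            groups[key].append(ev["TargetFilename"])
    return [{"Computer": c, "User": u, "Image": i, "count": len(f), "files": f}
            for (c, u, i), f in groups.items()]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts: two recordings written by the same process under alice's profile, and one mixed-case hit under bob's, while the Music, .txt, LocalLow and ProcessCreate records are ignored.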
Categories
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1113
Created: 2024-11-13