File Encryption/Decryption Via Gpg4win From Suspicious Locations

Sigma Rules

Summary
This detection rule identifies the use of Gpg4win, a suite of encryption and signing tools, to encrypt or decrypt files located in potentially suspicious directories. It evaluates Windows process creation logs for invocations of the Gpg4win executables (`gpg.exe`, `gpg2.exe`) whose command-line parameters show them operating on files in sensitive or commonly abused paths such as `C:\PerfLogs\`, `C:\Temp\`, `C:\Users\Public\` and the Windows temporary directories. The command line must additionally include a passphrase parameter, which makes it likely that encrypted data is being handled in a potentially malicious context. The goal is to detect unauthorized use of encryption tools that threat actors could leverage to hide malicious activity, such as data exfiltration or obfuscation of files.
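The selection logic described above, as an added example run over constructed process-creation events; this is not the Sigma rule itself or code from its authors. It assumes the passphrase selector is a substring match on GnuPG's `--passphrase` option (which also covers `--passphrase-fd` and `--passphrase-file`) and that the Windows temporary directories mean `C:\Windows\Temp\` and the per-user `AppData\Local\Temp\`.

```python
# Added example: evaluate the rule's three selectors (image name, suspicious
# path, passphrase parameter) against Sysmon-style process-creation events.
from typing import Iterable

GPG_IMAGES = ("\\gpg.exe", "\\gpg2.exe")

# Paths named in the rule summary; the two temp entries are an assumption
# about what "Windows temporary directories" covers.
SUSPICIOUS_PATHS = (
    "C:\\PerfLogs\\",
    "C:\\Temp\\",
    "C:\\Users\\Public\\",
    "C:\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",
)

# Assumption: substring match on GnuPG's option name, so --passphrase-fd and
# --passphrase-file are caught as well.
PASSPHRASE_MARKER = "--passphrase"


def matches_rule(event: dict) -> bool:
    """True when a single process-creation event satisfies all selectors."""
    image = event.get("Image", "").lower()
    cmd_lc = event.get("CommandLine", "").lower()
    if not image.endswith(GPG_IMAGES):
        return False
    if PASSPHRASE_MARKER not in cmd_lc:
        return False
    return any(p.lower() in cmd_lc for p in SUSPICIOUS_PATHS)


def scan(events: Iterable[dict]) -> list:
    """Return the subset of events that trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe",
     "CommandLine": "gpg.exe --batch --yes --passphrase secret -c C:\\Users\\Public\\report.xlsx"},
    {"Image": "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe",
     "CommandLine": "gpg.exe --batch --yes --passphrase secret -c C:\\Users\\alice\\Documents\\report.xlsx"},
    {"Image": "C:\\Program Files (x86)\\GnuPG\\bin\\gpg2.exe",
     "CommandLine": "gpg2.exe --batch --passphrase-fd 0 --decrypt C:\\Windows\\Temp\\blob.gpg"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo --passphrase C:\\Temp\\x"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

The second event misses only on the path selector and the fourth only on the image selector, which is the kind of pair worth keeping as regression cases when tuning the rule.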
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-11-30