
Summary
This detection rule identifies potentially malicious instances of the Windows Error Reporting Manager (wermgr.exe) based on the location it is executed from. Legitimate executions of wermgr.exe originate from specific system directories: C:\Windows\System32\, C:\Windows\SysWOW64\, or C:\Windows\WinSxS\. An instance of wermgr.exe running from any other location may indicate that malware is masquerading as a legitimate Windows process to evade detection. The rule uses a straightforward selection criterion: it matches when the Image path ends with \wermgr.exe and the path does not start with one of the three trusted directories. Given the high level of risk associated with such detections, any alert triggered by this rule should be investigated promptly, as it may indicate a successful infiltration by malware employing sophisticated evasion tactics.
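The selection logic described above, as an added example that is not the rule's own code: a small Python implementation of the path check run over constructed process-creation events. The `Image` field name follows the rule text; the sample events, the hypothetical WinSxS component folder name and the `scan_events` helper are assumptions made for this illustration. The check normalizes the path first, so a path like `C:\Windows\System32\..\Temp\wermgr.exe` is still flagged rather than slipping past a naive prefix test.

```python
"""Added example: the wermgr.exe execution-location check from the rule summary.

Not the detection rule's own code. Event records below are constructed sample
data, not real telemetry.
"""
import ntpath

# Directories from which wermgr.exe is expected to run, as listed in the rule.
TRUSTED_DIRS = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\WinSxS\\",
)


def is_suspicious_wermgr(image: str) -> bool:
    """Return True when the image path ends with \\wermgr.exe but does not
    start with any trusted directory.

    ntpath.normpath collapses '..' segments and converts forward slashes to
    backslashes (it works on any host OS), and the comparison is
    case-insensitive because Windows paths are.
    """
    if not image:
        return False
    norm = ntpath.normpath(image).lower()
    if not norm.endswith("\\wermgr.exe"):
        return False
    return not any(norm.startswith(d.lower()) for d in TRUSTED_DIRS)


def scan_events(events):
    """Return the process-creation events whose Image matches the rule."""
    return [e for e in events if is_suspicious_wermgr(e.get("Image", ""))]


# Constructed sample events (hypothetical paths; the WinSxS folder name is a placeholder).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\wermgr.exe"},                    # expected location
    {"Image": "c:\\windows\\syswow64\\WERMGR.EXE"},                    # expected, different case
    {"Image": "C:\\Windows\\WinSxS\\amd64_placeholder_component\\wermgr.exe"},
    {"Image": "C:\\Users\\Public\\wermgr.exe"},                        # outside trusted dirs
    {"Image": "C:\\Windows\\System32\\..\\Temp\\wermgr.exe"},          # prefix trick, normalizes away
    {"Image": "C:\\Windows\\System32\\notwermgr.exe"},                 # different file name, not a match
]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT: wermgr.exe outside trusted directories:", hit["Image"])
```

Usage: running the module prints one alert line per suspicious event; `is_suspicious_wermgr` can be called directly from an enrichment or triage script that already has the `Image` field of a process-creation event.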
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-10-14