
HackTool - GMER Rootkit Detector and Remover Execution

Sigma Rules

Summary
This detection rule identifies execution of the GMER rootkit detector and remover on Windows systems by monitoring process creation events. It matches on either of two conditions: a process image path that ends with '\gmer.exe', or a hash field (MD5, SHA1 or SHA256) that contains one of the known hash values for that executable, which also covers copies that have been renamed. When either condition holds, the rule raises an alert for a known tool that can be used to bypass security measures in the area of rootkit detection and removal. GMER is a legitimate utility, but attackers may run it for anti-forensic purposes or to clean up malware traces, which makes its execution worth monitoring.
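The following is an added example, not code from the rule catalogue or the Sigma project: a small evaluator for the two selection branches the summary describes (image path suffix, or a hash-field match), run over constructed Sysmon-style process creation events. The hash values are all-zero placeholders, not the rule's real MD5/SHA1/SHA256 values, and the event field names (Image, Hashes, ProcessId) follow Sysmon event ID 1 conventions.

```python
# Added example (not the rule catalogue's or the Sigma project's code): evaluate the
# two selection branches of the GMER rule against constructed Sysmon-style
# process creation events. Hash values are PLACEHOLDERS; the rule's real
# MD5/SHA1/SHA256 values are not reproduced here.

from typing import Dict, List

# Placeholder hashes in Sysmon's "ALG=VALUE" token form (constructed, all zeros).
GMER_HASHES = {
    "MD5=" + "0" * 32,
    "SHA1=" + "0" * 40,
    "SHA256=" + "0" * 64,
}


def image_matches(image: str) -> bool:
    """Sigma's |endswith is case-insensitive; the leading backslash makes sure the
    file name itself is gmer.exe, so 'notgmer.exe' does not match."""
    return image.lower().endswith("\\gmer.exe")


def hashes_match(hashes_field: str) -> bool:
    """Sysmon writes Hashes as a comma-separated list of ALG=VALUE tokens.
    Any single token matching fires the branch, so a renamed binary is still caught."""
    tokens = {tok.strip().upper() for tok in hashes_field.split(",") if tok.strip()}
    wanted = {h.upper() for h in GMER_HASHES}
    return bool(tokens & wanted)


def evaluate(event: Dict[str, str]) -> bool:
    """The rule fires when either branch matches (a Sigma list of selections is OR)."""
    return image_matches(event.get("Image", "")) or hashes_match(event.get("Hashes", ""))


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessIds of the events that trigger the rule."""
    return [ev["ProcessId"] for ev in events if evaluate(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": "C:\\Tools\\GMER.exe",
     "Hashes": "MD5=" + "a" * 32 + ",SHA256=" + "b" * 64},   # path branch, mixed case
    {"ProcessId": "1002", "Image": "C:\\Users\\Public\\svc.exe",
     "Hashes": "MD5=" + "c" * 32 + ",SHA256=" + "0" * 64},   # renamed copy, hash branch
    {"ProcessId": "1003", "Image": "C:\\Tools\\notgmer.exe",
     "Hashes": "MD5=" + "d" * 32},                           # near miss, no alert
    {"ProcessId": "1004", "Image": "C:\\Windows\\System32\\notepad.exe",
     "Hashes": "SHA256=" + "e" * 64},                        # benign, no alert
]

if __name__ == "__main__":
    print("alerting ProcessIds:", scan(SAMPLE_EVENTS))  # ['1001', '1002']
```

The near-miss event shows why the rule anchors on '\gmer.exe' rather than 'gmer.exe': a suffix check without the path separator would also fire on unrelated file names. The renamed-copy event shows the value of the hash branch, which is the reason the rule carries hash values at all.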
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-10-05