
Summary
This rule detects suspicious child processes of the Hangul Word Processor (HWP). It matches process-creation events in which the legitimate HWP executable (`Hwp.exe`) is the parent and the new process is `gbb.exe`, a parent/child pairing associated with exploitation of malicious HWP documents (for example, an exploit in a `.hwp` file causing the viewer to launch a dropped or embedded binary). The rule matters because the HWP file format has a history of exploitable vulnerabilities and has been used as a delivery vector in real attacks. It is rated high severity: a match indicates that a document exploit has very likely already executed, so it should be triaged promptly. It is most relevant in environments where HWP files are exchanged routinely, since a malicious document can pass as ordinary business correspondence. Note that the rule requires process-creation telemetry that records the parent image path (for example, Sysmon Event ID 1 or an equivalent EDR process event); a data source that logs only the child process cannot satisfy the parent/child condition.
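The parent/child condition described above, run over a handful of constructed Sysmon Event ID 1 style records. This is an added example for this page, not the rule's own implementation or a product's code; the field names (`Image`, `ParentImage`, `CommandLine`) follow Sysmon naming, and the file paths and hostnames in the sample records are constructed for illustration.

```python
"""Hwp.exe -> gbb.exe parent/child detection over constructed process-creation
events (added example, not code from the detection rule itself)."""

from typing import Dict, Iterable, List

# Constructed sample records mimicking Sysmon Event ID 1 (process create).
# Paths and hostnames are made up for the example.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # benign: user opens HWP from Explorer
        "EventID": 1, "Computer": "ws01",
        "Image": r"C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" report.hwp',
    },
    {   # suspicious: Hwp.exe spawns gbb.exe (the rule's condition)
        "EventID": 1, "Computer": "ws01",
        "Image": r"C:\Users\user\AppData\Local\Temp\gbb.exe",
        "ParentImage": r"C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe",
        "CommandLine": r"C:\Users\user\AppData\Local\Temp\gbb.exe",
    },
    {   # gbb.exe with a different parent: not a match for this rule
        "EventID": 1, "Computer": "ws02",
        "Image": r"C:\Tools\gbb.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\Tools\gbb.exe",
    },
    {   # HWP spawning something else: not a match for this rule
        "EventID": 1, "Computer": "ws02",
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe",
        "CommandLine": "notepad.exe",
    },
    {   # a non-process-create event should be ignored even if fields line up
        "EventID": 3, "Computer": "ws03",
        "Image": r"C:\Temp\gbb.exe",
        "ParentImage": r"C:\Temp\Hwp.exe",
        "CommandLine": "",
    },
]


def _image_endswith(path: object, suffix: str) -> bool:
    """Case-insensitive 'path ends with \\name.exe' check, the same shape as a
    Sigma 'endswith' condition. Requiring the backslash avoids matching
    names such as 'nothwp.exe'."""
    return isinstance(path, str) and path.lower().endswith(suffix.lower())


def matches_rule(event: Dict[str, object]) -> bool:
    """True when a process-create event shows Hwp.exe spawning gbb.exe."""
    return (
        event.get("EventID") == 1
        and _image_endswith(event.get("ParentImage"), r"\Hwp.exe")
        and _image_endswith(event.get("Image"), r"\gbb.exe")
    )


def detect(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events that satisfy the rule, preserving input order."""
    return [e for e in events if matches_rule(e)]


def summarize(events: Iterable[Dict[str, object]]) -> Dict[str, int]:
    """Count matches per host, useful for a quick triage view."""
    counts: Dict[str, int] = {}
    for hit in detect(events):
        host = str(hit.get("Computer", "unknown"))
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"[HIGH] {hit['Computer']}: {hit['ParentImage']} -> {hit['Image']}")
    print(summarize(SAMPLE_EVENTS))
```

The check deliberately keys on the parent/child pairing rather than on `gbb.exe` alone: the third and fourth records show why, since `gbb.exe` under a different parent, or `Hwp.exe` launching an unrelated program, are outside what this rule claims to detect. Tuning for a specific environment (for example, excluding a known-good path) would be added as a separate filter rather than by loosening the parent/child condition.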
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2019-10-24