
Summary
This detection rule identifies execution of arbitrary binaries through GUP (Generic Updater), the updater utility bundled with Notepad++ as 'gup.exe'. After applying an update, gup.exe relaunches the application by way of explorer.exe, so a signed, trusted updater ends up starting whatever it has been told to relaunch; an attacker who can influence that target can use it to pivot into running a malicious binary under the cover of trusted processes. The rule selects process-creation events where the parent image ends in '\gup.exe' and the child image ends in '\explorer.exe', then excludes the expected benign case: a command line that references Notepad++ itself (notepad++.exe). Events with no command line recorded are also excluded rather than alerted on, because without the arguments the legitimate relaunch cannot be distinguished from abuse and alerting on them would only add noise. What remains, an explorer.exe child of gup.exe whose command line points at something other than notepad++.exe, is flagged as suspicious. False positives may arise from other parent binaries that use GUP and have not yet been identified. Two caveats for tuning: the exclusion is a substring match, so a command line that merely contains the Notepad++ path is filtered regardless of what explorer.exe actually launches, and the rule only covers explorer.exe as the child, so other processes spawned directly by gup.exe fall outside its scope and need separate coverage.
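As an added illustration, not code from the rule or from the Sigma project, the selection-and-filter logic described above run in Python over a handful of constructed Sysmon-style process-creation events. The field names (ParentImage, Image, CommandLine) follow the Sigma process_creation convention, the sample paths and ids are made up, and matching on the bare substring 'notepad++.exe' is this example's simplification of the rule's filter.

```python
"""Added example: the gup.exe -> explorer.exe selection-and-filter logic
run over constructed Sysmon-style process-creation events."""

from typing import Iterable, List, Optional


def _image_name(path: Optional[str]) -> str:
    """Return the lower-cased file name component of a Windows image path."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def is_suspicious_gup_child(event: dict) -> bool:
    """Return True when the event matches 'selection and not 1 of filter*'."""
    # selection: parent ends in \gup.exe and child ends in \explorer.exe
    if _image_name(event.get("ParentImage")) != "gup.exe":
        return False
    if _image_name(event.get("Image")) != "explorer.exe":
        return False

    cmdline: Optional[str] = event.get("CommandLine")
    # filter_null: no command line recorded, so the relaunch target cannot be
    # judged; the rule leaves these alone instead of alerting on them
    if cmdline is None:
        return False
    # filter: a relaunch of Notepad++ itself is the expected, benign case
    # (substring match is this example's simplification of the rule's filter)
    if "notepad++.exe" in cmdline.lower():
        return False
    return True


def scan(events: Iterable[dict]) -> List[str]:
    """Return the ids of all events the rule would alert on."""
    return [e["id"] for e in events if is_suspicious_gup_child(e)]


# Constructed sample events (hypothetical paths, not real telemetry)
SAMPLE_EVENTS = [
    {   # benign: updater relaunching Notepad++ after an update
        "id": "evt-1",
        "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
        "Image": r"C:\Windows\explorer.exe",
        "CommandLine": r'explorer.exe "C:\Program Files\Notepad++\notepad++.exe"',
    },
    {   # suspicious: relaunch target is something other than Notepad++
        "id": "evt-2",
        "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
        "Image": r"C:\Windows\explorer.exe",
        "CommandLine": r'explorer.exe "C:\Users\Public\payload.exe"',
    },
    {   # no command line captured: excluded by the null filter
        "id": "evt-3",
        "ParentImage": r"C:\Program Files\Notepad++\updater\gup.exe",
        "Image": r"C:\Windows\explorer.exe",
        "CommandLine": None,
    },
    {   # different parent: outside the selection entirely
        "id": "evt-4",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\explorer.exe",
        "CommandLine": r'explorer.exe "C:\Users\Public\payload.exe"',
    },
    {   # gup.exe spawning a non-explorer child: a blind spot of this rule
        "id": "evt-5",
        "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden",
    },
]

if __name__ == "__main__":
    print("alerts:", scan(SAMPLE_EVENTS))  # alerts: ['evt-2']
```

Only evt-2 is reported. evt-5 is deliberately included to show that a child other than explorer.exe never enters the selection, and evt-1 shows why the filter is a substring test: any command line containing the Notepad++ path is treated as benign, whatever else it carries.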
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-06-10