Suspicious GUP Usage

Sigma Rules

Summary
This detection rule identifies potentially malicious execution of the GUP (Get Notepad++ Updater) executable when it is launched from a suspicious directory. GUP is normally located in the Notepad++ updater directory under Program Files, but threat actors may abuse it for DLL side-loading by copying it to, and executing it from, a user-writable directory such as AppData. The rule's filter conditions separate legitimate GUP activity from executions that are likely meant to disguise malicious behaviour: if GUP.exe runs from a path outside its standard Program Files locations, that is a strong indicator of potential misuse in an attack. The rule is particularly relevant for organizations that use Notepad++ in environments where the software may be targeted by attackers using this tactic, and so provides a useful defensive layer against this attack vector.
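As an added example (not part of this rule page or the Sigma project's own code), the following Python applies the rule's logic to constructed process-creation events: flag any process whose image is GUP.exe unless its directory is one of the standard Notepad++ updater locations. The allow-listed directories and the sample paths are assumptions; note that the rule keys on the file name, so a renamed copy of the binary would not match.

```python
import ntpath

# Directories from which the Notepad++ updater legitimately runs (assumed
# standard install paths; adjust to your environment's allow-list).
LEGIT_UPDATER_DIRS = (
    "c:\\program files\\notepad++\\updater",
    "c:\\program files (x86)\\notepad++\\updater",
)

# Constructed sample process-creation events, shaped like the Image field of
# a Sysmon EventID 1 / Windows 4688 record. These are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Notepad++\updater\GUP.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\Update\GUP.exe"},
    {"EventID": 1, "Image": r"C:/Users/alice/Downloads/gup.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\notepad++\updater\GUP.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]


def normalize(path: str) -> str:
    """Lower-case the path and use backslashes so the directory comparison is
    not bypassed by case or slash-direction differences in how it was logged."""
    return path.replace("/", "\\").lower()


def is_suspicious_gup(event: dict) -> bool:
    """Apply the rule: the image is GUP.exe but its directory is not one of
    the standard Notepad++ updater locations (exact directory match, so a
    look-alike 'notepad++\\updater' folder under Temp is still flagged)."""
    directory, name = ntpath.split(normalize(event.get("Image", "")))
    if name != "gup.exe":
        return False  # not the updater binary at all
    return directory not in LEGIT_UPDATER_DIRS


def run_detection(events):
    """Return the Image paths of the events that match the rule."""
    return [e["Image"] for e in events if is_suspicious_gup(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT suspicious GUP execution:", hit)
```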
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2019-02-06