
Summary
This detection rule monitors for the loading of RstrtMgr.DLL (the Windows Restart Manager library) by processes that are uncommon loaders of it. The Restart Manager API has been used by notable ransomware families such as Conti and Cactus to enumerate and terminate processes that hold files open and would otherwise block encryption, and the same DLL has been observed in the BiBi wiper, which is designed for data destruction on Windows systems. The rule flags loads of this DLL by processes other than standard Windows binaries, since such activity can indicate process termination for anti-analysis purposes or the staging of ransomware or wiper functionality. Several filters exclude loaders running from known safe directories and common software installations (installers and updaters use the Restart Manager legitimately to ask applications to close before replacing their files), reducing false positives so that the alerts generated are of higher fidelity.
Categories
- Windows
Data Sources
- Image
Created: 2023-11-28