Windows App Layer Protocol Wermgr Connect To NamedPipe

Splunk Security Content

Summary
This analytic detects suspicious activity by the Windows Error Reporting Manager (wermgr.exe), specifically the process creating or connecting to named pipes, using Sysmon Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected). Normally wermgr.exe is a legitimate part of the Windows operating system used for error reporting, but malware such as Trickbot and Qakbot has abused it to execute unwanted operations and maintain persistence. The detection filters on these Event IDs and aggregates instances of the activity, which could indicate malware attempting to communicate covertly or escalate privileges within the environment. Prompt identification of this behavior is important because it indicates a high threat level and a potentially compromised system.
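The filter-and-aggregate logic the summary describes, as an added Python example that is not Splunk's own search: it assumes Sysmon-style field names (EventCode, Image, PipeName, Computer, UtcTime) and runs over a few constructed sample events.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample events, not real telemetry. Sysmon Event 17 = Pipe
# Created, Event 18 = Pipe Connected; the pipe names are made up.
SAMPLE_EVENTS = [
    {"EventCode": 17, "Computer": "WS01", "UtcTime": "2024-11-13 10:00:01",
     "Image": r"C:\Windows\System32\wermgr.exe", "PipeName": r"\constructed_pipe_a"},
    {"EventCode": 18, "Computer": "WS01", "UtcTime": "2024-11-13 10:00:02",
     "Image": r"C:\Windows\System32\wermgr.exe", "PipeName": r"\constructed_pipe_a"},
    {"EventCode": 18, "Computer": "WS01", "UtcTime": "2024-11-13 10:05:09",
     "Image": r"C:\Windows\System32\WERMGR.EXE", "PipeName": r"\constructed_pipe_a"},
    # Another process touching a pipe: not in scope for this analytic.
    {"EventCode": 17, "Computer": "WS02", "UtcTime": "2024-11-13 11:00:00",
     "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\constructed_pipe_b"},
    # wermgr.exe process-creation event (ID 1): wrong event type, ignored.
    {"EventCode": 1, "Computer": "WS01", "UtcTime": "2024-11-13 09:59:59",
     "Image": r"C:\Windows\System32\wermgr.exe", "PipeName": ""},
]

PIPE_EVENT_CODES = {17: "PipeCreated", 18: "PipeConnected"}


def is_wermgr(image: str) -> bool:
    """Match on the executable name only, case-insensitively, so a
    differently cased or relocated copy is still caught."""
    return PureWindowsPath(image).name.lower() == "wermgr.exe"


def detect_wermgr_pipes(events):
    """Keep Sysmon pipe events whose Image is wermgr.exe and aggregate them
    by host, event type and pipe name with a count and first/last seen."""
    buckets = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in events:
        code = ev.get("EventCode")
        if code not in PIPE_EVENT_CODES or not is_wermgr(ev.get("Image", "")):
            continue
        b = buckets[(ev["Computer"], PIPE_EVENT_CODES[code], ev["PipeName"])]
        t = ev["UtcTime"]
        b["count"] += 1
        b["first"] = t if b["first"] is None else min(b["first"], t)
        b["last"] = t if b["last"] is None else max(b["last"], t)
    return [
        {"Computer": c, "event": e, "PipeName": p, **v}
        for (c, e, p), v in sorted(buckets.items())
    ]
```

Each returned row is one host/event-type/pipe combination with its count and time span, which is the shape a triage analyst wants when deciding whether a wermgr.exe pipe is expected on that host.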
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1071
Created: 2024-11-13