{"id":65000,"date":"2026-05-20T11:12:37","date_gmt":"2026-05-20T09:12:37","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=65000"},"modified":"2026-05-20T11:12:42","modified_gmt":"2026-05-20T09:12:42","slug":"commieloader-leveraging-sumatra-pdf-for-dll-forwardsideloading","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/commieloader-leveraging-sumatra-pdf-for-dll-forwardsideloading\/","title":{"rendered":"CommieLoader: Leveraging SUMATRA PDF for DLL ForwardSideloading"},"content":{"rendered":"<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Key_Findings\"><\/span>Key Findings<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul
class=\"wp-block-list\">\n<li>During an Incident Response engagement, the SECUINFRA Falcon Team identified an interesting malware sample codenamed \u201cCommieLoader\u201d, which was masquerading as a job application.<\/li>\n\n\n\n<li>CommieLoader delivered a Cobalt Strike Beacon, which was used for Command &amp; Control communication by the threat actor.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Overview\"><\/span>Overview<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Our client received a ZIP archive via email containing three files. This archive contained previously unknown malware, which we have named \u201cCommieLoader\u201d based on certain artifacts, and which ultimately led to data exfiltration. In the following, we examine the complete attack chain of this malware.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Timeline\"><\/span>Timeline<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The initial infection occurred in the user\u2019s download directory.
By executing the legitimate Sumatra Installer, which was contained in the ZIP archive, the malicious dbgcore.dll in the same directory was loaded using DLL forward sideloading, and malicious routines were executed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Below, we will take a closer look at the malicious file dbgcore.dll.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Analysis_of_the_malware\"><\/span>Analysis of the malware<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">dbgcore.dll: a9121e70c39de2c10e6790da4aa3a22079242a201da2c1aeeb4ed65070e68e93<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SumatraPDF installer (\u201cVersion_Application_2.0_202566_Application_Number_0234521870_Date_0000000200.exe\u201d):<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">cb1d73323d3d80004ada185844b0d461abd9ded736d5dc690607f935b4f2b58a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Settings.txt:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">b9fac5fd68f333b9459fa4b0111da8fba64a20022df8ea8595eae6a2fc4b9d9d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">During our investigations, we found a ZIP archive on one of our customers\u2019 systems claiming to contain job application documents, which instead contained an installer for the SumatraPDF viewer, a text file named \u201cSettings.txt,\u201d and a dynamic-link library (DLL) named \u201cdbgcore.dll.\u201d The installer turned out to be a legitimate PE file that carries a signature from Krzysztof Kowalczyk (the developer of SumatraPDF) and whose hash matches that of the official SumatraPDF version 3.3.3 installer, which is why our focus initially fell on dbgcore.dll.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If it were legitimate, dbgcore.dll would be a Microsoft system file providing functions for memory dumping and debugging as part of the Debugging Tools For Windows package.
However, as a system file it normally resides in the system32 directory, not in a user\u2019s document folder. Our DLL was also signed with two invalid certificates, which are shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"812\" height=\"964\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb1-1.png\" alt=\"\" class=\"wp-image-65004\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb1-1.png 812w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb1-1-674x800.png 674w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb1-1-768x912.png 768w\" sizes=\"(max-width: 812px) 100vw, 812px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"812\" height=\"964\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb2-1.png\" alt=\"\" class=\"wp-image-65005\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb2-1.png 812w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb2-1-674x800.png 674w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb2-1-768x912.png 768w\" sizes=\"(max-width: 812px) 100vw, 812px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figures 1 &amp; 2: Invalid certificates from \u201cESET, spol. s.r.o.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Looking at the import table of the Sumatra Installer, which lists the DLLs and the specific functions required by the executable, it is noticeable that dbgcore.dll isn\u2019t listed as one of the needed DLLs.
<strong>As people don\u2019t usually add DLLs and send them around for no reason, the next step is to look into how the execution of the Sumatra Installer (the so-called \u201capplication\u201d) could lead to the execution of the potentially malicious dbgcore.dll.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"400\" height=\"348\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb3-1.png\" alt=\"\" class=\"wp-image-65006\"\/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 3: Imported DLLs of the Sumatra Installer<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Opening the installer in a disassembler reveals an attempt to load the debug help library \u201cdbghelp.dll\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1276\" height=\"582\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb4-1.png\" alt=\"\" class=\"wp-image-65007\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb4-1.png 1276w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb4-1-800x365.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb4-1-768x350.png 768w\" sizes=\"(max-width: 1276px) 100vw, 1276px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 4: Importing the legitimate dbghelp.dll<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At first glance, the installer appears to load dbghelp.dll as expected: the absolute path of the DLL is constructed using PathAppendW() from the return value of GetSystemDirectoryW() and \u201cdbghelp.dll\u201d, and only then is the DLL loaded using LoadLibraryW().<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, if we look at what the handle of the loaded DLL is used for, we see a call to GetProcAddress() with MiniDumpWriteDump as the second parameter:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\"
width=\"1372\" height=\"258\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb5-1.png\" alt=\"\" class=\"wp-image-65008\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb5-1.png 1372w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb5-1-800x150.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb5-1-768x144.png 768w\" sizes=\"(max-width: 1372px) 100vw, 1372px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 5: Resolving the address to MiniDumpWriteDump<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If we now take a look at the export table of dbghelp.dll, we see that the MiniDumpWriteDump function is forwarded to \u201cdbgcore.dll\u201d:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1582\" height=\"44\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb6-1.png\" alt=\"\" class=\"wp-image-65009\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb6-1.png 1582w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb6-1-800x22.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb6-1-768x21.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb6-1-1536x43.png 1536w\" sizes=\"(max-width: 1582px) 100vw, 1582px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 6: MiniDumpWriteDump as a forwarded function implemented in dbgcore.dll<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To determine how the entry point of dbgcore.dll is called, we put a legitimate dbgcore.dll in a folder with the Sumatra Installer and opened the installer in a debugger. 
We set a breakpoint on GetProcAddress() and, after single-stepping for a while, we observed that LdrpCallInitRoutine() is called with the entry point of the DLL to be invoked.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"224\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb7-2-1600x224.png\" alt=\"\" class=\"wp-image-65011\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb7-2-1600x224.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb7-2-800x112.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb7-2-768x108.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb7-2-1536x215.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb7-2.png 1798w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 7: Call stack from GetProcAddress to LdrpCallInitRoutine<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As can be seen in the screenshot, LdrpCallInitRoutine() is called here with the address of the entry point in the RCX register (first parameter).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"445\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb8-1-1600x445.png\" alt=\"\" class=\"wp-image-65012\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb8-1-1600x445.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb8-1-800x222.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb8-1-768x213.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb8-1-1536x427.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb8-1-2048x569.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 8: Call to LdrpCallInitRoutine with the entry point of dbgcore.dll in 
the RCX register (first parameter in __fastcall)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This confirms our suspicion that the malicious code is located at the entry point of the malicious dbgcore.dll. Unlike classical DLL search order hijacking, the loading of the malicious DLL is triggered by an export forward in another, legitimate DLL, in our case dbghelp.dll.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Exports<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If we take a look at the export table of our DLL, we see that the dbgcore.dll file in question exports a total of 38 functions. <a href=\"https:\/\/strontic.github.io\/xcyclopedia\/library\/dbgcore.dll-4A77035E26FA131A2F639CEA80E89773.html\" dpc-external=\"true\" target=\"_blank\" rel=\"nofollow\">The legitimate dbgcore.dll<\/a> from Microsoft exports only two functions (MiniDumpReadDumpStream and MiniDumpWriteDump). Additionally, current versions of the DLL provided by Microsoft are usually signed, which is not the case with our dbgcore.dll sample. The following exported functions from our dbgcore.dll sample stand out in particular:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ladeComm<br>antifa<br>kommEncoding<br>helloFriendssscommIsCom<br>stalin<br>SW3_HashSyscall<br>SC_Address<br>GetStalinNumber<br>GetStalin<br>AAAWriteaaaaaVirtualComm<br>ResumeComm<br>ProtectComm<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We note that the two original dbgcore.dll functions, MiniDumpWriteDump and MiniDumpReadDumpStream, are not included in our sample. Instead, there are references to \u201cstalin,\u201d \u201cGetStalinNumber,\u201d and \u201cSW3_HashSyscall,\u201d which are rather unusual references for a DLL.
We therefore conclude that this is a malicious DLL with no connections to the legitimate dbgcore.dll from Microsoft.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Deep Dive<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">When we open dbgcore.dll in a disassembler and jump to the main function (DllMain), we see the following:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1198\" height=\"506\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb9-1.png\" alt=\"\" class=\"wp-image-65013\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb9-1.png 1198w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb9-1-800x338.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb9-1-768x324.png 768w\" sizes=\"(max-width: 1198px) 100vw, 1198px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 9: DllMain<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The malicious payload in the mw_Entrypoint() function is therefore only executed if the DLL is loaded using LoadLibrary() or a similar API, which sets fdwReason to DLL_PROCESS_ATTACH.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In the mw_Entrypoint() function, we can get a rough overview of the payload.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1498\" height=\"1600\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb10-1-1498x1600.png\" alt=\"\" class=\"wp-image-65014\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb10-1-1498x1600.png 1498w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb10-1-749x800.png 749w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb10-1-768x820.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb10-1-1438x1536.png 1438w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb10-1.png 1708w\" sizes=\"(max-width: 1498px) 100vw, 1498px\" \/><\/figure>\n\n\n\n<p 
class=\"wp-block-paragraph\">Figure 10: Entry point of the DLL (malicious code)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here, we can see three function calls that check whether the program is running within a sandbox or analysis environment, followed by two additional function calls that determine whether the malicious code is to be executed or not.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Anti-Sandbox Mechanisms<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The first function, mw_ramCheck(), checks the memory size. Only if more than ~4.19 GB of RAM is installed on the system is execution returned to the caller. Otherwise, tooLittleRam() is called, which stops the program. One scenario that would terminate the payload is therefore execution in a sandbox or virtual machine with less than 4 GB of RAM.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1070\" height=\"518\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb11-1.png\" alt=\"\" class=\"wp-image-65015\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb11-1.png 1070w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb11-1-800x387.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb11-1-768x372.png 768w\" sizes=\"(max-width: 1070px) 100vw, 1070px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 11: Sandbox check via query of physical RAM<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The next function, mw_detectResolution(), checks whether the position of the lower-right pixel of the desktop window is greater than 1023. If this is not the case, the program assumes that it is running in a controlled environment, as such environments often use resolutions below 1280&#215;1024 pixels, and terminates.
Otherwise, control is returned to the caller.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1240\" height=\"534\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb12-1.png\" alt=\"\" class=\"wp-image-65016\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb12-1.png 1240w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb12-1-800x345.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb12-1-768x331.png 768w\" sizes=\"(max-width: 1240px) 100vw, 1240px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 12: Sandbox check via a query of the desktop\u2019s screen resolution<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The third sandbox check, mw_cpuCount(), terminates the program if the number of processor cores on the system is less than 2.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1232\" height=\"318\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb13-1.png\" alt=\"\" class=\"wp-image-65017\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb13-1.png 1232w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb13-1-800x206.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb13-1-768x198.png 768w\" sizes=\"(max-width: 1232px) 100vw, 1232px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 13: Sandbox check via query of the number of processor cores<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The fourth sandbox check, mw_timeDetect(), verifies whether the Sleep API is being hooked. Some sandboxes, analysis tools, or Endpoint Detection and Response solutions use this trick to shorten wait times. First, GetTickCount() is called, followed by a call to Sleep() to suspend execution for one second. Then GetTickCount() is called again, and the difference between the second tick count and the initial tick count is compared to 0.9 seconds. 
If the result is less than 0.9 seconds, the program assumes the Sleep function is hooked and returns the value 1, causing the program to terminate.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"382\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb14-1.png\" alt=\"\" class=\"wp-image-65018\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb14-1.png 882w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb14-1-800x346.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb14-1-768x333.png 768w\" sizes=\"(max-width: 882px) 100vw, 882px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 14: Time check to see if Sleep is hooked<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The final sandbox check, mw_hostnameCheck(), is more straightforward, as it solely compares the hostname against the names of popular sandboxes. Only if no match is found is 0 returned and the execution of the actual malicious code begins &#8211; provided no flags were raised during the previous checks.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1386\" height=\"820\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb15-1.png\" alt=\"\" class=\"wp-image-65019\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb15-1.png 1386w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb15-1-800x473.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb15-1-768x454.png 768w\" sizes=\"(max-width: 1386px) 100vw, 1386px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 15: Sandbox check via hostname query<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The remaining code is executed if and only if all five sandbox checks pass.
First, the global variable CmdLine is populated with the string \u201cWmiPrvSE.exe\u201d, which refers to the Windows Management Instrumentation (WMI) Provider Service. Then the function mw_read_settings() is called.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1520\" height=\"1512\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb16-1.png\" alt=\"\" class=\"wp-image-65020\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb16-1.png 1520w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb16-1-800x796.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb16-1-768x764.png 768w\" sizes=\"(max-width: 1520px) 100vw, 1520px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 16: CommieLoader\u2019s core functionalities<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">mw_read_settings() sets the working directory to the directory where the installer is located and reads the contents of the \u201cSettings.txt\u201d file into the global variable my_payload.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1488\" height=\"1070\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb17-1.png\" alt=\"\" class=\"wp-image-65021\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb17-1.png 1488w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb17-1-800x575.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb17-1-768x552.png 768w\" sizes=\"(max-width: 1488px) 100vw, 1488px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 17: Function that reads the contents of Settings.txt into the my_payload buffer<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">When we open the \u201cSettings.txt\u201d file, we find, among other things, various names of communists, a variety of MAC addresses, and excerpts from the Communist Manifesto (many of which contain spelling errors).
With this observation, the name \u201cCommieLoader\u201d is born. Upon closer inspection, a pattern seems to emerge in which the clustering of \u201ctrotzki\u201d strings could each represent a null byte (0x00). Therefore, we hypothesize that Settings.txt contains an encoded payload, possibly the next stage of execution for the malware. The encoding method would thus be a dictionary substitution, in which a corresponding word is used as a translation for each hexadecimal value from 0x00 to 0xFF.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"1034\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb18-1-1600x1034.png\" alt=\"\" class=\"wp-image-65022\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb18-1-1600x1034.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb18-1-800x517.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb18-1-768x496.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb18-1-1536x993.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb18-1-2048x1323.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 18: Excerpt from the contents of Settings.txt<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Upon closer examination of the dbgcore.dll file, it becomes apparent that the file contains a data structure with 256 entries suitable for a dictionary and, as suspected, begins with \u201ctrotzki\u201d as the value for 0x00.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"908\" height=\"432\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bild-18-1.png\" alt=\"\" class=\"wp-image-65023\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bild-18-1.png 908w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bild-18-1-800x381.png 800w, 
https:\/\/testing.secuinfra.com\/wp-content\/uploads\/bild-18-1-768x365.png 768w\" sizes=\"(max-width: 908px) 100vw, 908px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 18: Excerpt from the dictionary in dbgcore.dll<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To export the dictionary from dbgcore.dll and decode the Settings.txt file with it, we developed the following Python script.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/usr\/bin\/env python3\n\"\"\"\nDecoder for commieLoader Settings.txt payload.\n\ndbgcore.dll contains a 256-entry wordlist stored as fixed-width (5000-byte) slots\nstarting at offset 0x8B40. Each word in Settings.txt maps to one byte of the\noriginal binary payload.\n\"\"\"\nimport sys\nimport argparse\n\nDLL_PATH = \"dbgcore.dll\"\nSETTINGS_PATH = \"Settings.txt\"\nOUTPUT_PATH = \"decoded_payload.bin\"\n\nWORDLIST_OFFSET = 0x8B40  # offset of first entry (\"trotzki\" = 0x00) in dbgcore.dll\nWORDLIST_STRIDE = 5000    # each entry occupies a fixed 5000-byte slot\n\n\ndef load_wordlist(dll_path: str) -&gt; dict[str, int]:\n    \"\"\"Read the 256 fixed-width slots from dbgcore.dll and map each word to its byte value.\"\"\"\n    with open(dll_path, \"rb\") as f:\n        data = f.read()\n    word_to_byte: dict[str, int] = {}\n    for i in range(256):\n        offset = WORDLIST_OFFSET + i * WORDLIST_STRIDE\n        chunk = data[offset:offset + WORDLIST_STRIDE]\n        # each slot is a NUL-terminated string inside its 5000-byte window\n        end = chunk.find(b\"\\x00\")\n        word_bytes = chunk[:end] if end != -1 else chunk\n        word = word_bytes.decode(\"utf-8\")\n        word_to_byte[word] = i\n    return word_to_byte\n\n\ndef decode(settings_path: str, word_to_byte: dict[str, int]) -&gt; bytearray:\n    \"\"\"Translate the comma-separated words in Settings.txt back into raw bytes.\"\"\"\n    with open(settings_path, \"r\", encoding=\"utf-8\") as f:\n        content = f.read()\n    # Tokens are separated by \", \"; remove only leading spaces to preserve\n    # trailing spaces that are part of some token names (e.g., \"Ricardo \").\n    tokens = [t.lstrip(\" \") for t in content.split(\",\")]\n    unknown = {t for t in tokens if t and t not in word_to_byte}\n    if unknown:\n        print(f\"[!] Warning: {len(unknown)} unknown token(s): {unknown}\", file=sys.stderr)\n    out = bytearray()\n    for t in tokens:\n        if t:\n            out.append(word_to_byte.get(t, 0))\n    return out\n\n\ndef main() -&gt; None:\n    parser = argparse.ArgumentParser(description=\"Decode commieLoader Settings.txt payload\")\n    parser.add_argument(\"--dll\", default=DLL_PATH, help=f\"Path to dbgcore.dll (default: {DLL_PATH})\")\n    parser.add_argument(\"--input\", default=SETTINGS_PATH, help=f\"Path to Settings.txt (default: {SETTINGS_PATH})\")\n    parser.add_argument(\"--output\", default=OUTPUT_PATH, help=f\"Output path for decoded binary (default: {OUTPUT_PATH})\")\n    args = parser.parse_args()\n\n    print(f\"[*] Loading wordlist from {args.dll} ...\")\n    word_to_byte = load_wordlist(args.dll)\n    print(f\"[+] Loaded {len(word_to_byte)} wordlist entries\")\n\n    print(f\"[*] Decoding {args.input} ...\")\n    payload = decode(args.input, word_to_byte)\n    print(f\"[+] Decoded {len(payload)} bytes\")\n\n    with open(args.output, \"wb\") as f:\n        f.write(payload)\n    print(f\"[+] Written to {args.output}\")\n\n\nif __name__ == \"__main__\":\n    main()\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We were able to identify the decoded file as CobaltStrike Beacon shellcode through YARA rule matches and manual analysis. CobaltStrike is an adversary emulation framework designed for red teaming, which is used both for legitimate security testing and for command-and-control purposes by attackers with malicious intent. To classify it and learn more about the functionality of the CobaltStrike beacon, we extracted its configuration.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The Cobalt Strike payload contains the following configuration, which defines the functionality, behavior, and camouflage of the malware. Communication occurs via the HTTPS protocol on port 443\/tcp. The team server (the attacker\u2019s Command &amp; Control infrastructure) is accessible via the domain refugee-help[.]com and is disguised as a contact form so that the web traffic does not stand out too much in an analysis.
Beacon\u2019s spawnto process is the Windows system binary wmiprvse.exe (the WMI Provider Host), i.e. post-exploitation jobs are injected into a freshly started copy of a legitimate system process so that they do not stand out in the process tree. With a SleepTime of 30000 ms and 50% jitter, the implant checks in roughly every 15 to 30 seconds. The final piece of information, which is particularly relevant to us, is the watermark value \u201c987654321\u201d, which normally pseudonymously identifies the software\u2019s licensee. The descending digit sequence is a strong indication that this is a cracked or otherwise unlicensed copy of Cobalt Strike, of the kind commonly traded or sold by cybercriminals in online forums.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">BeaconType&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; HTTPS<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 443<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SleepTime&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 30000<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MaxGetSize&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 16798776<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Jitter&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 50<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MaxDNS&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">PublicKey_MD5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 
1089d58afc804cfab88e6e2aca60e3f3<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">C2Server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; refugee-help.com,\/dpixel<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">UserAgent&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.3600 (KHTML, like Gecko) Chrome\/135.50.90.0 Safari\/537.3600<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HttpPostUri&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; \/contact.php<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Malleable_C2_Instructions&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Base64 decode<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HttpGet_Metadata&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Metadata<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \u2003\u2003base64<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \u2003\u2003header &#8220;Cookie&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HttpPost_Metadata&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; ConstHeaders<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \u2003\u2003Content-Type: application\/x-www-form-urlencoded<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ConstParams<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \u2003\u2003name=OSF<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \u2003\u2003email=media@opensocietyfoundations.org<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \u2003\u2003subject=Resource support<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SessionId<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \u2003\u2003header &#8220;Cookie&#8221;<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Output<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \u2003\u2003base64url<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \u2003\u2003prepend &#8220;message=&#8221;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \u2003\u2003print<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">PipeName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_Idle&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_Sleep&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SSH_Host&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">SSH_Port&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SSH_Username&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SSH_Password_Plaintext&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SSH_Password_Pubkey&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">SSH_Banner&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HttpGet_Verb&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; GET<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HttpPost_Verb&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; POST<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HttpPostChunk&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Spawnto_x86&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; %windir%\\syswow64\\wbem\\wmiprvse.exe -Embedding<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Spawnto_x64&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; %windir%\\sysnative\\wbem\\wmiprvse.exe -Embedding<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">CryptoScheme&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Proxy_Config&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Proxy_User&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Proxy_Password&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Proxy_Behavior&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Use IE settings<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Watermark_Hash&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; NtZOV6JzDr9QkEnX6bobPg==<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Watermark&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 987654321<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">bStageCleanup&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; True<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">bCFGCaution&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; True<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">KillDate&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 0<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">bProcInject_StartRWX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; False<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">bProcInject_UseRWX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; False<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">bProcInject_MinAllocSize&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 24576<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ProcInject_PrependAppend_x86&nbsp;&nbsp;&nbsp;&nbsp; &#8211; b&#8217;D@KCLH\\x90f\\x90\\x0f\\x1f\\x00f\\x0f\\x1f\\x04\\x00\\x0f\\x1f\\x04\\x00\\x0f\\x1f\\x00\\x0f\\x1f\\x00&#8242;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Empty<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ProcInject_PrependAppend_x64&nbsp;&nbsp;&nbsp;&nbsp; &#8211; b&#8217;D@KCLH\\x90f\\x90\\x0f\\x1f\\x00f\\x0f\\x1f\\x04\\x00\\x0f\\x1f\\x04\\x00\\x0f\\x1f\\x00\\x0f\\x1f\\x00&#8242;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Empty<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ProcInject_Execute&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; kernel32.dll:BaseThreadInitThunk<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NtQueueApcThread-s<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; kernel32.dll:LoadLibraryA<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CreateRemoteThread<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RtlCreateUserThread<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SetThreadContext<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ProcInject_AllocationMethod&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; NtMapViewOfSection<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">bUsesCookies&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; True<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">HostHeader&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">headersToRemove&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_Beaconing&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">DNS_get_TypeA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_get_TypeAAAA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_get_TypeTXT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_put_metadata&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_put_output&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_resolver&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; Not Found<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_strategy&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; round-robin<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_strategy_rotate_seconds&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; -1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_strategy_fail_x&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; -1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">DNS_strategy_fail_seconds&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; -1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Retry_Max_Attempts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Retry_Increase_Attempts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 0<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">Retry_Duration&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &#8211; 0<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once the shellcode is decoded, a new process is created. As mentioned above, the string \u201cWmiPrvSE.exe\u201d was previously copied into the global variable CmdLine. And with the call to CreateProcessA(), a process is created in a suspended state.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1122\" height=\"410\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb19-1.png\" alt=\"\" class=\"wp-image-65024\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb19-1.png 1122w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb19-1-800x292.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb19-1-768x281.png 768w\" sizes=\"(max-width: 1122px) 100vw, 1122px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 19: Creation of the suspended WmiPrvSE process<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once the process is created, we observe several syscall invocations that indicate classic process injection. The call to ZwAllocateVirtualMemory() allocates a buffer in the newly created process, which serves as storage for the shellcode. 
This shellcode is then written to the newly allocated buffer using ZwWriteVirtualMemory(), and the process is made executable using ZwProtectVirtualMemory().<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Afterward, ZwQueueApcThread() is used to append the shellcode to the process\u2019s APC queue, and ZwResumeThread() is then used to finally execute the shellcode on the main thread.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1186\" height=\"874\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb20-1.png\" alt=\"\" class=\"wp-image-65025\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb20-1.png 1186w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb20-1-800x590.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb20-1-768x566.png 768w\" sizes=\"(max-width: 1186px) 100vw, 1186px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 20: Transfer of the shellcode into the memory space of the WmiPrvSE process, followed by the execution of the shellcode<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After the shellcode has been written to the process and executed, the program begins to implement persistence mechanisms. These are found in the copyfiles() function.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">First, the current user\u2019s username is queried to locate their Documents directory. 
After the path string to the Documents directory has been constructed, all three files &#8211; \u201cSettings.txt,\u201d dbgcore.dll, and the Sumatra Installer &#8211; are copied into the directory.<br><br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"780\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb21-1-1600x780.png\" alt=\"\" class=\"wp-image-65026\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb21-1-1600x780.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb21-1-800x390.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb21-1-768x374.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb21-1-1536x749.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb21-1.png 1678w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 21: Copying the Sumatra installer, dbgcore.dll, and Settings.txt to the user\u2019s Documents folder<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, the write_auto function is called, which creates an autorun registry key disguised as \u201cFirefox_Updater_Version_2.3.1000\u201d for the installer. 
This ensures that the installer runs every time the system starts up, so that the attacker does not lose access to the system after a reboot.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"949\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb22-1-1600x949.png\" alt=\"\" class=\"wp-image-65027\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb22-1-1600x949.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb22-1-800x475.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb22-1-768x456.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb22-1-1536x911.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb22-1.png 1810w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 22: Entry of the autorun key in the registry<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"549\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb23-1-1600x549.png\" alt=\"\" class=\"wp-image-65028\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb23-1-1600x549.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb23-1-800x274.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb23-1-768x263.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb23-1-1536x527.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb23-1-2048x702.png 2048w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 23: Registry entry after execution of the malware<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A small bonus: We were able to find artifacts of a Vectored Exception Handler in the DLL that sets a hook on the EtwEventWrite function. 
However, we could find no evidence that this handler is registered.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1526\" height=\"1014\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb24-1.png\" alt=\"\" class=\"wp-image-65029\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb24-1.png 1526w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb24-1-800x532.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb24-1-768x510.png 768w\" sizes=\"(max-width: 1526px) 100vw, 1526px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 24: A Vectored Exception Handler that overwrites EtwEventWrite with a ret instruction (however, it is never registered)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Noteworthy:<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">It is perhaps worth noting that our sample only took limited anti-AV measures. Microsoft Defender was running on our client\u2019s system, and as far as we could tell, it was active throughout the entire infection period and scanned the sample multiple times. 
In the end, it found nothing to complain about, even though it spent the longest time scanning dbgcore.dll on average.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In two instances, however, it identified malicious activity (\u201cVirTool:MSIL\/Deimos.A!MTB\u201d and \u201cTrojan:Win32\/Sabsik.EN.B!ml\u201d) associated with WmiPrvSE.exe:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1600\" height=\"555\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb25-1-1600x555.png\" alt=\"\" class=\"wp-image-65030\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb25-1-1600x555.png 1600w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb25-1-800x277.png 800w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb25-1-768x266.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb25-1-1536x533.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/abb25-1.png 1739w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Figure 25: Windows Defender detections<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In both cases, Windows Defender quarantined WmiPrvSE.exe.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We were unable to associate \u201cCommieLoader\u201d with any known malware family. When searching for it on platforms for analyzing and exchanging malware samples, we were able to identify another sample (SHA256: 127c525b0107045c39d4c956d51a16aba6b28e8a08cb1687e3fe7fc1f16e0de5) using a YARA rule, which was also located in a ZIP archive (\u201cbewerbung_gesamt.zip\u201d) containing a Settings.txt file and the SumatraPDF installer. The payload of this sample is nearly identical to our sample, except that an msedge.exe process is used for the APC injection instead of a WmiPrvSE.exe process. This suggests that this sample could be a test sample designed to test detection by AVs and EDRs. 
According to the alleged attacker, Elastic EDR would likely have detected the sample as well. Only time will tell whether this attack was a targeted attack against our customer or whether the sample will appear more frequently in the future.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Appendix<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Host-based Indicators<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Filename<strong><\/strong><\/td><td>SHA256<\/td><td>Description<\/td><\/tr><tr><td>dbgcore.dll<\/td><td>a9121e70c39de2c10e6790da4aa3a22079242a201da2c1aeeb4ed65070e68e93<em><\/em><\/td><td><em>Malicious DLL loaded by the SumatraPDF installer via DLL forward sideloading<\/em><\/td><\/tr><tr><td>Version_Application_2.0_202566_Application_Number_0234521870_Date_0000000200<\/td><td><em>cb1d73323d3d80004ada185844b0d461abd9ded736d5dc690607f935b4f2b58a<\/em><\/td><td><em>Legitimate SumatraPDF installer<\/em><\/td><\/tr><tr><td>Settings.txt<\/td><td><em>b9fac5fd68f333b9459fa4b0111da8fba64a20022df8ea8595eae6a2fc4b9d9d<\/em><em><\/em><\/td><td><em>Text file containing an encoded Cobalt Strike beacon<\/em><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Additional host-based IoCs:<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Firefox_Updater_Version_2.3.1000:<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>&#8220;C:\\Users\\[Username]\\Documents\\Version_Application_2.0_202566_Application_Number_0234521870_Date_0000000200.exe<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Network-based Indicators<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Type<\/td><td>Indicator<\/td><\/tr><tr><td>C2<\/td><td>refugee-help[.]com<em><\/em><\/td><\/tr><tr><td><strong>URIs<\/strong><\/td><td>\/dpixel, \/contact.php<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 
class=\"wp-block-heading\">Detection Rule<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>rule SI_MAL_LDR_CommieLoader_Apr13 {\n  meta:\n    version = &quot;1.0&quot;\n    date = &quot;2026-04-13&quot;\n    modified = &quot;2026-04-14&quot;\n    status = &quot;RELEASED&quot;\n    sharing = &quot;TLP:CLEAR&quot;\n    source = &quot;SECUINFRA Falcon Team&quot;\n    description = &quot;Detects the dbgcore.dll used in the CommieLoader campaign&quot;\n    category = &quot;malware&quot;\n    mitre_att = &quot;T1129, T1055, T1112&quot;\n    \/\/ SHA-256 hashes of our observed samples\n    hash1 = &quot;a9121e70c39de2c10e6790da4aa3a22079242a201da2c1aeeb4ed65070e68e93&quot;\n    hash2 = &quot;127c525b0107045c39d4c956d51a16aba6b28e8a08cb1687e3fe7fc1f16e0de5&quot;\n\n  strings:\n    $mz = { 4d 5a }\n\n    \/\/ Code snippets from CommieLoader's sandbox\/VM check.\n    $a1 =\n    {\n      \/\/ Stub for retrieving the computer name.\n      48 81 ec 30 01 00 00       \/\/ sub rsp, 0x130\n      48 8d ac 24 80 00 00 00    \/\/ lea rbp, [rsp+0x80]\n      c7 45 ac 00 01 00 00       \/\/ mov dword [rbp-0x54], 0x100\n      48 8d 55 ac                \/\/ lea rdx, [rbp-0x54]\n      48 8d 45 b0                \/\/ lea rax, [rbp-0x50]\n      48 89 c1                   \/\/ mov rcx, rax\n      48 ?? ?? ?? ?? ?? ??       \/\/ mov rax, ?\n      ff d0 85 c0                \/\/ call rax ; test eax, eax\n    }\n\n    $a2 =\n    {\n      \/\/ Stub for comparing the computer name against common sandbox hostnames.\n      48 8d 45 b0                \/\/ lea rax, [rbp-0x50]\n      48 ?? ?? ?? ?? ?? ??       \/\/ lea rdx, ?\n      48 89 c1                   \/\/ mov rcx, rax\n      e8 ?? ?? ?? ??             \/\/ call ?\n      85 c0                      \/\/ test eax, eax\n    }\n\n    \/\/ SysWhispers3 function names observed in the samples.\n    $b1 = &quot;SW3_GetSyscallAddress&quot; ascii\n    $b2 = &quot;SW3_HashSyscall&quot; ascii\n    $b3 = &quot;SW3_PopulateSyscallList&quot; ascii\n\n    \/\/ Strings related to the Autorun key that CommieLoader sets for persistence.\n    $c1 = &quot;Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run&quot; ascii\n    $c2 = &quot;Firefox_Updater_Version_2.3.1000&quot; ascii\n\n  condition:\n    $mz at 0 and\n    filesize &lt; 3MB and\n    all of ($a*) and\n    all of ($b*) and\n    all of ($c*)\n}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">References:<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a  href=\"https:\/\/www.hexacorn.com\/blog\/2025\/08\/19\/dll-forwardsideloading\/\"  target=\"_blank\" rel=\"noreferrer noopener\" dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >hexacorn<\/a><\/p>\n\n\n\n<p
class=\"wp-block-paragraph\"><a  href=\"https:\/\/github.com\/Sentinel-One\/CobaltStrikeParser\"  target=\"_blank\" rel=\"noreferrer noopener\" dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >github<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As part of an incident response operation, the SECUINFRA Falcon team identified an interesting malware sample codenamed &#8220;CommieLoader&#8221; masquerading as an application form.<\/p>\n<p>CommieLoader installed a Cobalt Strike Beacon, which was used by the attacker for command-and-control communication<\/p>\n","protected":false},"author":6,"featured_media":64999,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[85,81],"tags":[],"dpc_coauthors":[834],"class_list":["post-65000","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-digital-forensics","category-techtalk","dpc_coauthors-si_falcon_tm"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/65000","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=65000"}],"version-history":[{"count":3,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/65000\/revisions"}],"predecessor-version":[{"id":65054,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/65000\/revisions\/65054"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/64999"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\
/media?parent=65000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=65000"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=65000"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=65000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}