
Summary
This rule detects a renamed copy of createdump.exe, a legitimate utility (tracked in the LOLBIN toolset) for dumping process memory. Attackers frequently rename such tools so that a legitimate command-line utility can be used while evading name-based detection. The detection monitors process creation events and filters for command-line arguments that indicate the createdump.exe utility is being used to write process memory to a dump file (.dmp), and checks the image file name against the expected 'createdump.exe' name, since a renamed copy will not end in it. The author references techniques used by threat actors, in particular the Aquatic Panda group, which underlines the value of tracking such renamed tools. Careful tuning is advised because legitimate applications may use similar command-line flags, producing false positives.
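The detection logic described above, written out as an added example in Python (this is editor-supplied code, not the rule's own query or any project's code). It assumes process-creation records carry an image path and a command line, and it assumes createdump's own switches for the output file ('-f' / '--name') and for a full dump ('-u' / '--full'); the sample events and the allowlist used to tune out a legitimate tool that shares those switches are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Collection, List


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (e.g. the Image and CommandLine fields of Sysmon event ID 1)."""
    image: str          # full path of the executable that started
    command_line: str   # its command line


# Switches createdump uses to name the output file ('-f' / '--name') and to
# request a full dump ('-u' / '--full'). Assumed from the tool's usage text,
# not taken from the rule summary on this page.
_DUMP_FILE_ARG = re.compile(r'(?:^|\s)(?:-f|--name)\s+"?[^\s"]*\.dmp\b', re.IGNORECASE)
_FULL_DUMP_ARG = re.compile(r"(?:^|\s)(?:-u|--full)(?=\s|$)", re.IGNORECASE)


def image_basename(path: str) -> str:
    """Return the lower-cased file-name component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_renamed_createdump(event: ProcessEvent, allowlist: Collection[str] = ()) -> bool:
    """True when the command line looks like a createdump memory dump but the
    image is not named createdump.exe (i.e. the binary was renamed)."""
    cmd = event.command_line
    if not (_DUMP_FILE_ARG.search(cmd) and _FULL_DUMP_ARG.search(cmd)):
        return False                      # no memory-dump style arguments at all
    name = image_basename(event.image)
    if name.endswith("createdump.exe"):
        return False                      # original name intact: not the renamed case
    if name in {a.lower() for a in allowlist}:
        return False                      # tuned-out legitimate tool that shares the switches
    return True


def scan(events: List[ProcessEvent], allowlist: Collection[str] = ()) -> List[ProcessEvent]:
    """Return the events that should raise an alert."""
    return [ev for ev in events if is_renamed_createdump(ev, allowlist)]


# Constructed sample events (paths and PIDs are made up for the example).
SAMPLE_EVENTS = [
    # Un-renamed createdump writing a dump: matches the arguments but not the rename check.
    ProcessEvent(r"C:\dotnet\createdump.exe",
                 r"createdump.exe -u -f C:\temp\app.dmp 4412"),
    # Renamed copy dropped in a world-writable folder: should alert.
    ProcessEvent(r"C:\Users\Public\svchost_helper.exe",
                 r"svchost_helper.exe --full --name C:\Users\Public\mem.dmp 652"),
    # Legitimate third-party tool that happens to use the same switches: alerts
    # unless it is allowlisted, the false-positive case the rule summary warns about.
    ProcessEvent(r"C:\Tools\DumpTool.exe",
                 r"DumpTool.exe -u -f out.dmp 1000"),
    # Unrelated process: no dump arguments.
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\a\notes.txt"),
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS, allowlist={"dumptool.exe"}):
        print("ALERT renamed createdump:", ev.image, "|", ev.command_line)
```

Running the block as a script prints one alert, for the renamed copy under C:\Users\Public; the genuine createdump.exe is skipped because its image name still ends in createdump.exe, and DumpTool.exe is suppressed only because it was placed on the allowlist, which is where the false-positive tuning the summary calls for would live.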
Categories
- Windows
- Endpoint
- Infrastructure
Data Sources
- Process
- Application Log
Created: 2022-09-20