Analysis
- max time kernel: 144s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-05-2024 14:50
Behavioral tasks (task: sample, resource)
- behavioral1: GANG-Nuker.zip, win10v2004-20240508-en
- behavioral2: GANG-Nuker/GANG.exe, win10v2004-20240426-en
- behavioral3: GANG.pyc, win10v2004-20240508-en
- behavioral4: GANG-Nuker/data/useragent.txt, win10v2004-20240426-en
- behavioral5: GANG-Nuker/utilities/Avatars/GANG.png, win10v2004-20240426-en
- behavioral6: GANG-Nuker/utilities/Plugins/Account_Nuker.py, win10v2004-20240426-en
- behavioral7: GANG-Nuker/utilities/Plugins/Auto_Login.py, win10v2004-20240508-en
- behavioral8: GANG-Nuker/utilities/Plugins/DM_Deleter.py, win10v2004-20240508-en
- behavioral9: GANG-Nuker/utilities/Plugins/QR_Grabber.py, win10v2004-20240426-en
- behavioral10: GANG-Nuker/utilities/Plugins/Server_Lookup.py, win10v2004-20240426-en
- behavioral11: GANG-Nuker/utilities/Plugins/Token_Info.py, win10v2004-20240226-en
- behavioral12: GANG-Nuker/utilities/Plugins/ignore/ignore.py, win10v2004-20240508-en
- behavioral13: GANG-Nuker/utilities/Settings/common.py, win10v2004-20240508-en
- behavioral14: GANG-Nuker/utilities/Settings/libarys.py, win10v2004-20240508-en
- behavioral15: GANG-Nuker/utilities/Settings/update.py, win10v2004-20240426-en
- behavioral16: GANG-Nuker/utilities/Settings/version, win10v2004-20240426-en
General
- Target: GANG-Nuker/utilities/Plugins/Server_Lookup.py
- Size: 2KB
- MD5: 5525d43dd9604f2001dd7e16fddec630
- SHA1: 4f4cbcf679881d139f721f70f3bb1835ae53a9e7
- SHA256: a55a516416c59294be36cfae89ab848c7339db53c138416c9b1fe9b62d93815e
- SHA512: 976d3cc527537b6f03503fd1d317779611b643324b72c2f5f739fd48ccdd692f8266a59d76481c72c7ab349bffcb3b59342f407d9d26c284575ecea7ab557e0c
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: AcroRd32.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe

- Modifies Internet Explorer settings
  Processes: AcroRd32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe

- Modifies registry class (13 IoCs)
  Processes: OpenWith.exe, cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.py | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\䞪ᩅᜀ耀㍀ꦜǀ\ = "py_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\䞪ᩅᜀ耀㍀ꦜǀ | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\py_auto_file\shell\Read | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\py_auto_file\shell\Read\command | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\py_auto_file | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\䝕ᩂ᠀耀 | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\䝕ᩂ᠀耀\ = "py_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\py_auto_file\shell | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.py\ = "py_auto_file" | OpenWith.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: OpenWith.exe
  pid | process
  1720 | OpenWith.exe

- Suspicious use of SetWindowsHookEx (64 IoCs)
  Processes: OpenWith.exe
  pid | process
  1720 | OpenWith.exe (all 64 listed entries)

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: OpenWith.exe, AcroRd32.exe, RdrCEF.exe
  description | pid | process | target process
  PID 1720 wrote to memory of 3436 | 1720 | OpenWith.exe | AcroRd32.exe (3 entries)
  PID 3436 wrote to memory of 880 | 3436 | AcroRd32.exe | RdrCEF.exe (3 entries)
  PID 880 wrote to memory of 4984 | 880 | RdrCEF.exe | RdrCEF.exe (repeated entries)
  PID 880 wrote to memory of 2260 | 880 | RdrCEF.exe | RdrCEF.exe (repeated entries)
Processes (tree; the number after each process is its nesting level in the report)
- C:\Windows\system32\cmd.exe (1)
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Server_Lookup.py
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe (1)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (2)
    command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Plugins\Server_Lookup.py"
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (3)
      command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2DAEF9C7D138CA0C57995A7E999F2AD1 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7D62A1338A61BF7927DDE0488DA51E62 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7D62A1338A61BF7927DDE0488DA51E62 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E819E405E78005BB834671234AA0F0C7 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=148062A09B3A0BE653641B2CE6A34215 --mojo-platform-channel-handle=1988 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (4)
        command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=05D09E3AB9AAC23344756434BFB96FBB --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
- C:\Windows\System32\rundll32.exe (1)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding