RunDLL32 Spawning Explorer (caa06de8-fdef-4c91-826a-7f9e163eef4b)

Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon. Gamarue is often observed spawning the explorer.exe process in an unusual way.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) | Attack Pattern | RunDLL32 Spawning Explorer (caa06de8-fdef-4c91-826a-7f9e163eef4b) | Sigma-Rules | 1 |
| Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2 |