Sof002.rar

Unknown processes running from %AppData% or %Temp% directories.

Executables disguised with PDF or Excel icons using the "double extension" trick (e.g., SOF002_Invoice.pdf.exe). These are often Trojans like Agent Tesla or Formbook.

Scripts that execute in the background to download a secondary payload from a Command and Control (C2) server.

Connections to unknown IP addresses or domains (C2 communication).
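
A triage check for two of the indicators above (double-extension file names and processes running from %AppData% or %Temp%), added here as an example and not taken from the original page. The extension lists, the allowlist, and every sample file name, PID and path except SOF002_Invoice.pdf.exe are constructed for illustration.

```python
import ntpath
import re

# Assumed extension lists for illustration; tune them to your environment.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}
# Typical expansions of %AppData% and %Temp% inside a full image path.
USER_WRITABLE = re.compile(
    r"\\appdata\\(roaming|local|locallow)\\|\\temp\\|\\tmp\\", re.I)

def double_extension(name):
    """Return (decoy_ext, real_ext) for names like doc.pdf.exe, else None."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    base = ntpath.basename(name).rstrip(" .").lower()
    # Padding spaces before the real extension ("a.pdf    .exe") are stripped too.
    parts = [p.strip() for p in base.split(".")]
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS:
        return parts[-2], parts[-1]
    return None

def runs_from_user_writable(image_path):
    """True if the process image lives under an AppData or Temp directory."""
    return bool(USER_WRITABLE.search(image_path))

def triage(archive_members, processes, known_images=frozenset()):
    """Return (indicator, subject, detail) tuples for review by an analyst."""
    findings = []
    for name in archive_members:
        hit = double_extension(name)
        if hit:
            findings.append(("double-extension", name,
                             "shown as .%s, runs as .%s" % hit))
    for pid, image in processes:
        # "Unknown" means not on the allowlist of expected per-user software.
        if runs_from_user_writable(image) and image.lower() not in known_images:
            findings.append(("user-writable-path", image, "pid %d" % pid))
    return findings

# Constructed sample data: an archive listing and a process snapshot.
SAMPLE_MEMBERS = ["SOF002_Invoice.pdf.exe", "docs/report.v1.2.pdf",
                  "scan.xlsx   .scr", "backup.tar.gz"]
SAMPLE_PROCESSES = [
    (4120, r"C:\Users\alice\AppData\Local\Temp\SOF002_Invoice.pdf.exe"),
    (988, r"C:\Windows\System32\svchost.exe"),
    (5312, r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"),
]
KNOWN = frozenset({r"c:\users\alice\appdata\local\microsoft\teams\current\teams.exe"})

if __name__ == "__main__":
    for finding in triage(SAMPLE_MEMBERS, SAMPLE_PROCESSES, KNOWN):
        print(finding)
```

A hit is a lead for review, not a verdict: legitimate per-user software also runs from AppData, which is why the allowlist is part of the check.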