Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download

This analytic detects suspicious use of `rundll32.exe` in combination with `mshtml.dll` and the export `RunHTMLApplication`. This behavior is often observed in malware to execute JavaScript or VBScript in memory, enabling payload staging or bypassing script execution policies and bypassing the usage of the "mshta.exe" binary. The detection leverages Cisco Network Visibility Module telemetry which offers network flow activity along with process information such as command-line arguments If confirmed malicious, this activity may indicate initial access or payload download.