Expresses interest in specific running processes Show sources
| api_process_name | rundll32.exe |
Attempts to connect to a dead IP:Port (1 unique times) Show sources
| network_host_ip | 162.240.27.36:80 (United States) |
Performs some HTTP requests Show sources
| network_url | http://avionxpress.com/lp/T9b1Bga4FdDfP5HI/ |
A document file initiated network communications indicative of a potential exploit or payload download Show sources
| network_anomaly | excel.exe_InternetCrackUrlA_http://avionxpress.com |
| network_anomaly | excel.exe_URLDownloadToFileW_http://avionxpress.com/lp/T9b1Bga4FdDfP5HI/ |
Martian Subprocess Started By Office Process Show sources
| office_martian | c:\windows\syswow64\rundll32.exe |
| office_martian | c:\windows\syswow64\rundll32.exe |
Possible date expiration check, exits too soon after checking local time Show sources
| api_process_name | rundll32.exe, PID 2528 |