Another Windows vulnerability exploited. https://threatpost.com/carbanak-attackers-devise-clever-new-persistence-trick/125457/
Interesting, but I assume this is blocked when you block execution of powershell.exe? If not, then sdbinst.exe should also be added to the vulnerable apps list. And I don't think that AutoRuns is monitoring the AppCompatFlags reg-key, so they might want to add this.
Sdbinst.exe, like most Win utility processes, needs admin privileges. So if past malware "tricks" such as running it hidden were attempted, UAC set at max. level will trigger an alert.
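
For the monitoring gap raised in the thread, the following is an added example and not part of any post: a PowerShell inventory of the shim databases registered under AppCompatFlags, for review of unexpected entries. It assumes the standard `InstalledSDB` and `Custom` subkeys where sdbinst.exe registrations are recorded; the function names `Get-ShimTargetMap` and `Get-InstalledShimDatabase` are hypothetical.

```powershell
# Added example (not from the thread): inventory shim databases registered
# under AppCompatFlags so unexpected entries can be reviewed.
$Root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-ShimTargetMap {
    # Build "{GUID}" -> list of executables named under ...\AppCompatFlags\Custom.
    # Each executable subkey holds values named "{GUID}.sdb".
    $map = @{}
    $custom = Join-Path $Root 'Custom'
    if (Test-Path $custom) {
        foreach ($exeKey in Get-ChildItem -Path $custom) {
            foreach ($valueName in $exeKey.GetValueNames()) {
                $guid = $valueName -replace '\.sdb$', ''
                if (-not $map.ContainsKey($guid)) { $map[$guid] = @() }
                $map[$guid] += $exeKey.PSChildName
            }
        }
    }
    return $map
}

function Get-InstalledShimDatabase {
    # One object per registered database: file path, hash, install time,
    # and the executables the database is applied to.
    $targets = Get-ShimTargetMap
    $installed = Join-Path $Root 'InstalledSDB'
    if (-not (Test-Path $installed)) { return }
    foreach ($key in Get-ChildItem -Path $installed) {
        $p = Get-ItemProperty -Path $key.PSPath
        $file = $p.DatabasePath
        $onDisk = [bool]($file -and (Test-Path -LiteralPath $file))
        [pscustomobject]@{
            Guid         = $key.PSChildName
            Description  = $p.DatabaseDescription
            Path         = $file
            OnDisk       = $onDisk
            SHA256       = if ($onDisk) { (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash } else { $null }
            InstalledUtc = if ($p.DatabaseInstallTimeStamp) { [DateTime]::FromFileTimeUtc($p.DatabaseInstallTimeStamp) } else { $null }
            Targets      = ($targets[$key.PSChildName] -join ', ')
        }
    }
}

# Newest registrations first; compare against a known-good baseline.
Get-InstalledShimDatabase | Sort-Object InstalledUtc -Descending | Format-List
```

An empty result means no custom shim databases are registered; any entry whose `Targets` names a system process or whose install time does not match a known software deployment deserves a closer look.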