Yep, just got hundreds of those emails today. They all point to 178.16.54.109, but spl.exe 404s, so it looks like the abused hosting provider has already squashed this malware campaign out.
Bummer, I would've loved to analyze this spl.exe encryptor and maybe also troll the attacker.
Also, FYI, somehow exiftool supports .lnk files, so you can read the full command of the .lnk cleanly with that.
Good idea, I wasn't aware of exiftool, thanks for the suggestion. Although it apparently had a bad vulnerability in 2024, CVE-2021-22204, which, if I'm reading it right, would mean that just reading a hacked file with it could mean remote code execution.
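
For reading the command out of a suspicious .lnk without handing the file to a general-purpose metadata tool, here is a small standard-library reader for the StringData section of the Shell Link (MS-SHLLINK) format. It is an added example, not part of either comment above. The function names are hypothetical, the sample file is constructed, cp1252 is an assumed code page for non-Unicode links, and the ExtraData blocks after StringData are not parsed.

```python
import struct

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link class ID
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this order, each gated by one LinkFlags bit.
FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
          (0x20, "arguments"), (0x40, "icon_location")]

def _u(data, fmt, pos):
    """Bounds-checked little-endian integer read."""
    if pos < 0 or pos + struct.calcsize(fmt) > len(data):
        raise ValueError("truncated .lnk")
    return struct.unpack_from(fmt, data, pos)[0]

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link; nothing is executed."""
    if _u(data, "<I", 0) != 0x4C or data[4:20] != CLSID or len(data) < 76:
        raise ValueError("not a shell link")
    flags = _u(data, "<I", 20)
    pos = 76                                  # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                    # IDListSize excludes its own 2 bytes
        pos += 2 + _u(data, "<H", pos)
    if flags & HAS_LINKINFO:                  # LinkInfoSize includes its own 4 bytes
        size = _u(data, "<I", pos)
        if size < 4:
            raise ValueError("bad LinkInfoSize")
        pos += size
    # Assumption: non-Unicode links are decoded as cp1252 (really the system code page).
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {}
    for bit, name in FIELDS:
        if flags & bit:
            nbytes = _u(data, "<H", pos) * width   # the count is in characters
            raw = data[pos + 2:pos + 2 + nbytes]
            if len(raw) != nbytes:
                raise ValueError("truncated string in .lnk")
            out[name] = raw.decode(codec, errors="replace")
            pos += 2 + nbytes
    return out

def build_sample_lnk() -> bytes:
    """Constructed sample: header, empty IDList, relative path, arguments."""
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    flags = 0x01 | 0x08 | 0x20 | 0x80         # IDList, RelativePath, Arguments, Unicode
    header = struct.pack("<I16sI", 0x4C, CLSID, flags).ljust(76, b"\0")
    strings = s(r"..\Windows\System32\cmd.exe") + s("/c echo constructed-sample")
    return header + struct.pack("<HH", 2, 0) + strings
```

On a real sample, pass the file's bytes to `parse_lnk_strings` and read `relative_path` together with `arguments` to see the full command line.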