This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 49%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIS%3C/text%3E%3C/svg%3E)
Hi,
I have a question about onboarding powershell command.
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-MDATP-test\invoice.exe');Start-Process 'C:\test-MDATP-test\invoice.exe'
what is the invoice.exe file ?
Thank You!
Irin Sultana
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Irin Sultana Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
@Irin Sultana Thank you for reaching out to us, the above mentioned command is a detection test on a device recently onboarded to Microsoft Defender for Endpoint.
Based on the PowerShell command you provided, the invoice.exe file is being downloaded from the URL http://127.0.0.1/1.exe and saved to the local directory C:\test-MDATP-test\. The command then starts the invoice.exe process.
Without more information about the source of the PowerShell command or the context in which it is being used, it is difficult to determine the purpose of the invoice.exe file. It is possible that the file is a legitimate application or tool that is being used for a specific purpose, or it could be a malicious file that is being used for malicious purposes.
Reference: https://learn.microsoft.com/en-us/defender-endpoint/run-detection-test
Let me know if you have any further questions, feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.