This is a dropper ps1 script for Vidar malware.

Variables are encoded after starting script, my guess is this way used for evading AVs. Looking at the decoded variables, script's functionality can be guessed.

This part will create `%LOCALAPPDATA%` if it doesn't exist. Out-Null is used to not output anything to pipelines. This is the location the file will be saved. First command will download malware from `https://vx-events.com/build.exe`, in case of error, process will stop. Second command will hide the folder. (C:\Users\\\\AppData\Local) Third command will hide the file. (C:\Users\\\\AppData\Local\updater.exe)

Now, Add-Exclusion is a function, that is used for defence evasion:

Add-MpPreference is used for modifying Windows Defender settings. This command will try to add new Exclusion Path to defender, which is: `C:\Users\\AppData\Local\updater.exe`

Start-Process, will start the C:\Users\<user>\AppData\Local\updater.exe with Window Style hidden, Run as Administrator option, and -Wait is used to suppresses the command prompt until the processes finish.

finally part is used to remove clean everything, leave a fake message to Host and finish script.

Continue: 9e126eb3b73eeae34c46a4b3dc9dc184a19708fd2b2433302c69e6c06b3929ed