Loading…
Multi-pass deobfuscator for the PowerShell loaders that show up in commodity-malware and ransomware staging: -EncodedCommand, FromBase64String, char-array literals, format-string composition, replace chains, backtick noise. Each pass shows what it changed.
Heuristic — does not actually execute anything. Pure client-side; nothing leaves your browser. After decoding, dangerous primitives (IEX, DownloadString, VirtualAlloc, Defender tampering) are flagged.
-EncodedCommand base64 (UTF-16LE).[Convert]::FromBase64String + standalone long blobs.[Array]::Reverse on string literals..Replace("a","b") on literals."{0}{1}" -f 'a','b' composition.[char]65 + [char]66 and [char[]](72,73) -join ''.