URL:	http://leak-my-tits.linkpc.net/
Full analysis:	https://app.any.run/tasks/105d3f92-acdb-4c22-aad3-ec37e0301aa6
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	April 01, 2025, 02:59:56
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	clickfix phishing fake-recaptcha loader
Indicators:
MD5:	C15A1CB8DB2B7E96A505A4F62B222BD9
SHA1:	4A55D795B34544784548F30EC4D1AAD8FC522DC3
SHA256:	8D4EE8493C8B10E6F1F22107ED8B7B49394E0C17B2528551527896EAD72826A8
SSDEEP:	3:N1KSAII0mwAsn:CSS0ys


(PID) Process:	(2692) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(2692) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(2692) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:	write	Name:	StatusCodes
Value:
(PID) Process:	(2692) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(2692) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(2692) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:	write	Name:	dr
Value: 1
(PID) Process:	(2692) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(2692) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome
Operation:	write	Name:	UsageStatsInSample
Value: 0
(PID) Process:	(2692) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(2692) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:	write	Name:	metricsid
Value:

PID	Process	Filename		Type
2692	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-67EB56B4-A84.pma		—
		MD5:—	SHA256:—
2692	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF163e75.TMP		—
		MD5:—	SHA256:—
2692	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
2692	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF163e84.TMP		—
		MD5:—	SHA256:—
2692	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
2692	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF163e84.TMP		—
		MD5:—	SHA256:—
2692	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old		—
		MD5:—	SHA256:—
2692	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF163e84.TMP		—
		MD5:—	SHA256:—
2692	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old		—
		MD5:—	SHA256:—
2692	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF163e84.TMP		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3156	smartscreen.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d7222d49d21c953c	unknown	—	—	whitelisted
2996	chrome.exe	GET	200	74.91.24.19:80	http://leak-my-tits.linkpc.net/	unknown	—	—	whitelisted
3640	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2996	chrome.exe	GET	404	74.91.24.19:80	http://leak-my-tits.linkpc.net/favicon.ico	unknown	—	—	whitelisted
1352	svchost.exe	GET	200	88.221.110.147:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	whitelisted
7080	mshta.exe	GET	200	74.91.24.19:80	http://leak-my-tits.linkpc.net/recaptcha-verify	unknown	—	—	whitelisted
3156	smartscreen.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
7080	mshta.exe	GET	200	142.250.185.163:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted
7080	mshta.exe	GET	200	142.250.185.163:80	http://o.pki.goog/we2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEG%2BorlfPZWf5CeqNw%2Flf3jE%3D	unknown	—	—	whitelisted
7080	mshta.exe	GET	200	142.250.185.163:80	http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQDmpjMpZqu4LxJugBCwTODC	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1352	svchost.exe	88.221.110.216:80	—	Akamai International B.V.	DE	unknown
3156	smartscreen.exe	48.209.180.244:443	checkappexec.microsoft.com	—	US	whitelisted
3156	smartscreen.exe	199.232.214.172:80	ctldl.windowsupdate.com	FASTLY	US	whitelisted
3156	smartscreen.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3528	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2692	chrome.exe	239.255.255.250:1900	—	—	—	whitelisted
2996	chrome.exe	142.250.185.138:443	safebrowsingohttpgateway.googleapis.com	GOOGLE	US	whitelisted
2996	chrome.exe	142.250.145.84:443	accounts.google.com	GOOGLE	US	whitelisted
2996	chrome.exe	74.91.24.19:443	leak-my-tits.linkpc.net	NOCIX	US	whitelisted

Domain	IP	Reputation
google.com	142.250.186.174	whitelisted
checkappexec.microsoft.com	48.209.180.244	whitelisted
ctldl.windowsupdate.com	199.232.214.172 199.232.210.172 208.89.74.17 208.89.74.23 208.89.74.21 208.89.74.29 208.89.74.27 208.89.74.19 208.89.74.25 208.89.74.31	whitelisted
ocsp.digicert.com	2.17.190.73 2.23.77.188	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
leak-my-tits.linkpc.net	74.91.24.19	whitelisted
accounts.google.com	142.250.145.84	whitelisted
safebrowsingohttpgateway.googleapis.com	142.250.185.138 142.250.184.202 216.58.206.42 142.250.186.170 142.250.185.234 142.250.184.234 172.217.23.106 142.250.185.202 142.250.186.138 142.250.185.170 172.217.18.106 216.58.212.170 142.250.185.74 216.58.212.138 142.250.185.106 142.250.181.234	whitelisted
google-ohttp-relay-safebrowsing.fastly-edge.com	151.101.193.91 151.101.1.91 151.101.129.91 151.101.65.91	unknown
use.fontawesome.com	172.67.142.245 104.21.27.152	whitelisted

PID	Process	Class	Message
2996	chrome.exe	Potentially Bad Traffic	ET DYN_DNS Observed DNS Query to DynDNS Domain (linkpc .net)
2996	chrome.exe	Potentially Bad Traffic	ET DYN_DNS Observed DNS Query to DynDNS Domain (linkpc .net)
2996	chrome.exe	Potentially Bad Traffic	ET DYN_DNS Observed DNS Query to DynDNS Domain (linkpc .net)
2996	chrome.exe	Potentially Bad Traffic	ET DYN_DNS Observed DNS Query to DynDNS Domain (linkpc .net)
2996	chrome.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS HTTP Request to a *.linkpc .net Domain
2996	chrome.exe	A Network Trojan was detected	ET MALWARE Observed ClickFix Powershell Delivery Page Inbound
2996	chrome.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS HTTP Request to a *.linkpc .net Domain
1352	svchost.exe	Misc activity	ET INFO Microsoft Connection Test
1664	svchost.exe	Potentially Bad Traffic	ET DYN_DNS Observed DNS Query to DynDNS Domain (linkpc .net)
7080	mshta.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS HTTP Request to a *.linkpc .net Domain

General Info

http://leak-my-tits.linkpc.net/

C15A1CB8DB2B7E96A505A4F62B222BD9

4A55D795B34544784548F30EC4D1AAD8FC522DC3

8D4EE8493C8B10E6F1F22107ED8B7B49394E0C17B2528551527896EAD72826A8

3:N1KSAII0mwAsn:CSS0ys

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

CLICKFIX has been detected (SURICATA)

Fake reCAPTCHA has been detected

Accesses environment variables (SCRIPT)

Gets TEMP folder path (SCRIPT)

SUSPICIOUS

Reads the Internet Settings

Block-list domains

Starts CMD.EXE for commands execution

Execution of CURL command

Process requests binary or script from the Internet

Runs shell command (SCRIPT)

Uses TIMEOUT.EXE to delay execution

Executes application which crashes

Potential Corporate Privacy Violation

Executable content was dropped or overwritten

INFO

Reads the machine GUID from the registry

Creates files or folders in the user directory

Checks supported languages

Reads the software policy settings

Checks proxy server information

Reads Internet Explorer settings

Manual execution by a user

Application launched itself

Execution of CURL command

Reads the computer name

Create files in a temporary directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings