{"report_id":"03091317-856e-45dc-bee1-a99318f86f4e","version":6,"status":"done","tags":[],"date":"2026-04-30T10:54:35Z","url":{"schema":"http","addr":"originndefi.org.uk","fqdn":"originndefi.org.uk","domain":"originndefi.org.uk","tld":"org.uk"},"ip":{"addr":"46.202.172.115","port":0,"asn":0,"as":"","country":"Ukraine","country_code":"UA"},"final":{"url":{"schema":"https","addr":"originndefi.org.uk/","fqdn":"originndefi.org.uk","domain":"originndefi.org.uk","tld":"org.uk"},"title":"Origin","dom":{"size":0,"mime_type":"text/plain; charset=utf-8","magic":"","md5":"d41d8cd98f00b204e9800998ecf8427e","sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha512":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e","ssdeep":"","tlshash":"","dom_hash":"domhash1f07f384c75181c66badb60ab1ec770b","first_seen":"","last_seen":"","times_seen":0,"resource_available":false,"data":null}},"submit":{"url":{"schema":"http","addr":"originndefi.org.uk","fqdn":"originndefi.org.uk","domain":"originndefi.org.uk","tld":"org.uk"},"ip":{"addr":"46.202.172.115","port":0,"asn":0,"as":"","country":"Ukraine","country_code":"UA"},"tags":null,"meta":null},"settings":{"access":"public","device_type":"desktop","expires_at":"2027-06-04T10:54:35Z","useragent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0","referer":"","cookies":null,"exit_node":"z0yflva4pidy47h"},"stats":{"alert_count":{"ids":0,"urlquery":0,"analyzer":1}},"detection":{"ids":null,"analyzer":[{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-04-30","alert":"Sinkholed","trigger":"originndefi.org.uk","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null}],"urlquery":null},"summary":[{"fqdn":"originndefi.org.uk","ip":{"addr":"46.202.172.115","port":443,"asn":0,"as":"","country":"Ukraine","country_code":"UA"},"domain_registered":"2026-04-19","domain_rank":0,"first_seen":"2026-04-30T10:54:36.627091Z","last_seen":"2026-04-30T10:54:36.627091Z","alert_count":3,"request_count":3,"received_data":4014059,"sent_data":1337,"comment":"","tags":null,"fingerprints":[{"name":"PHP:8.3.30","description":"PHP is a general-purpose scripting language used for web development.","website":"https://php.net","common_platform_enumeration":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","icon":"PHP.svg","categories":["Programming languages"]},{"name":"Hostinger","description":"Hostinger is an employee-owned Web hosting provider and internet domain registrar.","website":"https://www.hostinger.com","common_platform_enumeration":"","icon":"Hostinger.svg","categories":["Hosting"]},{"name":"LiteSpeed","description":"LiteSpeed is a high-scalability web server.","website":"https://litespeedtech.com","common_platform_enumeration":"cpe:2.3:a:litespeedtech:litespeed_web_server:*:*:*:*:*:*:*:*","icon":"LiteSpeed.svg","categories":["Web servers"]}]}],"files":null,"artifacts":{"windows_shortcuts":null,"files":null,"telegram":null,"pdfs":null,"clipboard":null},"sensors":{"ids":null,"analyzer":null,"urlquery":null},"javascript":{"script":[{"url":{"schema":"https","addr":"originndefi.org.uk/","fqdn":"originndefi.org.uk","domain":"originndefi.org.uk","tld":"org.uk"},"ip":{"addr":"46.202.172.115","port":443,"asn":0,"as":"","country":"Ukraine","country_code":"UA"},"introduction_type":"eval","is_inline":false,"md5":"a027fdbafa0a8c8244c7ccaf1d8dcb0f","sha1":"59c5c428c0a1f5a8574d950195f1fd3d66801cfb","sha256":"072be3db4fe53081f2032a8ca2012b2868c64829143d241283eedd1686044cc3","sha512":"850c320b5cbbe662feb894a675644dadf2552759fe6ee49832b3e879d6c345aa62aad2caaf889d5af293d7371217763cfc1552bb00d3daa9deed32d1f21a215c","ssdeep":"768:Fv3KEuNo/O1EVlr0K1ckbxWcdcgPcJZ90cWRReRAhlAsiU:F5OEl1FqkRReRAhlAq","tlshash":"701360e1250bd4d59e5610eee033e801e068196bce7df2a3ea2cddc1752ef22854757b","size":42255,"data":"","first_seen":"2026-04-30T10:23:07.139317Z","last_seen":"2026-04-30T11:05:15.55264Z","times_seen":12,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"originndefi.org.uk/","fqdn":"originndefi.org.uk","domain":"originndefi.org.uk","tld":"org.uk"},"ip":{"addr":"46.202.172.115","port":443,"asn":0,"as":"","country":"Ukraine","country_code":"UA"},"introduction_type":"scriptElement","is_inline":true,"md5":"261fa5f948bd99fdf005f80595805744","sha1":"51d57156b1974322b3ba8542f48893082199d5e1","sha256":"1dcf3b0e1f92d593867169c5ee26771d2f3b77f552eee6c73beba961b91d61b7","sha512":"532ff30dfdd593068e7afc5f98cb1bc72408e594f297911c0a7c590c97a2ed6be6b91981322dfe3b3e90f21241404ae8692139732372f119279dbdf29f3ae429","ssdeep":"","tlshash":"a6015927222233707ce9d5dca8b6dd8e39bb501ae40a0090a09f944d1834bc644f7bec","size":847,"data":"","first_seen":"2023-03-07T01:03:07Z","last_seen":"2026-05-17T01:57:24.729372Z","times_seen":3493,"alerts":{"ids":null,"analyzer":null,"urlquery":null}},{"url":{"schema":"https","addr":"originndefi.org.uk/lt2wh63.php","fqdn":"originndefi.org.uk","domain":"originndefi.org.uk","tld":"org.uk"},"ip":{"addr":"46.202.172.115","port":443,"asn":0,"as":"","country":"Ukraine","country_code":"UA"},"introduction_type":"scriptElement","is_inline":false,"md5":"f2b3d5d3f4f2c81f1509ce83fe9616ea","sha1":"3cb088ee3fad73200a371aa7527493d4f3eb4639","sha256":"6611ffaab287745470637204cc6076e5c8d5774a34cafc5f8f5226aa6ddc72c5","sha512":"38da6afee96c07631f4e21ccad638ba195d343cd29c5283c83a1d00a558c357a5e22800d2bab6fd428ba601434dfe7e2f83b133661c68540884d31c7fcc604be","ssdeep":"1536:+Fp03mMyM+0TEDV4+AHAZZWIERY5Y6AxqD9+Fn3Un3Ug3Us80qL1PqXyQ:+Fp03mMyM+0Y54+AO8cB+FbY","tlshash":"d8248569db9380dc8f69405ed1f3b48dc4114d2a8a6cb4a3ee2ddd812619fa7a0c717f","size":209492,"data":"","first_seen":"2026-04-30T10:54:40.219329Z","last_seen":"2026-04-30T11:05:15.550989Z","times_seen":2,"alerts":{"ids":null,"analyzer":null,"urlquery":null}}],"eval":null,"write":null,"console":null},"http":[{"url":{"schema":"https","addr":"originndefi.org.uk/lt2wh63.php","fqdn":"originndefi.org.uk","domain":"originndefi.org.uk","tld":"org.uk"},"ip":{"addr":"46.202.172.115","port":443,"asn":0,"as":"","country":"Ukraine","country_code":"UA"},"is_navigation_request":false,"resource_type":"script","requested_by":"https://originndefi.org.uk/","date":"2026-04-30T10:54:11.322Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"originndefi.org.uk","organization":""},"issuer":{"commonName":"R12","organization":"Let's Encrypt"},"validity":{"start":"Sun, 19 Apr 2026 01:24:21 GMT","end":"Sat, 18 Jul 2026 01:24:20 GMT"},"fingerprint":{"sha1":"A9:1D:2F:0B:8F:89:AE:0E:73:2A:DB:64:E3:A9:60:91:4C:32:23:BB","sha256":"E3:60:00:9A:8A:74:B0:AF:58:67:09:CF:29:80:C4:CF:6E:F5:CF:95:56:1F:24:D2:74:C1:73:29:82:7D:69:1E"}}},"request":{"raw":"GET /lt2wh63.php HTTP/1.1\r\nHost: originndefi.org.uk\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nConnection: keep-alive\r\nReferer: https://originndefi.org.uk/\r\nSec-Fetch-Dest: script\r\nSec-Fetch-Mode: no-cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\nx-powered-by: PHP/8.3.30\r\naccess-control-allow-origin: *\r\naccess-control-allow-methods: *\r\naccess-control-allow-headers: *\r\naccess-control-max-age: 3600\r\ncontent-type: application/javascript\r\ncache-control: public, max-age=3600\r\ncontent-encoding: br\r\nvary: Accept-Encoding\r\ndate: Thu, 30 Apr 2026 10:54:11 GMT\r\nserver: LiteSpeed\r\nplatform: hostinger\r\npanel: hpanel\r\ncontent-security-policy: upgrade-insecure-requests\r\nalt-svc: h3=\":443\"; ma=2592000, h3-29=\":443\"; ma=2592000, h3-Q050=\":443\"; ma=2592000, h3-Q046=\":443\"; ma=2592000, h3-Q043=\":443\"; ma=2592000, quic=\":443\"; ma=2592000; v=\"43,46\"\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"PHP:8.3.30","description":"PHP is a general-purpose scripting language used for web development.","website":"https://php.net","common_platform_enumeration":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","icon":"PHP.svg","categories":["Programming languages"]},{"name":"Hostinger","description":"Hostinger is an employee-owned Web hosting provider and internet domain registrar.","website":"https://www.hostinger.com","common_platform_enumeration":"","icon":"Hostinger.svg","categories":["Hosting"]},{"name":"LiteSpeed","description":"LiteSpeed is a high-scalability web server.","website":"https://litespeedtech.com","common_platform_enumeration":"cpe:2.3:a:litespeedtech:litespeed_web_server:*:*:*:*:*:*:*:*","icon":"LiteSpeed.svg","categories":["Web servers"]}],"data":{"size":210290,"size_decoded":0,"mime_type":"application/javascript","magic":"JavaScript source, Unicode text, UTF-8 text, with very long lines (49822), with no line terminators","md5":"f2b3d5d3f4f2c81f1509ce83fe9616ea","sha1":"3cb088ee3fad73200a371aa7527493d4f3eb4639","sha256":"6611ffaab287745470637204cc6076e5c8d5774a34cafc5f8f5226aa6ddc72c5","sha512":"38da6afee96c07631f4e21ccad638ba195d343cd29c5283c83a1d00a558c357a5e22800d2bab6fd428ba601434dfe7e2f83b133661c68540884d31c7fcc604be","ssdeep":"1536:+Fp03mMyM+0TEDV4+AHAZZWIERY5Y6AxqD9+Fn3Un3Ug3Us80qL1PqXyQ:+Fp03mMyM+0Y54+AO8cB+FbY","tlshash":"d8248569db9380dc8f69405ed1f3b48dc4114d2a8a6cb4a3ee2ddd812619fa7a0c717f","first_seen":"2026-04-30T10:54:40.219329Z","last_seen":"2026-04-30T11:05:15.550989Z","times_seen":2,"resource_available":true,"data":null}},"time_used":82,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":41,"receive":41,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-04-30","alert":"Sinkholed","trigger":"originndefi.org.uk","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"originndefi.org.uk/lt2wh63.php?m=2962577","fqdn":"originndefi.org.uk","domain":"originndefi.org.uk","tld":"org.uk"},"ip":{"addr":"46.202.172.115","port":443,"asn":0,"as":"","country":"Ukraine","country_code":"UA"},"is_navigation_request":false,"resource_type":"fetch","requested_by":"https://originndefi.org.uk/","date":"2026-04-30T10:54:11.696Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"originndefi.org.uk","organization":""},"issuer":{"commonName":"R12","organization":"Let's Encrypt"},"validity":{"start":"Sun, 19 Apr 2026 01:24:21 GMT","end":"Sat, 18 Jul 2026 01:24:20 GMT"},"fingerprint":{"sha1":"A9:1D:2F:0B:8F:89:AE:0E:73:2A:DB:64:E3:A9:60:91:4C:32:23:BB","sha256":"E3:60:00:9A:8A:74:B0:AF:58:67:09:CF:29:80:C4:CF:6E:F5:CF:95:56:1F:24:D2:74:C1:73:29:82:7D:69:1E"}}},"request":{"raw":"GET /lt2wh63.php?m=2962577 HTTP/1.1\r\nHost: originndefi.org.uk\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: */*\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nReferer: https://originndefi.org.uk/\r\nDNT: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: empty\r\nSec-Fetch-Mode: cors\r\nSec-Fetch-Site: same-origin\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/3 200 OK\r\nx-powered-by: PHP/8.3.30\r\naccess-control-allow-origin: *\r\naccess-control-allow-methods: *\r\naccess-control-allow-headers: *\r\naccess-control-max-age: 3600\r\ncontent-type: application/javascript\r\ncache-control: public, max-age=300\r\ncontent-encoding: br\r\nvary: Accept-Encoding\r\ndate: Thu, 30 Apr 2026 10:54:11 GMT\r\nserver: LiteSpeed\r\nplatform: hostinger\r\npanel: hpanel\r\ncontent-security-policy: upgrade-insecure-requests\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"LiteSpeed","description":"LiteSpeed is a high-scalability web server.","website":"https://litespeedtech.com","common_platform_enumeration":"cpe:2.3:a:litespeedtech:litespeed_web_server:*:*:*:*:*:*:*:*","icon":"LiteSpeed.svg","categories":["Web servers"]},{"name":"PHP:8.3.30","description":"PHP is a general-purpose scripting language used for web development.","website":"https://php.net","common_platform_enumeration":"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*","icon":"PHP.svg","categories":["Programming languages"]},{"name":"Hostinger","description":"Hostinger is an employee-owned Web hosting provider and internet domain registrar.","website":"https://www.hostinger.com","common_platform_enumeration":"","icon":"Hostinger.svg","categories":["Hosting"]}],"data":{"size":3311673,"size_decoded":0,"mime_type":"application/javascript","magic":"JavaScript source, ASCII text, with very long lines (65536), with no line terminators","md5":"ccf9611a7062530792f14c0348516395","sha1":"faffb506a2eaafb06a1e64ba724077f5b5aaf352","sha256":"abe90f5c10f831767cae7d311b0923c699423a22bf849f7b8cb8173ded3f4651","sha512":"3c8b1beefc88212739fba5ae361679e4078d2455c26bddbae53a350a6973e4502dc9e1856c908810b3c488f6e6d9c205a0a84b84957a9b36ef4d8bdfff70ec01","ssdeep":"24576:Ofctb/YWmLkwsOukzMSPbg+lsVo5/Cr0OSzcfUjesPr4OckJsCk0b:OfchGkwdNZngkXbcI","tlshash":"c22523d22e8ad4748f4c5b9ab0f71d0e69444e13048d75adea46ecc23269fb081eb57f","first_seen":"2026-04-30T10:54:40.220678Z","last_seen":"2026-04-30T11:05:15.551537Z","times_seen":2,"resource_available":false,"data":null}},"time_used":228,"timings":{"blocked":0,"dns":0,"connect":0,"send":0,"wait":43,"receive":185,"ssl":0},"alerts":{"ids":null,"analyzer":[{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-04-30","alert":"Sinkholed","trigger":"originndefi.org.uk","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null}],"urlquery":null}},{"url":{"schema":"https","addr":"originndefi.org.uk/","fqdn":"originndefi.org.uk","domain":"originndefi.org.uk","tld":"org.uk"},"ip":{"addr":"46.202.172.115","port":443,"asn":0,"as":"","country":"Ukraine","country_code":"UA"},"is_navigation_request":true,"resource_type":"document","requested_by":"","date":"2026-04-30T10:54:10.993Z","timestamp":0,"http_version":"","security_state":"secure","security_info":{"cipher_suite":"TLS_AES_128_GCM_SHA256","key_group_name":"x25519","signature_name":"RSA-PSS-SHA256","protocol":"TLSv1.3","cert":{"subject":{"commonName":"originndefi.org.uk","organization":""},"issuer":{"commonName":"R12","organization":"Let's Encrypt"},"validity":{"start":"Sun, 19 Apr 2026 01:24:21 GMT","end":"Sat, 18 Jul 2026 01:24:20 GMT"},"fingerprint":{"sha1":"A9:1D:2F:0B:8F:89:AE:0E:73:2A:DB:64:E3:A9:60:91:4C:32:23:BB","sha256":"E3:60:00:9A:8A:74:B0:AF:58:67:09:CF:29:80:C4:CF:6E:F5:CF:95:56:1F:24:D2:74:C1:73:29:82:7D:69:1E"}}},"request":{"raw":"GET / HTTP/1.1\r\nHost: originndefi.org.uk\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate, br\r\nDNT: 1\r\nUpgrade-Insecure-Requests: 1\r\nConnection: keep-alive\r\nSec-Fetch-Dest: document\r\nSec-Fetch-Mode: navigate\r\nSec-Fetch-Site: cross-site\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n\r\n","headers":null,"cookies":null,"method":"GET"},"response":{"raw":"HTTP/2 200 OK\r\ncontent-type: text/html\r\nlast-modified: Wed, 29 Apr 2026 01:55:52 GMT\r\netag: \"77bf4-69f16528-5296e738295a529d;br\"\r\naccept-ranges: bytes\r\ncontent-encoding: br\r\nvary: Accept-Encoding\r\ncontent-length: 214354\r\ndate: Thu, 30 Apr 2026 10:54:11 GMT\r\nserver: LiteSpeed\r\nplatform: hostinger\r\npanel: hpanel\r\ncontent-security-policy: upgrade-insecure-requests\r\nalt-svc: h3=\":443\"; ma=2592000, h3-29=\":443\"; ma=2592000, h3-Q050=\":443\"; ma=2592000, h3-Q046=\":443\"; ma=2592000, h3-Q043=\":443\"; ma=2592000, quic=\":443\"; ma=2592000; v=\"43,46\"\r\nX-Firefox-Spdy: h2\r\n\r\n","headers":null,"cookies":null,"status_code":"200","status_text":"OK","fingerprints":[{"name":"Hostinger","description":"Hostinger is an employee-owned Web hosting provider and internet domain registrar.","website":"https://www.hostinger.com","common_platform_enumeration":"","icon":"Hostinger.svg","categories":["Hosting"]},{"name":"LiteSpeed","description":"LiteSpeed is a high-scalability web server.","website":"https://litespeedtech.com","common_platform_enumeration":"cpe:2.3:a:litespeedtech:litespeed_web_server:*:*:*:*:*:*:*:*","icon":"LiteSpeed.svg","categories":["Web servers"]}],"data":{"size":490484,"size_decoded":0,"mime_type":"text/html","magic":"HTML document, ASCII text, with very long lines (62998)","md5":"5dacd5ad53ea6800d2b245eac0924aa7","sha1":"67b0b71e0ab6cd6d86259f0a8d29d73db9acdcde","sha256":"61d95b04032a5f07124aadd823ba925e8771c03f64fd09542215a69fa9ae8615","sha512":"d6e1cfda4649ad024f052a2a4af6db5139ee9bedb2122b4ba43b9f5ac59255f89e321c091157f18f17919f562c58b7b7d51f5bf960b9666e982b7f3c96176fa5","ssdeep":"12288:Xz4sBnyUrXQQQIy7p6USBIeFDpWdGMoIHf31H6Vo/b:XzttB1SdGQGo/b","tlshash":"85a45b3eae41b23b3513957171a246aa5f4fb823d7085f3a64b925b1d0bd38013bb778","first_seen":"2026-04-30T10:54:40.22182Z","last_seen":"2026-04-30T11:05:15.550425Z","times_seen":2,"resource_available":true,"data":null}},"time_used":458,"timings":{"blocked":154,"dns":78,"connect":31,"send":0,"wait":33,"receive":118,"ssl":40},"alerts":{"ids":null,"analyzer":[{"sensor_name":"hagezi","sensor_type":"DNS","title":"Hagezi Threat Feed","description":"Hagezi Threat Feed","scan_date":"2026-04-30","alert":"Sinkholed","trigger":"originndefi.org.uk","verdict":"malicious","severity":"medium","comment":"","link":"https://github.com/hagezi/dns-blocklists","meta":null}],"urlquery":null}}]}