Windows Analysis Report
https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm

Overview

General Information

Sample URL: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm
Analysis ID: 694551
Infos:

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function

Classification

Source: unknown HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: files.cchsfs.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: global traffic HTTP traffic detected: GET /doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: files.cchsfs.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-84.0.4147.135Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /jsapi HTTP/1.1Host: www.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=WP.289365
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: bgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-84.0.4147.135Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: wget.exe, wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000003.00000002.913235959.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Downloading ATX.htm.3.dr String found in binary or memory: http://www.madcapsoftware.com/Schemas/MadCap.xsd
Source: wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp, cmdline.out.0.dr String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm
Source: wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm(
Source: wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm:
Source: wget.exe, 00000003.00000002.912995632.0000000000020000.00000004.00000020.00040000.00000000.sdmp String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htmJ
Source: wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htmS
Source: wget.exe, 00000003.00000002.913203014.0000000000910000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htmW
Source: Downloading ATX.htm.3.dr String found in binary or memory: https://support.atxinc.com/
Source: wget.exe, 00000003.00000002.913172634.0000000000833000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000003.00000002.913163684.000000000082B000.00000004.00000800.00020000.00000000.sdmp, Downloading ATX.htm.3.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: wget.exe, 00000003.00000002.913172634.0000000000833000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000003.00000002.913163684.000000000082B000.00000004.00000800.00020000.00000000.sdmp, Downloading ATX.htm.3.dr String found in binary or memory: https://www.google.com/jsapi
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=WP.289365
Source: unknown HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: C:\Windows\SysWOW64\wget.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F4E71 3_2_007F4E71
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F1B47 3_2_007F1B47
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007FA303 3_2_007FA303
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F59D8 3_2_007F59D8
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: wget.exe String found in binary or memory: files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm
Source: wget.exe String found in binary or memory: 2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm
Source: wget.exe String found in binary or memory: T /doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: */* Accept-Encoding: identity Host: files.cchsfs.com Connection: Keep-Alive
Source: wget.exe String found in binary or memory: doc/atx/2021/Help/Content/Both-SSource/Installation
Source: wget.exe String found in binary or memory: Wget [100%] https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm
Source: wget.exe String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm
Source: wget.exe String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm
Source: wget.exe String found in binary or memory: /2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm
Source: classification engine Classification label: clean2.win@29/2@4/7
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm"
Source: unknown Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized -- "C:\Users\user\Desktop\download\Downloading ATX.htm.html
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1008,1019000916465979311,6662852395727443255,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1436 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm" Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1008,1019000916465979311,6662852395727443255,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1436 /prefetch:8 Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F467A push eax; ret 3_2_007F4685
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F6EFF push 98007FC6h; iretd 3_2_007F6F39
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007FBCE2 push esp; iretd 3_2_007FBD91
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007EF8E0 pushad ; ret 3_2_007EF8E3
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F54E1 push eax; iretd 3_2_007F54ED
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F9ECA push es; retf 3_2_007F9F01
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F9D58 push esi; retf 3_2_007F9D81
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F6B40 push eax; retf 3_2_007F6B41
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007FB711 pushad ; retn 0078h 3_2_007FB745
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F9DE9 push ebp; retf 3_2_007F9D99
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F9FB0 push ds; retf 3_2_007F9FC1
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F6FA8 pushad ; retn 007Fh 3_2_007F6FB9
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_007F9B90 pushfd ; retf 3_2_007F9BD1
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_00C16CD6 push ds; ret 3_2_00C16CDA
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_00C16CA1 push ds; ret 3_2_00C16CD2
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_00C16C5C push ds; ret 3_2_00C16CD2
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_00C1B264 push 3800C295h; retn 0000h 3_2_00C1B271
Source: C:\Windows\SysWOW64\wget.exe Code function: 3_2_00C16B56 push ds; ret 3_2_00C16B5A
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://files.cchsfs.com/doc/atx/2021/help/content/both-ssource/installation/downloading%20atx.htm" > cmdline.out 2>&1