Source: unknown |
HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.22:49173 version: TLS 1.2 |
Source: unknown |
DNS traffic detected: queries for: files.cchsfs.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49179 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49180 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49176 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49198 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49175 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49174 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49173 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49180 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49198 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49175 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49176 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49173 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49174 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49179 -> 443 |
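The port records above are one-directional entries (server port -> client port, or the reverse), and the "HTTP traffic" label is assigned by port number rather than by inspecting the payload; the single "HTTPS traffic detected" record is the only one that names the peer address and the TLS version. The Python below is an added example, not part of the sandbox report or its tooling, that reconstructs bidirectional connections from these records and shows which client ports have a handshake record and which do not. It assumes that the endpoint on port 80 or 443 is the server and that client ports are unique within one run; the record text is copied from the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Traffic records copied from the sandbox report (one record per line).
REPORT_LINES = """\
HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.22:49173 version: TLS 1.2 |
DNS traffic detected: queries for: files.cchsfs.com |
Network traffic detected: HTTP traffic on port 443 -> 49179 |
Network traffic detected: HTTP traffic on port 49180 -> 443 |
Network traffic detected: HTTP traffic on port 443 -> 49176 |
Network traffic detected: HTTP traffic on port 443 -> 49198 |
Network traffic detected: HTTP traffic on port 443 -> 49175 |
Network traffic detected: HTTP traffic on port 443 -> 49174 |
Network traffic detected: HTTP traffic on port 443 -> 49173 |
Network traffic detected: HTTP traffic on port 443 -> 49180 |
Network traffic detected: HTTP traffic on port 49198 -> 443 |
Network traffic detected: HTTP traffic on port 49175 -> 443 |
Network traffic detected: HTTP traffic on port 49176 -> 443 |
Network traffic detected: HTTP traffic on port 49173 -> 443 |
Network traffic detected: HTTP traffic on port 49174 -> 443 |
Network traffic detected: HTTP traffic on port 49179 -> 443 |
"""

PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: ([^|]+)")
DNS_RE = re.compile(r"DNS traffic detected: queries for: ([^|]+)")

# Assumption: whichever endpoint sits on one of these ports is the server side.
SERVER_PORTS = {80, 443}


@dataclass
class Flow:
    client_port: int
    server_port: int
    directions: Set[str] = field(default_factory=set)  # "c2s" and/or "s2c"
    tls_version: Optional[str] = None                  # set only if a handshake record exists
    server_ip: Optional[str] = None
    client_ip: Optional[str] = None

    @property
    def bidirectional(self) -> bool:
        return self.directions == {"c2s", "s2c"}


def _orient(a_port: int, b_port: int) -> Optional[Tuple[int, int, str]]:
    """Map an 'a -> b' record to (client_port, server_port, direction)."""
    if b_port in SERVER_PORTS:
        return a_port, b_port, "c2s"
    if a_port in SERVER_PORTS:
        return b_port, a_port, "s2c"
    return None  # neither side on a known server port: not handled here


def parse_flows(text: str) -> Tuple[Dict[int, Flow], List[str]]:
    """Group one-directional records into flows keyed by client port; collect DNS names."""
    flows: Dict[int, Flow] = {}
    dns: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.search(line)
        if m:
            oriented = _orient(int(m.group(1)), int(m.group(2)))
            if oriented:
                cport, sport, direction = oriented
                flows.setdefault(cport, Flow(cport, sport)).directions.add(direction)
            continue
        m = TLS_RE.search(line)
        if m:
            a_ip, a_port, b_ip, b_port, version = m.groups()
            oriented = _orient(int(a_port), int(b_port))
            if oriented:
                cport, sport, direction = oriented
                flow = flows.setdefault(cport, Flow(cport, sport))
                flow.tls_version = version.strip()
                # In a c2s record the first address is the client; otherwise it is the server.
                flow.client_ip, flow.server_ip = (a_ip, b_ip) if direction == "c2s" else (b_ip, a_ip)
            continue
        m = DNS_RE.search(line)
        if m:
            dns.append(m.group(1).strip())
    return flows, dns


def summarize(flows: Dict[int, Flow]) -> Dict[str, object]:
    """Which connections are complete, and which lack a TLS handshake record."""
    return {
        "connections": len(flows),
        "one_directional": sorted(p for p, f in flows.items() if not f.bidirectional),
        "with_tls_record": sorted(p for p, f in flows.items() if f.tls_version),
        "without_tls_record": sorted(p for p, f in flows.items() if not f.tls_version),
    }


if __name__ == "__main__":
    flows, dns = parse_flows(REPORT_LINES)
    print("DNS:", dns)
    print(summarize(flows))
```

On the records above this yields seven bidirectional connections to port 443, only one of which (client port 49173, peer 152.199.21.175) carries a TLS version; for the other six the report records a port pair and nothing else, so it does not say what ran over them.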
Source: global traffic |
HTTP traffic detected: GET /doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Accept: */*
Accept-Encoding: identity
Host: files.cchsfs.com
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
Host: clients2.google.com
Connection: keep-alive
X-Goog-Update-Interactivity: fg
X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm
X-Goog-Update-Updater: chromecrx-84.0.4147.135
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9 |
Source: global traffic |
HTTP traffic detected: GET /jsapi HTTP/1.1
Host: www.google.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: CONSENT=WP.289365 |
Source: global traffic |
HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=84.0.4147.135&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc HTTP/1.1
Host: clients2.google.com
Connection: keep-alive
X-Goog-Update-Interactivity: bg
X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm
X-Goog-Update-Updater: chromecrx-84.0.4147.135
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9 |
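The first request record in this group is the wget download: its User-Agent claims Internet Explorer 11, while the rest of the request (Accept-Encoding: identity, no Accept-Language) is what wget sends by default. The raw report runs the request line and headers together with no separator, so the records must be re-split before they can be compared. The Python below is an added example, not from the report or from any fingerprinting product, that re-splits such run-together records at known header names (falling back to newlines when the record already has them) and applies a few heuristics, which are assumptions of this example rather than a published fingerprint database, to flag a browser User-Agent whose companion headers do not match. The two records are copied from this report in their raw run-together form.

```python
import re
from typing import Dict, List, Tuple

# Request records copied from the report in the raw form where the request line
# and the headers are concatenated without separators.
WGET_REQUEST = (
    "HTTP traffic detected: GET /doc/atx/2021/Help/Content/Both-SSource/Installation/"
    "Downloading%20ATX.htm HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; "
    "AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: files.cchsfs.com"
    "Connection: Keep-Alive |"
)
CHROME_REQUEST = (
    "HTTP traffic detected: GET /jsapi HTTP/1.1Host: www.google.comConnection: keep-alive"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/84.0.4147.135 Safari/537.36Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-cors"
    "Sec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9"
    "Cookie: CONSENT=WP.289365 |"
)

# Header names used to re-split a run-together record. Assumption: a header name
# immediately followed by a colon marks a boundary (values on this page never
# contain such a sequence).
KNOWN_HEADERS = [
    "Host", "User-Agent", "Accept", "Accept-Encoding", "Accept-Language", "Connection",
    "Cookie", "Content-Length", "Content-Type", "Origin", "Sec-Fetch-Site",
    "Sec-Fetch-Mode", "Sec-Fetch-Dest", "X-Goog-Update-Interactivity",
    "X-Goog-Update-AppId", "X-Goog-Update-Updater",
]
HEADER_BREAK = re.compile(r"(?=(?:" + "|".join(re.escape(h) for h in KNOWN_HEADERS) + r"):)")


def parse_request(record: str) -> Tuple[str, Dict[str, str]]:
    """Return (request line, {lower-cased header name: value}) for one record."""
    body = record.split("HTTP traffic detected:", 1)[-1].strip().rstrip("|").strip()
    parts = body.splitlines() if "\n" in body else HEADER_BREAK.split(body)
    parts = [p.strip() for p in parts if p.strip()]
    request_line, headers = parts[0], {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def client_family(user_agent: str) -> str:
    """Coarse family from the User-Agent string."""
    if "Trident/" in user_agent or "MSIE" in user_agent:
        return "ie"
    if "Chrome/" in user_agent:
        return "chrome"
    if user_agent.startswith(("Wget/", "curl/")):
        return "cli"
    return "other"


def fingerprint_mismatches(headers: Dict[str, str]) -> List[str]:
    """Heuristics (assumptions of this example): browsers of this era advertise
    compressed encodings and an Accept-Language, and Chrome sends Sec-Fetch-* headers
    on every request. A browser User-Agent without them suggests a CLI tool with a
    spoofed User-Agent."""
    family = client_family(headers.get("user-agent", ""))
    issues: List[str] = []
    if family in ("ie", "chrome"):
        if "gzip" not in headers.get("accept-encoding", ""):
            issues.append("browser_ua_without_compression")
        if "accept-language" not in headers:
            issues.append("browser_ua_without_accept_language")
    if family == "chrome" and "sec-fetch-mode" not in headers:
        issues.append("chrome_ua_without_sec_fetch")
    return issues


if __name__ == "__main__":
    for record in (WGET_REQUEST, CHROME_REQUEST):
        line, hdrs = parse_request(record)
        print(line, "->", fingerprint_mismatches(hdrs) or "consistent")
```

Applied to the two records, the wget request is flagged on both heuristics and the Chrome request on none, which matches the process tree below: wget.exe fetched the page with a browser User-Agent, and chrome.exe only opened the saved file.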
Source: wget.exe, wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl |
Source: wget.exe, 00000003.00000002.913235959.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: Downloading ATX.htm.3.dr |
String found in binary or memory: http://www.madcapsoftware.com/Schemas/MadCap.xsd |
Source: wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp, cmdline.out.0.dr |
String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm |
Source: wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm( |
Source: wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm: |
Source: wget.exe, 00000003.00000002.912995632.0000000000020000.00000004.00000020.00040000.00000000.sdmp |
String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htmJ |
Source: wget.exe, 00000003.00000002.913115920.00000000007ED000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htmS |
Source: wget.exe, 00000003.00000002.913203014.0000000000910000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htmW |
Source: Downloading ATX.htm.3.dr |
String found in binary or memory: https://support.atxinc.com/ |
Source: wget.exe, 00000003.00000002.913172634.0000000000833000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000003.00000002.913163684.000000000082B000.00000004.00000800.00020000.00000000.sdmp, Downloading ATX.htm.3.dr |
String found in binary or memory: https://www.google-analytics.com/analytics.js |
Source: wget.exe, 00000003.00000002.913172634.0000000000833000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000003.00000002.913163684.000000000082B000.00000004.00000800.00020000.00000000.sdmp, Downloading ATX.htm.3.dr |
String found in binary or memory: https://www.google.com/jsapi |
Source: unknown |
HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
Host: accounts.google.com
Connection: keep-alive
Content-Length: 1
Origin: https://www.google.com
Content-Type: application/x-www-form-urlencoded
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: CONSENT=WP.289365 |
Source: C:\Windows\SysWOW64\wget.exe |
Memory allocated: 77620000 page execute and read and write |
Source: C:\Windows\SysWOW64\wget.exe |
Memory allocated: 77740000 page execute and read and write |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F4E71 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F1B47 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007FA303 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F59D8 |
Source: C:\Windows\SysWOW64\wget.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: wget.exe |
String found in binary or memory: files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm |
Source: wget.exe |
String found in binary or memory: 2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm |
Source: wget.exe |
String found in binary or memory: T /doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: */* Accept-Encoding: identity Host: files.cchsfs.com Connection: Keep-Alive |
Source: wget.exe |
String found in binary or memory: doc/atx/2021/Help/Content/Both-SSource/Installation |
Source: wget.exe |
String found in binary or memory: Wget [100%] https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm |
Source: wget.exe |
String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm |
Source: wget.exe |
String found in binary or memory: https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm |
Source: wget.exe |
String found in binary or memory: /2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm |
Source: classification engine |
Classification label: clean2.win@29/2@4/7 |
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm" > cmdline.out 2>&1 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm" |
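This command line is the security-relevant content of the report. `--no-check-certificate` turns off certificate verification, so the TLS session to files.cchsfs.com is encrypted but the server's identity is never checked; `--user-agent` makes wget present itself as Internet Explorer 11; `--content-disposition` lets the server's response header choose the local filename. wget's short options are also case sensitive (`-T` is the read timeout and `-t` the retry count; `-P` the directory prefix and `-p` page requisites), so a case-folded copy of this line describes a different command. The Python below is an added example, not part of the report or of wget, that extracts the command line from a "Process created" record, tokenises it with a simplified Windows quoting rule (an assumption: only double quotes group arguments, backslashes are literal, and the CommandLineToArgvW backslash-quote rules are not modelled), parses the wget options it uses, and returns audit findings. The two records are copied from this report: the original line and the lower-cased copy that appears further down.

```python
import re
from typing import Dict, List, Tuple

# Two "Process created" records copied from this report.
WGET_RECORD = r'''Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://files.cchsfs.com/doc/atx/2021/Help/Content/Both-SSource/Installation/Downloading%20ATX.htm" |'''
WGET_RECORD_FOLDED = r'''Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://files.cchsfs.com/doc/atx/2021/help/content/both-ssource/installation/downloading%20atx.htm" |'''

# image path (up to the first ".exe") followed by the command line, minus the trailing "|"
RECORD_RE = re.compile(r"Process created:\s+(.+?\.exe)\s+(.*?)\s*\|?\s*$", re.IGNORECASE)

# wget short options are case sensitive; only the ones relevant here are listed.
SHORT_WITH_VALUE = {"-t": "tries", "-T": "timeout", "-P": "directory_prefix", "-O": "output_document"}
SHORT_FLAGS = {"-v": "verbose", "-q": "quiet", "-p": "page_requisites", "-r": "recursive"}


def extract_cmdline(record: str) -> Tuple[str, str]:
    """Split a sandbox 'Process created' record into (image path, command line)."""
    m = RECORD_RE.search(record)
    if not m:
        raise ValueError("not a 'Process created' record")
    return m.group(1), m.group(2)


def win_split(cmdline: str) -> List[str]:
    """Simplified Windows tokenizer (assumption): whitespace separates arguments,
    double quotes group them, backslashes are literal."""
    args: List[str] = []
    cur: List[str] = []
    quoted = have = False
    for ch in cmdline:
        if ch == '"':
            quoted, have = not quoted, True
        elif ch.isspace() and not quoted:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if have:
        args.append("".join(cur))
    return args


def parse_wget(args: List[str]) -> Dict[str, object]:
    """Map the wget options used in the record to names; later options override earlier ones."""
    opts: Dict[str, object] = {"urls": []}
    it = iter(args[1:])  # args[0] is the program name
    for a in it:
        if a in SHORT_WITH_VALUE:
            opts[SHORT_WITH_VALUE[a]] = next(it, None)
        elif a in SHORT_FLAGS:
            opts[SHORT_FLAGS[a]] = True
        elif a.startswith("--"):
            name, sep, value = a[2:].partition("=")
            opts[name.replace("-", "_")] = value if sep else True
        else:
            opts["urls"].append(a)  # type: ignore[union-attr]
    return opts


def audit_wget(opts: Dict[str, object]) -> List[str]:
    """Findings a reviewer would want flagged for this invocation."""
    findings: List[str] = []
    if opts.get("no_check_certificate"):
        findings.append("tls_verification_disabled")  # server identity never checked
    ua = opts.get("user_agent")
    if isinstance(ua, str) and not ua.startswith("Wget"):
        findings.append("user_agent_spoofed")  # claims to be a browser
    if opts.get("content_disposition"):
        findings.append("filename_chosen_by_server")  # local name taken from a response header
    if any(not u.lower().startswith("https://") for u in opts["urls"]):  # type: ignore[union-attr]
        findings.append("non_https_url")
    return findings


def audit_record(record: str) -> Tuple[str, Dict[str, object], List[str]]:
    image, cmdline = extract_cmdline(record)
    opts = parse_wget(win_split(cmdline))
    return image, opts, audit_wget(opts)


if __name__ == "__main__":
    for rec in (WGET_RECORD, WGET_RECORD_FOLDED):
        image, opts, findings = audit_record(rec)
        print(image, findings, {k: v for k, v in opts.items() if k != "user_agent"})
```

The original record parses as tries=2, timeout=60, directory prefix C:\Users\user\Desktop\download and one URL, with three findings. The case-folded copy parses as tries=60, page requisites enabled, no timeout and no directory prefix, with the former directory now read as a second, non-HTTPS URL; the lower-cased records in a report must therefore not be read as the command that actually ran.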
Source: unknown |
Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized -- "C:\Users\user\Desktop\download\Downloading ATX.htm.html" |
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Process created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1008,1019000916465979311,6662852395727443255,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1436 /prefetch:8 |
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe |
Process created: unknown unknown |
Source: C:\Windows\SysWOW64\wget.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\InProcServer32 |
Source: C:\Windows\SysWOW64\wget.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\cmd.exe |
File created: C:\Users\user\Desktop\cmdline.out |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F467A push eax; ret |
3_2_007F4685 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F6EFF push 98007FC6h; iretd |
3_2_007F6F39 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007FBCE2 push esp; iretd |
3_2_007FBD91 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007EF8E0 pushad ; ret |
3_2_007EF8E3 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F54E1 push eax; iretd |
3_2_007F54ED |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F9ECA push es; retf |
3_2_007F9F01 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F9D58 push esi; retf |
3_2_007F9D81 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F6B40 push eax; retf |
3_2_007F6B41 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007FB711 pushad ; retn 0078h |
3_2_007FB745 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F9DE9 push ebp; retf |
3_2_007F9D99 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F9FB0 push ds; retf |
3_2_007F9FC1 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F6FA8 pushad ; retn 007Fh |
3_2_007F6FB9 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_007F9B90 pushfd ; retf |
3_2_007F9BD1 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_00C16CD6 push ds; ret |
3_2_00C16CDA |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_00C16CA1 push ds; ret |
3_2_00C16CD2 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_00C16C5C push ds; ret |
3_2_00C16CD2 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_00C1B264 push 3800C295h; retn 0000h |
3_2_00C1B271 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 3_2_00C16B56 push ds; ret |
3_2_00C16B5A |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wget.exe |
Queries volume information: C:\Users\user\Desktop\download VolumeInformation |
Source: C:\Windows\SysWOW64\wget.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |