Windows Analysis Report
https://download.techsmith.com/camtasiastudio/releases/camtasia.exe

Overview

General Information

Sample URL:	https://download.techsmith.com/camtasiastudio/releases/camtasia.exe
Analysis ID:	753409
Infos:

Detection

Score:	30
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

.NET source code references suspicious native API functions

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Found dropped PE file which has not been started or loaded

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Abnormal high CPU Usage

Is looking for software installed on the system

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011A9F8F DecryptFileW,	5_2_011A9F8F
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008D9F8F DecryptFileW,	6_2_008D9F8F
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FF340 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	6_2_008FF340

Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdbx source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: camtasia.exe, 00000006.00000002.758526854.0000000005E72000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdb source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdb source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\EditionConstants\obj\Release\EditionConstants.pdb source: camtasia.exe, 00000006.00000002.756548919.00000000057D2000.00000002.00000001.01000000.0000000B.sdmp, EditionConstants.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdbd5~5 p5_CorDllMainmscoree.dll source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\mbahost.pdb source: camtasia.exe, 00000006.00000002.764310520.000000006FF34000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\setup\WIX\CamtasiaBootstrapperApplication\obj\Release\CamtasiaBootstrapperApplication.pdb source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\burn.pdb source: camtasia.exe, 00000005.00000000.489737589.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000005.00000002.750467361.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000006.00000000.490838479.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe, 00000006.00000002.750881184.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: camtasia.exe, camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.6.dr

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_01193D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	5_2_01193D4E
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011D3C72 FindFirstFileW,FindClose,	5_2_011D3C72
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_00903C72 FindFirstFileW,FindClose,	6_2_00903C72
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008C3D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_008C3D4E

Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 Das Teilen von Inhalten auf YouTube unterliegt den Nutzungsbedingungen von YouTube {{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 . Weitere Informationen zum Datenschutz auf YouTube finden Sie unter {{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy?hl=de }}{\fldrslt{https://policies.google.com/privacy?hl=de\ul0\cf0}}}}\f0\fs22 und Ihre Sicherheitseinstellungen finden Sie unter {{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \par equals www.youtube.com (Youtube)
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 O compartilhamento de conte\'fado no YouTube est\'e1 sujeito aos Termos de Servi\'e7os do YouTube {{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 . Voc\'ea pode saber mais sobre a pol\'edtica de privacidade do YouTube acessando {{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy?hl=pt-BR }}{\fldrslt{https://policies.google.com/privacy?hl=pt-BR\ul0\cf0}}}}\f0\fs22 e pode revisar as suas configura\'e7\'f5es de seguran\'e7a em {{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \par equals www.youtube.com (Youtube)
Source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 Sharing Content to YouTube is subject to the YouTube Terms Of Services {{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 . You can learn more about YouTube\rquote s privacy policy by visiting {{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy }}{\fldrslt{https://policies.google.com/privacy\ul0\cf0}}}}\f0\fs22 and you can review your security settings by visiting {{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \par equals www.youtube.com (Youtube)
Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 YouTube \f2\'82\'c5\'82\'cc\'83\'52\'83\'93\'83\'65\'83\'93\'83\'63\'82\'cc\'8b\'a4\'97\'4c\'82\'c9\'82\'cd\'81\'41\f0 YouTube \f2\'82\'cc\'97\'98\'97\'70\'8b\'4b\'96\'f1\f0 ({{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 ) \f2\'82\'aa\'93\'4b\'97\'70\'82\'b3\'82\'ea\'82\'dc\'82\'b7\'81\'42\f0 YouTube \f2\'82\'cc\'83\'76\'83\'89\'83\'43\'83\'6f\'83\'56\'81\'5b\f0 \f2\'83\'7c\'83\'8a\'83\'56\'81\'5b\'82\'cc\'8f\'da\'8d\'d7\'82\'c9\'82\'c2\'82\'a2\'82\'c4\'82\'cd\'81\'41{\f0{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy?hl=ja }}{\fldrslt{https://policies.google.com/privacy?hl=ja\ul0\cf0}}}}\f0\fs22 \f2\'82\'f0\'8e\'51\'8f\'c6\'82\'b5\'82\'c4\'82\'ad\'82\'be\'82\'b3\'82\'a2\'81\'42\'83\'86\'81\'5b\'83\'55\'81\'5b\'82\'cc\'83\'5a\'83\'4c\'83\'85\'83\'8a\'83\'65\'83\'42\'90\'dd\'92\'e8\'82\'cd\'81\'41{\f0{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \f2\'82\'c5\'8a\'6d\'94\'46\'82\'c5\'82\'ab\'82\'dc\'82\'b7\'81\'42\f0 \par equals www.youtube.com (Youtube)

Source: camtasia.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: camtasia.exe, 00000005.00000000.489737589.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000005.00000002.750467361.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000006.00000000.490838479.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe, 00000006.00000002.750881184.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: wget.exe, 00000002.00000002.477700107.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477438169.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000002.477700107.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477857273.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477438169.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000002.477700107.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477438169.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crlm
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/Fonts/proximanova-regular.otf
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/Fonts/proximanova-semibold.otf
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/Images/MarketingAnimation/cursor.p
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/ResourceDictionary.xaml
Source: camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/usercontrols/featuresusercontrol.x
Source: camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/windows/selectlanguagedialog.xaml
Source: camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Fonts/proximanova-regular.otf
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Fonts/proximanova-semibold.otf
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/camtasia2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/cursor.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/desktop2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/desktop3.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/desktop6.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/share-menu.png
Source: camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/fonts/proximanova-regular.otf
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/fonts/proximanova-semibold.otf
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/camtasia1.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/camtasia2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/cursor.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/desktop2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/desktop3.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/desktop6.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/share-menu.png
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/changeusercontrol.baml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/csisrunningusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/errormessageusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/finishedusercontrol.baml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/installusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/modifyusercontrol.baml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/optionsusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/progressusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/uninstallusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/usercontrols/featuresusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/windows/selectlanguagedialog.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/changeusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/csisrunningusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/errormessageusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/finishedusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/installusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/modifyusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/optionsusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/progressusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/uninstallusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/usercontrols/featuresusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/windows/selectlanguagedialog.xaml
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://wixtoolset.org
Source: camtasia.exe	String found in binary or memory: http://wixtoolset.org/
Source: camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: camtasia.exe, camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: camtasia.exe, Microsoft.Deployment.WindowsInstaller.dll.6.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: camtasia.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.josbuivenga.demon.nl
Source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.josbuivenga.demon.nlCopyright
Source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.josbuivenga.demon.nlMuseo
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.761967978.0000000009592000.00000004.00000800.00020000.00000000.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.marksimonson.com
Source: camtasia.exe, 00000006.00000002.756685478.0000000005882000.00000002.00000001.01000000.0000000A.sdmp, camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.marksimonson.comCopyright
Source: WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.marksimonson.comProxima
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comcomd
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comq
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comrK
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comrV
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://assets.techsmith.com/Docs/Camtasia-2021-Deployment-Tool-Guide.pdf
Source: wget.exe, 00000002.00000002.477846105.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	String found in binary or memory: https://download.techsmith.com/camtasiastudio/releases/camtasia.exe
Source: wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.techsmith.com/camtasiastudio/releases/camtasia.exe6
Source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://policies.google.com/privacy
Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	String found in binary or memory: https://policies.google.com/privacy?hl=de
Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	String found in binary or memory: https://policies.google.com/privacy?hl=ja
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://policies.google.com/privacy?hl=pt-BR
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://security.google.com/settings/security/permissions
Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	String found in binary or memory: https://support.techsmith.com/hc/de/articles/203732668
Source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp, CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://support.techsmith.com/hc/en-us/articles/203732668-TechSmith-Return-Policy
Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	String found in binary or memory: https://support.techsmith.com/hc/ja/articles/203732668-TechSmith-Return-Policy
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.techsmith.comd=
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: https://www.techsmith.com
Source: camtasia.exe, 00000006.00000002.756685478.0000000005882000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=
Source: camtasia.exe, 00000006.00000002.751317529.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=systemrequirements&product=camtasiastudio&ver=
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=systemrequirements&product=camtasiastudio&ver=22.3.0&l
Source: camtasia.exe, 00000006.00000002.751317529.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=windowsninstall&product=camtasiastudio&ver=22.
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=windowsninstall&product=camtasiastudio&ver=22.3.0&lang
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.comd=
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://www.youtube.com/t/terms

Detected potential crypto function

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF7426	2_2_00CF7426
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00D00820	2_2_00D00820
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BC01F	5_2_011BC01F
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BF8C3	5_2_011BF8C3
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CA28E	5_2_011CA28E
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C9DE0	5_2_011C9DE0
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C2413	5_2_011C2413
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CE73C	5_2_011CE73C
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011B3F71	5_2_011B3F71
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C2642	5_2_011C2642
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EF8C3	6_2_008EF8C3
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EC01F	6_2_008EC01F
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FA28E	6_2_008FA28E
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F2413	6_2_008F2413
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F9DE0	6_2_008F9DE0
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F2642	6_2_008F2642
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FE73C	6_2_008FE73C
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008E3F71	6_2_008E3F71
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_05364180	6_2_05364180

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 01192022 appears 46 times
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 011D2B5D appears 79 times
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 011CFB09 appears 445 times
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 011938BA appears 375 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 008C2022 appears 46 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 008FFB09 appears 459 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 008C38BA appears 373 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 00902B5D appears 79 times

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\wget.exe

Process Stats: CPU usage > 98%

PE file contains strange resources

Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll1.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll2.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll3.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"
Source: unknown	Process created: C:\Users\user\Desktop\download\camtasia.exe C:\Users\user\Desktop\download\camtasia.exe
Source: C:\Users\user\Desktop\download\camtasia.exe	Process created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe "C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe" -burn.clean.room="C:\Users\user\Desktop\download\camtasia.exe" -burn.filehandle.attached=180 -burn.filehandle.self=624
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"	Jump to behavior
Source: C:\Users\user\Desktop\download\camtasia.exe	Process created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe "C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe" -burn.clean.room="C:\Users\user\Desktop\download\camtasia.exe" -burn.filehandle.attached=180 -burn.filehandle.self=624	Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_01194639 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		5_2_01194639
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008C4639 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		6_2_008C4639

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe

File created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\

Jump to behavior

Source: classification engine

Classification label: sus30.evad.win@7/55@0/2

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011D28BD GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

5_2_011D28BD

Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CachePackageBeginEventArgs.cs	Suspicious method names: System.Int64 Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CachePackageBeginEventArgs::get_CachePayloads()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/ResolveSourceEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.ResolveSourceEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadBeginEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadBeginEventArgs.cs	Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadBeginEventArgs::.ctor(System.String,System.String)
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadBeginEventArgs::get_PayloadFileName()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheVerifyCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheVerifyCompleteEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheAcquireCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheAcquireCompleteEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheVerifyBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheVerifyBeginEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheAcquireProgressEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheAcquireProgressEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadCompleteEventArgs.cs	Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadCompleteEventArgs::.ctor(System.String,System.String,System.Int32)
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadCompleteEventArgs::get_PayloadFileName()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadCompleteEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheAcquireBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheAcquireBeginEventArgs::get_PayloadId()

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_01192078 FormatMessageW,GetLastError,LocalFree,

5_2_01192078

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A723FF4B-219A-4F82-BBF4-A96C1104CA00}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_01

Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdbx source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: camtasia.exe, 00000006.00000002.758526854.0000000005E72000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdb source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdb source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\EditionConstants\obj\Release\EditionConstants.pdb source: camtasia.exe, 00000006.00000002.756548919.00000000057D2000.00000002.00000001.01000000.0000000B.sdmp, EditionConstants.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdbd5~5 p5_CorDllMainmscoree.dll source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\mbahost.pdb source: camtasia.exe, 00000006.00000002.764310520.000000006FF34000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\setup\WIX\CamtasiaBootstrapperApplication\obj\Release\CamtasiaBootstrapperApplication.pdb source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\burn.pdb source: camtasia.exe, 00000005.00000000.489737589.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000005.00000002.750467361.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000006.00000000.490838479.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe, 00000006.00000002.750881184.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: camtasia.exe, camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.6.dr

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CFF013 push 00000078h; retf	2_2_00CFF015
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF65E2 push edi; iretd	2_2_00CF664A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CFA19B pushfd ; iretd	2_2_00CFA19E
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF5999 push ecx; iretd	2_2_00CF59A2
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF596D push ecx; iretd	2_2_00CF59A2
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF657C push edi; iretd	2_2_00CF664A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF5D0C push edx; iretd	2_2_00CF5D02
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF6654 push edi; iretd	2_2_00CF664A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF1652 push ss; iretd	2_2_00CF1666
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CECF48 pushad ; iretd	2_2_00CECF55
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BE806 push ecx; ret	5_2_011BE819
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EE806 push ecx; ret	6_2_008EE819

PE file contains sections with non-standard names

Source: camtasia.exe.2.dr	Static PE information: section name: .wixburn
Source: camtasia.exe.5.dr	Static PE information: section name: .wixburn

Binary contains a suspicious time stamp

Source: EditionConstants.dll.6.dr

Static PE information: 0xBBD9EC2A [Thu Nov 14 02:19:22 2069 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.109301216282531

Drops PE files

Source: C:\Windows\SysWOW64\wget.exe	File created: C:\Users\user\Desktop\download\camtasia.exe	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\download\camtasia.exe	File created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\download\camtasia.exe	File created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found evasive API chain (date check)

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 011CF839h	5_2_011CF79E
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 011CF832h	5_2_011CF79E
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 008FF839h	6_2_008FF79E
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 008FF832h	6_2_008FF79E

Is looking for software installed on the system

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Registry key enumerated: More than 152 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\download\camtasia.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_01193D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	5_2_01193D4E
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011D3C72 FindFirstFileW,FindClose,	5_2_011D3C72
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_00903C72 FindFirstFileW,FindClose,	6_2_00903C72
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008C3D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_008C3D4E

Source: C:\Users\user\Desktop\download\camtasia.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	API call chain: ExitProcess graph end node

Source: wget.exe	Binary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.477857273.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011C34A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_011C34A2

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011939DF GetProcessHeap,RtlAllocateHeap,

5_2_011939DF

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C4104 mov eax, dword ptr fs:[00000030h]		5_2_011C4104
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F4104 mov eax, dword ptr fs:[00000030h]		6_2_008F4104

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BE0A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_011BE0A8
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C34A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_011C34A2
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EE0A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_008EE0A8
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F34A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_008F34A2

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: WPFCommonControls.dll.6.dr, WPFCommonControls/NativeMouseMove.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32')
Source: Microsoft.Deployment.WindowsInstaller.dll.6.dr, Deployment.WindowsInstaller/NativeMethods.cs	Reference to suspicious API methods: ('FindResourceEx', 'FindResourceEx@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryExW@kernel32.dll')
Source: TechSmith.Win32.dll.6.dr, Win32/User32.cs	Reference to suspicious API methods: ('MapVirtualKeyW', 'MapVirtualKeyW@user32.dll')

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\download\camtasia.exe

Process created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe "C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe" -burn.clean.room="C:\Users\user\Desktop\download\camtasia.exe" -burn.filehandle.attached=180 -burn.filehandle.self=624

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\wget.exe	Queries volume information: C:\Users\user\Desktop\download VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Aero\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Aero.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011A4E6A ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

5_2_011A4E6A

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011BE463 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_011BE463

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011D8039 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

5_2_011D8039

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011D3349 GetVersionExW,

5_2_011D3349

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.8.8.8	unknown	United States		15169	GOOGLEUS	false
23.205.232.22	unknown	United States		16625	AKAMAI-ASUS	false

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011A9F8F DecryptFileW,	5_2_011A9F8F
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008D9F8F DecryptFileW,	6_2_008D9F8F
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FF340 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,	6_2_008FF340

Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdbx source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: camtasia.exe, 00000006.00000002.758526854.0000000005E72000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdb source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdb source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\EditionConstants\obj\Release\EditionConstants.pdb source: camtasia.exe, 00000006.00000002.756548919.00000000057D2000.00000002.00000001.01000000.0000000B.sdmp, EditionConstants.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdbd5~5 p5_CorDllMainmscoree.dll source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\mbahost.pdb source: camtasia.exe, 00000006.00000002.764310520.000000006FF34000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\setup\WIX\CamtasiaBootstrapperApplication\obj\Release\CamtasiaBootstrapperApplication.pdb source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\burn.pdb source: camtasia.exe, 00000005.00000000.489737589.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000005.00000002.750467361.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000006.00000000.490838479.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe, 00000006.00000002.750881184.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: camtasia.exe, camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.6.dr

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_01193D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	5_2_01193D4E
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011D3C72 FindFirstFileW,FindClose,	5_2_011D3C72
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_00903C72 FindFirstFileW,FindClose,	6_2_00903C72
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008C3D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_008C3D4E

Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 Das Teilen von Inhalten auf YouTube unterliegt den Nutzungsbedingungen von YouTube {{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 . Weitere Informationen zum Datenschutz auf YouTube finden Sie unter {{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy?hl=de }}{\fldrslt{https://policies.google.com/privacy?hl=de\ul0\cf0}}}}\f0\fs22 und Ihre Sicherheitseinstellungen finden Sie unter {{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \par equals www.youtube.com (Youtube)
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 O compartilhamento de conte\'fado no YouTube est\'e1 sujeito aos Termos de Servi\'e7os do YouTube {{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 . Voc\'ea pode saber mais sobre a pol\'edtica de privacidade do YouTube acessando {{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy?hl=pt-BR }}{\fldrslt{https://policies.google.com/privacy?hl=pt-BR\ul0\cf0}}}}\f0\fs22 e pode revisar as suas configura\'e7\'f5es de seguran\'e7a em {{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \par equals www.youtube.com (Youtube)
Source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 Sharing Content to YouTube is subject to the YouTube Terms Of Services {{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 . You can learn more about YouTube\rquote s privacy policy by visiting {{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy }}{\fldrslt{https://policies.google.com/privacy\ul0\cf0}}}}\f0\fs22 and you can review your security settings by visiting {{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \par equals www.youtube.com (Youtube)
Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 YouTube \f2\'82\'c5\'82\'cc\'83\'52\'83\'93\'83\'65\'83\'93\'83\'63\'82\'cc\'8b\'a4\'97\'4c\'82\'c9\'82\'cd\'81\'41\f0 YouTube \f2\'82\'cc\'97\'98\'97\'70\'8b\'4b\'96\'f1\f0 ({{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 ) \f2\'82\'aa\'93\'4b\'97\'70\'82\'b3\'82\'ea\'82\'dc\'82\'b7\'81\'42\f0 YouTube \f2\'82\'cc\'83\'76\'83\'89\'83\'43\'83\'6f\'83\'56\'81\'5b\f0 \f2\'83\'7c\'83\'8a\'83\'56\'81\'5b\'82\'cc\'8f\'da\'8d\'d7\'82\'c9\'82\'c2\'82\'a2\'82\'c4\'82\'cd\'81\'41{\f0{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy?hl=ja }}{\fldrslt{https://policies.google.com/privacy?hl=ja\ul0\cf0}}}}\f0\fs22 \f2\'82\'f0\'8e\'51\'8f\'c6\'82\'b5\'82\'c4\'82\'ad\'82\'be\'82\'b3\'82\'a2\'81\'42\'83\'86\'81\'5b\'83\'55\'81\'5b\'82\'cc\'83\'5a\'83\'4c\'83\'85\'83\'8a\'83\'65\'83\'42\'90\'dd\'92\'e8\'82\'cd\'81\'41{\f0{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \f2\'82\'c5\'8a\'6d\'94\'46\'82\'c5\'82\'ab\'82\'dc\'82\'b7\'81\'42\f0 \par equals www.youtube.com (Youtube)

Source: camtasia.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: camtasia.exe, 00000005.00000000.489737589.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000005.00000002.750467361.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000006.00000000.490838479.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe, 00000006.00000002.750881184.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: wget.exe, 00000002.00000002.477700107.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477438169.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000002.477700107.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477857273.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477438169.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000002.477700107.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477438169.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crlm
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/Fonts/proximanova-regular.otf
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/Fonts/proximanova-semibold.otf
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/Images/MarketingAnimation/cursor.p
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/ResourceDictionary.xaml
Source: camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/usercontrols/featuresusercontrol.x
Source: camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/windows/selectlanguagedialog.xaml
Source: camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Fonts/proximanova-regular.otf
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Fonts/proximanova-semibold.otf
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/camtasia2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/cursor.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/desktop2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/desktop3.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/desktop6.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/share-menu.png
Source: camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/fonts/proximanova-regular.otf
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/fonts/proximanova-semibold.otf
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/camtasia1.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/camtasia2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/cursor.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/desktop2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/desktop3.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/desktop6.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/share-menu.png
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/changeusercontrol.baml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/csisrunningusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/errormessageusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/finishedusercontrol.baml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/installusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/modifyusercontrol.baml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/optionsusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/progressusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/uninstallusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/usercontrols/featuresusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/windows/selectlanguagedialog.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/changeusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/csisrunningusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/errormessageusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/finishedusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/installusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/modifyusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/optionsusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/progressusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/uninstallusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/usercontrols/featuresusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/windows/selectlanguagedialog.xaml
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://wixtoolset.org
Source: camtasia.exe	String found in binary or memory: http://wixtoolset.org/
Source: camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: camtasia.exe, camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: camtasia.exe, Microsoft.Deployment.WindowsInstaller.dll.6.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: camtasia.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.josbuivenga.demon.nl
Source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.josbuivenga.demon.nlCopyright
Source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.josbuivenga.demon.nlMuseo
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.761967978.0000000009592000.00000004.00000800.00020000.00000000.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.marksimonson.com
Source: camtasia.exe, 00000006.00000002.756685478.0000000005882000.00000002.00000001.01000000.0000000A.sdmp, camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.marksimonson.comCopyright
Source: WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.marksimonson.comProxima
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comcomd
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comq
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comrK
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comrV
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://assets.techsmith.com/Docs/Camtasia-2021-Deployment-Tool-Guide.pdf
Source: wget.exe, 00000002.00000002.477846105.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	String found in binary or memory: https://download.techsmith.com/camtasiastudio/releases/camtasia.exe
Source: wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.techsmith.com/camtasiastudio/releases/camtasia.exe6
Source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://policies.google.com/privacy
Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	String found in binary or memory: https://policies.google.com/privacy?hl=de
Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	String found in binary or memory: https://policies.google.com/privacy?hl=ja
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://policies.google.com/privacy?hl=pt-BR
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://security.google.com/settings/security/permissions
Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	String found in binary or memory: https://support.techsmith.com/hc/de/articles/203732668
Source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp, CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://support.techsmith.com/hc/en-us/articles/203732668-TechSmith-Return-Policy
Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	String found in binary or memory: https://support.techsmith.com/hc/ja/articles/203732668-TechSmith-Return-Policy
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.techsmith.comd=
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: https://www.techsmith.com
Source: camtasia.exe, 00000006.00000002.756685478.0000000005882000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=
Source: camtasia.exe, 00000006.00000002.751317529.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=systemrequirements&product=camtasiastudio&ver=
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=systemrequirements&product=camtasiastudio&ver=22.3.0&l
Source: camtasia.exe, 00000006.00000002.751317529.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=windowsninstall&product=camtasiastudio&ver=22.
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=windowsninstall&product=camtasiastudio&ver=22.3.0&lang
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.comd=
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://www.youtube.com/t/terms

Detected potential crypto function

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF7426	2_2_00CF7426
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00D00820	2_2_00D00820
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BC01F	5_2_011BC01F
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BF8C3	5_2_011BF8C3
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CA28E	5_2_011CA28E
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C9DE0	5_2_011C9DE0
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C2413	5_2_011C2413
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CE73C	5_2_011CE73C
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011B3F71	5_2_011B3F71
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C2642	5_2_011C2642
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EF8C3	6_2_008EF8C3
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EC01F	6_2_008EC01F
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FA28E	6_2_008FA28E
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F2413	6_2_008F2413
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F9DE0	6_2_008F9DE0
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F2642	6_2_008F2642
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FE73C	6_2_008FE73C
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008E3F71	6_2_008E3F71
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_05364180	6_2_05364180

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 01192022 appears 46 times
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 011D2B5D appears 79 times
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 011CFB09 appears 445 times
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 011938BA appears 375 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 008C2022 appears 46 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 008FFB09 appears 459 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 008C38BA appears 373 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 00902B5D appears 79 times

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\wget.exe

Process Stats: CPU usage > 98%

PE file contains strange resources

Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll1.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll2.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll3.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"
Source: unknown	Process created: C:\Users\user\Desktop\download\camtasia.exe C:\Users\user\Desktop\download\camtasia.exe
Source: C:\Users\user\Desktop\download\camtasia.exe	Process created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe "C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe" -burn.clean.room="C:\Users\user\Desktop\download\camtasia.exe" -burn.filehandle.attached=180 -burn.filehandle.self=624
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"	Jump to behavior
Source: C:\Users\user\Desktop\download\camtasia.exe	Process created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe "C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe" -burn.clean.room="C:\Users\user\Desktop\download\camtasia.exe" -burn.filehandle.attached=180 -burn.filehandle.self=624	Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_01194639 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		5_2_01194639
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008C4639 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,		6_2_008C4639

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe

File created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\

Jump to behavior

Source: classification engine

Classification label: sus30.evad.win@7/55@0/2

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011D28BD GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

5_2_011D28BD

Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CachePackageBeginEventArgs.cs	Suspicious method names: System.Int64 Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CachePackageBeginEventArgs::get_CachePayloads()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/ResolveSourceEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.ResolveSourceEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadBeginEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadBeginEventArgs.cs	Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadBeginEventArgs::.ctor(System.String,System.String)
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadBeginEventArgs::get_PayloadFileName()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheVerifyCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheVerifyCompleteEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheAcquireCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheAcquireCompleteEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheVerifyBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheVerifyBeginEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheAcquireProgressEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheAcquireProgressEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadCompleteEventArgs.cs	Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadCompleteEventArgs::.ctor(System.String,System.String,System.Int32)
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadCompleteEventArgs::get_PayloadFileName()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadCompleteEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheAcquireBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheAcquireBeginEventArgs::get_PayloadId()

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_01192078 FormatMessageW,GetLastError,LocalFree,

5_2_01192078

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A723FF4B-219A-4F82-BBF4-A96C1104CA00}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_01

Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdbx source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: camtasia.exe, 00000006.00000002.758526854.0000000005E72000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdb source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdb source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\EditionConstants\obj\Release\EditionConstants.pdb source: camtasia.exe, 00000006.00000002.756548919.00000000057D2000.00000002.00000001.01000000.0000000B.sdmp, EditionConstants.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdbd5~5 p5_CorDllMainmscoree.dll source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\mbahost.pdb source: camtasia.exe, 00000006.00000002.764310520.000000006FF34000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\setup\WIX\CamtasiaBootstrapperApplication\obj\Release\CamtasiaBootstrapperApplication.pdb source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\burn.pdb source: camtasia.exe, 00000005.00000000.489737589.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000005.00000002.750467361.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000006.00000000.490838479.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe, 00000006.00000002.750881184.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: camtasia.exe, camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.6.dr

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CFF013 push 00000078h; retf	2_2_00CFF015
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF65E2 push edi; iretd	2_2_00CF664A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CFA19B pushfd ; iretd	2_2_00CFA19E
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF5999 push ecx; iretd	2_2_00CF59A2
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF596D push ecx; iretd	2_2_00CF59A2
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF657C push edi; iretd	2_2_00CF664A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF5D0C push edx; iretd	2_2_00CF5D02
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF6654 push edi; iretd	2_2_00CF664A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF1652 push ss; iretd	2_2_00CF1666
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CECF48 pushad ; iretd	2_2_00CECF55
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BE806 push ecx; ret	5_2_011BE819
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EE806 push ecx; ret	6_2_008EE819

PE file contains sections with non-standard names

Source: camtasia.exe.2.dr	Static PE information: section name: .wixburn
Source: camtasia.exe.5.dr	Static PE information: section name: .wixburn

Binary contains a suspicious time stamp

Source: EditionConstants.dll.6.dr

Static PE information: 0xBBD9EC2A [Thu Nov 14 02:19:22 2069 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.109301216282531

Drops PE files

Source: C:\Windows\SysWOW64\wget.exe	File created: C:\Users\user\Desktop\download\camtasia.exe	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\download\camtasia.exe	File created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\download\camtasia.exe	File created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found evasive API chain (date check)

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 011CF839h	5_2_011CF79E
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 011CF832h	5_2_011CF79E
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 008FF839h	6_2_008FF79E
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 008FF832h	6_2_008FF79E

Is looking for software installed on the system

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Registry key enumerated: More than 152 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\download\camtasia.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_01193D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	5_2_01193D4E
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011D3C72 FindFirstFileW,FindClose,	5_2_011D3C72
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_00903C72 FindFirstFileW,FindClose,	6_2_00903C72
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008C3D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,	6_2_008C3D4E

Source: C:\Users\user\Desktop\download\camtasia.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	API call chain: ExitProcess graph end node

Source: wget.exe	Binary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.477857273.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011C34A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_011C34A2

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011939DF GetProcessHeap,RtlAllocateHeap,

5_2_011939DF

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C4104 mov eax, dword ptr fs:[00000030h]		5_2_011C4104
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F4104 mov eax, dword ptr fs:[00000030h]		6_2_008F4104

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BE0A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_011BE0A8
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C34A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_011C34A2
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EE0A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_008EE0A8
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F34A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_008F34A2

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: WPFCommonControls.dll.6.dr, WPFCommonControls/NativeMouseMove.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32')
Source: Microsoft.Deployment.WindowsInstaller.dll.6.dr, Deployment.WindowsInstaller/NativeMethods.cs	Reference to suspicious API methods: ('FindResourceEx', 'FindResourceEx@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryExW@kernel32.dll')
Source: TechSmith.Win32.dll.6.dr, Win32/User32.cs	Reference to suspicious API methods: ('MapVirtualKeyW', 'MapVirtualKeyW@user32.dll')

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\download\camtasia.exe

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\wget.exe	Queries volume information: C:\Users\user\Desktop\download VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Aero\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Aero.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011A4E6A ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

5_2_011A4E6A

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011BE463 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_011BE463

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011D8039 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

5_2_011D8039

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011D3349 GetVersionExW,

5_2_011D3349

ID:	753409
Product:	CloudBasic
Start time:	19:13:53
Start date:	24.11.2022
Cookbook:	urldownload.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\Desktop\cmdline.out	ASCII text, with CRLF line terminators	513243550C654A23E9443A54D674AEEC	220674420B8BE12412AB9DF40DA74794FC07362D	19A91D33FE2E21A052A51DE2624BA071554C6BEC9EDF1784DD1EBC58A6398A29
C:\Users\user\Desktop\download\camtasia.exe	PE32 executable (GUI) Intel 80386, for MS Windows	0C60C5F487C288CF2C6B09FE7E4A7D77	0927751BA365DD9B672B2A10CF7FB1584579FC7D	3913A1981B8FAE2BB3A9D5C6B00B90ADEA03AB407C2FE958D7C01DC3383F0945
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1028\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	1D4B831F77EFEC96FFBC70BC4B59B8B5	1B3ED82655AEC8A52DAEC60F8674BC7E07F8CFEB	1B93556F07C35AC0564D57E0743CCBA231950962C6506C8D4A74A31CD66FD04C
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1029\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	CC8C6D04DC707B38E0F0C08BA16FE49B	95EA7F570677AEA52393D02FDB21CEBB218A7343	DC445E2457ED31ABF536871F90FF7CC96800A40B6BC033F37D45E3156A3B4FA9
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1030\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	7C6E4CE87870B3B5E71D3EF4555500F8	E831E8978A48BEAFA04AAD52A564B7EADED4311D	CAC263E0E90A4087446A290055257B1C39F17E11F065598CB2286DF4332C7696
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1031\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	C8E7E0B4E63B3076047B7F49C76D56E1	4E44E656A0D552B2FFD65911CB45245364E5DBF3	631D46CB048FB6CF0B9A1362F8E5A1854C46E9525A0260C7841A04B2316C8295
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1032\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	074D5921AF07E6126049CB45814246ED	91D4BDDA8D2B703879CFE2C28550E0A46074FA57	B8E90E20EDF110AAAAEA54FBC8533872831777BE5589E380CFDD17E1F93147B5
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1035\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	E338408F1101499EB22507A3451F7B06	83B42F9D7307265A108FC339D0460D36B66A8B94	B7D9528F29761C82C3D926EFE5E0D5036A0E0D83EB4CCA7282846C86A9D6F9F3
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1036\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	AA32A059AADD42431F7837CB1BE7257F	4CD21661E341080FB8C2DEFD9F32F134561FC3BA	88E7DDACD6B714D94D5322876BD50051479B7A0C686DC2E9EB06B3B7A0BC06C9
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1038\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	17FB605A2F02DA203DF06F714D1CC6DE	3A71D13D4CCA06116B111625C90DD1C451EA9228	55CF62D54EFB79801A9D94B24B3C9BA221C2465417A068950D40A67C52BA66EF
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1040\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	50261379B89457B1980FF19CFABE6A08	F80B1F416539D33206CE3C24BA3B14B799A84813	A40C94EB33F8841C79E9F6958433AFFD517F97B4570F731666AF572E63178BB7
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1041\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	DB0F5BAB42403FD67C0A18E35E6880EC	C0A18C8C5BCD7B88C384B5304B56EEB85A0DA3DC	CCDCDB111EFA152C5F9FF4930033698B843390A549699AE802098D87431F16FE
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1042\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	442F8463EF5CA42B99B2EFACA696BD01	67496DB91CBAA85AC0727B12FC2D35E990537DAC	D22F6ADA97DBFFC1E7548E52163807F982B30B11A2A5109E71F42985102CCCBD
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1043\mbapreq.wxl	XML 1.0 document, ASCII text, with CRLF line terminators	67F28BCDB3BA6774CD66AA198B06FF38	85D843B7248A5E1173FF9BD59CB73BB505F69B66	226B778604236931B4AE45F6F272586C884A11517444A34BF45CD5CAE49BE62E
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1044\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	5454F724C9CDAB8172678A1CC7057220	241A57018ACE1210881583A9CF646E7D2E51412F	41545AC1247B61C3C3E2A7E4659D9FAD2BCCA8347C69F2EB7B9D0CF5FC31E113
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1045\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	96ACAAA5AEF7798E9048BAFF4C3FA8D3	E76629973F6C1CFC06F60BA64FE9F237B2DB9698	F4AA983E39FB29C95E3306082F034B3A43E1D26489C997B8E6697B6A3B2F9F3C
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1046\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	BD39ADB6B872163FD2D570028E9F3213	688B8A109688D3EA483548F29DE2E57A8A56C868	ECB5C22E6C2423CAF07AEBE69F4FAF22450164EEE9587B64EF45A2D7F658CA15
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1049\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	DAF167AF4031EF47E562056A7D51AA73	0156B230CADD6169AC2820865E3C031ED79785EF	C91C9E87AB4A6DB078F1991F4A2CDC726B58A40E47BCE49D39168A8F8F151C3B
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1051\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	016C278E515F87F589AD22C856B201F7	F20C7DB38B3161B143DEC4E578CE71D7F585F436	4A7FDF4A9033FE05C31F565ED3AE5B8C67D324B7AEADB737CE95DBB416D46868
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1053\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	D95E81164C57B6FD75E7C3022454192E	5D5ACBC56E7078AF4D04C45B78C0FF090C02EE6A	6DD61CC6B87B53EAF28430068A2A459730FD4B2BCF876CCDF040212D04C4FE7D
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1055\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	01B200E06BA600A4EF00C00F7AAC5CE4	22234426C42637E069A46217019551E4434A4AB6	06BFB6DFBC38105C699DEA226A029DF3EF673C33E4B8928DC4EC7FB8F761487D
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1060\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	5836F0C655BDD97093F68AAF69AB2BAB	B6842E816F9E0DCC559A5692E4D26101D10B4B16	C015247D022BDC108B4FFCAE89CB55D1E313034D7E6EED18744C1BB55F108F8C
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\2052\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	A34DCF7771198C779648B89156483E83	A6E0FA91CD50048511C7BEF1BE3A8D32B42B6D1F	89C559C6765F8D643469E3C8F4AA93023F09369B0395EA647FAD5AF3C2893EB6
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\2070\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	8A278E519EF81B2847490EFB070219BC	7365EDF6E4F9E66B6CEE47933B6C70FF0B9ECFF8	E2BFDB2CF3BEAE2E988827C52C58006D7EEAD4ABA5312B5EAE1F6CCF3863C385
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\3082\mbapreq.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	1024AA88AE01BC7BA797193CC6023375	9252A309C1CB32573F4D58A595A78660FDF54B2F	B884C4ABB8867553C1FFADD6721C2135EC5F9F1455C3F668D711CCEA65363D1A
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Bootstrapper.de-DE.wxl	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (336), with CRLF line terminators	7D187DAD9DD9DC8DECC740DF4BF476D9	EA17C69D4CB679A8B3BE22365BE28105BF7D2EF1	1E893384D56472D5D6CC5AF101D1CE659E67DFE1D29029C320CE144112942B1F
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Bootstrapper.en-US.wxl	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (302), with CRLF line terminators	2C0A13A927382F371D2706F7F2B7BDEB	B75968C17B7A96CC6267D9218AB93E8C42C30582	197E948199466201AE29B258E79961BD5A3B0A2B8F61D05C815C8B09553080D4
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Bootstrapper.es-ES.wxl	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (312), with CRLF line terminators	F80B16DDFDF530127076C34519F03C48	DF117500B2EB3650EC54991FFA48C59669A762FF	E986448D0BB106EA7E516031C3664730FC7E58DBEE73A48EAB792B47D34E6025
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Bootstrapper.fr-FR.wxl	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (348), with CRLF line terminators	534F2469EEC9D749ACE4AE627D252EBD	98C37C21B36F481BE3F0E6C22D2FE4563835F8B7	6420409E6C929642C2725560533F6B5F32FAC9F9C9F591CB1D60A4D1834CDD71
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Bootstrapper.ja-JP.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	494FDFF94397D5D257909CA117860AAF	4C63CD9E8DC535C914AF810CF7FF08A587B2C85C	948931CD34CB3A28EA3535F495EDD41EFAC0D6B996D33526F2F76FCAE3959458
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Bootstrapper.pt-BR.wxl	XML 1.0 document, Unicode text, UTF-8 text, with very long lines (318), with CRLF line terminators	66EF836E4BF990648546E4F9979A7076	EB7AC755B45F7EB0C772D2F5D7C51262BF9C3E55	CDEB23E9BE69A7AC7E3095F0BD98E422259F4663FEFD721260D00F814C9446F7
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Bootstrapper.zh-CN.wxl	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators	D8641897EDBA695C0AAE6B20E16B2543	BC052880915C5C67703664FEE44F0C0DC911FF04	7DB5163792DC2AB7E2BA567571EFBF9EEB90820A4DA3D713862F544D731F7032
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperApplicationData.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (573), with CRLF line terminators	B9C42AD32B9F3D203F227C724DEE5C1B	FA61E6A81BA514A9292A11F04B2A0633DB164DD9	052E1F0665783530B47A57ED290158CE25167ABC024314B53D9DD1C94CE915C0
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.config	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	B21B189DDA42B3C02641CC8913E7D5A2	23078EA5CA53CA64106C52A1758E6DAAED2CF151	1AC8B06B7FAFB709D47BF1053DD16A247B3A39C034A6A88B0A5A341B9A5D6710
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	B0D10A2A622A322788780E7A3CBB85F3	04D90B16FA7B47A545C1133D5C0CA9E490F54633	F2C2B3CE2DF70A3206F3111391FFC7B791B32505FA97AEF22C0C2DBF6F3B0426
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	53EA819BA99A05D6BC41414E2B48F2E4	CA9915D9730633C2CE9930164026B0C1AD6BBCCA	2B42BEF74C17A08341BEE7A0B0D0246B90412D79505D4AC97638EE2204B73EA7
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	52B1DEDB325A75827408D8EDCBDECB9A	9A6A3CB354A2FB45FCE0A85EB8D5E1DD9352DA95	76901D237E39F84C3A0DAD621C103AAC76B4858EDE825A2F8C8752DA7F5F8315
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	1A5CAEA6734FDD07CAA514C3F3FB75DA	F070AC0D91BD337D7952ABD1DDF19A737B94510C	CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	6A3B9E46C41E42E7B8E1479468D892AF	E31C05AE685E51D07808B1DD24CECED9D299ED81	F3B14DEFBD05493B8573016B08B86E5B5D53B486B0457FD75F67BF8BFF04BE38
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	3AB57A33A6E3A1476695D5A6E856C06A	DABB4ECFFD0C422A8EEBFF5D4EC8116A6E90D7E7	4AACE8C8A330AE8429CD8CC1B6804076D3A9FFD633470F91FD36BDD25BB57876
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	9B7262268522E3110914B0FB197D2370	BE5E3CB4B6352BA96CCC7F5F67F672830CB601BC	CF66B59B248CB5D63AA655FF3B5B220AD6113367A7FF21128057285F7F342BC5
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	790253CBA1EF332266357D09FC03F62D	3B5A71BC97BC827C8B03931135EFD98463D8D588	58D679CCCBA0664439C5FF3F894477C9E862E436E642357892000F1FFB44E202
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	6B0E7E074D99B03CC289F33C92EC7379	D1B2946ADB8FC85EDACF2B897A73F73567A7982B	EA0D692FB1A71EE8DBAF8C07B7A90ED6132183AA678DD04A4B7B27EE0152DA2F
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A39974EC9EEFD2872E35836AE96327D1	A1C5EC8B981A27DF6286D194F6BCAC5203C59B2D	55D6CC71F99F020A6F5ED87D6C142D06832BFE33195A1D6CD6E840D5157D989F
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	F1A30A8F3E7C18D417B350ADCE2B954F	9C23861EA0289D00BBAD2FD35098476A2824521B	D213345E58EFC32F976BA5EEB060087316F5A3B090405AE00B5CEAD1EA2DFF48
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	686D783A6A43534030BCA2B253D6F706	A2E5C9C499FA183947B2669660A90D694AE7B6E5	3E92C5F6A2F1B7DB02475AAE5A76036462C80E1C951BA3FFA4E8AEB0C61DDE51
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	70122771D7C2FD74D65D3BC0B5B3D5D5	8AC08F1289BFAC938136A3E886225F3AE65A46AB	F67E5C448A0A1F5772A34E4C6188931429113CFEEE77D09DA858812D0A70B4F0
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbahost.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C59832217903CE88793A6C40888E3CAE	6D9FACABF41DCF53281897764D467696780623B8	9DFA1BC5D2AB4C652304976978749141B8C312784B05CB577F338A0AA91330DB
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FE7E0BD53F52E6630473C31299A49FDD	F706F45768BFB95F4C96DFA0BE36DF57AA863898	2BEA14D70943A42D344E09B7C9DE5562FA7E109946E1C615DD584DA30D06CC80
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.png	PNG image data, 63 x 63, 8-bit/color RGBA, non-interlaced	A356956FD269567B8F4612A33802637B	75AE41181581FD6376CA9CA88147011E48BF9A30	A401A225ADDAF89110B4B0F6E8CF94779E7C0640BCDD2D670FFCF05AAB0DAD03
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.thm	XML 1.0 document, ASCII text, with CRLF line terminators	A20778EC90A094A62A6C3A6AB2A6DC7D	74C131B5FD80446FFDF2AFAD723762DD36621309	F8C3A03F47F0B9B3C20F0522A2481DA28C77FECDBB302F8DD8FBED87758CBAEA
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.wxl	XML 1.0 document, ASCII text, with CRLF line terminators	4D2C8D10C5DCCA6B938B71C8F02CA8A8	11577021465379E9D1FF4260E607149BA5DFA6B3	C63DE5F309502F9272402587A6BE22624D1BC2FEACD1BD33FB11E44CD6614B96
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	2CB03012D457B4E3887BA3D944079EBA	02B2EF15AFD898AD9334598A32619F3328757762	1DE6142CAA4EE1683F5AE91E29F63DD8F0C1E11541ABC766854509DA751DD8E2
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	943A37A2CA7B130BDD98CC547ACBEC9C	3F057B938FB717DABB658EC66D0C5B421CC210FA	088E8BE2331F7D4D38665D24A9453EBEC41DE5830049CC08B897C27F8F5958CF
C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	PE32 executable (GUI) Intel 80386, for MS Windows	FD85D1BD644ED79F10801C69ECBF27B1	B4C5A3B83AB35ED1957B032335812013A3DAABA3	B5BCB60B49216BE9BDE71BFB402F2C16E34B5D1BBF00E2A3DBFCFF4B60FBFD69

Windows Analysis Report
https://download.techsmith.com/camtasiastudio/releases/camtasia.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report https://download.techsmith.com/camtasiastudio/releases/camtasia.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Windows Analysis Report
https://download.techsmith.com/camtasiastudio/releases/camtasia.exe