Edit tour

Windows Analysis Report
https://download.techsmith.com/camtasiastudio/releases/camtasia.exe

Overview

General Information

Sample URL:	https://download.techsmith.com/camtasiastudio/releases/camtasia.exe
Analysis ID:	753409
Infos:

Detection

Score:	30
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

.NET source code references suspicious native API functions

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Found dropped PE file which has not been started or loaded

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Abnormal high CPU Usage

Is looking for software installed on the system

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Binary contains a suspicious time stamp

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 3868 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe" > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wget.exe (PID: 2692 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

camtasia.exe (PID: 2600 cmdline: C:\Users\user\Desktop\download\camtasia.exe MD5: 0C60C5F487C288CF2C6B09FE7E4A7D77)

camtasia.exe (PID: 1172 cmdline: "C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe" -burn.clean.room="C:\Users\user\Desktop\download\camtasia.exe" -burn.filehandle.attached=180 -burn.filehandle.self=624 MD5: FD85D1BD644ED79F10801C69ECBF27B1)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011A9F8F DecryptFileW,
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008D9F8F DecryptFileW,
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FF340 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,

Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdbx source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: camtasia.exe, 00000006.00000002.758526854.0000000005E72000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdb source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdb source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\EditionConstants\obj\Release\EditionConstants.pdb source: camtasia.exe, 00000006.00000002.756548919.00000000057D2000.00000002.00000001.01000000.0000000B.sdmp, EditionConstants.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdbd5~5 p5_CorDllMainmscoree.dll source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\mbahost.pdb source: camtasia.exe, 00000006.00000002.764310520.000000006FF34000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\setup\WIX\CamtasiaBootstrapperApplication\obj\Release\CamtasiaBootstrapperApplication.pdb source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\burn.pdb source: camtasia.exe, 00000005.00000000.489737589.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000005.00000002.750467361.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000006.00000000.490838479.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe, 00000006.00000002.750881184.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: camtasia.exe, camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.6.dr

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_01193D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011D3C72 FindFirstFileW,FindClose,
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_00903C72 FindFirstFileW,FindClose,
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008C3D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,

Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 Das Teilen von Inhalten auf YouTube unterliegt den Nutzungsbedingungen von YouTube {{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 . Weitere Informationen zum Datenschutz auf YouTube finden Sie unter {{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy?hl=de }}{\fldrslt{https://policies.google.com/privacy?hl=de\ul0\cf0}}}}\f0\fs22 und Ihre Sicherheitseinstellungen finden Sie unter {{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \par equals www.youtube.com (Youtube)
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 O compartilhamento de conte\'fado no YouTube est\'e1 sujeito aos Termos de Servi\'e7os do YouTube {{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 . Voc\'ea pode saber mais sobre a pol\'edtica de privacidade do YouTube acessando {{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy?hl=pt-BR }}{\fldrslt{https://policies.google.com/privacy?hl=pt-BR\ul0\cf0}}}}\f0\fs22 e pode revisar as suas configura\'e7\'f5es de seguran\'e7a em {{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \par equals www.youtube.com (Youtube)
Source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 Sharing Content to YouTube is subject to the YouTube Terms Of Services {{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 . You can learn more about YouTube\rquote s privacy policy by visiting {{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy }}{\fldrslt{https://policies.google.com/privacy\ul0\cf0}}}}\f0\fs22 and you can review your security settings by visiting {{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \par equals www.youtube.com (Youtube)
Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	String found in binary or memory: \pard\widctlpar\sa160\sl252\slmult1\cf0\b0\fs22 YouTube \f2\'82\'c5\'82\'cc\'83\'52\'83\'93\'83\'65\'83\'93\'83\'63\'82\'cc\'8b\'a4\'97\'4c\'82\'c9\'82\'cd\'81\'41\f0 YouTube \f2\'82\'cc\'97\'98\'97\'70\'8b\'4b\'96\'f1\f0 ({{\field{\\fldinst{HYPERLINK https://www.youtube.com/t/terms }}{\fldrslt{https://www.youtube.com/t/terms\ul0\cf0}}}}\f0\fs22 ) \f2\'82\'aa\'93\'4b\'97\'70\'82\'b3\'82\'ea\'82\'dc\'82\'b7\'81\'42\f0 YouTube \f2\'82\'cc\'83\'76\'83\'89\'83\'43\'83\'6f\'83\'56\'81\'5b\f0 \f2\'83\'7c\'83\'8a\'83\'56\'81\'5b\'82\'cc\'8f\'da\'8d\'d7\'82\'c9\'82\'c2\'82\'a2\'82\'c4\'82\'cd\'81\'41{\f0{\field{\\fldinst{HYPERLINK https://policies.google.com/privacy?hl=ja }}{\fldrslt{https://policies.google.com/privacy?hl=ja\ul0\cf0}}}}\f0\fs22 \f2\'82\'f0\'8e\'51\'8f\'c6\'82\'b5\'82\'c4\'82\'ad\'82\'be\'82\'b3\'82\'a2\'81\'42\'83\'86\'81\'5b\'83\'55\'81\'5b\'82\'cc\'83\'5a\'83\'4c\'83\'85\'83\'8a\'83\'65\'83\'42\'90\'dd\'92\'e8\'82\'cd\'81\'41{\f0{\field{\*\fldinst{HYPERLINK https://security.google.com/settings/security/permissions }}{\fldrslt{https://security.google.com/settings/security/permissions\ul0\cf0}}}}\f0\fs22 \f2\'82\'c5\'8a\'6d\'94\'46\'82\'c5\'82\'ab\'82\'dc\'82\'b7\'81\'42\f0 \par equals www.youtube.com (Youtube)

Source: camtasia.exe	String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: camtasia.exe, 00000005.00000000.489737589.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000005.00000002.750467361.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000006.00000000.490838479.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe, 00000006.00000002.750881184.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: wget.exe, 00000002.00000002.477700107.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477438169.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000002.477700107.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477857273.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477438169.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000002.477700107.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477438169.0000000000B7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crlm
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/Fonts/proximanova-regular.otf
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/Fonts/proximanova-semibold.otf
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/Images/MarketingAnimation/cursor.p
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/ResourceDictionary.xaml
Source: camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/usercontrols/featuresusercontrol.x
Source: camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/CamtasiaBootstrapperApplication;component/windows/selectlanguagedialog.xaml
Source: camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Fonts/proximanova-regular.otf
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Fonts/proximanova-semibold.otf
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/camtasia2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/cursor.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/desktop2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/desktop3.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/desktop6.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Images/MarketingAnimation/share-menu.png
Source: camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/fonts/proximanova-regular.otf
Source: camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/fonts/proximanova-semibold.otf
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/camtasia1.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/camtasia2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/cursor.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/desktop2.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/desktop3.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/desktop6.png
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/images/marketinganimation/share-menu.png
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/changeusercontrol.baml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/csisrunningusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/errormessageusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/finishedusercontrol.baml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/installusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/modifyusercontrol.baml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/optionsusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/progressusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/install%20states/uninstallusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/usercontrols/featuresusercontrol.baml
Source: camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/windows/selectlanguagedialog.baml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/changeusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/csisrunningusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/errormessageusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/finishedusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/installusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/modifyusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/optionsusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/progressusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/install%20states/uninstallusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/usercontrols/featuresusercontrol.xaml
Source: camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/windows/selectlanguagedialog.xaml
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: wget.exe, 00000002.00000002.477788874.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434699584.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: http://wixtoolset.org
Source: camtasia.exe	String found in binary or memory: http://wixtoolset.org/
Source: camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: camtasia.exe, camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: camtasia.exe, Microsoft.Deployment.WindowsInstaller.dll.6.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.6.dr	String found in binary or memory: http://wixtoolset.org/releases/SCreating
Source: camtasia.exe	String found in binary or memory: http://wixtoolset.org/telemetry/v
Source: camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.josbuivenga.demon.nl
Source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.josbuivenga.demon.nlCopyright
Source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.josbuivenga.demon.nlMuseo
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.761967978.0000000009592000.00000004.00000800.00020000.00000000.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.marksimonson.com
Source: camtasia.exe, 00000006.00000002.756685478.0000000005882000.00000002.00000001.01000000.0000000A.sdmp, camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.marksimonson.comCopyright
Source: WPFCommonControls.dll.6.dr	String found in binary or memory: http://www.marksimonson.comProxima
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comcomd
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comq
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comrK
Source: camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.marksimonson.comrV
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://assets.techsmith.com/Docs/Camtasia-2021-Deployment-Tool-Guide.pdf
Source: wget.exe, 00000002.00000002.477846105.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	String found in binary or memory: https://download.techsmith.com/camtasiastudio/releases/camtasia.exe
Source: wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.techsmith.com/camtasiastudio/releases/camtasia.exe6
Source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://policies.google.com/privacy
Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	String found in binary or memory: https://policies.google.com/privacy?hl=de
Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	String found in binary or memory: https://policies.google.com/privacy?hl=ja
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://policies.google.com/privacy?hl=pt-BR
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://security.google.com/settings/security/permissions
Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	String found in binary or memory: https://support.techsmith.com/hc/de/articles/203732668
Source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp, CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://support.techsmith.com/hc/en-us/articles/203732668-TechSmith-Return-Policy
Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	String found in binary or memory: https://support.techsmith.com/hc/ja/articles/203732668-TechSmith-Return-Policy
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.techsmith.comd=
Source: mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	String found in binary or memory: https://www.techsmith.com
Source: camtasia.exe, 00000006.00000002.756685478.0000000005882000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=
Source: camtasia.exe, 00000006.00000002.751317529.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=systemrequirements&product=camtasiastudio&ver=
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=systemrequirements&product=camtasiastudio&ver=22.3.0&l
Source: camtasia.exe, 00000006.00000002.751317529.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=windowsninstall&product=camtasiastudio&ver=22.
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.com/redirect.asp?target=windowsninstall&product=camtasiastudio&ver=22.3.0&lang
Source: camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.techsmith.comd=
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	String found in binary or memory: https://www.youtube.com/t/terms

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF7426
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00D00820
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BC01F
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BF8C3
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CA28E
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C9DE0
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C2413
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CE73C
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011B3F71
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C2642
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EF8C3
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EC01F
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FA28E
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F2413
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F9DE0
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F2642
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FE73C
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008E3F71
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_05364180

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 01192022 appears 46 times
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 011D2B5D appears 79 times
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 011CFB09 appears 445 times
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: String function: 011938BA appears 375 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 008C2022 appears 46 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 008FFB09 appears 459 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 008C38BA appears 373 times
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: String function: 00902B5D appears 79 times

Source: C:\Windows\SysWOW64\wget.exe

Process Stats: CPU usage > 98%

Source: CamtasiaBootstrapperApplication.resources.dll.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll0.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll1.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll2.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll3.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: CamtasiaBootstrapperApplication.resources.dll4.6.dr	Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"
Source: unknown	Process created: C:\Users\user\Desktop\download\camtasia.exe C:\Users\user\Desktop\download\camtasia.exe
Source: C:\Users\user\Desktop\download\camtasia.exe	Process created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe "C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe" -burn.clean.room="C:\Users\user\Desktop\download\camtasia.exe" -burn.filehandle.attached=180 -burn.filehandle.self=624
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"
Source: C:\Users\user\Desktop\download\camtasia.exe	Process created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe "C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe" -burn.clean.room="C:\Users\user\Desktop\download\camtasia.exe" -burn.filehandle.attached=180 -burn.filehandle.self=624

Source: C:\Users\user\Desktop\download\camtasia.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F11-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_01194639 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008C4639 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Users\user\Desktop\download\camtasia.exe

File created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\

Jump to behavior

Source: classification engine

Classification label: sus30.evad.win@7/55@0/2

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011D28BD GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess,

Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CachePackageBeginEventArgs.cs	Suspicious method names: System.Int64 Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CachePackageBeginEventArgs::get_CachePayloads()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/ResolveSourceEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.ResolveSourceEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadBeginEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadBeginEventArgs.cs	Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadBeginEventArgs::.ctor(System.String,System.String)
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadBeginEventArgs::get_PayloadFileName()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheVerifyCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheVerifyCompleteEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheAcquireCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheAcquireCompleteEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheVerifyBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheVerifyBeginEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheAcquireProgressEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheAcquireProgressEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadCompleteEventArgs.cs	Suspicious method names: System.Void Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadCompleteEventArgs::.ctor(System.String,System.String,System.Int32)
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadCompleteEventArgs::get_PayloadFileName()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/DownloadPayloadCompleteEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.DownloadPayloadCompleteEventArgs::get_PayloadId()
Source: BootstrapperCore.dll.6.dr, Tools.WindowsInstallerXml/Bootstrapper/CacheAcquireBeginEventArgs.cs	Suspicious method names: System.String Microsoft.Tools.WindowsInstallerXml.Bootstrapper.CacheAcquireBeginEventArgs::get_PayloadId()

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_01192078 FormatMessageW,GetLastError,LocalFree,

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{A723FF4B-219A-4F82-BBF4-A96C1104CA00}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_01

Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdbx source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: camtasia.exe, 00000006.00000002.758526854.0000000005E72000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: d:\BuildAgent2\work\332abf23d6adde7e\WPFCommonControls\obj\Release\WPFCommonControls.pdb source: camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdb source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\EditionConstants\obj\Release\EditionConstants.pdb source: camtasia.exe, 00000006.00000002.756548919.00000000057D2000.00000002.00000001.01000000.0000000B.sdmp, EditionConstants.dll.6.dr
Source:	Binary string: d:\BuildAgent\work\e5c4efd8f9fde200\WPFCommonViewModel\obj\Release\WPFCommonViewModel.pdbd5~5 p5_CorDllMainmscoree.dll source: camtasia.exe, 00000006.00000002.756599449.0000000005852000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\mbahost.pdb source: camtasia.exe, 00000006.00000002.764310520.000000006FF34000.00000002.00000001.01000000.00000006.sdmp, mbahost.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: E:\DTLTMP160133615\work\b8074b7c5534a0bd\setup\WIX\CamtasiaBootstrapperApplication\obj\Release\CamtasiaBootstrapperApplication.pdb source: camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\burn.pdb source: camtasia.exe, 00000005.00000000.489737589.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000005.00000002.750467361.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000006.00000000.490838479.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe, 00000006.00000002.750881184.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\core\BootstrapperCore.pdb source: camtasia.exe, camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: Microsoft.Deployment.WindowsInstaller.dll.6.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\WixStdBA.pdb source: mbapreq.dll.6.dr

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CFF013 push 00000078h; retf
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF65E2 push edi; iretd
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CFA19B pushfd ; iretd
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF5999 push ecx; iretd
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF596D push ecx; iretd
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF657C push edi; iretd
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF5D0C push edx; iretd
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF6654 push edi; iretd
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CF1652 push ss; iretd
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_00CECF48 pushad ; iretd
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BE806 push ecx; ret
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EE806 push ecx; ret

Source: camtasia.exe.2.dr	Static PE information: section name: .wixburn
Source: camtasia.exe.5.dr	Static PE information: section name: .wixburn

Source: EditionConstants.dll.6.dr

Static PE information: 0xBBD9EC2A [Thu Nov 14 02:19:22 2069 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.109301216282531

Source: C:\Windows\SysWOW64\wget.exe	File created: C:\Users\user\Desktop\download\camtasia.exe	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\download\camtasia.exe	File created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\download\camtasia.exe	File created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbahost.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	File created: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	Jump to dropped file
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Dropped PE file which has not been started: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 011CF839h
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011CF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 011CF832h
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 008FF839h
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008FF79E GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 008FF832h

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Registry key enumerated: More than 152 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\download\camtasia.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_01193D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011D3C72 FindFirstFileW,FindClose,
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_00903C72 FindFirstFileW,FindClose,
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008C3D4E GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,

Source: C:\Users\user\Desktop\download\camtasia.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	API call chain: ExitProcess graph end node

Source: wget.exe	Binary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.477857273.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011C34A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011939DF GetProcessHeap,RtlAllocateHeap,

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C4104 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F4104 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011BE0A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\download\camtasia.exe	Code function: 5_2_011C34A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008EE0A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Code function: 6_2_008F34A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: WPFCommonControls.dll.6.dr, WPFCommonControls/NativeMouseMove.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32')
Source: Microsoft.Deployment.WindowsInstaller.dll.6.dr, Deployment.WindowsInstaller/NativeMethods.cs	Reference to suspicious API methods: ('FindResourceEx', 'FindResourceEx@kernel32.dll'), ('LoadLibraryEx', 'LoadLibraryExW@kernel32.dll')
Source: TechSmith.Win32.dll.6.dr, Win32/User32.cs	Reference to suspicious API methods: ('MapVirtualKeyW', 'MapVirtualKeyW@user32.dll')

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe"

Source: C:\Users\user\Desktop\download\camtasia.exe

Process created: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe "C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe" -burn.clean.room="C:\Users\user\Desktop\download\camtasia.exe" -burn.filehandle.attached=180 -burn.filehandle.self=624

Source: C:\Windows\SysWOW64\wget.exe	Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Aero\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Aero.dll VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011A4E6A ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011BE463 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011D8039 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,

Source: C:\Users\user\Desktop\download\camtasia.exe

Code function: 5_2_011D3349 GetVersionExW,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Native API	Boot or Logon Initialization Scripts	12 Process Injection	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://download.techsmith.com/camtasiastudio/releases/camtasia.exe	0%	Virustotal		Browse
https://download.techsmith.com/camtasiastudio/releases/camtasia.exe	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner
C:\Users\user\Desktop\download\camtasia.exe	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\BootstrapperCore.dll	2%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\CamtasiaBootstrapperApplication.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\EditionConstants.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\Microsoft.Expression.Interactions.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\System.Windows.Interactivity.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\TechSmith.Win32.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonControls.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\WPFCommonViewModel.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\de-DE\CamtasiaBootstrapperApplication.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\es-ES\CamtasiaBootstrapperApplication.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\fr-FR\CamtasiaBootstrapperApplication.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\ja-JP\CamtasiaBootstrapperApplication.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbahost.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\mbapreq.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\pt-BR\CamtasiaBootstrapperApplication.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\zh-CN\CamtasiaBootstrapperApplication.resources.dll	0%	ReversingLabs
C:\Windows\Temp\{CB5AD3D6-270A-4AB0-A898-D5E0F7C2252B}\.cr\camtasia.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://appsyndication.org/2006/appsynapplicationc:	0%	URL Reputation	safe
http://appsyndication.org/2006/appsyn	0%	URL Reputation	safe
http://foo/install%20states/csisrunningusercontrol.xaml	0%	Avira URL Cloud	safe
http://foo/bar/images/marketinganimation/desktop3.png	0%	Avira URL Cloud	safe
http://foo/Images/MarketingAnimation/camtasia2.png	0%	Avira URL Cloud	safe
https://www.techsmith.comd=	0%	Avira URL Cloud	safe
http://www.josbuivenga.demon.nlMuseo	0%	Avira URL Cloud	safe
http://www.marksimonson.comq	0%	Avira URL Cloud	safe
http://www.josbuivenga.demon.nl	0%	Avira URL Cloud	safe
http://foo/install%20states/installusercontrol.xaml	0%	Avira URL Cloud	safe
http://foo/bar/images/marketinganimation/cursor.png	0%	Avira URL Cloud	safe
http://foo/Images/MarketingAnimation/desktop3.png	0%	Avira URL Cloud	safe
http://foo/install%20states/errormessageusercontrol.xaml	0%	Avira URL Cloud	safe
http://defaultcontainer/CamtasiaBootstrapperApplication;component/ResourceDictionary.xaml	0%	Avira URL Cloud	safe
http://foo/install%20states/optionsusercontrol.xaml	0%	Avira URL Cloud	safe
http://foo/bar/install%20states/optionsusercontrol.baml	0%	Avira URL Cloud	safe
http://foo/bar/install%20states/progressusercontrol.baml	0%	Avira URL Cloud	safe
http://foo/bar/fonts/proximanova-semibold.otf	0%	Avira URL Cloud	safe
http://defaultcontainer/CamtasiaBootstrapperApplication;component/Fonts/proximanova-semibold.otf	0%	Avira URL Cloud	safe
http://foo/bar/install%20states/installusercontrol.baml	0%	Avira URL Cloud	safe
http://defaultcontainer/CamtasiaBootstrapperApplication;component/windows/selectlanguagedialog.xaml	0%	Avira URL Cloud	safe
http://foo/Images/MarketingAnimation/cursor.png	0%	Avira URL Cloud	safe
http://defaultcontainer/CamtasiaBootstrapperApplication;component/usercontrols/featuresusercontrol.x	0%	Avira URL Cloud	safe
http://foo/bar/images/marketinganimation/desktop6.png	0%	Avira URL Cloud	safe
http://foo/bar/images/marketinganimation/share-menu.png	0%	Avira URL Cloud	safe
http://foo/bar/install%20states/csisrunningusercontrol.baml	0%	Avira URL Cloud	safe
http://www.josbuivenga.demon.nlCopyright	0%	Avira URL Cloud	safe
http://foo/usercontrols/featuresusercontrol.xaml	0%	Avira URL Cloud	safe
http://foo/bar/install%20states/uninstallusercontrol.baml	0%	Avira URL Cloud	safe
http://foo/install%20states/progressusercontrol.xaml	0%	Avira URL Cloud	safe
http://www.marksimonson.comProxima	0%	Avira URL Cloud	safe
http://foo/Fonts/proximanova-regular.otf	0%	Avira URL Cloud	safe
http://foo/Images/MarketingAnimation/desktop2.png	0%	Avira URL Cloud	safe
https://support.techsmith.comd=	0%	Avira URL Cloud	safe
http://foo/install%20states/changeusercontrol.xaml	0%	Avira URL Cloud	safe
http://foo/bar/images/marketinganimation/camtasia1.png	0%	Avira URL Cloud	safe
http://foo/bar/windows/selectlanguagedialog.baml	0%	Avira URL Cloud	safe
http://foo/install%20states/uninstallusercontrol.xaml	0%	Avira URL Cloud	safe
http://foo/bar/images/marketinganimation/camtasia2.png	0%	Avira URL Cloud	safe
http://foo/bar/install%20states/changeusercontrol.baml	0%	Avira URL Cloud	safe
http://foo/install%20states/finishedusercontrol.xaml	0%	Avira URL Cloud	safe
http://foo/bar/install%20states/modifyusercontrol.baml	0%	Avira URL Cloud	safe
http://foo/bar/install%20states/finishedusercontrol.baml	0%	Avira URL Cloud	safe
http://foo/windows/selectlanguagedialog.xaml	0%	Avira URL Cloud	safe
http://foo/Images/MarketingAnimation/share-menu.png	0%	Avira URL Cloud	safe
http://www.marksimonson.comrK	0%	Avira URL Cloud	safe
http://defaultcontainer/CamtasiaBootstrapperApplication;component/Fonts/proximanova-regular.otf	0%	Avira URL Cloud	safe
http://foo/bar/usercontrols/featuresusercontrol.baml	0%	Avira URL Cloud	safe
http://foo/install%20states/modifyusercontrol.xaml	0%	Avira URL Cloud	safe
http://www.marksimonson.comcomd	0%	Avira URL Cloud	safe
http://www.marksimonson.comrV	0%	Avira URL Cloud	safe
http://foo/bar/fonts/proximanova-regular.otf	0%	Avira URL Cloud	safe
http://foo/bar/images/marketinganimation/desktop2.png	0%	Avira URL Cloud	safe
http://foo/bar/install%20states/errormessageusercontrol.baml	0%	Avira URL Cloud	safe
http://www.marksimonson.comCopyright	0%	Avira URL Cloud	safe
http://defaultcontainer/CamtasiaBootstrapperApplication;component/Images/MarketingAnimation/cursor.p	0%	Avira URL Cloud	safe
http://foo/Fonts/proximanova-semibold.otf	0%	Avira URL Cloud	safe
http://foo/Images/MarketingAnimation/desktop6.png	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.josbuivenga.demon.nlMuseo	camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	false	Avira URL Cloud: safe	unknown
http://foo/Images/MarketingAnimation/camtasia2.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/install%20states/csisrunningusercontrol.xaml	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.techsmith.comd=	camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/images/marketinganimation/desktop3.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.josbuivenga.demon.nl	camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	false	Avira URL Cloud: safe	unknown
http://www.marksimonson.comq	camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.techsmith.com/redirect.asp?target=windowsninstall&product=camtasiastudio&ver=22.3.0&lang	camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.techsmith.com/hc/de/articles/203732668	CamtasiaBootstrapperApplication.resources.dll0.6.dr	false		high
http://foo/Images/MarketingAnimation/desktop3.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.techsmith.com/redirect.asp?target=systemrequirements&product=camtasiastudio&ver=22.3.0&l	camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://foo/install%20states/installusercontrol.xaml	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/images/marketinganimation/cursor.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/install%20states/errormessageusercontrol.xaml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.techsmith.com/redirect.asp?target=windowsninstall&product=camtasiastudio&ver=22.	camtasia.exe, 00000006.00000002.751317529.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://defaultcontainer/CamtasiaBootstrapperApplication;component/ResourceDictionary.xaml	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.techsmith.com/redirect.asp?target=systemrequirements&product=camtasiastudio&ver=	camtasia.exe, 00000006.00000002.751317529.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.techsmith.com/hc/ja/articles/203732668-TechSmith-Return-Policy	CamtasiaBootstrapperApplication.resources.dll.6.dr	false		high
https://www.youtube.com/t/terms	CamtasiaBootstrapperApplication.resources.dll4.6.dr	false		high
http://foo/install%20states/optionsusercontrol.xaml	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://wixtoolset.org/news/	camtasia.exe, camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr	false		high
https://policies.google.com/privacy?hl=de	CamtasiaBootstrapperApplication.resources.dll0.6.dr	false		high
https://download.techsmith.com/camtasiastudio/releases/camtasia.exe6	wget.exe, 00000002.00000003.477392459.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000002.477815634.0000000000BC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://foo/bar/install%20states/optionsusercontrol.baml	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://wixtoolset.org/releases/SCreating	camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, BootstrapperCore.dll.6.dr	false		high
http://foo/bar/install%20states/progressusercontrol.baml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/CamtasiaBootstrapperApplication;component/Fonts/proximanova-semibold.otf	camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/fonts/proximanova-semibold.otf	camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/install%20states/installusercontrol.baml	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://appsyndication.org/2006/appsynapplicationc:	camtasia.exe, 00000005.00000000.489737589.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000005.00000002.750467361.00000000011DA000.00000002.00000001.01000000.00000003.sdmp, camtasia.exe, 00000006.00000000.490838479.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe, 00000006.00000002.750881184.000000000090A000.00000002.00000001.01000000.00000005.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	false	URL Reputation: safe	unknown
http://defaultcontainer/CamtasiaBootstrapperApplication;component/windows/selectlanguagedialog.xaml	camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/Images/MarketingAnimation/cursor.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://wixtoolset.org	mbahost.dll.6.dr, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr, mbapreq.dll.6.dr	false		high
https://download.techsmith.com/camtasiastudio/releases/camtasia.exe	wget.exe, 00000002.00000002.477846105.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr	false		high
http://defaultcontainer/CamtasiaBootstrapperApplication;component/usercontrols/featuresusercontrol.x	camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/images/marketinganimation/desktop6.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/images/marketinganimation/share-menu.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/install%20states/csisrunningusercontrol.baml	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.josbuivenga.demon.nlCopyright	camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, WPFCommonControls.dll.6.dr	false	Avira URL Cloud: safe	unknown
http://foo/bar/install%20states/uninstallusercontrol.baml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/usercontrols/featuresusercontrol.xaml	camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/install%20states/progressusercontrol.xaml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.marksimonson.comProxima	WPFCommonControls.dll.6.dr	false	Avira URL Cloud: safe	unknown
http://foo/Fonts/proximanova-regular.otf	camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://security.google.com/settings/security/permissions	CamtasiaBootstrapperApplication.resources.dll4.6.dr	false		high
http://foo/Images/MarketingAnimation/desktop2.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://support.techsmith.comd=	camtasia.exe, 00000005.00000002.750699046.0000000002CD0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.752029151.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/install%20states/changeusercontrol.xaml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/images/marketinganimation/camtasia1.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/windows/selectlanguagedialog.baml	camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/soap/encoding/	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://assets.techsmith.com/Docs/Camtasia-2021-Deployment-Tool-Guide.pdf	CamtasiaBootstrapperApplication.resources.dll4.6.dr	false		high
http://foo/install%20states/uninstallusercontrol.xaml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	camtasia.exe, 00000006.00000002.755966145.0000000005362000.00000002.00000001.01000000.00000009.sdmp, Microsoft.Deployment.WindowsInstaller.dll.6.dr, BootstrapperCore.dll.6.dr	false		high
https://www.techsmith.com	wget.exe, 00000002.00000003.434632058.0000000000BB8000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434681470.0000000000BBA000.00000004.00000800.00020000.00000000.sdmp, wget.exe, 00000002.00000003.434597617.0000000000BB0000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe.5.dr, camtasia.exe.2.dr	false		high
http://foo/bar/images/marketinganimation/camtasia2.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/install%20states/changeusercontrol.baml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/install%20states/finishedusercontrol.xaml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/install%20states/modifyusercontrol.baml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/install%20states/finishedusercontrol.baml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://policies.google.com/privacy?hl=ja	CamtasiaBootstrapperApplication.resources.dll.6.dr	false		high
https://support.techsmith.com/hc/en-us/articles/203732668-TechSmith-Return-Policy	camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp, CamtasiaBootstrapperApplication.resources.dll4.6.dr	false		high
https://www.techsmith.com/redirect.asp?target=	camtasia.exe, 00000006.00000002.756685478.0000000005882000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://foo/windows/selectlanguagedialog.xaml	camtasia.exe, 00000006.00000002.754862185.00000000035E9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.marksimonson.comrK	camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/releases/	camtasia.exe, Microsoft.Deployment.WindowsInstaller.dll.6.dr	false		high
http://foo/Images/MarketingAnimation/share-menu.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/CamtasiaBootstrapperApplication;component/Fonts/proximanova-regular.otf	camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/usercontrols/featuresusercontrol.baml	camtasia.exe, 00000006.00000002.754151345.0000000003466000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/install%20states/modifyusercontrol.xaml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.marksimonson.comcomd	camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.marksimonson.comrV	camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/fonts/proximanova-regular.otf	camtasia.exe, 00000006.00000002.754926608.0000000003608000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/wsdl/	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.marksimonson.com	camtasia.exe, 00000006.00000002.751386655.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, camtasia.exe, 00000006.00000002.761967978.0000000009592000.00000004.00000800.00020000.00000000.sdmp, WPFCommonControls.dll.6.dr	false		high
http://wixtoolset.org/	camtasia.exe	false		high
http://wixtoolset.org/telemetry/v	camtasia.exe	false		high
https://policies.google.com/privacy	camtasia.exe, 00000006.00000002.757000023.00000000058F7000.00000002.00000001.01000000.0000000A.sdmp	false		high
http://foo/bar/images/marketinganimation/desktop2.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://policies.google.com/privacy?hl=pt-BR	CamtasiaBootstrapperApplication.resources.dll4.6.dr	false		high
http://foo/bar/install%20states/errormessageusercontrol.baml	camtasia.exe, 00000006.00000002.754283314.000000000348D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.marksimonson.comCopyright	camtasia.exe, 00000006.00000002.756685478.0000000005882000.00000002.00000001.01000000.0000000A.sdmp, camtasia.exe, 00000006.00000002.758598344.0000000005F12000.00000002.00000001.01000000.0000000E.sdmp, camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp, WPFCommonControls.dll.6.dr	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/CamtasiaBootstrapperApplication;component/Images/MarketingAnimation/cursor.p	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/Fonts/proximanova-semibold.otf	camtasia.exe, 00000006.00000002.755219331.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/Images/MarketingAnimation/desktop6.png	camtasia.exe, 00000006.00000002.752276135.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://appsyndication.org/2006/appsyn	camtasia.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.8.8.8	unknown	United States		15169	GOOGLEUS	false
23.205.232.22	unknown	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	753409
Start date and time:	2022-11-24 19:13:53 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	urldownload.jbs
Sample URL:	https://download.techsmith.com/camtasiastudio/releases/camtasia.exe
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus30.evad.win@7/55@0/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 64.5% (good quality ratio 61.9%) Quality average: 73.2% Quality standard deviation: 27.4%
HCA Information:	Successful, ratio: 84% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Execution Graph export aborted for target wget.exe, PID 2692 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	560894
Entropy (8bit):	2.189471291564133
Encrypted:	false
SSDEEP:	1536:dK8QXYaJk+N2Ryy1WS9MQ3JnGsxc2REiLDsKZIAMFd8JDhuWsfLlDhCS/ciSuHz1:sxdEzJae61
MD5:	513243550C654A23E9443A54D674AEEC
SHA1:	220674420B8BE12412AB9DF40DA74794FC07362D
SHA-256:	19A91D33FE2E21A052A51DE2624BA071554C6BEC9EDF1784DD1EBC58A6398A29
SHA-512:	E8C5D7C3060A402F0DB33A5E8B9C6112C91591E1EDB7365FE03997F461C458AB94A44B6929D34F67B785A83385C29021781095F2A3949DCE1A9A17FBC27AC2F6
Malicious:	false
Reputation:	low
Preview:	--2022-11-24 19:14:43-- https://download.techsmith.com/camtasiastudio/releases/camtasia.exe..Resolving download.techsmith.com (download.techsmith.com)... 23.205.232.22..Connecting to download.techsmith.com (download.techsmith.com)\|23.205.232.22\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 368315368 (351M) [application/octet-stream]..Saving to: 'C:/Users/user/Desktop/download/camtasia.exe'.... 0K .......... .......... .......... .......... .......... 0% 902K 6m39s.. 50K .......... .......... .......... .......... .......... 0% 1.24M 5m41s.. 100K .......... .......... .......... .......... .......... 0% 1.16M 5m29s.. 150K .......... .......... .......... .......... .......... 0% 1.86M 4m54s.. 200K .......... .......... .......... .......... .......... 0% 1.20M 4m53s.. 250K .......... .......... .......... .......... .......... 0% 2.35M 4m29s.. 300K .......... .......... .......... .......... .......... 0% 1.88M 4m17s.. 350K ....

Process:	C:\Windows\SysWOW64\wget.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	368315368
Entropy (8bit):	7.99971960397624
Encrypted:	true
SSDEEP:	6291456:j6ZqpwjIuzjEinRLMtQRBj4xfEXPuaoZhPNEyvpYORwtpG2SepZlmkxe49WvMBqD:j6cuXzjEoRWCjDQvEGY9pG2v3lLwBvMC
MD5:	0C60C5F487C288CF2C6B09FE7E4A7D77
SHA1:	0927751BA365DD9B672B2A10CF7FB1584579FC7D
SHA-256:	3913A1981B8FAE2BB3A9D5C6B00B90ADEA03AB407C2FE958D7C01DC3383F0945
SHA-512:	A786DFB0C7394E4D44D87B2A392A830B2616EFEF522A59FB9BC48B6FE7F98AA908DA3A60AF601AEE3CE13E3FD805751E24A663B5533CFC1A719E2770781D3764
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.o.}k..}k..}k.....wk......k.....ek../...nk../...ik../...Vk..t...xk..t...lk..}k..(j......6k......\|k..}k...k......\|k..Rich}k..........PE..L...2p.]............................q.............@..................................W....@.........................................................P....*.......=..0p..T....................p.......j..@...................4\|.......................text............................... ..`.rdata..`...........................@..@.data...............................@....wixburn8...........................@..@.rsrc...............................@..@.reloc...=.......>...Z..............@..B........................................................................................................................................................................................................................................................

Target ID:	0
Start time:	19:14:43
Start date:	24/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://download.techsmith.com/camtasiastudio/releases/camtasia.exe" > cmdline.out 2>&1
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	5
Start time:	19:16:14
Start date:	24/11/2022
Path:	C:\Users\user\Desktop\download\camtasia.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\download\camtasia.exe
Imagebase:	0x1190000
File size:	368315368 bytes
MD5 hash:	0C60C5F487C288CF2C6B09FE7E4A7D77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://download.techsmith.com/camtasiastudio/releases/camtasia.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\cmdline.out

C:\Users\user\Desktop\download\camtasia.exe

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1028\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1029\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1030\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1031\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1032\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1035\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1036\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1038\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1040\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1041\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1042\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1043\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1044\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1045\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1046\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1049\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1051\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1053\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1055\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\1060\mbapreq.wxl

C:\Windows\Temp\{7E66493E-A433-47D4-9045-EEADE201F171}\.ba\2052\mbapreq.wxl

Windows Analysis Report
https://download.techsmith.com/camtasiastudio/releases/camtasia.exe