Windows Analysis Report
RadProCalculator3.26_64BSetup.exe

Overview

General Information

Sample name: RadProCalculator3.26_64BSetup.exe
Analysis ID: 1524334
MD5: db2df493ed3ef51a0731e67c41c81eb1
SHA1: 483f3fdba4fd84b2739a19f90a17d9c08f0559eb
SHA256: 4b526c198671dbe6351021935b780a9ce582a891b1ca0eddc1b170fa762b8661

Detection

Score: 12
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Found potential equation exploit (CVE-2017-11882)
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: Use NTFS Short Name in Command Line
Uses 32bit PE files

Classification

Exploits

Source: Static RTF information: Object: 0 Offset: 000016F2h
Source: Static RTF information: Object: 1 Offset: 00004C0Ah
Source: Static RTF information: Object: 2 Offset: 0000811Dh
Source: RadProCalculator3.26_64BSetup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\D1E532D5\242A76C8\RadPro License.rtf
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf
Source: Binary string: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\1E27FC18\242A76C8\adProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000002.3432860988.000000000075C000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198152344.0000000000756000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\USERS\RAY\DOCUMENTS\VISUAL STUDIO 2008\PROJECTS\RADPROCALCULATOR64BIT\BIN\RADPROCALCULATOR.PDB source: RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.0000000002458000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: gacutil.pdb, AH/@ source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209757364.000000000060C000.00000002.00000001.01000000.00000004.sdmp, RadProCalculator3.26_64BSetup.exe.0.dr
Source: Binary string: 242A76C8\RadProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.00000000024CC000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, mia.tmp.2.dr, RadProCalculator3.26_64BSetup.exe.0.dr
Source: Binary string: gacutil.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209757364.000000000060C000.00000002.00000001.01000000.00000004.sdmp, RadProCalculator3.26_64BSetup.exe.0.dr
Source: Binary string: aC:\Users\Ray\Documents\Visual Studio 2008\Projects\RadProCalculator64Bit\bin\RadProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.0000000002458000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: u/OFFLINE/B00CA824/242A76C8/RadProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2208829416.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000002.3433082676.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2208941075.00000000009AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\1E27FC18\42A76C8\adProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000002.3432860988.000000000075C000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198152344.0000000000756000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1355-gdiplus.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003CC1000.00000004.00000020.00020000.00000000.sdmp, gdiplus.dll.0.dr
Source: Binary string: data/OFFLINE/B00CA824/242A76C8/RadProCalculator.pdbvD source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2208740632.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198233127.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2207629927.00000000009AB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Ray\Documents\Visual Studio 2008\Projects\RadProCalculator64Bit\bin\RadProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.0000000002458000.00000004.00001000.00020000.00000000.sdmp, mia.tmp.2.dr, RadProCalculator3.26_64BSetup.exe.0.dr
Source: Binary string: aC:\USERS\RAY\DOCUMENTS\VISUAL STUDIO 2008\PROJECTS\RADPROCALCULATOR64BIT\BIN\RADPROCALCULATOR.PDB source: RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.0000000002458000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\884935FF\42A76C8\RadProCalculator.pdbll source: RadProCalculator3.26_64BSetup.exe, 00000000.00000002.3432860988.000000000075C000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198152344.0000000000756000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Ray\Documents\Visual Studio 2008\Projects\RadProCalculator64Bit\obj\Debug\RadProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator.exe.0.dr
Source: Binary string: C:\Documents and Settings\K-ballo\Mis documentos\Visual Studio 2008\Projects\ahadmin_wrapper\ReleaseDLL\ahadmin_wrapper.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209757364.000000000060C000.00000002.00000001.01000000.00000004.sdmp, RadProCalculator3.26_64BSetup.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: ShieldingandBuildup.doc.0.dr String found in binary or memory: http://hps.org/publicinformation/ate/faqs/gammaandexposure.html
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, ShieldingandBuildup.pdf.0.dr, Rad Pro Calculator References.pdf.0.dr, Help for Rad Pro Calculator.pdf.0.dr String found in binary or memory: http://hps.org/publicinformation/ate/faqs/gammaandexposure.html)/S/URI
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, ShieldingandBuildup.doc.0.dr String found in binary or memory: http://hps.org/publicinformation/ate/faqs/gammaandexposure.htmlyX
Source: Rad Pro Calculator References.rtf.0.dr String found in binary or memory: http://ie.lbl.gov/toi.html
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, Rad Pro Calculator References.pdf.0.dr String found in binary or memory: http://ie.lbl.gov/toi.html)/S/URI
Source: ShieldingandBuildup.doc.0.dr String found in binary or memory: http://physics.nist.gov/PhysRefData/XrayMassCoef/tab3.html
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, ShieldingandBuildup.pdf.0.dr String found in binary or memory: http://physics.nist.gov/PhysRefData/XrayMassCoef/tab3.html)/S/URI
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, ShieldingandBuildup.doc.0.dr String found in binary or memory: http://physics.nist.gov/PhysRefData/XrayMassCoef/tab3.htmla
Source: ShieldingandBuildup.doc.0.dr String found in binary or memory: http://physics.nist.gov/PhysRefData/XrayMassCoef/tab4.html
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, ShieldingandBuildup.pdf.0.dr String found in binary or memory: http://physics.nist.gov/PhysRefData/XrayMassCoef/tab4.html)/S/URI
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, Rad Pro Calculator References.rtf.0.dr String found in binary or memory: http://physics.nist.gov/xaamdi
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209437928.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RadProCalculator3.26_64BSetup.exe.0.dr String found in binary or memory: http://www.InstallAware.com/
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209437928.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RadProCalculator3.26_64BSetup.exe.0.dr String found in binary or memory: http://www.InstallAware.com/open
Source: ShieldingandBuildup.doc.0.dr String found in binary or memory: http://www.ans.org/store/vi-240180
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, ShieldingandBuildup.pdf.0.dr String found in binary or memory: http://www.ans.org/store/vi-240180)/S/URI
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, Help for Rad Pro Calculator.pdf.0.dr String found in binary or memory: http://www.epa.gov/radiation/marssim/docs/revision1_August_2002corrections/chapter6.pdf)/S/URI
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, Help for Rad Pro Calculator.pdf.0.dr String found in binary or memory: http://www.epa.gov/radiation/marssim/obtain.html)/S/URI
Source: RadProCalculator3.26_64BSetup.exe.0.dr String found in binary or memory: http://www.installaware.com/
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209437928.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RadProCalculator3.26_64BSetup.exe.0.dr String found in binary or memory: http://www.installaware.com/InstallAware
Source: RadProCalculator3.26_64BSetup.exe, RadProCalculator3.26_64BSetup.exe.0.dr String found in binary or memory: http://www.installaware.comz
Source: Rad Pro Calculator References.rtf.0.dr String found in binary or memory: http://www.pacificrad.com/pages/publications.html
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, Rad Pro Calculator References.pdf.0.dr String found in binary or memory: http://www.pacificrad.com/pages/publications.html)/S/URI
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, Help for Rad Pro Calculator.pdf.0.dr String found in binary or memory: http://www.radiationsoftware.com/mshield.html)/S/URI
Source: RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.00000000024CC000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, mia.tmp.2.dr, RadProCalculator3.26_64BSetup.exe.0.dr String found in binary or memory: http://www.radprocalculator.com/
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, Help for Rad Pro Calculator.pdf.0.dr String found in binary or memory: http://www.radprocalculator.com/Request.aspx)/S/URI
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator.exe.0.dr String found in binary or memory: http://www.radprocalculator.com/Request.aspxGmailto:support
Source: Contact Rad Pro Calculator.rtf.0.dr String found in binary or memory: http://www.radprocalculator.com/request.aspx
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.000000000372F000.00000004.00000020.00020000.00000000.sdmp, Help for Rad Pro Calculator.pdf.0.dr String found in binary or memory: http://www.wmginc.com/Software/MegaShield/megashield.htm)/S/URI
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DirectDrawCreateEx memstr_68406ce3-7
Source: RadProCalculator3.26_64BSetup.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: RadProCalculator3.26_64BSetup.exe.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386, for MS Windows
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003E6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInterop.Microsoft.Office.Core.dll|. vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003E38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInterop.ComctlLib.dll vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003EA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInterop.Microsoft.Office.Interop.Excel.dll|- vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003EA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInterop.VBIDE.dll|- vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003EA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003CA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAxInterop.ComctlLib.dll4 vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRadProCalculator.exeP vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegacutil.exeT vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAxInterop.ComCtl2.dll4 vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegdiplusj% vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInterop.ComCtl2.dll vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3434996427.0000000010069000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilename7z.exe, vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamegacutil.exeT vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2214055378.000000007FDC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename7z.exe, vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209757364.000000000060C000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenamegacutil.exeT vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe.0.dr Binary or memory string: OriginalFilenamegacutil.exeT vs RadProCalculator3.26_64BSetup.exe
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003EA1000.00000004.00000020.00020000.00000000.sdmp, Interop.VBIDE.dll.0.dr Binary or memory string: VBIDE.VBProjectClass)
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003EA1000.00000004.00000020.00020000.00000000.sdmp, Interop.VBIDE.dll.0.dr Binary or memory string: VBIDE.VBProjectsClass)
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003EA1000.00000004.00000020.00020000.00000000.sdmp, Interop.VBIDE.dll.0.dr Binary or memory string: VBIDE.VBProjectClass
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003EA1000.00000004.00000020.00020000.00000000.sdmp, Interop.VBIDE.dll.0.dr Binary or memory string: VBIDE.VBProjectsClass
Source: classification engine Classification label: clean12.expl.winEXE@3/73@0/0
Source: ShieldingandBuildup.pdf.0.dr Initial sample: http://physics.nist.gov/physrefdata/xraymasscoef/tab3.html
Source: ShieldingandBuildup.pdf.0.dr Initial sample: http://physics.nist.gov/PhysRefData/XrayMassCoef/tab3.html
Source: Help for Rad Pro Calculator.pdf.0.dr Initial sample: http://www.radprocalculator.com/Request.aspx
Source: Help for Rad Pro Calculator.pdf.0.dr Initial sample: http://www.epa.gov/radiation/marssim/docs/revision1_August_2002corrections/chapter6.pdf
Source: ShieldingandBuildup.pdf.0.dr Initial sample: http://hps.org/publicinformation/ate/faqs/gammaandexposure.html
Source: ShieldingandBuildup.pdf.0.dr Initial sample: http://physics.nist.gov/PhysRefData/XrayMassCoef/tab4.html
Source: ShieldingandBuildup.pdf.0.dr Initial sample: http://physics.nist.gov/physrefdata/xraymasscoef/tab4.html
Source: Help for Rad Pro Calculator.pdf.0.dr Initial sample: http://www.radiationsoftware.com/mshield.html
Source: Rad Pro Calculator References.pdf.0.dr Initial sample: http://www.pacificrad.com/pages/publications.html
Source: Rad Pro Calculator References.pdf.0.dr Initial sample: http://ie.lbl.gov/toi.html
Source: Help for Rad Pro Calculator.pdf.0.dr Initial sample: http://www.wmginc.com/Software/MegaShield/megashield.htm
Source: Help for Rad Pro Calculator.pdf.0.dr Initial sample: http://www.wmginc.com/software/megashield/megashield.htm
Source: ShieldingandBuildup.pdf.0.dr Initial sample: http://www.ans.org/store/vi-240180
Source: Help for Rad Pro Calculator.pdf.0.dr Initial sample: http://www.epa.gov/radiation/marssim/obtain.html
Source: Help for Rad Pro Calculator.pdf.0.dr Initial sample: http://www.epa.gov/radiation/marssim/docs/revision1_august_2002corrections/chapter6.pdf
Source: Help for Rad Pro Calculator.pdf.0.dr Initial sample: http://www.radprocalculator.com/request.aspx
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\PackageAware
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp
Source: Yara match File source: 00000002.00000000.2209437928.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe, type: DROPPED
Source: RadProCalculator3.26_64BSetup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File read: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe
Source: unknown Process created: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe "C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe"
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Process created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe .\RadProCalculator3.26_64BSetup.exe /m="C:\Users\user\Desktop\RADPRO~1.EXE" /k=""
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: riched32.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Window found: window name: TButton
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Automated click: I accept the license agreement
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: RadProCalculator3.26_64BSetup.exe Static file information: File size 3493085 > 1048576
Source: Binary string: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\1E27FC18\242A76C8\adProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000002.3432860988.000000000075C000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198152344.0000000000756000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\USERS\RAY\DOCUMENTS\VISUAL STUDIO 2008\PROJECTS\RADPROCALCULATOR64BIT\BIN\RADPROCALCULATOR.PDB source: RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.0000000002458000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: gacutil.pdb, AH/@ source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209757364.000000000060C000.00000002.00000001.01000000.00000004.sdmp, RadProCalculator3.26_64BSetup.exe.0.dr
Source: Binary string: 242A76C8\RadProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.00000000024CC000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, mia.tmp.2.dr, RadProCalculator3.26_64BSetup.exe.0.dr
Source: Binary string: gacutil.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209757364.000000000060C000.00000002.00000001.01000000.00000004.sdmp, RadProCalculator3.26_64BSetup.exe.0.dr
Source: Binary string: aC:\Users\Ray\Documents\Visual Studio 2008\Projects\RadProCalculator64Bit\bin\RadProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.0000000002458000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: u/OFFLINE/B00CA824/242A76C8/RadProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2208829416.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000002.3433082676.00000000009AF000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2208941075.00000000009AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\1E27FC18\42A76C8\adProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000002.3432860988.000000000075C000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198152344.0000000000756000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1355-gdiplus.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003CC1000.00000004.00000020.00020000.00000000.sdmp, gdiplus.dll.0.dr
Source: Binary string: data/OFFLINE/B00CA824/242A76C8/RadProCalculator.pdbvD source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2208740632.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198233127.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2207629927.00000000009AB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Ray\Documents\Visual Studio 2008\Projects\RadProCalculator64Bit\bin\RadProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.0000000002458000.00000004.00001000.00020000.00000000.sdmp, mia.tmp.2.dr, RadProCalculator3.26_64BSetup.exe.0.dr
Source: Binary string: aC:\USERS\RAY\DOCUMENTS\VISUAL STUDIO 2008\PROJECTS\RADPROCALCULATOR64BIT\BIN\RADPROCALCULATOR.PDB source: RadProCalculator3.26_64BSetup.exe, 00000002.00000002.3433296326.0000000002458000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\884935FF\42A76C8\RadProCalculator.pdbll source: RadProCalculator3.26_64BSetup.exe, 00000000.00000002.3432860988.000000000075C000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198152344.0000000000756000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Ray\Documents\Visual Studio 2008\Projects\RadProCalculator64Bit\obj\Debug\RadProCalculator.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator.exe.0.dr
Source: Binary string: C:\Documents and Settings\K-ballo\Mis documentos\Visual Studio 2008\Projects\ahadmin_wrapper\ReleaseDLL\ahadmin_wrapper.pdb source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209757364.000000000060C000.00000002.00000001.01000000.00000004.sdmp, RadProCalculator3.26_64BSetup.exe.0.dr
Source: RadProCalculator3.26_64BSetup.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x299dfc
Source: AxInterop.ComctlLib.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x23494
Source: RadProCalculator3.26_64BSetup.exe Static PE information: real checksum: 0x2df62 should be: 0x35d76e
Source: RadProCalculator.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x176d87
Source: Interop.Microsoft.Office.Core.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x42fac
Source: AxInterop.ComCtl2.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xd5a5
Source: Interop.Microsoft.Office.Interop.Excel.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x13827f
Source: Interop.ComctlLib.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x42505
Source: Interop.ComCtl2.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xe761
Source: gdiplus.dll.0.dr Static PE information: section name: Shared
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\764C6FA8\242A76C8\RadProCalculator.exe Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\mMSI.dll\mMSIExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\F3319620\242A76C8\Interop.Microsoft.Office.Core.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\28D15CAF\242A76C8\AxInterop.ComCtl2.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\F10E7C53\242A76C8\Interop.ComCtl2.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\DEFF21C9\242A76C8\Interop.ComctlLib.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\gdiplus.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\F699690B\242A76C8\AxInterop.ComctlLib.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\9B25A4E7\242A76C8\Interop.Microsoft.Office.Interop.Excel.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\489D2344\242A76C8\Interop.VBIDE.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\mia.lib Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\D1E532D5\242A76C8\RadPro License.rtf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf Jump to behavior
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\764C6FA8\242A76C8\RadProCalculator.exe Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\mMSI.dll\mMSIExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\F3319620\242A76C8\Interop.Microsoft.Office.Core.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\28D15CAF\242A76C8\AxInterop.ComCtl2.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\F10E7C53\242A76C8\Interop.ComCtl2.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\DEFF21C9\242A76C8\Interop.ComctlLib.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\gdiplus.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\F699690B\242A76C8\AxInterop.ComctlLib.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\9B25A4E7\242A76C8\Interop.Microsoft.Office.Interop.Excel.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll Jump to dropped file
Source: C:\Users\user\Desktop\RadProCalculator3.26_64BSetup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia400B.tmp\data\OFFLINE\489D2344\242A76C8\Interop.VBIDE.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mia400B.tmp\RadProCalculator3.26_64BSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209437928.0000000000401000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: Shell_TrayWnd
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209437928.0000000000401000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: Progman
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209437928.0000000000401000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: Progmanadvapi32.dllCreateProcessWithTokenW
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209437928.0000000000401000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: ProgmanU
Source: RadProCalculator3.26_64BSetup.exe, 00000000.00000003.2198576039.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000003.2215926342.000000007FBB0000.00000004.00001000.00020000.00000000.sdmp, RadProCalculator3.26_64BSetup.exe, 00000002.00000000.2209437928.0000000000401000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: Shell_TrayWndU
No contacted IP infos