Windows Analysis Report nHOMA2CalculatorWindowsSetup.exe

Source: nHOMA2CalculatorWindowsSetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\unins000.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-47NV3.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-VCAJS.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-42761.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-PSQK4.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-AUQQQ.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-N1UTF.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-TOAGV.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA Calculator.url	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HOMA Calculator_is1

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

File opened: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\MSVCR100.dll

Found inlined nop instructions (likely shell or obfuscated code)

Source:	Binary string: msvcp100.i386.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006156000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3344575468.000000006FD01000.00000020.00000001.01000000.0000000C.sdmp, is-42761.tmp.2.dr
Source:	Binary string: msvcr100.i386.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006156000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, HOMA2 Calculator.exe, 00000005.00000002.3343751122.000000006C871000.00000020.00000001.01000000.0000000D.sdmp, is-PSQK4.tmp.2.dr
Source:	Binary string: c:\DevelBuildSlave\QuickStableVS\build\REALbasic\REALbasic Visual Studio\Release\GUIStubWin32.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000005F00000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3342772667.0000000000FC6000.00000002.00000001.01000000.0000000A.sdmp, HOMA2 Calculator.exe, 00000005.00000000.2325387948.0000000000FC6000.00000002.00000001.01000000.0000000A.sdmp, is-VCAJS.tmp.2.dr
Source:	Binary string: c:\DevelBuildSlave\QuickStableVS\build\REALbasic\REALbasic Visual Studio\Release\RBGUIFrameworkWin32.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000626F000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3344272135.000000006CA8A000.00000002.00000001.01000000.0000000B.sdmp, is-AUQQQ.tmp.2.dr

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D0CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D0CBB
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CCC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	5_2_6C8CCC23
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D088A
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	5_2_6C8CC8FD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CE0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,	5_2_6C8CE0BD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8981A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8981A1
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CFF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CFF0E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF9DD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CDBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,	5_2_6C8CDBC0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF593
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CD687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,	5_2_6C8CD687
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D110C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF169

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 4x nop then push esi		5_2_6C87F680
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 4x nop then or byte ptr [edi], dh		5_2_6C887270

Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2336713810.000000000238C000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2105859466.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2331970959.000000000240C000.00000004.00001000.00020000.00000000.sdmp, HOMA Calculator.url.2.dr	String found in binary or memory: http://www.dtu.ox.ac.uk/HOMACalculator
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2336713810.000000000238C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dtu.ox.ac.uk/HOMACalculatorA
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2102987099.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2105859466.00000000031F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dtu.ox.ac.uk/HOMACalculatorLhttp://www.dtu.ox.ac.uk/HOMACalculatorLhttp://www.dtu.ox.ac.u
Source: is-N1UTF.tmp.2.dr, is-VCAJS.tmp.2.dr	String found in binary or memory: http://www.dtu.ox.ac.uk/homa
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-TOAGV.tmp.2.dr	String found in binary or memory: http://www.dtu.ox.ac.uk/homa#
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-TOAGV.tmp.2.dr	String found in binary or memory: http://www.dtu.ox.ac.uk/homa#email:
Source: is-VCAJS.tmp.2.dr	String found in binary or memory: http://www.dtu.ox.ac.uk/homaTextAlign
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2104076746.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2103494922.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000000.2104897484.0000000000401000.00000020.00000001.01000000.00000004.sdmp, nHOMA2CalculatorWindowsSetup.tmp.0.dr, is-47NV3.tmp.2.dr	String found in binary or memory: http://www.innosetup.com/
Source: nHOMA2CalculatorWindowsSetup.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2104076746.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2103494922.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000000.2104897484.0000000000401000.00000020.00000001.01000000.00000004.sdmp, nHOMA2CalculatorWindowsSetup.tmp.0.dr, is-47NV3.tmp.2.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: https://www.globalsign.com/repository/03

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

File created: C:\Windows\SysWOW64\is-JO0HR.tmp

Detected potential crypto function

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_00FC1000	5_2_00FC1000
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8BECCD	5_2_6C8BECCD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C888F83	5_2_6C888F83
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C90083D	5_2_6C90083D
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8A0919	5_2_6C8A0919
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C886B28	5_2_6C886B28
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8E245B	5_2_6C8E245B
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C89457E	5_2_6C89457E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C88867F	5_2_6C88867F
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C91672F	5_2_6C91672F
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8EE765	5_2_6C8EE765
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CE0BD	5_2_6C8CE0BD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C886018	5_2_6C886018
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8721F0	5_2_6C8721F0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C908140	5_2_6C908140
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C88A2A7	5_2_6C88A2A7
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8E42FB	5_2_6C8E42FB
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8843A6	5_2_6C8843A6
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8863C9	5_2_6C8863C9
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CA3DD	5_2_6C8CA3DD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C901C17	5_2_6C901C17
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C885C2C	5_2_6C885C2C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C885C30	5_2_6C885C30
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C883DD0	5_2_6C883DD0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C889D65	5_2_6C889D65
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C903888	5_2_6C903888
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8EF82E	5_2_6C8EF82E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8E9945	5_2_6C8E9945
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C911A00	5_2_6C911A00
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C883A1C	5_2_6C883A1C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C917A5A	5_2_6C917A5A
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CDBC0	5_2_6C8CDBC0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8ED45A	5_2_6C8ED45A
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CD687	5_2_6C8CD687
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C919659	5_2_6C919659
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C90D674	5_2_6C90D674
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8EB79B	5_2_6C8EB79B
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8897A0	5_2_6C8897A0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C887093	5_2_6C887093
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8871A3	5_2_6C8871A3
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C89911E	5_2_6C89911E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8E52E5	5_2_6C8E52E5
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C91923E	5_2_6C91923E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C887270	5_2_6C887270
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8E3332	5_2_6C8E3332

Found potential string decryption / allocating functions

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: String function: 6C880C80 appears 153 times
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: String function: 6C880C67 appears 76 times
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: String function: 6C88B046 appears 63 times
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: String function: 6C88A51F appears 39 times

PE file contains executable resources (Code or Archives)

Source: nHOMA2CalculatorWindowsSetup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: nHOMA2CalculatorWindowsSetup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-47NV3.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-47NV3.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Sample file is different than original file name gathered from version info

Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2104076746.000000007FE36000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs nHOMA2CalculatorWindowsSetup.exe
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2103494922.000000000264A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs nHOMA2CalculatorWindowsSetup.exe

Source: nHOMA2CalculatorWindowsSetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean5.winEXE@7/26@0/0

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_6C8CD543 _getdiskfree,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_memset,GetDiskFreeSpaceA,GetLastError,_errno,

5_2_6C8CD543

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_00FC1000 _memset,FindResourceW,LoadResource,LockResource,__strdup,_memset,MultiByteToWideChar,GetModuleFileNameW,_wcsrchr,SetDllDirectoryW,SetDllDirectoryW,SetDllDirectoryW,_free,_memset,MultiByteToWideChar,LoadLibraryW,GetModuleFileNameW,_wcsrchr,SetDllDirectoryW,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

File created: C:\Program Files\HOMA Calculator v2.2.3

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe

File created: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

File read: C:\Program Files\desktop.ini

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: nHOMA2CalculatorWindowsSetup.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe

File read: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe

Source: unknown	Process created: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe "C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe"
Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp "C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp" /SL5="$203BC,1934643,407552,C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\HOMACore.dll"
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe "C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe"
Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp "C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp" /SL5="$203BC,1934643,407552,C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\HOMACore.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe "C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: homacore.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: HOMA Calculator v2.2.3.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe
Source: HOMA Calculator v2.2.3 (Excel).lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\HOMA Calculator v2.2.3\HOMA2Calculator.xls
Source: HOMA Calculator v2.2.3 Validation (Excel).lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\HOMA Calculator v2.2.3\HOMA2Calculator Validation.xls
Source: HOMA Calculator on the Web.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\HOMA Calculator v2.2.3\HOMA Calculator.url
Source: Uninstall HOMA Calculator.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\HOMA Calculator v2.2.3\unins000.exe

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Window found: window name: TMainForm

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Install

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Window detected: Number of UI elements: 14

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\unins000.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-47NV3.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-VCAJS.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-42761.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-PSQK4.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-AUQQQ.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-N1UTF.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-TOAGV.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA Calculator.url	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HOMA Calculator_is1

Source: nHOMA2CalculatorWindowsSetup.exe

Static file information: File size 2338251 > 1048576

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

File opened: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\MSVCR100.dll

Contains functionality to dynamically determine API calls

Source:	Binary string: msvcp100.i386.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006156000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3344575468.000000006FD01000.00000020.00000001.01000000.0000000C.sdmp, is-42761.tmp.2.dr
Source:	Binary string: msvcr100.i386.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006156000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, HOMA2 Calculator.exe, 00000005.00000002.3343751122.000000006C871000.00000020.00000001.01000000.0000000D.sdmp, is-PSQK4.tmp.2.dr
Source:	Binary string: c:\DevelBuildSlave\QuickStableVS\build\REALbasic\REALbasic Visual Studio\Release\GUIStubWin32.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000005F00000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3342772667.0000000000FC6000.00000002.00000001.01000000.0000000A.sdmp, HOMA2 Calculator.exe, 00000005.00000000.2325387948.0000000000FC6000.00000002.00000001.01000000.0000000A.sdmp, is-VCAJS.tmp.2.dr
Source:	Binary string: c:\DevelBuildSlave\QuickStableVS\build\REALbasic\REALbasic Visual Studio\Release\RBGUIFrameworkWin32.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000626F000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3344272135.000000006CA8A000.00000002.00000001.01000000.0000000B.sdmp, is-AUQQQ.tmp.2.dr

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Uses code obfuscation techniques (call, push, ret)

Registers a DLL

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\HOMACore.dll"

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_00FC2DC5 push ecx; ret	5_2_00FC2DD8
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C880CC5 push ecx; ret	5_2_6C880CD8
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C872D88 push eax; ret	5_2_6C872DA6
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C89A6AA push EF3FEFD4h; iretd	5_2_6C89A6B1
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C899CD8 pushad ; iretd	5_2_6C899CE6
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C88B658 push ecx; ret	5_2_6C88B66B

Source: is-PSQK4.tmp.2.dr

Static PE information: section name: .text entropy: 6.9169969425576285

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\is-47NV3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\is-VCAJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-AUQQQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0M8BV.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	File created: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\RBGUIFramework.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0M8BV.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-42761.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-PSQK4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Windows\SysWOW64\is-JO0HR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Windows\SysWOW64\HOMACore.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\unins000.exe (copy)	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Windows\SysWOW64\is-JO0HR.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Windows\SysWOW64\HOMACore.dll (copy)			Jump to dropped file

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3\HOMA Calculator v2.2.3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3\HOMA Calculator v2.2.3 (Excel).lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3\HOMA Calculator v2.2.3 Validation (Excel).lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3\HOMA Calculator on the Web.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3\Uninstall HOMA Calculator.lnk	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_6C8CA3DD GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,

5_2_6C8CA3DD

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-AUQQQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\is-47NV3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0M8BV.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\RBGUIFramework.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-42761.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-PSQK4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0M8BV.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Windows\SysWOW64\is-JO0HR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\unins000.exe (copy)	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

API coverage: 1.5 %

Queries keyboard layouts

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D0CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D0CBB
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CCC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	5_2_6C8CCC23
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D088A
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	5_2_6C8CC8FD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CE0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,	5_2_6C8CE0BD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8981A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8981A1
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CFF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CFF0E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF9DD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CDBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,	5_2_6C8CDBC0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF593
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CD687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,	5_2_6C8CD687
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D110C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF169

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_6C8F6BA4 _resetstkoflw,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

Source: HOMA2 Calculator.exe, 00000005.00000002.3342404932.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HOMA2 Calculator.exe, 00000005.00000002.3342404932.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_00FC13E0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_00FC13E0

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_6C8F6BA4 VirtualProtect ?,-00000001,00000104,?

Contains functionality to dynamically determine API calls

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_6C8F9B6F __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__doserrno,_errno,__lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,__lseeki64_nolock,

5_2_6C8F9B6F

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_00FC13E0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00FC13E0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_00FC18A6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00FC18A6
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8FAD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,	5_2_6C8FAD2C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8807A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	5_2_6C8807A7
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8FC097 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	5_2_6C8FC097

Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000626F000.00000004.00001000.00020000.00000000.sdmp, is-AUQQQ.tmp.2.dr	Binary or memory string: menuShutdownSHELL_TRAYWND
Source: HOMA2 Calculator.exe, 00000005.00000002.3344272135.000000006CA8A000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: lmenuShutdownSHELL_TRAYWND

Contains functionality to query locales information (e.g. system language)

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,	5_2_6C8FEF5C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,	5_2_6C8874D0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,	5_2_6C88750C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,	5_2_6C88767A
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	5_2_6C8FF003
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage,	5_2_6C8FF05E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_6C8FF2EF
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,	5_2_6C8852E4
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,_stricmp,_TestDefaultLanguage,	5_2_6C8FF22F
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,	5_2_6C887270
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,	5_2_6C8873B4
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_6C8FF356

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_00FC2F6F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_00FC2F6F

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_6C8962FC _lock,__tzname,_get_timezone,_get_daylight,_get_dstbias,___lc_codepage_func,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__timezone,__daylight,__dstbias,strcmp,free,_strlen,_malloc_crt,_strlen,strcpy_s,__invoke_watson,free,strncpy_s,atol,atol,atol,strncpy_s,__timezone,__daylight,

5_2_6C8962FC

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_6C8BBE38 GetSystemInfo,_memset,GetVersionExW,Concurrency::unsupported_os::unsupported_os,_CxxThrowException,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,Concurrency::unsupported_os::unsupported_os,GetModuleHandleW,GetProcAddress,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,GetLastError,GetLastError,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,malloc,std::exception::exception,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,free,GetLastError,GetLastError,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,malloc,std::exception::exception,GetLastError,Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error,free,Concurrency::unsupported_os::unsupported_os,

5_2_6C8BBE38

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Source: nHOMA2CalculatorWindowsSetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\unins000.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-47NV3.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-VCAJS.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-42761.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-PSQK4.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-AUQQQ.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-N1UTF.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-TOAGV.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA Calculator.url	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HOMA Calculator_is1

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

File opened: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\MSVCR100.dll

Found inlined nop instructions (likely shell or obfuscated code)

Source:	Binary string: msvcp100.i386.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006156000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3344575468.000000006FD01000.00000020.00000001.01000000.0000000C.sdmp, is-42761.tmp.2.dr
Source:	Binary string: msvcr100.i386.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006156000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, HOMA2 Calculator.exe, 00000005.00000002.3343751122.000000006C871000.00000020.00000001.01000000.0000000D.sdmp, is-PSQK4.tmp.2.dr
Source:	Binary string: c:\DevelBuildSlave\QuickStableVS\build\REALbasic\REALbasic Visual Studio\Release\GUIStubWin32.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000005F00000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3342772667.0000000000FC6000.00000002.00000001.01000000.0000000A.sdmp, HOMA2 Calculator.exe, 00000005.00000000.2325387948.0000000000FC6000.00000002.00000001.01000000.0000000A.sdmp, is-VCAJS.tmp.2.dr
Source:	Binary string: c:\DevelBuildSlave\QuickStableVS\build\REALbasic\REALbasic Visual Studio\Release\RBGUIFrameworkWin32.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000626F000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3344272135.000000006CA8A000.00000002.00000001.01000000.0000000B.sdmp, is-AUQQQ.tmp.2.dr

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D0CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D0CBB
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CCC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	5_2_6C8CCC23
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D088A
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	5_2_6C8CC8FD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CE0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,	5_2_6C8CE0BD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8981A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8981A1
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CFF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CFF0E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF9DD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CDBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,	5_2_6C8CDBC0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF593
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CD687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,	5_2_6C8CD687
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D110C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF169

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 4x nop then push esi		5_2_6C87F680
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 4x nop then or byte ptr [edi], dh		5_2_6C887270

Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2336713810.000000000238C000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2105859466.00000000031F0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2331970959.000000000240C000.00000004.00001000.00020000.00000000.sdmp, HOMA Calculator.url.2.dr	String found in binary or memory: http://www.dtu.ox.ac.uk/HOMACalculator
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2336713810.000000000238C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dtu.ox.ac.uk/HOMACalculatorA
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2102987099.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2105859466.00000000031F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dtu.ox.ac.uk/HOMACalculatorLhttp://www.dtu.ox.ac.uk/HOMACalculatorLhttp://www.dtu.ox.ac.u
Source: is-N1UTF.tmp.2.dr, is-VCAJS.tmp.2.dr	String found in binary or memory: http://www.dtu.ox.ac.uk/homa
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-TOAGV.tmp.2.dr	String found in binary or memory: http://www.dtu.ox.ac.uk/homa#
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-TOAGV.tmp.2.dr	String found in binary or memory: http://www.dtu.ox.ac.uk/homa#email:
Source: is-VCAJS.tmp.2.dr	String found in binary or memory: http://www.dtu.ox.ac.uk/homaTextAlign
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2104076746.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2103494922.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000000.2104897484.0000000000401000.00000020.00000001.01000000.00000004.sdmp, nHOMA2CalculatorWindowsSetup.tmp.0.dr, is-47NV3.tmp.2.dr	String found in binary or memory: http://www.innosetup.com/
Source: nHOMA2CalculatorWindowsSetup.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2104076746.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2103494922.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000000.2104897484.0000000000401000.00000020.00000001.01000000.00000004.sdmp, nHOMA2CalculatorWindowsSetup.tmp.0.dr, is-47NV3.tmp.2.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006454000.00000004.00001000.00020000.00000000.sdmp, nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000643C000.00000004.00001000.00020000.00000000.sdmp, is-N1UTF.tmp.2.dr, is-TOAGV.tmp.2.dr	String found in binary or memory: https://www.globalsign.com/repository/03

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

File created: C:\Windows\SysWOW64\is-JO0HR.tmp

Detected potential crypto function

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_00FC1000	5_2_00FC1000
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8BECCD	5_2_6C8BECCD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C888F83	5_2_6C888F83
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C90083D	5_2_6C90083D
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8A0919	5_2_6C8A0919
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C886B28	5_2_6C886B28
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8E245B	5_2_6C8E245B
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C89457E	5_2_6C89457E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C88867F	5_2_6C88867F
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C91672F	5_2_6C91672F
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8EE765	5_2_6C8EE765
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CE0BD	5_2_6C8CE0BD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C886018	5_2_6C886018
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8721F0	5_2_6C8721F0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C908140	5_2_6C908140
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C88A2A7	5_2_6C88A2A7
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8E42FB	5_2_6C8E42FB
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8843A6	5_2_6C8843A6
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8863C9	5_2_6C8863C9
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CA3DD	5_2_6C8CA3DD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C901C17	5_2_6C901C17
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C885C2C	5_2_6C885C2C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C885C30	5_2_6C885C30
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C883DD0	5_2_6C883DD0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C889D65	5_2_6C889D65
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C903888	5_2_6C903888
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8EF82E	5_2_6C8EF82E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8E9945	5_2_6C8E9945
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C911A00	5_2_6C911A00
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C883A1C	5_2_6C883A1C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C917A5A	5_2_6C917A5A
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CDBC0	5_2_6C8CDBC0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8ED45A	5_2_6C8ED45A
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CD687	5_2_6C8CD687
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C919659	5_2_6C919659
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C90D674	5_2_6C90D674
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8EB79B	5_2_6C8EB79B
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8897A0	5_2_6C8897A0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C887093	5_2_6C887093
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8871A3	5_2_6C8871A3
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C89911E	5_2_6C89911E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8E52E5	5_2_6C8E52E5
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C91923E	5_2_6C91923E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C887270	5_2_6C887270
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8E3332	5_2_6C8E3332

Found potential string decryption / allocating functions

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: String function: 6C880C80 appears 153 times
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: String function: 6C880C67 appears 76 times
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: String function: 6C88B046 appears 63 times
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: String function: 6C88A51F appears 39 times

PE file contains executable resources (Code or Archives)

Source: nHOMA2CalculatorWindowsSetup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: nHOMA2CalculatorWindowsSetup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-47NV3.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-47NV3.tmp.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Sample file is different than original file name gathered from version info

Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2104076746.000000007FE36000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs nHOMA2CalculatorWindowsSetup.exe
Source: nHOMA2CalculatorWindowsSetup.exe, 00000000.00000003.2103494922.000000000264A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs nHOMA2CalculatorWindowsSetup.exe

Source: nHOMA2CalculatorWindowsSetup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean5.winEXE@7/26@0/0

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_6C8CD543 _getdiskfree,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_memset,GetDiskFreeSpaceA,GetLastError,_errno,

5_2_6C8CD543

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

File created: C:\Program Files\HOMA Calculator v2.2.3

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe

File created: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

File read: C:\Program Files\desktop.ini

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: nHOMA2CalculatorWindowsSetup.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe

File read: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe

Source: unknown	Process created: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe "C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe"
Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp "C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp" /SL5="$203BC,1934643,407552,C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\HOMACore.dll"
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe "C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe"
Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp "C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp" /SL5="$203BC,1934643,407552,C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\HOMACore.dll"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe "C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe"	Jump to behavior

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: homacore.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msvcp100.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: HOMA Calculator v2.2.3.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe
Source: HOMA Calculator v2.2.3 (Excel).lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\HOMA Calculator v2.2.3\HOMA2Calculator.xls
Source: HOMA Calculator v2.2.3 Validation (Excel).lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\HOMA Calculator v2.2.3\HOMA2Calculator Validation.xls
Source: HOMA Calculator on the Web.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\HOMA Calculator v2.2.3\HOMA Calculator.url
Source: Uninstall HOMA Calculator.lnk.2.dr	LNK file: ..\..\..\..\..\..\Program Files\HOMA Calculator v2.2.3\unins000.exe

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Window found: window name: TMainForm

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Automated click: Install

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Window detected: Number of UI elements: 14

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\unins000.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-47NV3.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-VCAJS.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-42761.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-PSQK4.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-AUQQQ.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-N1UTF.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\is-TOAGV.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Directory created: C:\Program Files\HOMA Calculator v2.2.3\HOMA Calculator.url	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HOMA Calculator_is1

Source: nHOMA2CalculatorWindowsSetup.exe

Static file information: File size 2338251 > 1048576

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

File opened: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\MSVCR100.dll

Contains functionality to dynamically determine API calls

Source:	Binary string: msvcp100.i386.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006156000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3344575468.000000006FD01000.00000020.00000001.01000000.0000000C.sdmp, is-42761.tmp.2.dr
Source:	Binary string: msvcr100.i386.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000006156000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, HOMA2 Calculator.exe, 00000005.00000002.3343751122.000000006C871000.00000020.00000001.01000000.0000000D.sdmp, is-PSQK4.tmp.2.dr
Source:	Binary string: c:\DevelBuildSlave\QuickStableVS\build\REALbasic\REALbasic Visual Studio\Release\GUIStubWin32.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.0000000005F00000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3342772667.0000000000FC6000.00000002.00000001.01000000.0000000A.sdmp, HOMA2 Calculator.exe, 00000005.00000000.2325387948.0000000000FC6000.00000002.00000001.01000000.0000000A.sdmp, is-VCAJS.tmp.2.dr
Source:	Binary string: c:\DevelBuildSlave\QuickStableVS\build\REALbasic\REALbasic Visual Studio\Release\RBGUIFrameworkWin32.pdb source: nHOMA2CalculatorWindowsSetup.tmp, 00000002.00000003.2327406689.000000000626F000.00000004.00001000.00020000.00000000.sdmp, HOMA2 Calculator.exe, 00000005.00000002.3344272135.000000006CA8A000.00000002.00000001.01000000.0000000B.sdmp, is-AUQQQ.tmp.2.dr

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Uses code obfuscation techniques (call, push, ret)

Registers a DLL

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\HOMACore.dll"

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_00FC2DC5 push ecx; ret	5_2_00FC2DD8
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C880CC5 push ecx; ret	5_2_6C880CD8
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C872D88 push eax; ret	5_2_6C872DA6
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C89A6AA push EF3FEFD4h; iretd	5_2_6C89A6B1
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C899CD8 pushad ; iretd	5_2_6C899CE6
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C88B658 push ecx; ret	5_2_6C88B66B

Source: is-PSQK4.tmp.2.dr

Static PE information: section name: .text entropy: 6.9169969425576285

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\is-47NV3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\is-VCAJS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-AUQQQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0M8BV.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	File created: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\RBGUIFramework.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0M8BV.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-42761.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-PSQK4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Windows\SysWOW64\is-JO0HR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Windows\SysWOW64\HOMACore.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Program Files\HOMA Calculator v2.2.3\unins000.exe (copy)	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Windows\SysWOW64\is-JO0HR.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\Windows\SysWOW64\HOMACore.dll (copy)			Jump to dropped file

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3\HOMA Calculator v2.2.3.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3\HOMA Calculator v2.2.3 (Excel).lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3\HOMA Calculator v2.2.3 Validation (Excel).lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3\HOMA Calculator on the Web.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HOMA Calculator v2.2.3\Uninstall HOMA Calculator.lnk	Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

5_2_6C8CA3DD

Source: C:\Users\user\Desktop\nHOMA2CalculatorWindowsSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-AUQQQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\is-47NV3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0M8BV.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\RBGUIFramework.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-42761.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator Libs\is-PSQK4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0M8BV.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Windows\SysWOW64\is-JO0HR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Dropped PE file which has not been started: C:\Program Files\HOMA Calculator v2.2.3\unins000.exe (copy)	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

API coverage: 1.5 %

Queries keyboard layouts

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D0CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D0CBB
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CCC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,	5_2_6C8CCC23
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D088A
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,	5_2_6C8CC8FD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CE0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,	5_2_6C8CE0BD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8981A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8981A1
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CFF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CFF0E
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF9DD
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CDBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,	5_2_6C8CDBC0
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF593
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CD687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,	5_2_6C8CD687
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8D110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8D110C
Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe	Code function: 5_2_6C8CF169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,	5_2_6C8CF169

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_6C8F6BA4 _resetstkoflw,VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

Source: HOMA2 Calculator.exe, 00000005.00000002.3342404932.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: HOMA2 Calculator.exe, 00000005.00000002.3342404932.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-EVEH9.tmp\nHOMA2CalculatorWindowsSetup.tmp

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_00FC13E0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_00FC13E0

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe

Code function: 5_2_6C8F6BA4 VirtualProtect ?,-00000001,00000104,?

Contains functionality to dynamically determine API calls

Source: C:\Program Files\HOMA Calculator v2.2.3\HOMA2 Calculator.exe