Windows Analysis Report
ps11.0.0.129pro.exe

Overview

General Information

Sample name: ps11.0.0.129pro.exe
Analysis ID: 1546263
MD5: fc13bc8b09702ec0ca1a48f7e9157380
SHA1: 3895eac6524ea439e1dc0e3c537a868f8b3f84af
SHA256: c2a5572944067b561cb0d269b8975affb8253631278741130f621d6d7d39f9cd

Detection

Score: 32
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Hides threads from debuggers
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Office Autorun Keys Modification
Sigma detected: Potential Persistence Via Visual Studio Tools for Office
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

Source: ps11.0.0.129pro.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. 
A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dea351d9-e184-49ac-833f-c98a60d0ae27_is1
Source: ps11.0.0.129pro.exe Static PE information: certificate valid
Source: ps11.0.0.129pro.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Projects\17.2\BuildLabel\Temp\NetStudio.v17.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj\Release\DevExpress.Pdf.v17.2.Core.pdbTX,nX, `X,_CorDllMainmscoree.dll source: is-DLUIR.tmp.1.dr
Source: Binary string: c:\Projects\17.2\BuildLabel\Temp\NetStudio.v17.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj\Release\DevExpress.Pdf.v17.2.Core.pdb source: is-DLUIR.tmp.1.dr
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.17:49702
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.17:49710
Source: PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.planswift.com/pricing
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.planswift.com/purchase
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.planswift.com/removelicense/
Source: PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.planswift.com/requesttrial
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.planswift.com/sVideoURL/?psVideoID=
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.planswift.com/sVideoURL/?psVideoID=U
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: https://www.planswift.com/support
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.planswift.comU
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process Stats: CPU usage > 24%
Source: ps11.0.0.129pro.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: ps11.0.0.129pro.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: ps11.0.0.129pro.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-429JP.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-429JP.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-429JP.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-Q1BLR.tmp.1.dr Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Source: ps11.0.0.129pro.exe, 00000000.00000003.1096387220.00000000024D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs ps11.0.0.129pro.exe
Source: ps11.0.0.129pro.exe, 00000000.00000003.1096543179.00000000022BC000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs ps11.0.0.129pro.exe
Source: ps11.0.0.129pro.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: sus32.evad.winEXE@8/1528@0/0
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1872:120:WilError_03
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe File created: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp Jump to behavior
Source: Yara match File source: 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: ps11.0.0.129pro.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe File read: C:\Users\user\Desktop\ps11.0.0.129pro.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ps11.0.0.129pro.exe "C:\Users\user\Desktop\ps11.0.0.129pro.exe"
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Process created: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp "C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp" /SL5="$70296,54471570,58368,C:\Users\user\Desktop\ps11.0.0.129pro.exe"
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Process created: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp helper 105 0x3EC
Source: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: chilkatdelphixe.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: planswiftanalyticsservice.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Window found: window name: TMainForm Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. 
A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Addins\SwiftExcel Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dea351d9-e184-49ac-833f-c98a60d0ae27_is1 Jump to behavior
Source: ps11.0.0.129pro.exe Static PE information: certificate valid
Source: ps11.0.0.129pro.exe Static file information: File size 54814096 > 1048576
Source: ps11.0.0.129pro.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\Projects\17.2\BuildLabel\Temp\NetStudio.v17.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj\Release\DevExpress.Pdf.v17.2.Core.pdbTX,nX, `X,_CorDllMainmscoree.dll source: is-DLUIR.tmp.1.dr
Source: Binary string: c:\Projects\17.2\BuildLabel\Temp\NetStudio.v17.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj\Release\DevExpress.Pdf.v17.2.Core.pdb source: is-DLUIR.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-ASV96.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Printing.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-U78KF.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-MK349.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-JOR6L.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-1122G.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-VID2E.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-QP7RD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Microsoft.Office.Tools.Common.v4.0.Utilities.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Sparkline.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-V4GME.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-Q1BLR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-3A80D.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-HTL6A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraEditors.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsTokenService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-I5Q8K.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-RTBKM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Utils.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-U2E4T.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-9E8O3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-11P5O.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-DLUIR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-RKK8B.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-TC49G.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-H9PBC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Newtonsoft.Json.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\is-MK6BQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-FGMT7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsSwift_Excel.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraLayout.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-EPJ45.tmp Jump to dropped file
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe File created: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-IKQI1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\is-429JP.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-FA79K.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Images.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-8TLV1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-AEDQ3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-2Q5JM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-7CSTM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelConnectService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-T556C.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-VSBET.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-DDO4H.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-E20LJ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-MVLL5.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Data.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelImport.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-E7NEL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-RDL8M.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\PsSwift_Excel.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Pdf.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraTreeList.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-NSFQH.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-6REKE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-AUBRP.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-76LAT.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-GEH09.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-2NGS1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file

Boot Survival

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: FilemonClass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PlanSwift 11\PlanSwift 11.lnk
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Special instruction interceptor: First address: 2211862 instructions caused by: Self-modifying code
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-ASV96.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Printing.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-U78KF.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-MK349.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-JOR6L.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-1122G.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-VID2E.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-QP7RD.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Microsoft.Office.Tools.Common.v4.0.Utilities.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Sparkline.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-V4GME.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-Q1BLR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-3A80D.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-HTL6A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsTokenService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraEditors.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-I5Q8K.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-RTBKM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Utils.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-U2E4T.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-9E8O3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-11P5O.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-DLUIR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-RKK8B.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-TC49G.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-H9PBC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Newtonsoft.Json.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\is-MK6BQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-FGMT7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsSwift_Excel.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraLayout.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-EPJ45.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-IKQI1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\is-429JP.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-FA79K.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Images.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-AEDQ3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-8TLV1.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-2Q5JM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-7CSTM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelConnectService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-T556C.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-VSBET.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-E20LJ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-DDO4H.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-MVLL5.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Data.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelImport.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-E7NEL.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\PsSwift_Excel.resources.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-RDL8M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Pdf.v17.2.Core.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraTreeList.v17.2.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraLayout.v17.2.resources.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-NSFQH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-AUBRP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-6REKE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-76LAT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-GEH09.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-2NGS1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Printing.v17.2.Core.resources.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Data.v17.2.resources.dll (copy)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: PhysicalDrive0
Source: ps11.0.0.129pro.tmp, 00000001.00000002.2341802286.0000000000683000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TatVirtualMachines(<
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TatVirtualMachine
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TatVirtualMachines
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TatVirtualMachineh=
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Process information queried: ProcessInformation

Anti Debugging

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: regmonclass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: gbdyllo
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: procmon_window_class
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: ollydbg
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: filemonclass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugPort
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Process created: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp helper 105 0x3EC
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndU
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\ VolumeInformation
No contacted IP infos