Windows Analysis Report
ps11.0.0.129pro.exe

Overview

General Information

Sample name: ps11.0.0.129pro.exe
Analysis ID: 1500780
MD5: fc13bc8b09702ec0ca1a48f7e9157380
SHA1: 3895eac6524ea439e1dc0e3c537a868f8b3f84af
SHA256: c2a5572944067b561cb0d269b8975affb8253631278741130f621d6d7d39f9cd
Infos:

Detection

Score: 34
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

.NET source code contains very large array initializations
Hides threads from debuggers
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Office Autorun Keys Modification
Sigma detected: Potential Persistence Via Visual Studio Tools for Office
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION PlanSwift.exe
Uses 32bit PE files
Source: ps11.0.0.129pro.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dea351d9-e184-49ac-833f-c98a60d0ae27_is1 Jump to behavior
Source: ps11.0.0.129pro.exe Static PE information: certificate valid
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: ps11.0.0.129pro.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00476DFC FindFirstFileA,FindNextFileA,FindClose, 1_2_00476DFC
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00453238 FindFirstFileA,GetLastError, 1_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0049ACD8 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_0049ACD8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00463B44 FindFirstFileA,FindNextFileA,FindClose, 1_2_00463B44
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 7_2_0040E0C0 FindFirstFileW,FindClose, 7_2_0040E0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 7_2_0040DAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 7_2_0040DAEC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 9_2_0040E0C0 FindFirstFileW,FindClose, 9_2_0040E0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 9_2_0040DAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 9_2_0040DAEC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_00BAE0C0 FindFirstFileW,FindClose, 11_2_00BAE0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_00BADAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 11_2_00BADAEC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /status/ HTTP/1.1Content-Type: multipart/form-data; boundary=------------000001050802010608020008Host: www.planswift.comContent-Length: 375
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.18.11.207 104.18.11.207
Source: Joe Sandbox View IP Address: 104.18.11.207 104.18.11.207
Source: Joe Sandbox View IP Address: 199.60.103.30 199.60.103.30
Source: Joe Sandbox View IP Address: 104.17.25.14 104.17.25.14
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: fed8d14fc5a67b40cd470ba239019785
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0Accept-Language: en-us,en;q=0.5Accept-Encoding: gzipHost: www.planswift.com
Source: global traffic HTTP traffic detected: GET /getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0Accept-Language: en-us,en;q=0.5Accept-Encoding: gzipHost: hub.planswift.com
Source: global traffic HTTP traffic detected: GET /hs-fs/hub/2347101/hub_generated/template_assets/23959717271/1580250761785/HubUI-PlanSwift/assets/production.min.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hs-fs/hub/2347101/hub_generated/template_assets/9927841831/1580250760790/Custom/page/Planswift_May2017-theme/Planswift_May2017-style.min.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hs-fs/hubfs/PS%20-%20Getting%20Started/Whats%20New%20in%20PlanSwift%C2%AE%2011.png?width=500&name=Whats%20New%20in%20PlanSwift%C2%AE%2011.png HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /font-awesome/4.6.3/css/font-awesome.min.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: maxcdn.bootstrapcdn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hubfs/bid-boss.jpg HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ajax/libs/fancybox/3.5.2/jquery.fancybox.min.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ajax/libs/slick-carousel/1.8.0/slick-theme.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hubfs/PS%20-%20Getting%20Started/spaceFrame_700.jpg HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ajax/libs/slick-carousel/1.8.0/slick.min.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0Accept-Language: en-us,en;q=0.5Accept-Encoding: gzipHost: www.planswift.com
Source: global traffic HTTP traffic detected: GET /getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0Accept-Language: en-us,en;q=0.5Accept-Encoding: gzipHost: hub.planswift.com
Source: global traffic HTTP traffic detected: GET /hs-fs/hub/2347101/hub_generated/template_assets/23959717271/1580250761785/HubUI-PlanSwift/assets/production.min.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hs-fs/hub/2347101/hub_generated/template_assets/9927841831/1580250760790/Custom/page/Planswift_May2017-theme/Planswift_May2017-style.min.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hs-fs/hubfs/PS%20-%20Getting%20Started/Whats%20New%20in%20PlanSwift%C2%AE%2011.png?width=500&name=Whats%20New%20in%20PlanSwift%C2%AE%2011.png HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /font-awesome/4.6.3/css/font-awesome.min.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: maxcdn.bootstrapcdn.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hubfs/bid-boss.jpg HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ajax/libs/fancybox/3.5.2/jquery.fancybox.min.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ajax/libs/slick-carousel/1.8.0/slick-theme.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /hubfs/PS%20-%20Getting%20Started/spaceFrame_700.jpg HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ajax/libs/slick-carousel/1.8.0/slick.min.css HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: www.planswift.com
Source: global traffic DNS traffic detected: DNS query: hub.planswift.com
Source: global traffic DNS traffic detected: DNS query: maxcdn.bootstrapcdn.com
Source: global traffic DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: unknown HTTP traffic detected: POST /status/ HTTP/1.1Content-Type: multipart/form-data; boundary=------------000001050802010608020008Host: www.planswift.comContent-Length: 375
Source: PlanSwift.exe String found in binary or memory: ftp://ftp.000010002000300040005000600070008000900110012001300140015001600170018001900210022002300240
Source: PlanSwift.exe, 00000007.00000003.2266073890.00000000064FB000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2360641025.000000000668B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www..com
Source: PlanSwift.exe String found in binary or memory: http://www.chilkatsoft.com/rssComponent.html
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000001981000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fast-report.com
Source: PlanSwift.exe, 00000007.00000003.2262470356.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000007.00000003.2337279134.00000000069E3000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2358261010.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2425201679.0000000006BB3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: ps11.0.0.129pro.tmp, ps11.0.0.129pro.tmp, 00000001.00000000.1666665834.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.innosetup.com/
Source: ps11.0.0.129pro.exe, ps11.0.0.129pro.exe, 00000000.00000000.1665343528.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: ps11.0.0.129pro.exe, 00000000.00000000.1665343528.0000000000401000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: PlanSwift.exe, 00000009.00000003.2425793276.00000000065BD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.planswift.com/activate/PlanSwiftActivation/
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=U
Source: ps11.0.0.129pro.exe, 00000000.00000003.1666090769.0000000002320000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1666302856.000000000210C000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, ps11.0.0.129pro.tmp, 00000001.00000000.1666665834.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: ps11.0.0.129pro.exe, 00000000.00000003.1666090769.0000000002320000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1666302856.000000000210C000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000000.1666665834.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: http://www.remobjects.com/psU
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/Jcl8087.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclAnsiStrings.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclBase.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclCharsets.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclDateTime.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclFileUtils.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclIniFiles.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclLogic.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMath.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMime.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclRTTI.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclResources.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSimpleXml.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStreams.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStringConversions.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStrings.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSynch.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysInfo.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysUtils.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnicode.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnitVersioning.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclWideStrings.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclGraphUtils.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclVclResources.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclAppInst.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclConsole.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclRegistry.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclSecurity.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclShell.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclWin32.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/Snmp.pas
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://ldapauth.planswift.net
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://ldapauth.planswift.netU
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://myaccount.planswift.com
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://myaccount.planswift.com/password/email
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://myaccount.planswift.com/password/emailU
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://myaccount.planswift.comU
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://planswift.com/support
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://plugins.planswift.com
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://plugins.planswift.comU
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://share.planswift.com
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://share.planswift.comU
Source: ps11.0.0.129pro.exe, 00000000.00000003.1665694428.0000000002320000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1665762973.00000000020F8000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.2483568739.00000000020F8000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.2483442313.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.1667380568.0000000002228000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2310510471.0000000003464000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.1948604214.000000000078B000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.1667307291.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2477022758.0000000002228000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2252827367.0000000003464000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2471290854.000000000346C000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2473431795.0000000002224000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2472399532.0000000000769000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.constructconnect.com/privacy-policy
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.fast-report.com
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.fast-report.comU
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.planswift.com
Source: PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.planswift.com/activate/
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.planswift.com/eula/
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.planswift.com/eula/OpenU
Source: PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.planswift.com/pricing
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.planswift.com/purchase
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.planswift.com/removelicense/
Source: PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.planswift.com/requesttrial
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.planswift.com/sVideoURL/?psVideoID=
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.planswift.com/sVideoURL/?psVideoID=U
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006D20000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.planswift.com/support
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.planswift.comU
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.4:49754 version: TLS 1.2

System Summary
barindex
.NET source code contains very large array initializations
Source: is-P9DH3.tmp.1.dr, ImagesAssemblyImageList.cs Large array initialization: ImagesAssemblyImageList: array initializer size 4225
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00424014 NtdllDefWindowProc_A, 1_2_00424014
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0047A9E8 NtdllDefWindowProc_A, 1_2_0047A9E8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00412A68 NtdllDefWindowProc_A, 1_2_00412A68
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0042FA00 NtdllDefWindowProc_A, 1_2_0042FA00
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 1_2_00457E24
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0042EDC4: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 1_2_0042EDC4
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00455E14
Detected potential crypto function
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_004088C0 0_2_004088C0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004688B8 1_2_004688B8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00482A88 1_2_00482A88
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00471FB0 1_2_00471FB0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00452194 1_2_00452194
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0043E240 1_2_0043E240
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004905E0 1_2_004905E0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0043083C 1_2_0043083C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0046A974 1_2_0046A974
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004449B8 1_2_004449B8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00434AB4 1_2_00434AB4
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00488E3C 1_2_00488E3C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00444F60 1_2_00444F60
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004313C8 1_2_004313C8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00445658 1_2_00445658
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004357B8 1_2_004357B8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0045F954 1_2_0045F954
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00445A64 1_2_00445A64
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0045BA04 1_2_0045BA04
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00489D9C 1_2_00489D9C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 7_2_0040C27C 7_2_0040C27C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 7_2_004134E4 7_2_004134E4
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 9_2_0040C27C 9_2_0040C27C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 9_2_004134E4 9_2_004134E4
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_00BAC27C 11_2_00BAC27C
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 00453B40 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 0040909C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 004587AC appears 81 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 004585A0 appears 120 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 00406F54 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 00446594 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 0040357C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 004462C4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 004349CC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 00403684 appears 233 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: String function: 00407D84 appears 43 times
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: String function: 00CCCC98 appears 241 times
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: String function: 03AF7174 appears 45 times
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: String function: 0052CC98 appears 482 times
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: String function: 0040CD68 appears 34 times
PE file contains executable resources (Code or Archives)
Source: ps11.0.0.129pro.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: ps11.0.0.129pro.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: ps11.0.0.129pro.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-RQBTG.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-RQBTG.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-RQBTG.tmp.1.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
PE file contains strange resources
Source: is-S2ENC.tmp.1.dr Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"
Sample file is different than original file name gathered from version info
Source: ps11.0.0.129pro.exe, 00000000.00000003.1666090769.0000000002320000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs ps11.0.0.129pro.exe
Source: ps11.0.0.129pro.exe, 00000000.00000003.1666302856.000000000210C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs ps11.0.0.129pro.exe
Uses 32bit PE files
Source: ps11.0.0.129pro.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: sus34.evad.winEXE@14/1587@4/4
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 1_2_00455E14
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA, 1_2_0045663C
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_0040A10C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_416
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_5888
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Mutant created: \Sessions\1\BaseNamedObjects\firebird_trace_mutex
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_3140
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe File created: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp Jump to behavior
Source: Yara match File source: 9.2.PlanSwift.exe.f80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PlanSwift.exe.f80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PlanSwift.exe.f80000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2917164884.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2587147896.0000000006290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: ps11.0.0.129pro.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: PlanSwift.exe String found in binary or memory: application/vnd.groove-help
Source: PlanSwift.exe String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: PlanSwift.exe String found in binary or memory: application/x-install-instructions
Source: PlanSwift.exe String found in binary or memory: Cache/getting-started.mht
Source: PlanSwift.exe String found in binary or memory: /getting-started-licensed
Source: PlanSwift.exe String found in binary or memory: /getting-started-expired
Source: PlanSwift.exe String found in binary or memory: /getting-started-viewer
Source: PlanSwift.exe String found in binary or memory: /getting-started-trial
Source: PlanSwift.exe String found in binary or memory: /getting-started/
Source: PlanSwift.exe String found in binary or memory: application/vnd.groove-help
Source: PlanSwift.exe String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: PlanSwift.exe String found in binary or memory: application/x-install-instructions
Source: PlanSwift.exe String found in binary or memory: Are you sure you want to continue with the plugin un-installation
Source: PlanSwift.exe String found in binary or memory: Uninstallation of installed plugins will REQUIRE a restart of PlanSwift immediately after the plugin un-installation has completed
Source: PlanSwift.exe String found in binary or memory: Package is already installed on your system. You will need to uninstall it before it can be re-installed. Do you want to uninstall plugin identified above
Source: PlanSwift.exe String found in binary or memory: NATS-DANO-ADD
Source: PlanSwift.exe String found in binary or memory: NATS-SEFI-ADD
Source: PlanSwift.exe String found in binary or memory: Cache/getting-started.mht
Source: PlanSwift.exe String found in binary or memory: /getting-started-licensed
Source: PlanSwift.exe String found in binary or memory: /getting-started-expired
Source: PlanSwift.exe String found in binary or memory: /getting-started-viewer
Source: PlanSwift.exe String found in binary or memory: /getting-started-trial
Source: PlanSwift.exe String found in binary or memory: /getting-started/
Source: PlanSwift.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: PlanSwift.exe String found in binary or memory: jp-ocr-hand-add
Source: PlanSwift.exe String found in binary or memory: jp-ocr-b-add
Source: PlanSwift.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: PlanSwift.exe String found in binary or memory: ISO_6937-2-add
Source: PlanSwift.exe String found in binary or memory: application/vnd.groove-help
Source: PlanSwift.exe String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: PlanSwift.exe String found in binary or memory: application/x-install-instructions
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe File read: C:\Users\user\Desktop\ps11.0.0.129pro.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\ps11.0.0.129pro.exe "C:\Users\user\Desktop\ps11.0.0.129pro.exe"
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Process created: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp "C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp" /SL5="$20410,54471570,58368,C:\Users\user\Desktop\ps11.0.0.129pro.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process created: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp helper 105 0x3E4
Source: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /init
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" -o "Sample Plan"
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Process created: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp "C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp" /SL5="$20410,54471570,58368,C:\Users\user\Desktop\ps11.0.0.129pro.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process created: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp helper 105 0x3E4 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /init Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" -o "Sample Plan" Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: chilkatdelphixe.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: planswiftanalyticsservice.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: fpdfsdk.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wship6.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dspdf.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: gds32.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: icuuc30.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: icudt30.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ibxml.dll Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: version.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: chilkatdelphixe.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: usp10.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: planswiftanalyticsservice.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: fpdfsdk.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wship6.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netprofm.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: npmproxy.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: riched20.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msls31.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dspdf.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: gds32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: icuuc30.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: icudt30.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ibxml.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: fwbase.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: version.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: chilkatdelphixe.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: usp10.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: planswiftanalyticsservice.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: fpdfsdk.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wship6.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: netprofm.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: npmproxy.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: riched20.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msls31.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dspdf.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: gds32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: icuuc30.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: icudt30.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ibxml.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ieframe.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: wkscli.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: d3d11.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dcomp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dxgi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msiso.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: mshtml.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: powrprof.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: umpdc.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: srpapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: jscript9.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msimtf.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: mlang.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: d2d1.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dxcore.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Section loaded: uianimation.dll
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File written: C:\Program Files (x86)\PlanSwift11\PERSIST.INI
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Window found: window name: TMainForm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Automated click: I accept the agreement
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Windows\SysWOW64\Msftedit.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Addins\SwiftExcel Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dea351d9-e184-49ac-833f-c98a60d0ae27_is1 Jump to behavior
Source: ps11.0.0.129pro.exe Static PE information: certificate valid
Source: ps11.0.0.129pro.exe Static file information: File size 54814096 > 1048576
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: ps11.0.0.129pro.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00450A28
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_00406A50 push 00406A8Dh; ret 0_2_00406A85
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_004093EC push 0040941Fh; ret 0_2_00409417
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_004085B8 push ecx; mov dword ptr [esp], eax 0_2_004085BD
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00409DDC push 00409E19h; ret 1_2_00409E11
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0041A0B8 push ecx; mov dword ptr [esp], ecx 1_2_0041A0BD
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00452194 push ecx; mov dword ptr [esp], eax 1_2_00452199
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax 1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0040A2DF push ds; ret 1_2_0040A2E0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004605AC push ecx; mov dword ptr [esp], ecx 1_2_004605B0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00458848 push 00458880h; ret 1_2_00458878
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00410970 push ecx; mov dword ptr [esp], edx 1_2_00410975
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0049CD48 pushad ; retf 1_2_0049CD57
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00412DB8 push 00412E1Bh; ret 1_2_00412E13
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0040D2C8 push ecx; mov dword ptr [esp], edx 1_2_0040D2CA
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0040F828 push ecx; mov dword ptr [esp], edx 1_2_0040F82A
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004978C8 push ecx; mov dword ptr [esp], ecx 1_2_004978CD
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004878A0 push ecx; mov dword ptr [esp], ecx 1_2_004878A5
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00443930 push ecx; mov dword ptr [esp], ecx 1_2_00443934
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00479A30 push ecx; mov dword ptr [esp], edx 1_2_00479A31
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00459B60 push 00459BA4h; ret 1_2_00459B9C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00451FD0 push 00452003h; ret 1_2_00451FFB
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-J8M7F.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-6IN84.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-P0OB4.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Printing.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-M0JQ2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-S2ENC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Microsoft.Office.Tools.Common.v4.0.Utilities.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Sparkline.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-CPQJG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-NC4QM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraEditors.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsTokenService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-L2OVJ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-LCN76.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Utils.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-H37KB.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-03RG0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-3TOPV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-LF9SO.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\is-4KI03.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-OF3B7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-UQKVV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Newtonsoft.Json.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-GH56H.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-38AFE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-BGR7A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsSwift_Excel.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraLayout.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-P9DH3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-C6KMG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-S1QUV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\is-RQBTG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-KF882.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Images.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-H8F7U.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-9TO3L.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-LNG1S.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-2UQDK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-RKMEQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelConnectService.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe File created: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-C5VI4.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-453AR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-EI8K0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Data.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelImport.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-9HNDC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\PsSwift_Excel.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-PAU3O.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Pdf.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-1G665.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraTreeList.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-CD3K2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-R6F91.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-VD39V.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-EVE0N.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-B71FA.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-2G38J.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-UJ625.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-QSKEV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-7A7VE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: FilemonClass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: RegmonClass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: FilemonClass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Window searched: window name: RegmonClass
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PlanSwift 11\PlanSwift 11.lnk Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_00422CEC
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0041815E IsIconic,SetWindowPos, 1_2_0041815E
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00418160
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0042466C IsIconic,SetActiveWindow,SetFocus, 1_2_0042466C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00424624 IsIconic,SetActiveWindow, 1_2_00424624
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418814
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow, 1_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00417A28 IsIconic,GetCapture, 1_2_00417A28
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00485AAC IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_00485AAC
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0041F5A8 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F5A8
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Special instruction interceptor: First address: 2C91862 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: E9A0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: F720000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: F8A0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: F8C0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: EFC0000 memory commit | memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: ED40000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: 10A80000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: 15230000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: 108C0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: 16030000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: 10CB0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: 10CD0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: 10CF0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: 16840000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: 16860000 memory reserve | memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: 15110000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-J8M7F.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-6IN84.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-P0OB4.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Printing.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-S2ENC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-M0JQ2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Microsoft.Office.Tools.Common.v4.0.Utilities.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Sparkline.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-CPQJG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsTokenService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraEditors.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-NC4QM.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-L2OVJ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-LCN76.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Utils.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-H37KB.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-03RG0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-3TOPV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-LF9SO.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\is-4KI03.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-OF3B7.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Newtonsoft.Json.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-UQKVV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-GH56H.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-38AFE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-BGR7A.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Pdf.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsSwift_Excel.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraLayout.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-P9DH3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-C6KMG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-S1QUV.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\is-RQBTG.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-KF882.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraEditors.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Images.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-9TO3L.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-H8F7U.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-LNG1S.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-2UQDK.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraTreeList.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Utils.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelConnectService.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-RKMEQ.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Sparkline.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-C5VI4.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-453AR.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-EI8K0.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Data.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelImport.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-9HNDC.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\PsSwift_Excel.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-PAU3O.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Pdf.v17.2.Core.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraTreeList.v17.2.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraLayout.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-1G665.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-CD3K2.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-R6F91.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-VD39V.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-EVE0N.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-B71FA.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Printing.v17.2.Core.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-UJ625.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-2G38J.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-7A7VE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Data.v17.2.resources.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-QSKEV.tmp Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Evasive API call chain: GetSystemTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe API coverage: 6.8 %
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe API coverage: 6.8 %
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe API coverage: 8.3 %
Queries disk information (often used to detect virtual machines)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\splwow64.exe Last function: Thread delayed
Source: C:\Windows\splwow64.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00476DFC FindFirstFileA,FindNextFileA,FindClose, 1_2_00476DFC
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00453238 FindFirstFileA,GetLastError, 1_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0049ACD8 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_0049ACD8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00463B44 FindFirstFileA,FindNextFileA,FindClose, 1_2_00463B44
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 7_2_0040E0C0 FindFirstFileW,FindClose, 7_2_0040E0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 7_2_0040DAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 7_2_0040DAEC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 9_2_0040E0C0 FindFirstFileW,FindClose, 9_2_0040E0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 9_2_0040DAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 9_2_0040DAEC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_00BAE0C0 FindFirstFileW,FindClose, 11_2_00BAE0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_00BADAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW, 11_2_00BADAEC
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_0040A050
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp Binary or memory string: TatVirtualMachines(<A
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp Binary or memory string: TatVirtualMachine
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TatVirtualMachines(<
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp Binary or memory string: TatVirtualMachines
Source: ps11.0.0.129pro.tmp, 00000001.00000003.2472918711.0000000000754000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\k
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TatVirtualMachineh=
Source: ps11.0.0.129pro.tmp, 00000001.00000003.2472918711.0000000000754000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ms
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp Binary or memory string: TatVirtualMachineh=A
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe API call chain: ExitProcess graph end node
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: regmonclass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: gbdyllo
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: procmon_window_class
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: ollydbg
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: filemonclass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks if the current process is being debugged
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugPort
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugPort
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugPort
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 7_2_00412F5A IsDebuggerPresent, 7_2_00412F5A
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00450A28
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03951467 GetProcessHeap,HeapAlloc, 11_2_03951467
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Memory allocated: page read and write | page guard
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0047A42C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_0047A42C
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Process created: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp helper 105 0x3E4 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0042F294 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA, 1_2_0042F294
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_0042E52C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E52C
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp Binary or memory string: Shell_TrayWnd
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndU
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 7_2_00407AD4 cpuid 7_2_00407AD4
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: GetLocaleInfoA, 0_2_00405694
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: GetLocaleInfoA, 0_2_004056E0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: GetLocaleInfoA, 1_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: GetLocaleInfoA, 1_2_00408A44
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 7_2_0040E218
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: EnumSystemLocalesW, 7_2_00412D32
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: GetLocaleInfoW, 7_2_00412DC2
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: GetLocaleInfoW, 7_2_00412DCA
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_0040D688
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 9_2_0040E218
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: EnumSystemLocalesW, 9_2_00412D32
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: GetLocaleInfoW, 9_2_00412DC2
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: GetLocaleInfoW, 9_2_00412DCA
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_0040D688
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 11_2_00BAE218
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_00BAD688
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00458E58 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_00458E58
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp Code function: 1_2_00455DCC GetUserNameA, 1_2_00455DCC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 7_2_00412EB2 GetTimeZoneInformation, 7_2_00412EB2
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe Code function: 0_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy, 0_2_00404654
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_0395538C CkBinData_AppendEncoded, 11_2_0395538C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_039553C0 CkBinData_AppendEncodedSb, 11_2_039553C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_039553FC CkBinData_AppendSb, 11_2_039553FC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955324 CkBinData_AppendBinary, 11_2_03955324
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_0395535C CkBinData_AppendBom, 11_2_0395535C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955280 CkBinData_getLastMethodSuccess, 11_2_03955280
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_039552A8 CkBinData_putLastMethodSuccess, 11_2_039552A8
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_039552D0 CkBinData_getNumBytes, 11_2_039552D0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_039552EC CkBinData_AppendBd, 11_2_039552EC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955214 CkBinData_Dispose, 11_2_03955214
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_0395520C CkBinData_Create, 11_2_0395520C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_0395579C CkBinData_WriteFile, 11_2_0395579C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955710 CkBinData_LoadFile, 11_2_03955710
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955740 CkBinData_RemoveChunk, 11_2_03955740
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955774 CkBinData_SecureClear, 11_2_03955774
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955684 CkBinData__getString, 11_2_03955684
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_039556A4 CkBinData_LoadBinary, 11_2_039556A4
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_039556DC CkBinData_LoadEncoded, 11_2_039556DC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_0395560C CkBinData_GetEncodedSb, 11_2_0395560C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955648 CkBinData_GetString, 11_2_03955648
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955580 CkBinData__getEncoded, 11_2_03955580
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_039555A0 CkBinData_GetEncodedChunk, 11_2_039555A0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_039555E4 CkBinData__getEncodedChunk, 11_2_039555E4
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955504 CkBinData_GetBinaryChunk, 11_2_03955504
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955544 CkBinData_GetEncoded, 11_2_03955544
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955494 CkBinData_ContentsEqual, 11_2_03955494
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_039554CC CkBinData_GetBinary, 11_2_039554CC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_03955438 CkBinData_AppendString, 11_2_03955438
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe Code function: 11_2_0395546C CkBinData_Clear, 11_2_0395546C
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1500780 Sample: ps11.0.0.129pro.exe Startdate: 28/08/2024 Architecture: WINDOWS Score: 34 39 www.planswift.com 2->39 41 maxcdn.bootstrapcdn.com 2->41 43 4 other IPs or domains 2->43 59 .NET source code contains very large array initializations 2->59 61 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->61 63 Tries to evade debugger and weak emulator (self modifying code) 2->63 9 ps11.0.0.129pro.exe 2 2->9         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\ps11.0.0.129pro.tmp, PE32 9->29 dropped 12 ps11.0.0.129pro.tmp 46 1011 9->12         started        process6 file7 31 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 12->31 dropped 33 C:\...\unins000.exe (copy), PE32 12->33 dropped 35 C:\Program Files (x86)\...\is-RQBTG.tmp, PE32 12->35 dropped 37 86 other files (none is malicious) 12->37 dropped 15 PlanSwift.exe 12->15         started        19 PlanSwift.exe 61 13 12->19         started        21 PlanSwift.exe 12->21         started        23 _setup64.tmp 1 12->23         started        process8 dnsIp9 45 group1.sites.hscoscdn00.net 199.60.103.30, 443, 49743, 49744 QUICKSILVER1CA Canada 15->45 47 cdnjs.cloudflare.com 104.17.25.14, 443, 49753, 49754 CLOUDFLARENETUS United States 15->47 49 2 other IPs or domains 15->49 51 Query firmware table information (likely to detect VMs) 15->51 53 Hides threads from debuggers 15->53 55 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->55 25 splwow64.exe 15->25         started        57 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 19->57 27 conhost.exe 23->27         started        signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.18.11.207
 maxcdn.bootstrapcdn.com United States
13335 CLOUDFLARENETUS false
18.144.71.249
 www.planswift.com United States
16509 AMAZON-02US false
199.60.103.30
 group1.sites.hscoscdn00.net Canada
23181 QUICKSILVER1CA false
104.17.25.14
 cdnjs.cloudflare.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
www.planswift.com 18.144.71.249 true
group1.sites.hscoscdn00.net 199.60.103.30 true
cdnjs.cloudflare.com 104.17.25.14 true
maxcdn.bootstrapcdn.com 104.18.11.207 true
hub.planswift.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.5.2/jquery.fancybox.min.css false
  • Avira URL Cloud: safe
 unknown
https://hub.planswift.com/hubfs/bid-boss.jpg false
  • Avira URL Cloud: safe
 unknown
https://www.planswift.com/getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& false
  • Avira URL Cloud: safe
 unknown
https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.8.0/slick.min.css false
  • Avira URL Cloud: safe
 unknown
https://www.planswift.com/status/ false
  • Avira URL Cloud: safe
 unknown
https://hub.planswift.com/hs-fs/hub/2347101/hub_generated/template_assets/9927841831/1580250760790/Custom/page/Planswift_May2017-theme/Planswift_May2017-style.min.css false
  • Avira URL Cloud: safe
 unknown
https://hub.planswift.com/hs-fs/hubfs/PS%20-%20Getting%20Started/Whats%20New%20in%20PlanSwift%C2%AE%2011.png?width=500&name=Whats%20New%20in%20PlanSwift%C2%AE%2011.png false
  • Avira URL Cloud: safe
 unknown
https://hub.planswift.com/hubfs/PS%20-%20Getting%20Started/spaceFrame_700.jpg false
  • Avira URL Cloud: safe
 unknown
https://hub.planswift.com/hs-fs/hub/2347101/hub_generated/template_assets/23959717271/1580250761785/HubUI-PlanSwift/assets/production.min.css false
  • Avira URL Cloud: safe
 unknown
https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css false
  • Avira URL Cloud: safe
 unknown
https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.8.0/slick-theme.css false
  • Avira URL Cloud: safe
 unknown
https://hub.planswift.com/getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& false
  • Avira URL Cloud: safe
 unknown