Edit tour

Windows Analysis Report
ps11.0.0.129pro.exe

Overview

General Information

Sample name:	ps11.0.0.129pro.exe
Analysis ID:	1546263
MD5:	fc13bc8b09702ec0ca1a48f7e9157380
SHA1:	3895eac6524ea439e1dc0e3c537a868f8b3f84af
SHA256:	c2a5572944067b561cb0d269b8975affb8253631278741130f621d6d7d39f9cd
Infos:

Detection

Score:	32
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Hides threads from debuggers

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Office Autorun Keys Modification

Sigma detected: Potential Persistence Via Visual Studio Tools for Office

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

ps11.0.0.129pro.exe (PID: 6804 cmdline: "C:\Users\user\Desktop\ps11.0.0.129pro.exe" MD5: FC13BC8B09702EC0CA1A48F7E9157380)

ps11.0.0.129pro.tmp (PID: 6824 cmdline: "C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp" /SL5="$70296,54471570,58368,C:\Users\user\Desktop\ps11.0.0.129pro.exe" MD5: 5ED68C2D50F4232A83D39C41722BC908)

_setup64.tmp (PID: 2668 cmdline: helper 105 0x3EC MD5: E4211D6D009757C078A9FAC7FF4F03D4)

conhost.exe (PID: 1872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PlanSwift.exe (PID: 2296 cmdline: "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver MD5: B157207600DF34B69CA9AA91F1659383)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: Excel Addin For PlanSwift, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp, ProcessId: 6824, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Excel\Addins\SwiftExcel\Description

Sigma detected: Potential Persistence Via Visual Studio Tools for Office

Source: Registry Key set

Author: Bhabesh Raj: Data: Details: Excel Addin For PlanSwift, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp, ProcessId: 6824, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Excel\Addins\SwiftExcel\Description

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T17:13:09.762456+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.17	49702	TCP
2024-10-31T17:13:48.110830+0100	2022930	1	A Network Trojan was detected	52.149.20.212	443	192.168.2.17	49710	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: ps11.0.0.129pro.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dea351d9-e184-49ac-833f-c98a60d0ae27_is1

Jump to behavior

Source: ps11.0.0.129pro.exe

Static PE information: certificate valid

Source: ps11.0.0.129pro.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\Projects\17.2\BuildLabel\Temp\NetStudio.v17.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj\Release\DevExpress.Pdf.v17.2.Core.pdbTX,nX, `X,_CorDllMainmscoree.dll source: is-DLUIR.tmp.1.dr
Source:	Binary string: c:\Projects\17.2\BuildLabel\Temp\NetStudio.v17.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj\Release\DevExpress.Pdf.v17.2.Core.pdb source: is-DLUIR.tmp.1.dr

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.17:49702
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 52.149.20.212:443 -> 192.168.2.17:49710

Source: PlanSwift.exe, 0000000C.00000002.2402306898.0000000004151000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: ftp://http://https://localhost127.0.0.1127.0.0.1Cannot
Source: PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http:///robots.txtrobotsUrlGETFetched
Source: PlanSwift.exe, 0000000C.00000002.2399454100.000000000406C000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://BUCKET./http://https://BUCKETPOST/?deleteresponseHeaderS3_DeleteObjectbucketNameobjectName///
Source: PlanSwift.exe, 0000000C.00000002.2404043203.00000000041D3000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://cknotes.com/determining-ftp2-connection-settings/
Source: PlanSwift.exe, 0000000C.00000002.2398698409.0000000004030000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://cknotes.com/v9-5-0-55-micro-update-new-features-fixes-changes-etc-2/
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: PlanSwift.exe, 0000000C.00000002.2402499848.000000000415B000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://http://https://https://.www..www..CookieNameValueDomainPathExpirePrioritySavingCookieCookieDi
Source: PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: PlanSwift.exe, 0000000C.00000002.2401702509.0000000004130000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://spamarrest.com/a
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://us.ard.yahoo.com/
Source: PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://us.ard.yahoo.com/http://us.rd.yahoo.com//
Source: PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://us.rd.yahoo.com/
Source: PlanSwift.exe, 0000000C.00000003.1578035811.000000000671B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www..com
Source: is-DLUIR.tmp.1.dr	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: PlanSwift.exe, 0000000C.00000002.2400030098.0000000004091000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.anything.com
Source: PlanSwift.exe, 0000000C.00000002.2400030098.0000000004091000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.anything.comcodeHTTP/1.1
Source: PlanSwift.exe, 0000000C.00000002.2402306898.0000000004151000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.chilkatforum.com/questions/11627/sftp-failed-to-get-address-info
Source: PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.chilkatsoft.com/)
Source: PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.chilkatsoft.com/)Content-LengthAuthorizationuser-agentAddParamnamevalueAddFileReferencena
Source: PlanSwift.exe, 0000000C.00000002.2397972154.0000000003FDD000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.chilkatsoft.com/p/p_463.asp)
Source: PlanSwift.exe, 0000000C.00000002.2397972154.0000000003FDD000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.chilkatsoft.com/p/p_463.asp)LanguageLianjaEnvironmentActiveXVBA.NET
Source: PlanSwift.exe, 0000000C.00000002.2397972154.0000000003FDD000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.chilkatsoft.com/rssComponent.html
Source: PlanSwift.exe, 0000000C.00000002.2402240137.000000000414B000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.cknotes.com/?p=210
Source: PlanSwift.exe, 0000000C.00000002.2402306898.0000000004151000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.cknotes.com/?p=217
Source: PlanSwift.exe, 0000000C.00000002.2402306898.0000000004151000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.cknotes.com/?p=217WSAEADDRINUSE
Source: PlanSwift.exe, 0000000C.00000002.2404043203.00000000041D3000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.cknotes.com/?p=282
Source: PlanSwift.exe, 0000000C.00000002.2404043203.00000000041D3000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.cknotes.com/?p=282Failed
Source: PlanSwift.exe, 0000000C.00000002.2404755481.0000000004203000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.cknotes.com/?p=370
Source: PlanSwift.exe, 0000000C.00000002.2404755481.0000000004203000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.cknotes.com/?p=370POP3
Source: PlanSwift.exe, 0000000C.00000002.2400352211.00000000040AD000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.cknotes.com/?p=411
Source: PlanSwift.exe, 0000000C.00000002.2400352211.00000000040AD000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.cknotes.com/?p=411sftp://sftp://ftp://hostnameportFailed
Source: PlanSwift.exe, 0000000C.00000002.2402240137.000000000414B000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.cknotes.com/?p=91
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: http://www.devexpress.com/0/
Source: PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.fast-report.com
Source: PlanSwift.exe, 0000000C.00000003.1573485893.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: ps11.0.0.129pro.exe, 00000000.00000003.1096387220.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1096543179.00000000022BC000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000000.1096934765.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: ps11.0.0.129pro.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: ps11.0.0.129pro.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: PlanSwift.exe, 0000000C.00000002.2401702509.0000000004130000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.mailpass.com/verify.cgi
Source: PlanSwift.exe, 0000000C.00000002.2401702509.0000000004130000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.mailpass.com/verify.cgihttp://spamarrest.com/aThank
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=U
Source: ps11.0.0.129pro.exe, 00000000.00000003.1096387220.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1096543179.00000000022BC000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000000.1096934765.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: ps11.0.0.129pro.exe, 00000000.00000003.1096387220.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1096543179.00000000022BC000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000000.1096934765.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: PlanSwift.exe, 0000000C.00000002.2399454100.000000000406C000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://BUCKET./PARAMShttp://BUCKET./PARAMSBUCKETPARAMSGETDnsCacheClears3.amazonaws.comGETClearInMem
Source: PlanSwift.exe, 0000000C.00000002.2399454100.000000000406C000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: PlanSwift.exe, 0000000C.00000002.2399454100.000000000406C000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/tokenMissing
Source: PlanSwift.exe, 0000000C.00000002.2399454100.000000000406C000.00000008.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://http:///S3_PATH?S3_BUCKET./S3_PATH?S3_BUCKETS3_PATHCURRENT_DATE%2FAWS_REGION%2FAWS_SERVICE%2
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/Jcl8087.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclAnsiStrings.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclBase.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclCharsets.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclDateTime.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclFileUtils.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclIniFiles.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclLogic.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMath.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMime.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclRTTI.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclResources.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSimpleXml.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStreams.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStringConversions.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStrings.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSynch.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysInfo.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysUtils.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnicode.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnitVersioning.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclWideStrings.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclGraphUtils.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclVclResources.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclAppInst.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclConsole.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclRegistry.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclSecurity.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclShell.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclWin32.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/Snmp.pas
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ldapauth.planswift.net
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ldapauth.planswift.netU
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.planswift.com
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.planswift.com/password/email
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.planswift.com/password/emailU
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.planswift.comU
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://planswift.com/support
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://plugins.planswift.com
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://plugins.planswift.comU
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://share.planswift.com
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://share.planswift.comU
Source: PlanSwift.exe, 0000000C.00000002.2400030098.0000000004091000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.chilkatsoft.com/oauth2_allowed.html
Source: PlanSwift.exe, 0000000C.00000002.2400030098.0000000004091000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.chilkatsoft.com/oauth2_denied.html
Source: ps11.0.0.129pro.exe, 00000000.00000003.1096044617.00000000022A8000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1095971251.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000002.2341802286.0000000000683000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.1097658412.0000000003290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.constructconnect.com/privacy-policy
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.fast-report.com
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.fast-report.comU
Source: PlanSwift.exe, 0000000C.00000002.2397972154.0000000003FDD000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: PlanSwift.exe, 0000000C.00000002.2397972154.0000000003FDD000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/tokenMissing
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.planswift.com
Source: PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.planswift.com/activate/
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.planswift.com/eula/
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.planswift.com/eula/OpenU
Source: PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.planswift.com/pricing
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.planswift.com/purchase
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.planswift.com/removelicense/
Source: PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.planswift.com/requesttrial
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.planswift.com/sVideoURL/?psVideoID=
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.planswift.com/sVideoURL/?psVideoID=U
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.planswift.com/support
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.planswift.comU
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Process Stats: CPU usage > 24%

Source: ps11.0.0.129pro.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: ps11.0.0.129pro.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: ps11.0.0.129pro.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-429JP.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-429JP.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-429JP.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: is-Q1BLR.tmp.1.dr

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: ps11.0.0.129pro.exe, 00000000.00000003.1096387220.00000000024D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs ps11.0.0.129pro.exe
Source: ps11.0.0.129pro.exe, 00000000.00000003.1096543179.00000000022BC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs ps11.0.0.129pro.exe

Source: ps11.0.0.129pro.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: sus32.evad.winEXE@8/1528@0/0

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

File created: C:\Program Files (x86)\PlanSwift11

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1872:120:WilError_03

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

File created: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp

Jump to behavior

Source: Yara match

File source: 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: ps11.0.0.129pro.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

File read: C:\Users\user\Desktop\ps11.0.0.129pro.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ps11.0.0.129pro.exe "C:\Users\user\Desktop\ps11.0.0.129pro.exe"
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp "C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp" /SL5="$70296,54471570,58368,C:\Users\user\Desktop\ps11.0.0.129pro.exe"
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp helper 105 0x3EC
Source: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp "C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp" /SL5="$70296,54471570,58368,C:\Users\user\Desktop\ps11.0.0.129pro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp helper 105 0x3EC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver	Jump to behavior

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: chilkatdelphixe.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: planswiftanalyticsservice.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Addins\SwiftExcel

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dea351d9-e184-49ac-833f-c98a60d0ae27_is1

Jump to behavior

Source: ps11.0.0.129pro.exe

Static PE information: certificate valid

Source: ps11.0.0.129pro.exe

Static file information: File size 54814096 > 1048576

Source: ps11.0.0.129pro.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\Projects\17.2\BuildLabel\Temp\NetStudio.v17.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj\Release\DevExpress.Pdf.v17.2.Core.pdbTX,nX, `X,_CorDllMainmscoree.dll source: is-DLUIR.tmp.1.dr
Source:	Binary string: c:\Projects\17.2\BuildLabel\Temp\NetStudio.v17.2.2005\Win\DevExpress.Pdf\DevExpress.Pdf.Core\obj\Release\DevExpress.Pdf.v17.2.Core.pdb source: is-DLUIR.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-ASV96.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Printing.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-U78KF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-MK349.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-JOR6L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-1122G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-VID2E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-QP7RD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Microsoft.Office.Tools.Common.v4.0.Utilities.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Sparkline.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-V4GME.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-Q1BLR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-3A80D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-HTL6A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraEditors.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsTokenService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-I5Q8K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-RTBKM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Utils.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-U2E4T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-9E8O3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-11P5O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-DLUIR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-RKK8B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-TC49G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-H9PBC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Newtonsoft.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\is-MK6BQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-FGMT7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsSwift_Excel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraLayout.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-EPJ45.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	File created: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-IKQI1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\is-429JP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-FA79K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Images.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-8TLV1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-AEDQ3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-2Q5JM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-7CSTM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelConnectService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-T556C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-VSBET.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-DDO4H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-E20LJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-MVLL5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Data.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelImport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-E7NEL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-RDL8M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\PsSwift_Excel.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Pdf.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraTreeList.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-NSFQH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-6REKE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-AUBRP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-76LAT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-GEH09.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-2NGS1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: RegmonClass	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PlanSwift 11\PlanSwift 11.lnk

Jump to behavior

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	System information queried: FirmwareTableInformation			Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Special instruction interceptor: First address: 2211862 instructions caused by: Self-modifying code

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-ASV96.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Printing.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-U78KF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-MK349.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-JOR6L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-1122G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-VID2E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-QP7RD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Microsoft.Office.Tools.Common.v4.0.Utilities.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Sparkline.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-V4GME.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-Q1BLR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-3A80D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-HTL6A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsTokenService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraEditors.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-I5Q8K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-RTBKM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Utils.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-U2E4T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-9E8O3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-11P5O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-DLUIR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-RKK8B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-TC49G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-H9PBC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Newtonsoft.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\is-MK6BQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-FGMT7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsSwift_Excel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraLayout.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-EPJ45.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-IKQI1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\is-429JP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-FA79K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Images.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-AEDQ3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-8TLV1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-2Q5JM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-7CSTM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelConnectService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-T556C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-VSBET.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-E20LJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-DDO4H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-MVLL5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Data.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelImport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-E7NEL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\PsSwift_Excel.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-RDL8M.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Pdf.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraTreeList.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-NSFQH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-AUBRP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-6REKE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-76LAT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-GEH09.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-2NGS1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

File opened: PhysicalDrive0

Jump to behavior

Source: ps11.0.0.129pro.tmp, 00000001.00000002.2341802286.0000000000683000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TatVirtualMachines(<
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TatVirtualMachine
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TatVirtualMachines
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TatVirtualMachineh=

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: regmonclass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: gbdyllo
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: procmon_window_class
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: ollydbg
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: filemonclass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp

Process created: C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp helper 105 0x3EC

Jump to behavior

Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndU

Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	2 Masquerading	OS Credential Dumping	631 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	33 Virtualization/Sandbox Evasion	LSASS Memory	33 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	2 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ps11.0.0.129pro.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Data.v17.2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Images.v17.2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Pdf.v17.2.Core.dll (copy)	4%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Printing.v17.2.Core.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Sparkline.v17.2.Core.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Utils.v17.2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraEditors.v17.2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraLayout.v17.2.dll (copy)	4%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraTreeList.v17.2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelConnectService.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelImport.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Microsoft.Office.Tools.Common.v4.0.Utilities.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Newtonsoft.Json.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsService.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsSwift_Excel.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsTokenService.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Data.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Printing.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Utils.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraEditors.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraLayout.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-2NGS1.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-3A80D.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-8TLV1.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-E7NEL.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-FGMT7.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-IKQI1.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-MK349.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-TC49G.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\PsSwift_Excel.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\is-MK6BQ.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Data.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Printing.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Utils.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraEditors.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraLayout.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-11P5O.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-2Q5JM.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-AUBRP.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-GEH09.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-HTL6A.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-JOR6L.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-MVLL5.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-RTBKM.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-6REKE.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-9E8O3.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-ASV96.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-DDO4H.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-DLUIR.tmp	4%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-E20LJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-H9PBC.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-I5Q8K.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-NSFQH.tmp	4%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-Q1BLR.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-RKK8B.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-T556C.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-U2E4T.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-U78KF.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-V4GME.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-VID2E.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Data.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Printing.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Utils.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraEditors.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraLayout.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-1122G.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-76LAT.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-7CSTM.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-EPJ45.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-FA79K.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-QP7RD.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-RDL8M.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-VSBET.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Data.v17.2.resources.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-AEDQ3.tmp	3%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\is-429JP.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\unins000.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp	7%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.innosetup.com/	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.remobjects.com/psU	0%	URL Reputation	safe
https://www.thawte.com/cps0/	0%	URL Reputation	safe
https://www.thawte.com/repository0W	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://share.planswift.comU	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://ldapauth.planswift.netU	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclDateTime.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.planswift.com/removelicense/	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.chilkatsoft.com/)	PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://www.indyproject.org/	PlanSwift.exe, 0000000C.00000003.1573485893.00000000035D0000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.cknotes.com/?p=282Failed	PlanSwift.exe, 0000000C.00000002.2404043203.00000000041D3000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://www.cknotes.com/?p=91	PlanSwift.exe, 0000000C.00000002.2402240137.000000000414B000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://www.planswift.com	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	false		unknown
http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=U	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.chilkatsoft.com/p/p_463.asp)	PlanSwift.exe, 0000000C.00000002.2397972154.0000000003FDD000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclCharsets.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclFileUtils.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclShell.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.chilkatsoft.com/oauth2_allowed.html	PlanSwift.exe, 0000000C.00000002.2400030098.0000000004091000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclRTTI.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://plugins.planswift.comU	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnicode.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysInfo.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.mailpass.com/verify.cgihttp://spamarrest.com/aThank	PlanSwift.exe, 0000000C.00000002.2401702509.0000000004130000.00000008.00000001.01000000.0000000D.sdmp	false		unknown
http://www.innosetup.com/	ps11.0.0.129pro.exe, 00000000.00000003.1096387220.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1096543179.00000000022BC000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000000.1096934765.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://www.chilkatsoft.com/)Content-LengthAuthorizationuser-agentAddParamnamevalueAddFileReferencena	PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/	PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	ps11.0.0.129pro.exe	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMime.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://BUCKET./PARAMShttp://BUCKET./PARAMSBUCKETPARAMSGETDnsCacheClears3.amazonaws.comGETClearInMem	PlanSwift.exe, 0000000C.00000002.2399454100.000000000406C000.00000008.00000001.01000000.0000000D.sdmp	false		unknown
http://www.chilkatsoft.com/rssComponent.html	PlanSwift.exe, 0000000C.00000002.2397972154.0000000003FDD000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://us.ard.yahoo.com/	PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMath.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.planswift.com/eula/	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclWin32.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.chilkatsoft.com/oauth2_denied.html	PlanSwift.exe, 0000000C.00000002.2400030098.0000000004091000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://www.planswift.com/sVideoURL/?psVideoID=	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://myaccount.planswift.com/password/emailU	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://myaccount.planswift.comU	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSimpleXml.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://cknotes.com/determining-ftp2-connection-settings/	PlanSwift.exe, 0000000C.00000002.2404043203.00000000041D3000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://www.cknotes.com/?p=411	PlanSwift.exe, 0000000C.00000002.2400352211.00000000040AD000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://www..com	PlanSwift.exe, 0000000C.00000003.1578035811.000000000671B000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.cknotes.com/?p=370POP3	PlanSwift.exe, 0000000C.00000002.2404755481.0000000004203000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://BUCKET./http://https://BUCKETPOST/?deleteresponseHeaderS3_DeleteObjectbucketNameobjectName///	PlanSwift.exe, 0000000C.00000002.2399454100.000000000406C000.00000008.00000001.01000000.0000000D.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclAnsiStrings.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclIniFiles.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.cknotes.com/?p=370	PlanSwift.exe, 0000000C.00000002.2404755481.0000000004203000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://planswift.com/support	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.planswift.com/sVideoURL/?psVideoID=U	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysUtils.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclAppInst.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSynch.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://http:///S3_PATH?S3_BUCKET./S3_PATH?S3_BUCKETS3_PATHCURRENT_DATE%2FAWS_REGION%2FAWS_SERVICE%2	PlanSwift.exe, 0000000C.00000002.2399454100.000000000406C000.00000008.00000001.01000000.0000000D.sdmp	false		unknown
http://us.ard.yahoo.com/http://us.rd.yahoo.com//	PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclResources.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	ps11.0.0.129pro.exe	false		unknown
http://www.cknotes.com/?p=282	PlanSwift.exe, 0000000C.00000002.2404043203.00000000041D3000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http:///robots.txtrobotsUrlGETFetched	PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://www.anything.com	PlanSwift.exe, 0000000C.00000002.2400030098.0000000004091000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclBase.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnitVersioning.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.planswift.com/requesttrial	PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	false		unknown
https://share.planswift.com	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.planswift.comU	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStringConversions.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.planswift.com/purchase	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	false	URL Reputation: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclLogic.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.chilkatsoft.com/p/p_463.asp)LanguageLianjaEnvironmentActiveXVBA.NET	PlanSwift.exe, 0000000C.00000002.2397972154.0000000003FDD000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://ldapauth.planswift.net	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://cknotes.com/v9-5-0-55-micro-update-new-features-fixes-changes-etc-2/	PlanSwift.exe, 0000000C.00000002.2398698409.0000000004030000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://www.fast-report.com	PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	false		unknown
http://spamarrest.com/a	PlanSwift.exe, 0000000C.00000002.2401702509.0000000004130000.00000008.00000001.01000000.0000000D.sdmp	false		unknown
http://www.aiim.org/pdfa/ns/id/	is-DLUIR.tmp.1.dr	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclConsole.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.fast-report.com	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://ocsp.thawte.com0	is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	false	URL Reputation: safe	unknown
https://www.planswift.com/pricing	PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclVclResources.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.cknotes.com/?p=411sftp://sftp://ftp://hostnameportFailed	PlanSwift.exe, 0000000C.00000002.2400352211.00000000040AD000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/Snmp.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.chilkatforum.com/questions/11627/sftp-failed-to-get-address-info	PlanSwift.exe, 0000000C.00000002.2402306898.0000000004151000.00000008.00000001.01000000.0000000D.sdmp	false		unknown
http://us.rd.yahoo.com/	PlanSwift.exe, 0000000C.00000002.2400633382.00000000040BE000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
http://www.cknotes.com/?p=217WSAEADDRINUSE	PlanSwift.exe, 0000000C.00000002.2402306898.0000000004151000.00000008.00000001.01000000.0000000D.sdmp	false		unknown
https://www.planswift.com/eula/OpenU	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclRegistry.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.planswift.com/activate/	PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	false		unknown
http://www.remobjects.com/psU	ps11.0.0.129pro.exe, 00000000.00000003.1096387220.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1096543179.00000000022BC000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000000.1096934765.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://www.cknotes.com/?p=217	PlanSwift.exe, 0000000C.00000002.2402306898.0000000004151000.00000008.00000001.01000000.0000000D.sdmp	false		unknown
https://www.thawte.com/cps0/	is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	false	URL Reputation: safe	unknown
http://www.anything.comcodeHTTP/1.1	PlanSwift.exe, 0000000C.00000002.2400030098.0000000004091000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/Jcl8087.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.fast-report.comU	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://www.planswift.com/support	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 0000000C.00000002.2338786835.000000000112B000.00000020.00000001.01000000.0000000C.sdmp	false		unknown
https://www.thawte.com/repository0W	is-FA79K.tmp.1.dr, is-DLUIR.tmp.1.dr	false	URL Reputation: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclGraphUtils.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.cknotes.com/?p=210	PlanSwift.exe, 0000000C.00000002.2402240137.000000000414B000.00000004.00000001.01000000.0000000D.sdmp	false		unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStrings.pas	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.mailpass.com/verify.cgi	PlanSwift.exe, 0000000C.00000002.2401702509.0000000004130000.00000008.00000001.01000000.0000000D.sdmp	false		unknown
https://plugins.planswift.com	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
https://myaccount.planswift.com/password/email	PlanSwift.exe, 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp	false		unknown
http://www.remobjects.com/ps	ps11.0.0.129pro.exe, 00000000.00000003.1096387220.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1096543179.00000000022BC000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000000.1096934765.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546263
Start date and time:	2024-10-31 17:12:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ps11.0.0.129pro.exe
Detection:	SUS
Classification:	sus32.evad.winEXE@8/1528@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: ps11.0.0.129pro.exe

Process:	C:\Users\user\AppData\Local\Temp\is-BR9JR.tmp\ps11.0.0.129pro.tmp
File Type:	XML 1.0 document, ASCII text, with very long lines (954), with CRLF line terminators
Category:	dropped
Size (bytes):	6284
Entropy (8bit):	5.108886176656682
Encrypted:	false
SSDEEP:	96:kAz3qd2uI0MdOM2Wbd/ul0MdOM3bdwz0MdOMKebcwk0MdOMNMqbddy0MdOMrbddz:BdOzdOZdOXdOEMLdOvgdObZdO6dOsCd
MD5:	064897F8A4AB5A4EAAD98F71F2769994
SHA1:	9675608380259871523E40FA8529A0FA6F02492B
SHA-256:	BD704248CF74A6CE2818D43409881CFE7583A873F1E98F21C88D33B49EEF04DC
SHA-512:	C76243FD9EEE596B32CB417AEFD5E07565E2B0545EC0B60328CA4AA84D871D733B628F5BD8BEF1EF1E0E7624B7FA7B5FA64193D5C701990BD49B950D638DBC22
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="iso-8859-1"?>..<Item Class="Item" Name="Additional Help" GUID="{16E3A938-C463-48D8-AE99-1C57D688842F}">.. <Properties>.. <Property Class="Text" GUID="{8CBBCC61-5F73-44A0-9AA3-72A81DFCFF33}" Name="Name" inheritaction="" calculatebefore="0" inherited="False" input="True" inputcondition="" locked="False" hidden="False" systemlocked="False" systemhidden="False" required="True" units="" inputunits="" group="Item" PullFrom="" OrderIndex="0" Adjust="" ListType="Simple List" SimpleList="" List="" ListResultColumn="" TreeList="" ListFromProperty="False" ListShowSearch="False" ListColumnAutoWidth="False" ListVisibleColumnsInDropdown="" ListPropertiesToSet="" ListShowOnlyTypes="" ListReturnFullPath="False" ListShow1Level="False" PluginToExecute="" PluginToExecuteButtonCaption="" Expression="0" RememberValue="0" ToolHint="">Additional Help</Property>.. <Property Class="Type" GUID="{15330163-EE6B-4527-A3C0-43036726ADBB}" Name="Type" inheritaction="" calculatebef

Process:	C:\Program Files (x86)\PlanSwift11\PlanSwift.exe
File Type:	data
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.625
Encrypted:	false
SSDEEP:	3:h8A68YP:hR6B
MD5:	68D397FD33FE497BA2B667FC91344F36
SHA1:	36241F5727ED7D9DF52E964ECC002AEC4A7EB692
SHA-256:	B25E69A9265342D91585C90DC887ADB48429A26AF2347B5AFC2CAB8EA753B52C
SHA-512:	D3AA0C12D8D872F6CDE05E934E6CA4A2EBC241B35471582617DD99885D1D6D355C80A61460A0A1BEA42CB524CDE88BD6C110C55D533BA0544198BBA250383F8A
Malicious:	false
Preview:	(...Y.a.Y=}..<}.

Process:	C:\Users\user\Desktop\ps11.0.0.129pro.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	718848
Entropy (8bit):	6.516324966510223
Encrypted:	false
SSDEEP:	12288:cqIRz+f+ui8TrPO37fzH4A63RRwDNtuXUZERvDrNMRdT9Taslb0GtzCOpFyxyR:hIZg+uiirPO37fzH4A6haDzcUZEIdT95
MD5:	5ED68C2D50F4232A83D39C41722BC908
SHA1:	EB1ABA1A0406C34FD9601E7C2E61FCAFD0376D7A
SHA-256:	DE17FCE3B4BC0E4B95D25EBFB98E6FB97098AA96153973CB16585793CA23901B
SHA-512:	006E8131A50C9D79E654AB9D6D5A2467A5230205D82F43C2E5CE49FF011D163ED01CCD2182D6B99C2BD1422B81C8E70DD187DA3118423BF1E359A7A42B109C1C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.........................................@.......................................@......@..............................2&...........................................................@......................................................CODE.... ........................... ..`DATA....D...........................@...BSS......................................idata..2&.......(..................@....tls.........0...........................rdata.......@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Entrypoint:	0x40aad0
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	2fb819a19fe4dee5c03e8c6a79342f79

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	01/03/2023 01:00:00 01/03/2026 00:59:59
Subject Chain	CN="ConstructConnect, Inc.", O="ConstructConnect, Inc.", L=Cincinnati, S=Ohio, C=US
Version:	3
Thumbprint MD5:	586B3871E283983668E2AFCE9FD55F9B
Thumbprint SHA-1:	6F9296A617BDE8B5BBDD7CE3B48863D01A33DEFA
Thumbprint SHA-256:	7159CF6018A711D5EF3A3BFFB2BE9E5634B60A9346B3BE15A7BDE333770FA534
Serial:	0A9F66FA7F8798F17CF9F01CACCA424E

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe000	0x97c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x34453d0	0x11c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x10000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0xa208	0xa400	49513e676dadfb3919c4b137dd7c6d66	False	0.5959413109756098	data	6.6016742350943245	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xc000	0x250	0x400	0a7b48e75f6b6ef4a087528fee0d185c	False	0.30859375	data	2.771347682604831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xd000	0xe94	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xe000	0x97c	0xa00	df5f31e62e05c787fd29eed7071bf556	False	0.41796875	data	4.486076246232586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xf000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x10000	0x18	0x200	14dfa4128117e7f94fe2f8d7dea374a0	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x920	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x2c00	0x2c00	b520d4d57d6bb2631641bcab729029e5	False	0.33460582386363635	data	4.606450540099942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1247c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x129e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x12ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x13574	0x2f2	data			0.35543766578249336
RT_STRING	0x13868	0x30c	data			0.3871794871794872
RT_STRING	0x13b74	0x2ce	data			0.42618384401114207
RT_STRING	0x13e44	0x68	data			0.75
RT_STRING	0x13eac	0xb4	data			0.6277777777777778
RT_STRING	0x13f60	0xae	data			0.5344827586206896
RT_RCDATA	0x14010	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x1403c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1407c	0x4f4	data	English	United States	0.2870662460567823
RT_MANIFEST	0x14570	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Target ID:	0
Start time:	12:12:54
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\ps11.0.0.129pro.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ps11.0.0.129pro.exe"
Imagebase:	0x400000
File size:	54'814'096 bytes
MD5 hash:	FC13BC8B09702EC0CA1A48F7E9157380
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	10
Start time:	12:13:15
Start date:	31/10/2024
Path:	C:\Users\user\AppData\Local\Temp\is-SEEO1.tmp\_isetup\_setup64.tmp
Wow64 process (32bit):	false
Commandline:	helper 105 0x3EC
Imagebase:	0x140000000
File size:	6'144 bytes
MD5 hash:	E4211D6D009757C078A9FAC7FF4F03D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	false

Target ID:	12
Start time:	12:13:39
Start date:	31/10/2024
Path:	C:\Program Files (x86)\PlanSwift11\PlanSwift.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver
Imagebase:	0x500000
File size:	15'557'072 bytes
MD5 hash:	B157207600DF34B69CA9AA91F1659383
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000C.00000003.1563070453.0000000006540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ps11.0.0.129pro.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\PlanSwift11\Data\Developers\Additional Help\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\Additional Help\is-ULK9S.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\About\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\About\is-80M07.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\BeginFormulaUpdate\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\BeginFormulaUpdate\is-AAQB7.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\BeginUpdate\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\BeginUpdate\is-QDDJG.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CancelTool\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CancelTool\is-439J8.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CloseJob\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CloseJob\is-8R814.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CompareVersion\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CompareVersion\is-RV4IO.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CopyItem\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CopyItem\is-P3H88.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CurrentVersion\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CurrentVersion\is-DJE5S.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CurrentViewport\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CurrentViewport\is-LUQLB.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\DeleteItem\Data.xml (copy)

Windows Analysis Report
ps11.0.0.129pro.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre