Edit tour

Windows Analysis Report
ps11.0.0.129pro.exe

Overview

General Information

Sample name:	ps11.0.0.129pro.exe
Analysis ID:	1500780
MD5:	fc13bc8b09702ec0ca1a48f7e9157380
SHA1:	3895eac6524ea439e1dc0e3c537a868f8b3f84af
SHA256:	c2a5572944067b561cb0d269b8975affb8253631278741130f621d6d7d39f9cd
Infos:

Detection

Score:	34
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

.NET source code contains very large array initializations

Hides threads from debuggers

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Office Autorun Keys Modification

Sigma detected: Potential Persistence Via Visual Studio Tools for Office

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ps11.0.0.129pro.exe (PID: 5316 cmdline: "C:\Users\user\Desktop\ps11.0.0.129pro.exe" MD5: FC13BC8B09702EC0CA1A48F7E9157380)

ps11.0.0.129pro.tmp (PID: 6252 cmdline: "C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp" /SL5="$20410,54471570,58368,C:\Users\user\Desktop\ps11.0.0.129pro.exe" MD5: 5ED68C2D50F4232A83D39C41722BC908)

_setup64.tmp (PID: 5260 cmdline: helper 105 0x3E4 MD5: E4211D6D009757C078A9FAC7FF4F03D4)

conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PlanSwift.exe (PID: 416 cmdline: "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver MD5: B157207600DF34B69CA9AA91F1659383)

PlanSwift.exe (PID: 3140 cmdline: "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /init MD5: B157207600DF34B69CA9AA91F1659383)

PlanSwift.exe (PID: 5888 cmdline: "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" -o "Sample Plan" MD5: B157207600DF34B69CA9AA91F1659383)

splwow64.exe (PID: 2656 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000B.00000002.2917164884.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000B.00000003.2587147896.0000000006290000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.PlanSwift.exe.f80000.1.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
7.2.PlanSwift.exe.f80000.1.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
11.2.PlanSwift.exe.f80000.1.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: Excel Addin For PlanSwift, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp, ProcessId: 6252, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Excel\Addins\SwiftExcel\Description

Sigma detected: Potential Persistence Via Visual Studio Tools for Office

Source: Registry Key set

Author: Bhabesh Raj: Data: Details: Excel Addin For PlanSwift, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp, ProcessId: 6252, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Excel\Addins\SwiftExcel\Description

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION PlanSwift.exe

Source: ps11.0.0.129pro.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dea351d9-e184-49ac-833f-c98a60d0ae27_is1

Jump to behavior

Source: ps11.0.0.129pro.exe

Static PE information: certificate valid

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.4:49754 version: TLS 1.2

Source: ps11.0.0.129pro.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00476DFC FindFirstFileA,FindNextFileA,FindClose,	1_2_00476DFC
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00453238 FindFirstFileA,GetLastError,	1_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0049ACD8 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049ACD8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,	1_2_00463B44
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 7_2_0040E0C0 FindFirstFileW,FindClose,	7_2_0040E0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 7_2_0040DAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	7_2_0040DAEC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 9_2_0040E0C0 FindFirstFileW,FindClose,	9_2_0040E0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 9_2_0040DAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	9_2_0040DAEC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_00BAE0C0 FindFirstFileW,FindClose,	11_2_00BAE0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_00BADAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	11_2_00BADAEC

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: global traffic

HTTP traffic detected: POST /status/ HTTP/1.1Content-Type: multipart/form-data; boundary=------------000001050802010608020008Host: www.planswift.comContent-Length: 375

Source: Joe Sandbox View	IP Address: 104.18.11.207 104.18.11.207
Source: Joe Sandbox View	IP Address: 104.18.11.207 104.18.11.207
Source: Joe Sandbox View	IP Address: 199.60.103.30 199.60.103.30
Source: Joe Sandbox View	IP Address: 104.17.25.14 104.17.25.14

Source: Joe Sandbox View	JA3 fingerprint: fed8d14fc5a67b40cd470ba239019785
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0Accept-Language: en-us,en;q=0.5Accept-Encoding: gzipHost: www.planswift.com
Source: global traffic	HTTP traffic detected: GET /getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0Accept-Language: en-us,en;q=0.5Accept-Encoding: gzipHost: hub.planswift.com
Source: global traffic	HTTP traffic detected: GET /hs-fs/hub/2347101/hub_generated/template_assets/23959717271/1580250761785/HubUI-PlanSwift/assets/production.min.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hs-fs/hub/2347101/hub_generated/template_assets/9927841831/1580250760790/Custom/page/Planswift_May2017-theme/Planswift_May2017-style.min.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hs-fs/hubfs/PS%20-%20Getting%20Started/Whats%20New%20in%20PlanSwift%C2%AE%2011.png?width=500&name=Whats%20New%20in%20PlanSwift%C2%AE%2011.png HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /font-awesome/4.6.3/css/font-awesome.min.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: maxcdn.bootstrapcdn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hubfs/bid-boss.jpg HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ajax/libs/fancybox/3.5.2/jquery.fancybox.min.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ajax/libs/slick-carousel/1.8.0/slick-theme.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hubfs/PS%20-%20Getting%20Started/spaceFrame_700.jpg HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ajax/libs/slick-carousel/1.8.0/slick.min.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0Accept-Language: en-us,en;q=0.5Accept-Encoding: gzipHost: www.planswift.com
Source: global traffic	HTTP traffic detected: GET /getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Connection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0Accept-Language: en-us,en;q=0.5Accept-Encoding: gzipHost: hub.planswift.com
Source: global traffic	HTTP traffic detected: GET /hs-fs/hub/2347101/hub_generated/template_assets/23959717271/1580250761785/HubUI-PlanSwift/assets/production.min.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hs-fs/hub/2347101/hub_generated/template_assets/9927841831/1580250760790/Custom/page/Planswift_May2017-theme/Planswift_May2017-style.min.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hs-fs/hubfs/PS%20-%20Getting%20Started/Whats%20New%20in%20PlanSwift%C2%AE%2011.png?width=500&name=Whats%20New%20in%20PlanSwift%C2%AE%2011.png HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /font-awesome/4.6.3/css/font-awesome.min.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: maxcdn.bootstrapcdn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hubfs/bid-boss.jpg HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ajax/libs/fancybox/3.5.2/jquery.fancybox.min.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ajax/libs/slick-carousel/1.8.0/slick-theme.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /hubfs/PS%20-%20Getting%20Started/spaceFrame_700.jpg HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: hub.planswift.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ajax/libs/slick-carousel/1.8.0/slick.min.css HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdnjs.cloudflare.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.planswift.com
Source: global traffic	DNS traffic detected: DNS query: hub.planswift.com
Source: global traffic	DNS traffic detected: DNS query: maxcdn.bootstrapcdn.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com

Source: unknown

HTTP traffic detected: POST /status/ HTTP/1.1Content-Type: multipart/form-data; boundary=------------000001050802010608020008Host: www.planswift.comContent-Length: 375

Source: PlanSwift.exe	String found in binary or memory: ftp://ftp.000010002000300040005000600070008000900110012001300140015001600170018001900210022002300240
Source: PlanSwift.exe, 00000007.00000003.2266073890.00000000064FB000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2360641025.000000000668B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www..com
Source: PlanSwift.exe	String found in binary or memory: http://www.chilkatsoft.com/rssComponent.html
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000001981000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.fast-report.com
Source: PlanSwift.exe, 00000007.00000003.2262470356.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000007.00000003.2337279134.00000000069E3000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2358261010.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2425201679.0000000006BB3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: ps11.0.0.129pro.tmp, ps11.0.0.129pro.tmp, 00000001.00000000.1666665834.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: ps11.0.0.129pro.exe, ps11.0.0.129pro.exe, 00000000.00000000.1665343528.0000000000401000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: ps11.0.0.129pro.exe, 00000000.00000000.1665343528.0000000000401000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: PlanSwift.exe, 00000009.00000003.2425793276.00000000065BD000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.planswift.com/activate/PlanSwiftActivation/
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=U
Source: ps11.0.0.129pro.exe, 00000000.00000003.1666090769.0000000002320000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1666302856.000000000210C000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, ps11.0.0.129pro.tmp, 00000001.00000000.1666665834.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: ps11.0.0.129pro.exe, 00000000.00000003.1666090769.0000000002320000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1666302856.000000000210C000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000000.1666665834.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/Jcl8087.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclAnsiStrings.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclBase.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclCharsets.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclDateTime.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclFileUtils.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclIniFiles.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclLogic.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMath.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMime.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclRTTI.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclResources.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSimpleXml.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStreams.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStringConversions.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStrings.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSynch.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysInfo.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysUtils.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnicode.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnitVersioning.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclWideStrings.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclGraphUtils.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclVclResources.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclAppInst.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclConsole.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclRegistry.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclSecurity.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclShell.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclWin32.pas
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/Snmp.pas
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://ldapauth.planswift.net
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://ldapauth.planswift.netU
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://myaccount.planswift.com
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://myaccount.planswift.com/password/email
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://myaccount.planswift.com/password/emailU
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://myaccount.planswift.comU
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://planswift.com/support
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://plugins.planswift.com
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://plugins.planswift.comU
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://share.planswift.com
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://share.planswift.comU
Source: ps11.0.0.129pro.exe, 00000000.00000003.1665694428.0000000002320000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1665762973.00000000020F8000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.2483568739.00000000020F8000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.2483442313.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.1667380568.0000000002228000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2310510471.0000000003464000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.1948604214.000000000078B000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.1667307291.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2477022758.0000000002228000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2252827367.0000000003464000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2471290854.000000000346C000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2473431795.0000000002224000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2472399532.0000000000769000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.constructconnect.com/privacy-policy
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.fast-report.com
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.fast-report.comU
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.planswift.com
Source: PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.planswift.com/activate/
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.planswift.com/eula/
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.planswift.com/eula/OpenU
Source: PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.planswift.com/pricing
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.planswift.com/purchase
Source: PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.planswift.com/removelicense/
Source: PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.planswift.com/requesttrial
Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.planswift.com/sVideoURL/?psVideoID=
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.planswift.com/sVideoURL/?psVideoID=U
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006D20000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.planswift.com/support
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.planswift.comU

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 18.144.71.249:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 199.60.103.30:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.4:49754 version: TLS 1.2

System Summary

.NET source code contains very large array initializations

Source: is-P9DH3.tmp.1.dr, ImagesAssemblyImageList.cs

Large array initialization: ImagesAssemblyImageList: array initializer size 4225

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00424014 NtdllDefWindowProc_A,	1_2_00424014
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0047A9E8 NtdllDefWindowProc_A,	1_2_0047A9E8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00412A68 NtdllDefWindowProc_A,	1_2_00412A68
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0042FA00 NtdllDefWindowProc_A,	1_2_0042FA00
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_00457E24

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Code function: 1_2_0042EDC4: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042EDC4

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00455E14

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_004088C0	0_2_004088C0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004688B8	1_2_004688B8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00482A88	1_2_00482A88
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00471FB0	1_2_00471FB0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00452194	1_2_00452194
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0043E240	1_2_0043E240
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004905E0	1_2_004905E0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0043083C	1_2_0043083C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0046A974	1_2_0046A974
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004449B8	1_2_004449B8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00434AB4	1_2_00434AB4
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00488E3C	1_2_00488E3C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00444F60	1_2_00444F60
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004313C8	1_2_004313C8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00445658	1_2_00445658
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004357B8	1_2_004357B8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0045F954	1_2_0045F954
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00445A64	1_2_00445A64
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0045BA04	1_2_0045BA04
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00489D9C	1_2_00489D9C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 7_2_0040C27C	7_2_0040C27C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 7_2_004134E4	7_2_004134E4
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 9_2_0040C27C	9_2_0040C27C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 9_2_004134E4	9_2_004134E4
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_00BAC27C	11_2_00BAC27C

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 00453B40 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 0040909C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 004587AC appears 81 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 004585A0 appears 120 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 00406F54 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 00446594 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 0040357C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 004462C4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 004349CC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 00403684 appears 233 times
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: String function: 00407D84 appears 43 times
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: String function: 00CCCC98 appears 241 times
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: String function: 03AF7174 appears 45 times
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: String function: 0052CC98 appears 482 times
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: String function: 0040CD68 appears 34 times

Source: ps11.0.0.129pro.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: ps11.0.0.129pro.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: ps11.0.0.129pro.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-RQBTG.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-RQBTG.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-RQBTG.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: is-S2ENC.tmp.1.dr

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: ps11.0.0.129pro.exe, 00000000.00000003.1666090769.0000000002320000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs ps11.0.0.129pro.exe
Source: ps11.0.0.129pro.exe, 00000000.00000003.1666302856.000000000210C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs ps11.0.0.129pro.exe

Source: ps11.0.0.129pro.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: sus34.evad.winEXE@14/1587@4/4

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00455E14

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Code function: 1_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,

1_2_0045663C

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

Code function: 0_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_0040A10C

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

File created: C:\Program Files (x86)\PlanSwift11

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_416
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_5888
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Mutant created: \Sessions\1\BaseNamedObjects\firebird_trace_mutex
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_3140

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

File created: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp

Jump to behavior

Source: Yara match	File source: 9.2.PlanSwift.exe.f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PlanSwift.exe.f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.PlanSwift.exe.f80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2917164884.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.2587147896.0000000006290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: ps11.0.0.129pro.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: PlanSwift.exe	String found in binary or memory: application/vnd.groove-help
Source: PlanSwift.exe	String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: PlanSwift.exe	String found in binary or memory: application/x-install-instructions
Source: PlanSwift.exe	String found in binary or memory: Cache/getting-started.mht
Source: PlanSwift.exe	String found in binary or memory: /getting-started-licensed
Source: PlanSwift.exe	String found in binary or memory: /getting-started-expired
Source: PlanSwift.exe	String found in binary or memory: /getting-started-viewer
Source: PlanSwift.exe	String found in binary or memory: /getting-started-trial
Source: PlanSwift.exe	String found in binary or memory: /getting-started/
Source: PlanSwift.exe	String found in binary or memory: application/vnd.groove-help
Source: PlanSwift.exe	String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: PlanSwift.exe	String found in binary or memory: application/x-install-instructions
Source: PlanSwift.exe	String found in binary or memory: Are you sure you want to continue with the plugin un-installation
Source: PlanSwift.exe	String found in binary or memory: Uninstallation of installed plugins will REQUIRE a restart of PlanSwift immediately after the plugin un-installation has completed
Source: PlanSwift.exe	String found in binary or memory: Package is already installed on your system. You will need to uninstall it before it can be re-installed. Do you want to uninstall plugin identified above
Source: PlanSwift.exe	String found in binary or memory: NATS-DANO-ADD
Source: PlanSwift.exe	String found in binary or memory: NATS-SEFI-ADD
Source: PlanSwift.exe	String found in binary or memory: Cache/getting-started.mht
Source: PlanSwift.exe	String found in binary or memory: /getting-started-licensed
Source: PlanSwift.exe	String found in binary or memory: /getting-started-expired
Source: PlanSwift.exe	String found in binary or memory: /getting-started-viewer
Source: PlanSwift.exe	String found in binary or memory: /getting-started-trial
Source: PlanSwift.exe	String found in binary or memory: /getting-started/
Source: PlanSwift.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: PlanSwift.exe	String found in binary or memory: jp-ocr-hand-add
Source: PlanSwift.exe	String found in binary or memory: jp-ocr-b-add
Source: PlanSwift.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: PlanSwift.exe	String found in binary or memory: ISO_6937-2-add
Source: PlanSwift.exe	String found in binary or memory: application/vnd.groove-help
Source: PlanSwift.exe	String found in binary or memory: application/vnd.adobe.air-application-installer-package+zip
Source: PlanSwift.exe	String found in binary or memory: application/x-install-instructions

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

File read: C:\Users\user\Desktop\ps11.0.0.129pro.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp

Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

graph_5-67

Source: unknown	Process created: C:\Users\user\Desktop\ps11.0.0.129pro.exe "C:\Users\user\Desktop\ps11.0.0.129pro.exe"
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp "C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp" /SL5="$20410,54471570,58368,C:\Users\user\Desktop\ps11.0.0.129pro.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp helper 105 0x3E4
Source: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /init
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" -o "Sample Plan"
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp "C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp" /SL5="$20410,54471570,58368,C:\Users\user\Desktop\ps11.0.0.129pro.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp helper 105 0x3E4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /init	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process created: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe "C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" -o "Sample Plan"	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: chilkatdelphixe.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: planswiftanalyticsservice.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: fpdfsdk.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wship6.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dspdf.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: gds32.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: icuuc30.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: icudt30.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ibxml.dll	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: chilkatdelphixe.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: planswiftanalyticsservice.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msimg32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: fpdfsdk.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wship6.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netprofm.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: npmproxy.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dspdf.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msftedit.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: gds32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: icuuc30.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: icudt30.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ibxml.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: fwbase.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: chilkatdelphixe.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: planswiftanalyticsservice.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msimg32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: fpdfsdk.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wship6.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: netprofm.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: npmproxy.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dspdf.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msftedit.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: gds32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: icuuc30.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: icudt30.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ibxml.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ieframe.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msiso.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: mshtml.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: srpapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: jscript9.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msimtf.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: mlang.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: uiautomationcore.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: d2d1.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dxcore.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Section loaded: uianimation.dll

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

File written: C:\Program Files (x86)\PlanSwift11\PERSIST.INI

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Window found: window name: TMainForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Automated click: I accept the agreement

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

File opened: C:\Windows\SysWOW64\Msftedit.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.CONSTRUCTCONNECT INC.PLANSWIFT SOFTWAREElectronic End User License AgreementNOTICE TO USER: This End User License Agreement ("Agreement") is a legal agreement. Please read the Agreement carefully before completing the installation process and using the Software. It provides a license to use the Software and contains warranty information and liability disclaimers. BY INSTALLING THE SOFTWARE YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. You ("Licensee") agree that this Agreement is like any written negotiated agreement signed by You. The Agreement is enforceable against You and any legal entity that obtains the Software and on whose behalf it is used. If You do not agree with the terms of this Agreement do not install or use the Software. The terms of this Agreement also apply to any Software upgrades patches modified versions Updates additions copies of the Software licensed to You by ConstructConnect or third parties and support services for the Software unless other terms accompany those items. If so those terms apply.1. Definitions"Licensee" means the entity that has purchased a license or licenses to use the Software."Licensor" means ConstructConnect Inc."Physical Server" means a computing device running an operating system on which other software or utilities are installed. The operating system runs directly on the hardware of the device not in an emulated or virtualized environment. A Virtual Server is not a Physical Server."Representative" means any representative of a Licensee whether employee agent independent contractor subcontractor or otherwise whom Licensee authorizes to access or use the Software on the Licensee's behalf."Reseller" means an authorized reseller of the Software in a Territory."Software" means (a) all of the information with which this Agreement is provided including but not limited to: (i) all software files and other computer files or information; (ii) sample and stock photographs images sounds clip art and other artistic works bundled with Software; and (iii) related explanatory written materials and files ("Documentation") and (b) any modified versions and copies of upgrades patches Updates and additions to such information provided to You by Licensor or third parties on behalf of Licensor at any time to the extent not provided under separate terms (collectively "Updates")."Territory" means a designated territory in which a Reseller has exclusive rights to distribute the Software."Updates" means those subsequent releases of the Software which are generally made available to compliant licensees of the Software who purchase them. Updates shall not include: (i) any releases enhancements functionality services or products that PlanSwift licenses separately or charges for separately; or (ii) an

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Addins\SwiftExcel

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dea351d9-e184-49ac-833f-c98a60d0ae27_is1

Jump to behavior

Source: ps11.0.0.129pro.exe

Static PE information: certificate valid

Source: ps11.0.0.129pro.exe

Static file information: File size 54814096 > 1048576

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: ps11.0.0.129pro.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Code function: 1_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450A28

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_00406A50 push 00406A8Dh; ret	0_2_00406A85
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_004093EC push 0040941Fh; ret	0_2_00409417
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: 0_2_004085B8 push ecx; mov dword ptr [esp], eax	0_2_004085BD
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00409DDC push 00409E19h; ret	1_2_00409E11
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0041A0B8 push ecx; mov dword ptr [esp], ecx	1_2_0041A0BD
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00452194 push ecx; mov dword ptr [esp], eax	1_2_00452199
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax	1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0040A2DF push ds; ret	1_2_0040A2E0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004605AC push ecx; mov dword ptr [esp], ecx	1_2_004605B0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00458848 push 00458880h; ret	1_2_00458878
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00410970 push ecx; mov dword ptr [esp], edx	1_2_00410975
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0049CD48 pushad ; retf	1_2_0049CD57
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00412DB8 push 00412E1Bh; ret	1_2_00412E13
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0040D2C8 push ecx; mov dword ptr [esp], edx	1_2_0040D2CA
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0040F828 push ecx; mov dword ptr [esp], edx	1_2_0040F82A
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004978C8 push ecx; mov dword ptr [esp], ecx	1_2_004978CD
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004878A0 push ecx; mov dword ptr [esp], ecx	1_2_004878A5
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00443930 push ecx; mov dword ptr [esp], ecx	1_2_00443934
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00479A30 push ecx; mov dword ptr [esp], edx	1_2_00479A31
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00459B60 push 00459BA4h; ret	1_2_00459B9C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00451FD0 push 00452003h; ret	1_2_00451FFB

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-J8M7F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-6IN84.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-P0OB4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Printing.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-M0JQ2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-S2ENC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Microsoft.Office.Tools.Common.v4.0.Utilities.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Sparkline.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-CPQJG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-NC4QM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraEditors.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsTokenService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-L2OVJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-LCN76.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Utils.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-H37KB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-03RG0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-3TOPV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-LF9SO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\is-4KI03.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-OF3B7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-UQKVV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Newtonsoft.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-GH56H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-38AFE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-BGR7A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsSwift_Excel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraLayout.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-P9DH3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-C6KMG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-S1QUV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\is-RQBTG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-KF882.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Images.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-H8F7U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-9TO3L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-LNG1S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-2UQDK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-RKMEQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelConnectService.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	File created: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-C5VI4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-453AR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-EI8K0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Data.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelImport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-9HNDC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\PsSwift_Excel.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-PAU3O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Pdf.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-1G665.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraTreeList.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-CD3K2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-R6F91.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-VD39V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-EVE0N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-B71FA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-2G38J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-UJ625.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-QSKEV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-7A7VE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	File created: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: FilemonClass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: RegmonClass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: FilemonClass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Window searched: window name: RegmonClass

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PlanSwift 11\PlanSwift 11.lnk

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_00422CEC
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0041815E IsIconic,SetWindowPos,	1_2_0041815E
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00418160
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0042466C IsIconic,SetActiveWindow,SetFocus,	1_2_0042466C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00424624 IsIconic,SetActiveWindow,	1_2_00424624
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418814
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	1_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00417A28 IsIconic,GetCapture,	1_2_00417A28
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00485AAC IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_00485AAC

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Code function: 1_2_0041F5A8 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F5A8

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Special instruction interceptor: First address: 2C91862 instructions caused by: Self-modifying code

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: E9A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: F720000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: F8A0000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: F8C0000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: EFC0000 memory commit \| memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: ED40000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: 10A80000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: 15230000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: 108C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: 16030000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: 10CB0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: 10CD0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: 10CF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: 16840000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: 16860000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Memory allocated: 15110000 memory reserve \| memory write watch

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-J8M7F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-6IN84.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-P0OB4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Printing.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-S2ENC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-M0JQ2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Microsoft.Office.Tools.Common.v4.0.Utilities.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Sparkline.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-CPQJG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsTokenService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraEditors.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-NC4QM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-L2OVJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-LCN76.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Utils.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-H37KB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-03RG0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-3TOPV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-LF9SO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\is-4KI03.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-OF3B7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Newtonsoft.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-UQKVV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-GH56H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-38AFE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-BGR7A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsSwift_Excel.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraLayout.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-P9DH3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-C6KMG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-S1QUV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\is-RQBTG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-KF882.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraEditors.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Images.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-9TO3L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-H8F7U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-LNG1S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-2UQDK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Utils.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelConnectService.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-RKMEQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-C5VI4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-453AR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-EI8K0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Data.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelImport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ru\is-9HNDC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\PsSwift_Excel.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-PAU3O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Pdf.v17.2.Core.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraTreeList.v17.2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraLayout.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-1G665.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-CD3K2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-R6F91.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-VD39V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-EVE0N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-B71FA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Printing.v17.2.Core.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-UJ625.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-2G38J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-7A7VE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Data.v17.2.resources.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-QSKEV.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5994

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	API coverage: 6.8 %
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	API coverage: 6.8 %
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	API coverage: 8.3 %

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00476DFC FindFirstFileA,FindNextFileA,FindClose,	1_2_00476DFC
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00453238 FindFirstFileA,GetLastError,	1_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0049ACD8 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_0049ACD8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: 1_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,	1_2_00463B44
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 7_2_0040E0C0 FindFirstFileW,FindClose,	7_2_0040E0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 7_2_0040DAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	7_2_0040DAEC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 9_2_0040E0C0 FindFirstFileW,FindClose,	9_2_0040E0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 9_2_0040DAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	9_2_0040DAEC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_00BAE0C0 FindFirstFileW,FindClose,	11_2_00BAE0C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_00BADAEC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	11_2_00BADAEC

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

Code function: 0_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_0040A050

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	Binary or memory string: TatVirtualMachines(<A
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	Binary or memory string: TatVirtualMachine
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TatVirtualMachines(<
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	Binary or memory string: TatVirtualMachines
Source: ps11.0.0.129pro.tmp, 00000001.00000003.2472918711.0000000000754000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\k
Source: PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TatVirtualMachineh=
Source: ps11.0.0.129pro.tmp, 00000001.00000003.2472918711.0000000000754000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ms
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	Binary or memory string: TatVirtualMachineh=A

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

API call chain: ExitProcess graph end node

graph_11-19234

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: regmonclass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: gbdyllo
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: procmon_window_class
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: ollydbg
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: filemonclass
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Process queried: DebugPort

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Code function: 7_2_00412F5A IsDebuggerPresent,

7_2_00412F5A

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Code function: 1_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450A28

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Code function: 11_2_03951467 GetProcessHeap,HeapAlloc,

11_2_03951467

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Code function: 1_2_0047A42C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_0047A42C

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Process created: C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp helper 105 0x3E4

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Code function: 1_2_0042F294 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

1_2_0042F294

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Code function: 1_2_0042E52C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E52C

Source: PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	Binary or memory string: Shell_TrayWnd
Source: PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndU

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Code function: 7_2_00407AD4 cpuid

7_2_00407AD4

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: GetLocaleInfoA,	0_2_00405694
Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe	Code function: GetLocaleInfoA,	0_2_004056E0
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: GetLocaleInfoA,	1_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Code function: GetLocaleInfoA,	1_2_00408A44
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	7_2_0040E218
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: EnumSystemLocalesW,	7_2_00412D32
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: GetLocaleInfoW,	7_2_00412DC2
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: GetLocaleInfoW,	7_2_00412DCA
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_0040D688
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	9_2_0040E218
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: EnumSystemLocalesW,	9_2_00412D32
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: GetLocaleInfoW,	9_2_00412DC2
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: GetLocaleInfoW,	9_2_00412DCA
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_0040D688
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	11_2_00BAE218
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_00BAD688

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Code function: 1_2_00458E58 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00458E58

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp

Code function: 1_2_00455DCC GetUserNameA,

1_2_00455DCC

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Code function: 7_2_00412EB2 GetTimeZoneInformation,

7_2_00412EB2

Source: C:\Users\user\Desktop\ps11.0.0.129pro.exe

Code function: 0_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

0_2_00404654

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_0395538C CkBinData_AppendEncoded,	11_2_0395538C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_039553C0 CkBinData_AppendEncodedSb,	11_2_039553C0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_039553FC CkBinData_AppendSb,	11_2_039553FC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955324 CkBinData_AppendBinary,	11_2_03955324
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_0395535C CkBinData_AppendBom,	11_2_0395535C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955280 CkBinData_getLastMethodSuccess,	11_2_03955280
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_039552A8 CkBinData_putLastMethodSuccess,	11_2_039552A8
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_039552D0 CkBinData_getNumBytes,	11_2_039552D0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_039552EC CkBinData_AppendBd,	11_2_039552EC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955214 CkBinData_Dispose,	11_2_03955214
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_0395520C CkBinData_Create,	11_2_0395520C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_0395579C CkBinData_WriteFile,	11_2_0395579C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955710 CkBinData_LoadFile,	11_2_03955710
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955740 CkBinData_RemoveChunk,	11_2_03955740
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955774 CkBinData_SecureClear,	11_2_03955774
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955684 CkBinData__getString,	11_2_03955684
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_039556A4 CkBinData_LoadBinary,	11_2_039556A4
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_039556DC CkBinData_LoadEncoded,	11_2_039556DC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_0395560C CkBinData_GetEncodedSb,	11_2_0395560C
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955648 CkBinData_GetString,	11_2_03955648
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955580 CkBinData__getEncoded,	11_2_03955580
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_039555A0 CkBinData_GetEncodedChunk,	11_2_039555A0
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_039555E4 CkBinData__getEncodedChunk,	11_2_039555E4
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955504 CkBinData_GetBinaryChunk,	11_2_03955504
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955544 CkBinData_GetEncoded,	11_2_03955544
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955494 CkBinData_ContentsEqual,	11_2_03955494
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_039554CC CkBinData_GetBinary,	11_2_039554CC
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_03955438 CkBinData_AppendString,	11_2_03955438
Source: C:\Program Files (x86)\PlanSwift11\PlanSwift.exe	Code function: 11_2_0395546C CkBinData_Clear,	11_2_0395546C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	21 Native API	1 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Windows Service	1 DLL Side-Loading	NTDS	147 System Information Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	13 Process Injection	2 Masquerading	LSA Secrets	651 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Modify Registry	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	341 Virtualization/Sandbox Evasion	DCSync	341 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	13 Process Injection	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ps11.0.0.129pro.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Data.v17.2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Images.v17.2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Pdf.v17.2.Core.dll (copy)	4%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Printing.v17.2.Core.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Sparkline.v17.2.Core.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.Utils.v17.2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraEditors.v17.2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraLayout.v17.2.dll (copy)	4%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\DevExpress.XtraTreeList.v17.2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelConnectService.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ExcelImport.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Microsoft.Office.Tools.Common.v4.0.Utilities.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\Newtonsoft.Json.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsService.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsSwift_Excel.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\PsTokenService.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Data.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Printing.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.Utils.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraEditors.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraLayout.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-2UQDK.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-38AFE.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-CD3K2.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-GH56H.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-KF882.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-LNG1S.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-R6F91.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\de\is-RKMEQ.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\PsSwift_Excel.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\en\is-4KI03.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Data.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Printing.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.Utils.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraEditors.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraLayout.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-03RG0.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-1G665.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-6IN84.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-9TO3L.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-C5VI4.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-CPQJG.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-EVE0N.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\es\is-L2OVJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-3TOPV.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-453AR.tmp	4%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-B71FA.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-C6KMG.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-EI8K0.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-H8F7U.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-J8M7F.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-LF9SO.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-M0JQ2.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-OF3B7.tmp	4%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-P9DH3.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-PAU3O.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-QSKEV.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-S1QUV.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-S2ENC.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\is-VD39V.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Data.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Pdf.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Printing.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Sparkline.v17.2.Core.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.Utils.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraEditors.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraLayout.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\DevExpress.XtraTreeList.v17.2.resources.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-2G38J.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-7A7VE.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-BGR7A.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-H37KB.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-LCN76.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-NC4QM.tmp	0%	ReversingLabs
C:\Program Files (x86)\PlanSwift11\Tools\SwiftExcel\ja\is-UJ625.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.innosetup.com/	0%	URL Reputation	safe
http://www.remobjects.com/psU	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
https://ldapauth.planswift.netU	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclResources.pas	0%	Avira URL Cloud	safe
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclBase.pas	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.5.2/jquery.fancybox.min.css	0%	Avira URL Cloud	safe
https://hub.planswift.com/hubfs/bid-boss.jpg	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnitVersioning.pas	0%	Avira URL Cloud	safe
https://share.planswift.comU	0%	Avira URL Cloud	safe
https://www.planswift.com/removelicense/	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclDateTime.pas	0%	Avira URL Cloud	safe
https://www.planswift.com	0%	Avira URL Cloud	safe
https://www.planswift.comU	0%	Avira URL Cloud	safe
https://share.planswift.com	0%	Avira URL Cloud	safe
http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=U	0%	Avira URL Cloud	safe
ftp://ftp.000010002000300040005000600070008000900110012001300140015001600170018001900210022002300240	0%	Avira URL Cloud	safe
https://www.planswift.com/requesttrial	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStringConversions.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclFileUtils.pas	0%	Avira URL Cloud	safe
https://www.planswift.com/purchase	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclCharsets.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclShell.pas	0%	Avira URL Cloud	safe
https://www.planswift.com/getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129&	0%	Avira URL Cloud	safe
https://hub.planswift.com/hs-fs/hub/2347101/hub_generated/template_assets/9927841831/1580250760790/Custom/page/Planswift_May2017-theme/Planswift_May2017-style.min.css	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclLogic.pas	0%	Avira URL Cloud	safe
https://www.planswift.com/status/	0%	Avira URL Cloud	safe
https://plugins.planswift.comU	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.8.0/slick.min.css	0%	Avira URL Cloud	safe
https://hub.planswift.com/hs-fs/hubfs/PS%20-%20Getting%20Started/Whats%20New%20in%20PlanSwift%C2%AE%2011.png?width=500&name=Whats%20New%20in%20PlanSwift%C2%AE%2011.png	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclRTTI.pas	0%	Avira URL Cloud	safe
https://ldapauth.planswift.net	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysInfo.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnicode.pas	0%	Avira URL Cloud	safe
https://www.fast-report.com	0%	Avira URL Cloud	safe
https://www.planswift.com/pricing	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclConsole.pas	0%	Avira URL Cloud	safe
http://www.planswift.com/activate/PlanSwiftActivation/	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMime.pas	0%	Avira URL Cloud	safe
http://www.fast-report.com	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclVclResources.pas	0%	Avira URL Cloud	safe
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	0%	Avira URL Cloud	safe
http://www.chilkatsoft.com/rssComponent.html	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMath.pas	0%	Avira URL Cloud	safe
https://www.planswift.com/eula/OpenU	0%	Avira URL Cloud	safe
https://hub.planswift.com/hs-fs/hub/2347101/hub_generated/template_assets/23959717271/1580250761785/HubUI-PlanSwift/assets/production.min.css	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclRegistry.pas	0%	Avira URL Cloud	safe
https://hub.planswift.com/hubfs/PS%20-%20Getting%20Started/spaceFrame_700.jpg	0%	Avira URL Cloud	safe
https://www.planswift.com/eula/	0%	Avira URL Cloud	safe
https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/Snmp.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclWin32.pas	0%	Avira URL Cloud	safe
https://www.planswift.com/activate/	0%	Avira URL Cloud	safe
https://www.planswift.com/sVideoURL/?psVideoID=	0%	Avira URL Cloud	safe
https://www.fast-report.comU	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSimpleXml.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/Jcl8087.pas	0%	Avira URL Cloud	safe
https://myaccount.planswift.com/password/emailU	0%	Avira URL Cloud	safe
https://myaccount.planswift.comU	0%	Avira URL Cloud	safe
http://www..com	0%	Avira URL Cloud	safe
https://www.planswift.com/support	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclGraphUtils.pas	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.8.0/slick-theme.css	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclAnsiStrings.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclIniFiles.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStrings.pas	0%	Avira URL Cloud	safe
https://planswift.com/support	0%	Avira URL Cloud	safe
https://plugins.planswift.com	0%	Avira URL Cloud	safe
https://www.planswift.com/sVideoURL/?psVideoID=U	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclAppInst.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysUtils.pas	0%	Avira URL Cloud	safe
https://myaccount.planswift.com/password/email	0%	Avira URL Cloud	safe
https://myaccount.planswift.com	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStreams.pas	0%	Avira URL Cloud	safe
http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclSecurity.pas	0%	Avira URL Cloud	safe
https://hub.planswift.com/getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129&	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSynch.pas	0%	Avira URL Cloud	safe
https://www.constructconnect.com/privacy-policy	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclWideStrings.pas	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.planswift.com	18.144.71.249	true	false	unknown
group1.sites.hscoscdn00.net	199.60.103.30	true	false	unknown
cdnjs.cloudflare.com	104.17.25.14	true	false	unknown
maxcdn.bootstrapcdn.com	104.18.11.207	true	false	unknown
hub.planswift.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.5.2/jquery.fancybox.min.css	false	Avira URL Cloud: safe	unknown
https://hub.planswift.com/hubfs/bid-boss.jpg	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129&	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.8.0/slick.min.css	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/status/	false	Avira URL Cloud: safe	unknown
https://hub.planswift.com/hs-fs/hub/2347101/hub_generated/template_assets/9927841831/1580250760790/Custom/page/Planswift_May2017-theme/Planswift_May2017-style.min.css	false	Avira URL Cloud: safe	unknown
https://hub.planswift.com/hs-fs/hubfs/PS%20-%20Getting%20Started/Whats%20New%20in%20PlanSwift%C2%AE%2011.png?width=500&name=Whats%20New%20in%20PlanSwift%C2%AE%2011.png	false	Avira URL Cloud: safe	unknown
https://hub.planswift.com/hubfs/PS%20-%20Getting%20Started/spaceFrame_700.jpg	false	Avira URL Cloud: safe	unknown
https://hub.planswift.com/hs-fs/hub/2347101/hub_generated/template_assets/23959717271/1580250761785/HubUI-PlanSwift/assets/production.min.css	false	Avira URL Cloud: safe	unknown
https://maxcdn.bootstrapcdn.com/font-awesome/4.6.3/css/font-awesome.min.css	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.8.0/slick-theme.css	false	Avira URL Cloud: safe	unknown
https://hub.planswift.com/getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129&	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://share.planswift.comU	PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://ldapauth.planswift.netU	PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclResources.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	ps11.0.0.129pro.exe, 00000000.00000000.1665343528.0000000000401000.00000020.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclDateTime.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/removelicense/	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	PlanSwift.exe, 00000007.00000003.2262470356.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000007.00000003.2337279134.00000000069E3000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2358261010.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2425201679.0000000006BB3000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclBase.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnitVersioning.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/requesttrial	PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.com	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://share.planswift.com	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.comU	PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=U	PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStringConversions.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/purchase	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
ftp://ftp.000010002000300040005000600070008000900110012001300140015001600170018001900210022002300240	PlanSwift.exe	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclCharsets.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclFileUtils.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclShell.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclLogic.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclRTTI.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://ldapauth.planswift.net	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://plugins.planswift.comU	PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclUnicode.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysInfo.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.innosetup.com/	ps11.0.0.129pro.tmp, ps11.0.0.129pro.tmp, 00000001.00000000.1666665834.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://www.planswift.com/activate/PlanSwiftActivation/	PlanSwift.exe, 00000009.00000003.2425793276.00000000065BD000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fast-report.com	PlanSwift.exe, 00000009.00000002.2432296214.0000000001981000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclConsole.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fast-report.com	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/pricing	PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclVclResources.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	ps11.0.0.129pro.exe, ps11.0.0.129pro.exe, 00000000.00000000.1665343528.0000000000401000.00000020.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMime.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chilkatsoft.com/rssComponent.html	PlanSwift.exe	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/Snmp.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclMath.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/eula/	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/eula/OpenU	PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclRegistry.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclWin32.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/activate/	PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/psU	ps11.0.0.129pro.exe, 00000000.00000003.1666090769.0000000002320000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1666302856.000000000210C000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000000.1666665834.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://www.planswift.com/sVideoURL/?psVideoID=	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://myaccount.planswift.com/password/emailU	PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://myaccount.planswift.comU	PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSimpleXml.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/Jcl8087.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www..com	PlanSwift.exe, 00000007.00000003.2266073890.00000000064FB000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2360641025.000000000668B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fast-report.comU	PlanSwift.exe, 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/support	PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000007.00000003.2256979397.0000000006D20000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.0000000006EB0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/vcl/JclGraphUtils.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclAnsiStrings.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclIniFiles.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStrings.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://planswift.com/support	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://plugins.planswift.com	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.planswift.com/sVideoURL/?psVideoID=U	PlanSwift.exe, 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSysUtils.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclAppInst.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://myaccount.planswift.com/password/email	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	ps11.0.0.129pro.exe, 00000000.00000003.1666090769.0000000002320000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1666302856.000000000210C000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, ps11.0.0.129pro.tmp, 00000001.00000000.1666665834.0000000000401000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
https://myaccount.planswift.com	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclStreams.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.planswift.com/swifttube/player/SwiftTubePlayer2.swf?VID=	PlanSwift.exe, PlanSwift.exe, 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://www.constructconnect.com/privacy-policy	ps11.0.0.129pro.exe, 00000000.00000003.1665694428.0000000002320000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.1665762973.00000000020F8000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.2483568739.00000000020F8000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.exe, 00000000.00000003.2483442313.00000000020F4000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.1667380568.0000000002228000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2310510471.0000000003464000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.1948604214.000000000078B000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.1667307291.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2477022758.0000000002228000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2252827367.0000000003464000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2471290854.000000000346C000.00000004.00000020.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2473431795.0000000002224000.00000004.00001000.00020000.00000000.sdmp, ps11.0.0.129pro.tmp, 00000001.00000003.2472399532.0000000000769000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclSynch.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/windows/JclSecurity.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/trunk/jcl/source/common/JclWideStrings.pas	PlanSwift.exe, 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.18.11.207	maxcdn.bootstrapcdn.com	United States	13335	CLOUDFLARENETUS	false
18.144.71.249	www.planswift.com	United States	16509	AMAZON-02US	false
199.60.103.30	group1.sites.hscoscdn00.net	Canada	23181	QUICKSILVER1CA	false
104.17.25.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500780
Start date and time:	2024-08-28 22:39:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ps11.0.0.129pro.exe
Detection:	SUS
Classification:	sus34.evad.winEXE@14/1587@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.184.234, 142.250.186.163
Excluded domains from analysis (whitelisted): fonts.googleapis.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: ps11.0.0.129pro.exe

Simulations

Behavior and APIs

Time	Type	Description
16:41:47	API Interceptor	242x Sleep call for process: splwow64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.18.11.207	http://googlle.com	Get hash	malicious	Unknown	Browse	maxcdn.bootstrapcdn.com/font-awesome/4.1.0/fonts/fontawesome-webfont.woff?v=4.1.0
	https://city-of-goodyear.webnode.page/	Get hash	malicious	Unknown	Browse	maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap-theme.min.css
	http://Voyages.CNTraveler.com	Get hash	malicious	Unknown	Browse	maxcdn.bootstrapcdn.com/font-awesome/4.3.0/fonts/fontawesome-webfont.woff2?v=4.3.0
	http://185.67.82.114	Get hash	malicious	Unknown	Browse	maxcdn.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js
	SecuriteInfo.com.Exploit.Siggen3.17149.4489.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.3543.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.3543.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.24514.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.12724.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
	SecuriteInfo.com.Exploit.Siggen3.17149.8245.xls	Get hash	malicious	Unknown	Browse	netdna.bootstrapcdn.com/font-awesome/3.2.1/css/font-awesome.css?ver=3.2.1
199.60.103.30	https://accountservicing.com/e3t/Ctc/2H+113/ccl-Y04/VVqYcj9d1pTLW16y89n4DRlWxW1xTZ7Q5jxmFNN5BW0Sj3qgyTW7Y8-PT6lZ3n-W7K16HT7thx4hV6kpN06fVkc-W7yxLrN95hXZjW4rblJ-6TSnSZW65gGqH4W43v4N3_YsqT-3YKYVxfV2W58G73YW3cFwVC8ny83jW8Fz12N8-V0SmW5SSzp43rM_L2W245fnt8p94jMW4PPrDY6Cb9HjW2Zf9wL3lKcTbW61Hhz233pYyDW5Qh4rN5z3QrwW1QwY5K38F8JxW433Jj716pqBlW5WlHSd1QR2ZcVsdP_h6JX3RcW6YQskh3NNSGKW9hbgq820G9QVW4RCZ8N3hkwKQW6Ykd0p7cQ_DrW48gHN96lLqMFW4402zd4Vsz0kW8KJCq78P_VX-f5RrgHM04	Get hash	malicious	Unknown	Browse
	https://jpmchase.secure.virtru.com/start/?c=experiment&t=emailtemplate2019-09&s=cb.fraud.support%40jpmorgan.com&p=4f79d996-936e-4d5d-a540-5defd22d4f2e#v=3.0.0&d=https%3A%2F%2Fapi.virtru.com%2Fstorage%2Fapi%2Fpolicies%2F4f79d996-936e-4d5d-a540-5defd22d4f2e%2Fdata%2Fmetadata&dk=I5EC7descIWFFylbdh6NmXQ7qAI3%2BubbOr64PfYZWaU%3D	Get hash	malicious	Unknown	Browse
	https://jpmchase.secure.virtru.com/start/?c=experiment&t=emailtemplate2019-09&s=noreplies.sua%40jpmchase.com&p=961fc2d4-d54b-4e27-b0ef-85377d25ec3e#v=3.0.0&d=https%3A%2F%2Fapi.virtru.com%2Fstorage%2Fapi%2Fpolicies%2F961fc2d4-d54b-4e27-b0ef-85377d25ec3e%2Fdata%2Fmetadata&dk=yarD3Ypd4wo8DD0GDaxf%2B35bfyFVndHAJ4GCt3tZfRQ%3D	Get hash	malicious	Unknown	Browse
	https://equifax.secure.virtru.com/start/?c=experiment&t=emailtemplate2019-09&s=dcsdataquality%40equifax.com&p=dd344d89-e9f0-4ad2-b235-09d9246d1e0f#v=3.0.0&d=https%3A%2F%2Fapi.virtru.com%2Fstorage%2Fapi%2Fpolicies%2Fdd344d89-e9f0-4ad2-b235-09d9246d1e0f%2Fdata%2Fmetadata&dk=6iPNYDhOZu4bgqt2whRHwXK7U%2FAD3%2BLSMPIUpzwYeKw%3D	Get hash	malicious	Unknown	Browse
	https://jpmchase.secure.virtru.com/start/?c=experiment&t=emailtemplate2019-09&s=cb.fraud.support40jpmorgan.com&p=fa9cd416-f12d-4ca6-9ede-e6b8c83c4a51v=3.0.0&d=https3A2F2Fapi.virtru.com2Fstorage2Fapi2Fpolicies2Ffa9cd416-f12d-4ca6-9ede-e6b8c83c4a512Fdata2Fmetadata&dk=yMl90AuSQMEzRCCwV9qeqdksefzqpu7fga3Wagk8u4I3D__;JSMlJSUlJSUlJSUl!!HkjQSg!0uP8FiMYlk3jO60MGS9hLQK-DpGcqhK4tP28hlMpQJ50EIQ5fdHAiEOfq-YjCoK5Zdcyv2Co3yyd4yCft4FhvBrIEKP9$	Get hash	malicious	Unknown	Browse
	https://api.virtru.com/accounts/email-activation?linkId=6a354426-d14b-461c-9068-d631a3772906-99eaadf1-1535-4926-b117-94d72b1cdf72&loginRedirectUrl=https://jpmchase.secure.virtru.com/secure-reader&userId=supplies@stinsons.com&senderEmail=noreplies.sua@jpmchase.com&c=E,1,GJLSrPtvth0tvKAsk9Y8SirlbwhoEVEruSrOswYM_LloAIiVFwyhuRHy64qpEnuVb816Gf3-lgJ8eHDKwE1BYzbKlN_iUmGn6C8RtrX3Te-ZHW3l4Q,,&typo=1	Get hash	malicious	Unknown	Browse
	https://info.virtualhealth.com/e3t/Ctc/GB+113/cmmfD04/VWRD9T8N6WzjN8MJTHvTlRp-W842MfZ5g9NL_N6-TN-l3qgyTW7Y8-PT6lZ3mfW56Rjx787zhFxW4_YPND6r6flrW4BlJlg1DphdCVWC28Z4PpMbRW6GGMRN2bfpFdW7hSWPP6KFbcRW4PBy7c6n3dRqN7ztR5NtV-d9W1y6F6Z799h-lN1ZbvtmQ73TLW5ShFj48-W2NPW1L2f016vN6bSW45yp6K7Xp_V9W1fy0nl6xLNR_N5n9x3txmtWFN2nZ6w9QgWwJW1rlxcq4rmPQZW2D31f_3FjFXjN7D51x8lx574V_S2G96X3V3rW3xJHsh5zkBZjW6M_Gg24KcjVwW2wm07P9jh6znVyVtyJ6VBB3ZW80wlHc6H0YX2W1stJK56XtGc2f45z9Cx04	Get hash	malicious	Unknown	Browse
	https://equifax.secure.virtru.com/start/?c=experiment&t=emailtemplate2019-09&s=twn_noreply%40equifax.com&p=d5b52cbc-0569-42e0-86cf-8416889c1b1d#v=3.0.0&d=https%3A%2F%2Fapi.virtru.com%2Fstorage%2Fapi%2Fpolicies%2Fd5b52cbc-0569-42e0-86cf-8416889c1b1d%2Fdata%2Fmetadata&dk=CSTBBNbTEYumPZCavpjONtXXrHKWZsLJITyIS27OqaA%3D	Get hash	malicious	Unknown	Browse
	https://www.wealthguff.com/readme.html	Get hash	malicious	HTMLPhisher	Browse
	https://tracking.arbolus.com/u/gIKFUa0YUMyAXVmBzVV5WY2QkI/i02bj5CbpFWbnBUO3UzMxIXZtFmc0R3bjNnI/	Get hash	malicious	Unknown	Browse
104.17.25.14	http://tvchd.com	Get hash	malicious	Unknown	Browse	cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.4/webfonts/fa-solid-900.woff2

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cdnjs.cloudflare.com	https://07d6b6-35.myshopify.com/pages/enternal/#1aWdvYmVsaUBoaWxjb3JwLmNvbQ0=	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.17.24.14
	Play_VMNow-GlobalpCOINC.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	phish_alert_iocp_v1.4.48 (43).eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://shorturl.at/1l4Xw	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://pub-6a08b05596ae4c139f14fc7b92eb075c.r2.dev/NewOneDrive78.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://fb1f1d-d3.myshopify.com/pages/fb1f1d-d3-scanning#0YnJhbmRpLnRyeW9uQGFjYWRlbWljcGFydG5lcnNoaXBzLmNvbQ0=	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.17.24.14
	https://www.linkedin.com/redir/redirect?url=https://assets-usa.mkt.dynamics.com/2143bba1-f463-ef11-a66d-6045bd003910/digitalassets/standaloneforms/3d28dcfa-8464-ef11-bfe2-0022480a9151&urlhash=OzMH&trk=article-ssr-frontend-pulse_little-text-block	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://oh3y.ulvantiro.su/82xG/	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://www.linkedin.com/redir/redirect?url=https://assets-usa.mkt.dynamics.com/da18b4d8-ef63-ef11-a66d-002248282d21/digitalassets/standaloneforms/c645fb5a-f963-ef11-bfe3-7c1e52023edb&urlhash=Dt1u&trk=article-ssr-frontend-pulse_little-text-block	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	roquette.com PURCHASE ORDER.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
maxcdn.bootstrapcdn.com	https://shorturl.at/1l4Xw	Get hash	malicious	HTMLPhisher	Browse	104.18.10.207
	https://link.edgepilot.com/s/9af6615e/9PTSwESci0mLBHHjcB2qKA?u=https://niverapaints.com/	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://cb1cd44761364cecb21c459c42a86757.svc.dynamics.com/t/t/oIX7RshqCPFFtVxUphHklxDHFg31zySxgRv75vmlL2Yx/ipf8JYDu9fTBRLVxBJ5f98zUiqcPZCqXAj98vZXuDQkx	Get hash	malicious	Unknown	Browse	104.18.11.207
	Documents_27-08.html	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://berajpaints.com.pk/tag/dolor/	Get hash	malicious	Unknown	Browse	104.18.11.207
	Proforma.Invoice.Payment.$$.html	Get hash	malicious	Unknown	Browse	104.18.10.207
	https://zngw.officeinvoicedoc.com/DhpuI	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://tekrollindustrial.com.br/wp-includes/kr.html#kh.jang@hyundaimovex.com	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://autoiothiatowers.web.app/0.05389702077273273	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://pub-4fc2ac5871b646109dbe90ceb8933125.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	104.18.10.207
group1.sites.hscoscdn00.net	https://share-eu1.hsforms.com/1sGud63SnQn2lKl1OUCRCgwfc604	Get hash	malicious	HTMLPhisher	Browse	199.60.103.226
	https://share-eu1.hsforms.com/1sGud63SnQn2lKl1OUCRCgwfc604	Get hash	malicious	HTMLPhisher	Browse	199.60.103.226
	https://share.hsforms.com/1fZer32exQtCYcCHJONVWXQcwuve	Get hash	malicious	HTMLPhisher	Browse	199.60.103.226

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://07d6b6-35.myshopify.com/pages/enternal/#1aWdvYmVsaUBoaWxjb3JwLmNvbQ0=	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.17.25.14
	Play_VMNow-GlobalpCOINC.html	Get hash	malicious	HTMLPhisher	Browse	172.67.206.58
	https://ca.docusign.net/Signing/EmailStart.aspx?a=1cdabf46-ff5a-4450-ae28-4b5293077687&etti=24&acct=938a1226-4cc2-4b96-95f9-d33be464ae6b&er=5b95ae4e-7414-40c0-b9fc-e2de228fcc1b	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://leembal.com.mx	Get hash	malicious	Unknown	Browse	104.18.95.41
	http://www.de-blizzard.com	Get hash	malicious	Unknown	Browse	104.18.86.42
	phish_alert_iocp_v1.4.48 (43).eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://www.chessmetrics.com/cm/DL/DL9.html	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	x64_installer__v4.5.6.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
AMAZON-02US	https://ca.docusign.net/Signing/EmailStart.aspx?a=1cdabf46-ff5a-4450-ae28-4b5293077687&etti=24&acct=938a1226-4cc2-4b96-95f9-d33be464ae6b&er=5b95ae4e-7414-40c0-b9fc-e2de228fcc1b	Get hash	malicious	Unknown	Browse	52.32.246.233
	GMP Architecture MailBox System shared _PROPOSAL REQUEST PORTAL_ with you.eml	Get hash	malicious	Unknown	Browse	13.227.219.36
	http://www.de-blizzard.com	Get hash	malicious	Unknown	Browse	18.238.248.46
	phish_alert_iocp_v1.4.48 (43).eml	Get hash	malicious	HTMLPhisher	Browse	13.32.145.9
	http://www.chessmetrics.com/cm/DL/DL9.html	Get hash	malicious	Unknown	Browse	54.69.173.176
	https://ca.docusign.net/Signing/EmailStart.aspx?a=f73cd823-d46e-4c1d-9aa7-a3313bd2d402&etti=24&acct=9d2cdf2a-d1fa-4c66-83f5-9dd312af890e&er=68a0e22a-40d9-446a-8837-385c38bcc4d8	Get hash	malicious	Unknown	Browse	18.244.28.50
	Ad#U043ebe_Activator.exe	Get hash	malicious	LummaC	Browse	185.166.143.50
	https://link.edgepilot.com/s/9af6615e/9PTSwESci0mLBHHjcB2qKA?u=https://niverapaints.com/	Get hash	malicious	Unknown	Browse	13.227.219.70
	Bonus_Acknowledgment_Letter.docx	Get hash	malicious	Unknown	Browse	34.252.40.201
	https://www.scribd.com/document/762765489/Advice-Notification#fullscreen&from_embed	Get hash	malicious	Unknown	Browse	18.239.18.124
CLOUDFLARENETUS	https://07d6b6-35.myshopify.com/pages/enternal/#1aWdvYmVsaUBoaWxjb3JwLmNvbQ0=	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.17.25.14
	Play_VMNow-GlobalpCOINC.html	Get hash	malicious	HTMLPhisher	Browse	172.67.206.58
	https://ca.docusign.net/Signing/EmailStart.aspx?a=1cdabf46-ff5a-4450-ae28-4b5293077687&etti=24&acct=938a1226-4cc2-4b96-95f9-d33be464ae6b&er=5b95ae4e-7414-40c0-b9fc-e2de228fcc1b	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://leembal.com.mx	Get hash	malicious	Unknown	Browse	104.18.95.41
	http://www.de-blizzard.com	Get hash	malicious	Unknown	Browse	104.18.86.42
	phish_alert_iocp_v1.4.48 (43).eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://www.chessmetrics.com/cm/DL/DL9.html	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	x64_installer__v4.5.6.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
QUICKSILVER1CA	https://d4g6kw04.na1.hubspotlinks.com/Ctc/I9+113/d4G6KW04/VVDXvw2129f7W9lgpSl3-BQgwW4125np5kh8PvN1n_9Xx5kBl-W50kH_H6lZ3lBW5xCLbK6c416cW6G0HMx6QhV7VVrZqSG3HBKSjV6wDNg4ZyZn6W7_FTpm1dqZm4W723tVM4rftccW3vWlSp1wGvTJW2zXXwV1X740xN1t2gyvnMRlqW7JdFVP1Ty-FHN3Fp_ww3m7TdW66_q2r1Q3VwtW7Dpks077Qf8bM1V49whQ40NW6RphCp8kpt1HV_HZcV84HKmBW5lF7ZC61FD66W73XZV57GJ9ZkVDMN0b9hXGx2W8dysfm3qm-8VMZTWKPM6VCVW6l8ws98dhwKqW4Z2gzl8fZ601N7pH1zqJ5vZ5N90-353vPlZ7VD24xR8Rht6PVyTztF65g6ScN24XQrJRlvxMW20qlrM4TTNP7W6Lc5vQ43Pq7NW32bHwR84HFLgVgWx3d5S85nlf8gcVNq04	Get hash	malicious	Unknown	Browse	199.60.103.31
	http://scratchpay.referralrock.com	Get hash	malicious	Unknown	Browse	199.60.103.29
	http://scratchpay.com	Get hash	malicious	Unknown	Browse	199.60.103.29
	https://shared.outlook.inky.com/link?domain=urldefense.proofpoint.com&t=h.eJxVUE2PmzAU_CsrDpxK-AazEuqyS5JqE9Jmg9IoF8sYQ0jABtvANlX_eyGHSr08vfdmNKOZ30rPa-X5SblI2YpnXZ_OnBSECrJoOWNFyyoqF5g1-mDN4Nc-fFA1O4KwRFT2dJq3nuLqhjh5UCEcW82KK4rrPicCtqxhMJtYAjYVJVDNw3hMVtGo4pD067OQGKVxXQ9Vs9yBzL-e-Nh9L7TBjeBb3pb0WFRVkqg8fIXd7u7ffby-lqdsKIVxMQ7yLfnx06k3JzJoxLu6EBvQitQmBGP3vi9cfgCb66cZO4BdtpvOWtXYGjbgWwnPbZWIAzp3MoW_Rin2BMS7Na8OOydFGVNFCCInhbL-vBDf-xg-_KPdrtDyCMHyvt5v35k2bFPZs9fs7KgkVL48Kbe5TUok42Uhfd-37CDQy4JP8QvG5cu_DdFcMCoe3XrIJ7nrBHaW2aZrmJ4BDDezPexlhmvngW5OOi5wbDdYmLMLebigehJgL-guCUZNM0vNYD6D_z3__AXAcKQ4.MEUCIB-PNKp_9-d3drOD5owphdjbOwtYz5OQxdgeN5g2hPNUAiEAleTizC6zi0EZIypSMBPG6kkRYgzdslitxgPkKL9II8M	Get hash	malicious	Unknown	Browse	199.60.103.2
	https://accountservicing.com/e3t/Ctc/2H+113/ccl-Y04/VVqYcj9d1pTLW16y89n4DRlWxW1xTZ7Q5jxmFNN5BW0Sj3qgyTW7Y8-PT6lZ3n-W7K16HT7thx4hV6kpN06fVkc-W7yxLrN95hXZjW4rblJ-6TSnSZW65gGqH4W43v4N3_YsqT-3YKYVxfV2W58G73YW3cFwVC8ny83jW8Fz12N8-V0SmW5SSzp43rM_L2W245fnt8p94jMW4PPrDY6Cb9HjW2Zf9wL3lKcTbW61Hhz233pYyDW5Qh4rN5z3QrwW1QwY5K38F8JxW433Jj716pqBlW5WlHSd1QR2ZcVsdP_h6JX3RcW6YQskh3NNSGKW9hbgq820G9QVW4RCZ8N3hkwKQW6Ykd0p7cQ_DrW48gHN96lLqMFW4402zd4Vsz0kW8KJCq78P_VX-f5RrgHM04	Get hash	malicious	Unknown	Browse	199.60.103.51
	AnyDesk.msi	Get hash	malicious	Unknown	Browse	199.60.103.28
	https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=VEPAnwijpUm87o3xy8ND1cJ8xINveHJMur3NEXJwuyVUMDZRQTJTMVUyUVRBUkdRRE1IQU5RTlpQNi4u	Get hash	malicious	HTMLPhisher	Browse	199.60.103.28
	(No subject) (43).eml	Get hash	malicious	Unknown	Browse	199.60.103.2
	AnyDesk.msi	Get hash	malicious	Unknown	Browse	199.60.103.28
	https://discovery.silvercloudhealth.com/signup/start/?code=9429330ddb3ea414c097c290e79322a8fc29edc7	Get hash	malicious	Unknown	Browse	199.60.103.2

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fed8d14fc5a67b40cd470ba239019785	5CxmQXL0LD.exe	Get hash	malicious	SystemBC	Browse	199.60.103.30 18.144.71.249
	RqrQG7s66x.dll	Get hash	malicious	Unknown	Browse	199.60.103.30 18.144.71.249
	RqrQG7s66x.dll	Get hash	malicious	Unknown	Browse	199.60.103.30 18.144.71.249
	f552fGDYQS.exe	Get hash	malicious	Socks5Systemz	Browse	199.60.103.30 18.144.71.249
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.18.11.207 199.60.103.30 104.17.25.14
	x64_installer__v4.5.6.msi	Get hash	malicious	Unknown	Browse	104.18.11.207 199.60.103.30 104.17.25.14
	Ad#U043ebe_Activator.exe	Get hash	malicious	LummaC	Browse	104.18.11.207 199.60.103.30 104.17.25.14
	file.exe	Get hash	malicious	Meduza Stealer	Browse	104.18.11.207 199.60.103.30 104.17.25.14
	file.exe	Get hash	malicious	Meduza Stealer	Browse	104.18.11.207 199.60.103.30 104.17.25.14
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.18.11.207 199.60.103.30 104.17.25.14
	0eyaBVo6tq.msi	Get hash	malicious	Unknown	Browse	104.18.11.207 199.60.103.30 104.17.25.14
	2ANivMQUch.msi	Get hash	malicious	Unknown	Browse	104.18.11.207 199.60.103.30 104.17.25.14
	NmJ4sVw68P.msi	Get hash	malicious	Unknown	Browse	104.18.11.207 199.60.103.30 104.17.25.14
	7Mr3U9Zd5W.msi	Get hash	malicious	Unknown	Browse	104.18.11.207 199.60.103.30 104.17.25.14

Process:	C:\Users\user\AppData\Local\Temp\is-HJDMM.tmp\ps11.0.0.129pro.tmp
File Type:	XML 1.0 document, ASCII text, with very long lines (954), with CRLF line terminators
Category:	dropped
Size (bytes):	6284
Entropy (8bit):	5.108886176656682
Encrypted:	false
SSDEEP:	96:kAz3qd2uI0MdOM2Wbd/ul0MdOM3bdwz0MdOMKebcwk0MdOMNMqbddy0MdOMrbddz:BdOzdOZdOXdOEMLdOvgdObZdO6dOsCd
MD5:	064897F8A4AB5A4EAAD98F71F2769994
SHA1:	9675608380259871523E40FA8529A0FA6F02492B
SHA-256:	BD704248CF74A6CE2818D43409881CFE7583A873F1E98F21C88D33B49EEF04DC
SHA-512:	C76243FD9EEE596B32CB417AEFD5E07565E2B0545EC0B60328CA4AA84D871D733B628F5BD8BEF1EF1E0E7624B7FA7B5FA64193D5C701990BD49B950D638DBC22
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="iso-8859-1"?>..<Item Class="Item" Name="Additional Help" GUID="{16E3A938-C463-48D8-AE99-1C57D688842F}">.. <Properties>.. <Property Class="Text" GUID="{8CBBCC61-5F73-44A0-9AA3-72A81DFCFF33}" Name="Name" inheritaction="" calculatebefore="0" inherited="False" input="True" inputcondition="" locked="False" hidden="False" systemlocked="False" systemhidden="False" required="True" units="" inputunits="" group="Item" PullFrom="" OrderIndex="0" Adjust="" ListType="Simple List" SimpleList="" List="" ListResultColumn="" TreeList="" ListFromProperty="False" ListShowSearch="False" ListColumnAutoWidth="False" ListVisibleColumnsInDropdown="" ListPropertiesToSet="" ListShowOnlyTypes="" ListReturnFullPath="False" ListShow1Level="False" PluginToExecute="" PluginToExecuteButtonCaption="" Expression="0" RememberValue="0" ToolHint="">Additional Help</Property>.. <Property Class="Type" GUID="{15330163-EE6B-4527-A3C0-43036726ADBB}" Name="Type" inheritaction="" calculatebef

Process:	C:\Program Files (x86)\PlanSwift11\PlanSwift.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (1336), with CRLF line terminators
Category:	dropped
Size (bytes):	17556
Entropy (8bit):	5.696128453610658
Encrypted:	false
SSDEEP:	192:26g2VPzXUc0W+NF8dvmp1+547hoodC50yaXwhJ17rPUW7MzJXOFF8IMaBR5sV:2eLXthmYMtOrPyzJOX6V
MD5:	A7FC1046CA40B0B214C4BD03D013F70F
SHA1:	4BCF2A09637C82743E228B7A057FCFB95BD9EA70
SHA-256:	4BBFC9B7B949F24B9D1628EA4E901A82620EA1539DA589826470E2FBCC12CB87
SHA-512:	D04CCF8FEA5B720F4C435C04C0A23AA6E630121DC1720B9334F734E7216C79702CAF31F2A1FEB7537852577C93D93D581D6324D2AED04522D06F35CD69B78AA4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<Item Class="Settings" Name="Settings" GUID="{A4856C53-A1F1-4E3A-88E0-D49EDFC4D231}">.. <Properties>.. <Property Class="Text" GUID="{8F9BB0CD-8826-493D-AFF9-B394C9537968}" Name="Name" inheritaction="Ignore" input="True" required="True" group="Item" OrderIndex="0" DecimalPlaces="">Settings</Property>.. <Property Class="Image" GUID="{604AE5E6-6631-4B26-B826-172EB09FE220}" Name="Icon" group="Item" OrderIndex="1" DecimalPlaces="" List="cmbList" Transparent="False" ImageType="TdxPNGImage" ImageData="iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAACXBIWXMAAAsBAAALAQE2cE9bAAACxklEQVQ4T22Sa0zSURjG/7np6lNrWlZzuFUWoNZybtk018KZlU2cJLRMVFAhG4hCwyJMSJO8LktRiBTF2WVLydoyJ2CmIiKSl1pTFK/N9UE/ZTfe/tBASc7228553vd53p2dgwCAR8JPxew+eSaOceL0WZKnuhOPoh1xeXU4i1fwg8MXTDg1/6Cj3pt77GxsEMSLlJL+LJ6YpA7G45JSU6l91vkF0Gh7v4eEhJRFR0czKVSaJZZ46YjHgGwWJ11UWg5pGXTA43GQy8lDZYDxiUkgEGIgMjIKikruA/emc

Process:	C:\Users\user\Desktop\ps11.0.0.129pro.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	718848
Entropy (8bit):	6.516324966510223
Encrypted:	false
SSDEEP:	12288:cqIRz+f+ui8TrPO37fzH4A63RRwDNtuXUZERvDrNMRdT9Taslb0GtzCOpFyxyR:hIZg+uiirPO37fzH4A6haDzcUZEIdT95
MD5:	5ED68C2D50F4232A83D39C41722BC908
SHA1:	EB1ABA1A0406C34FD9601E7C2E61FCAFD0376D7A
SHA-256:	DE17FCE3B4BC0E4B95D25EBFB98E6FB97098AA96153973CB16585793CA23901B
SHA-512:	006E8131A50C9D79E654AB9D6D5A2467A5230205D82F43C2E5CE49FF011D163ED01CCD2182D6B99C2BD1422B81C8E70DD187DA3118423BF1E359A7A42B109C1C
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.........................................@.......................................@......@..............................2&...........................................................@......................................................CODE.... ........................... ..`DATA....D...........................@...BSS......................................idata..2&.......(..................@....tls.........0...........................rdata.......@......................@..P.reloc.......P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................

Entrypoint:	0x40aad0
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	2fb819a19fe4dee5c03e8c6a79342f79

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	01/03/2023 00:00:00 28/02/2026 23:59:59
Subject Chain	CN="ConstructConnect, Inc.", O="ConstructConnect, Inc.", L=Cincinnati, S=Ohio, C=US
Version:	3
Thumbprint MD5:	586B3871E283983668E2AFCE9FD55F9B
Thumbprint SHA-1:	6F9296A617BDE8B5BBDD7CE3B48863D01A33DEFA
Thumbprint SHA-256:	7159CF6018A711D5EF3A3BFFB2BE9E5634B60A9346B3BE15A7BDE333770FA534
Serial:	0A9F66FA7F8798F17CF9F01CACCA424E

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe000	0x97c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x34453d0	0x11c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x10000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0xa208	0xa400	49513e676dadfb3919c4b137dd7c6d66	False	0.5959413109756098	data	6.6016742350943245	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xc000	0x250	0x400	0a7b48e75f6b6ef4a087528fee0d185c	False	0.30859375	data	2.771347682604831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xd000	0xe94	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xe000	0x97c	0xa00	df5f31e62e05c787fd29eed7071bf556	False	0.41796875	data	4.486076246232586	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xf000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x10000	0x18	0x200	14dfa4128117e7f94fe2f8d7dea374a0	False	0.05078125	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x11000	0x920	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x2c00	0x2c00	b520d4d57d6bb2631641bcab729029e5	False	0.33460582386363635	data	4.606450540099942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1247c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x129e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x12ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x13574	0x2f2	data			0.35543766578249336
RT_STRING	0x13868	0x30c	data			0.3871794871794872
RT_STRING	0x13b74	0x2ce	data			0.42618384401114207
RT_STRING	0x13e44	0x68	data			0.75
RT_STRING	0x13eac	0xb4	data			0.6277777777777778
RT_STRING	0x13f60	0xae	data			0.5344827586206896
RT_RCDATA	0x14010	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x1403c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1407c	0x4f4	data	English	United States	0.2870662460567823
RT_MANIFEST	0x14570	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 22:41:53.795352936 CEST	54816	53	192.168.2.4	1.1.1.1
Aug 28, 2024 22:41:53.830765009 CEST	53	54816	1.1.1.1	192.168.2.4
Aug 28, 2024 22:41:57.131422997 CEST	51798	53	192.168.2.4	1.1.1.1
Aug 28, 2024 22:41:57.310945988 CEST	53	51798	1.1.1.1	192.168.2.4
Aug 28, 2024 22:41:59.683242083 CEST	64668	53	192.168.2.4	1.1.1.1
Aug 28, 2024 22:41:59.689754963 CEST	53	64668	1.1.1.1	192.168.2.4
Aug 28, 2024 22:41:59.923715115 CEST	64777	53	192.168.2.4	1.1.1.1
Aug 28, 2024 22:41:59.930620909 CEST	53	64777	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-08-28 20:41:55 UTC	154	OUT	POST /status/ HTTP/1.1 Content-Type: multipart/form-data; boundary=------------000001050802010608020008 Host: www.planswift.com Content-Length: 375
2024-08-28 20:41:55 UTC	87	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 30 30 30 30 30 31 30 35 30 38 30 32 30 31 30 36 30 38 30 32 30 30 30 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 61 74 61 22 0d 0a 0d 0a Data Ascii: --------------000001050802010608020008Content-Disposition: form-data; name="data"
2024-08-28 20:41:55 UTC	244	OUT	Data Raw: 61 64 64 68 6d 64 62 62 69 6c 69 6e 61 6e 6f 62 69 6f 70 62 68 6e 63 67 67 62 67 62 70 6d 68 69 63 6e 6a 66 6d 67 6b 6f 70 63 6f 6f 68 6b 63 62 63 6d 65 6a 6d 66 6b 62 70 6f 69 66 69 67 61 65 67 63 6d 6a 61 66 6c 70 6c 69 68 69 6d 70 63 6e 69 6c 66 64 6c 66 69 62 6e 61 68 70 66 62 69 69 6d 63 6b 64 6c 62 6a 67 63 66 70 69 61 65 6b 70 64 66 62 66 69 63 70 6b 64 68 6e 67 6d 64 70 6d 6a 64 67 69 69 68 69 67 68 69 6a 67 69 65 64 6f 6e 66 69 6d 61 64 61 6c 6a 65 6f 64 69 68 6b 6e 6e 6f 64 66 68 6c 61 69 63 65 64 6a 6d 6b 65 6f 6b 68 6e 6e 6e 66 61 6a 6d 67 6b 6d 6a 6d 6d 63 6b 68 62 64 64 6e 65 6d 6f 62 61 66 70 70 61 70 63 6a 6a 70 6d 64 69 61 69 68 64 6d 6e 6c 6c 6a 69 67 6a 6e 67 63 64 6d 66 68 68 6f 62 68 6e 6d 63 69 66 6c Data Ascii: addhmdbbilinanobiopbhncggbgbpmhicnjfmgkopcoohkcbcmejmfkbpoifigaegcmjaflplihimpcnilfdlfibnahpfbiimckdlbjgcfpiaekpdfbficpkdhngmdpmjdgiihighijgiedonfimadaljeodihknnodfhlaicedjmkeokhnnnfajmgkmjmmckhbddnemobafppapcjjpmdiaihdmnlljigjngcdmfhhobhnmcifl
2024-08-28 20:41:55 UTC	2	OUT	Data Raw: 0d 0a Data Ascii:
2024-08-28 20:41:55 UTC	42	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 30 30 30 30 30 31 30 35 30 38 30 32 30 31 30 36 30 38 30 32 30 30 30 38 2d 2d 0d 0a Data Ascii: --------------000001050802010608020008--
2024-08-28 20:41:56 UTC	263	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 20:41:54 GMT Server: Apache X-Powered-By: PHP/5.5.9-1ubuntu4.21 Cache-Control: max-age=2592000 Expires: Fri, 27 Sep 2024 20:41:54 GMT Vary: User-Agent Content-Length: 12 Connection: close Content-Type: text/html
2024-08-28 20:41:56 UTC	12	IN	Data Raw: 52 45 53 55 4c 54 3d 54 52 55 45 0a Data Ascii: RESULT=TRUE

Timestamp	Bytes transferred	Direction	Data
2024-08-28 20:41:56 UTC	364	OUT	GET /getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip Host: www.planswift.com
2024-08-28 20:41:57 UTC	364	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 28 Aug 2024 20:41:55 GMT Server: Apache Location: https://hub.planswift.com/getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& Cache-Control: max-age=2592000 Expires: Fri, 27 Sep 2024 20:41:55 GMT Content-Length: 328 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-08-28 20:41:57 UTC	328	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 75 62 2e 70 6c 61 6e 73 77 69 66 74 2e 63 6f 6d 2f 67 65 74 74 69 6e 67 2d 73 74 61 72 74 65 64 2d 76 69 65 77 65 72 3f 6c 69 63 65 6e 73 65 54 79 70 65 3d 56 69 65 77 65 72 26 61 6d 70 3b 65 64 69 74 69 6f Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://hub.planswift.com/getting-started-viewer?licenseType=Viewer&editio

Timestamp	Bytes transferred	Direction	Data
2024-08-28 20:41:57 UTC	364	OUT	GET /getting-started-viewer?licenseType=Viewer&edition=Professional&version=11.0.0.129& HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip Host: hub.planswift.com
2024-08-28 20:41:58 UTC	1318	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 20:41:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store, no-cache, must-revalidate Last-Modified: Tue, 27 Aug 2024 00:08:13 GMT Link: </hs/hsstatic/cos-i18n/static-1.53/bundles/project.js>; rel=preload; as=script Strict-Transport-Security: max-age=31536000 Content-Security-Policy: upgrade-insecure-requests Edge-Cache-Tag: CT-45535632183,P-2347101,L-26579302320,W-1577943125483,W-1582317355899,W-1584039041720,W-1619544208046,W-1707932649488,CW-19235975964,CW-21621814999,CW-23959717279,E-23959717268,E-23959717269,E-23959717271,E-23959717273,E-23959717276,E-9927841831,PGS-ALL,SW-0 Referrer-Policy: no-referrer-when-downgrade X-HS-Cache-Config: BrowserCache-5s-EdgeCache-0s X-HS-Cache-Control: s-maxage=10800, max-age=0 X-HS-CF-Cache-Status: HIT X-HS-Content-Campaign-Id: 78641952-4343-4e94-b4b8-1a70ec13b0cc X-HS-Content-Id: 45535632183 X-HS-Hub-Id: 2347101 X-HS-Prerendered: two-phase;Tue, 27 Aug 2024 00:08:12 GMT Set-Cookie: __cf_bm=nFmJFGuY4.MIs3NTbQ4LKHUtpZYF9eNsbncK4aKjQA0-1724877717-1.0.1.1-z.yA7CXYuEVAIlAu.OMRsC7tU3BJcBnKCrdlQ8yuw9ha4FhthHo5ac7SHXwJCEZc6Pe1e5oeRFpiqQEB5kagJQ; path=/; expires=Wed, 28-Aug-24 21:11:57 GMT; domain=.hub.planswift.com; HttpOnly; Secure; SameSite=None
2024-08-28 20:41:58 UTC	558	IN	Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 73 4b 4b 54 4f 66 59 63 58 44 50 62 79 49 71 30 4b 53 42 54 46 4b 37 66 34 44 49 54 32 48 56 5a 59 37 6b 36 50 35 54 42 4e 6b 62 35 52 6a 38 4a 68 35 6b 30 63 57 52 55 4c 76 6c 39 59 43 4a 6a 62 59 71 35 38 56 59 56 77 4c 36 59 32 4b 25 32 42 43 4c 73 61 50 52 42 25 32 42 62 6c 67 46 6a 31 56 68 6e 25 32 46 67 25 32 42 39 6c 71 45 25 32 46 46 6a 64 44 66 25 32 42 75 36 54 45 38 31 31 38 73 4f 6a 38 6b 25 32 46 41 4c 64 41 39 70 4a 58 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sKKTOfYcXDPbyIq0KSBTFK7f4DIT2HVZY7k6P5TBNkb5Rj8Jh5k0cWRULvl9YCJjbYq58VYVwL6Y2K%2BCLsaPRB%2BblgFj1Vhn%2Fg%2B9lqE%2FFjdDf%2Bu6TE8118sOj8k%2FALdA9pJX"}],"group":"cf-nel","max_age":
2024-08-28 20:41:58 UTC	1369	IN	Data Raw: 37 35 34 34 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 6c 74 2d 69 65 38 20 6c 74 2d 69 65 37 22 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 20 6c 74 2d 69 65 38 22 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 20 20 20 20 20 20 20 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6c 74 2d 69 65 39 22 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 7544<!doctype html>...[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en" > <![endif]-->...[if IE 7]> <html class="no-js lt-ie9 lt-ie8" lang="en" > <![endif]-->...[if IE 8]> <html class="no-js lt-ie9" lang="en" >
2024-08-28 20:41:58 UTC	1369	IN	Data Raw: 70 65 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 3a 30 70 78 20 30 70 78 20 30 70 78 20 30 70 78 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 30 70 78 20 30 70 78 20 30 70 78 7d 2e 68 73 2d 62 72 65 61 64 63 72 75 6d 62 2d 6d 65 6e 75 2d 69 74 65 6d 7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 20 30 70 78 20 31 30 70 78 20 31 30 70 78 7d 2e 68 73 2d 62 72 65 61 64 63 72 75 6d 62 2d 6d 65 6e 75 2d 64 69 76 69 64 65 72 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 27 e2 80 ba 27 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 31 30 70 78 7d 2e 68 73 2d 66 65 61 74 75 72 65 64 2d 69 6d 61 67 65 2d 6c 69 6e 6b 7b 62 6f 72 64 65 72 3a 30 7d 2e 68 73 2d 66 65 61 74 75 72 65 64 2d 69 6d 61 67 65 7b 66 6c 6f 61 74 3a 72 69 67 68 74 3b 6d 61 72 67 69 6e Data Ascii: pe:none;margin:0px 0px 0px 0px;padding:0px 0px 0px 0px}.hs-breadcrumb-menu-item{float:left;padding:10px 0px 10px 10px}.hs-breadcrumb-menu-divider:before{content:'';padding-left:10px}.hs-featured-image-link{border:0}.hs-featured-image{float:right;margin
2024-08-28 20:41:58 UTC	1369	IN	Data Raw: 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a 3d 64 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 73 29 2c 64 6c 3d 6c 21 3d 27 64 61 74 61 4c 61 79 65 72 27 3f 27 26 6c 3d 27 2b 6c 3a 27 27 3b 6a 2e 61 73 79 6e 63 3d 74 72 75 65 3b 6a 2e 73 72 63 3d 0a 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 2f 67 74 6d 2e 6a 73 3f 69 64 3d 27 2b 69 2b 64 6c 3b 66 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 6a 2c 66 29 3b 0a 7d 29 28 77 69 6e 64 6f 77 2c 64 6f 63 75 6d 65 6e 74 2c 27 73 63 72 69 70 74 27 2c 27 64 61 74 61 4c 61 79 65 72 27 2c 27 47 54 4d 2d 4d 43 46 4e 48 34 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 20 45 6e 64 20 Data Ascii: .getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-MCFNH4');</script>... End
2024-08-28 20:41:58 UTC	1369	IN	Data Raw: 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 28 61 64 73 62 79 67 6f 6f 67 6c 65 20 3d 20 77 69 6e 64 6f 77 2e 61 64 73 62 79 67 6f 6f 67 6c 65 20 7c 7c 20 5b 5d 29 2e 70 75 73 68 28 7b 0a 20 20 20 20 67 6f 6f 67 6c 65 5f 61 64 5f 63 6c 69 65 6e 74 3a 20 22 63 61 2d 70 75 62 2d 37 33 32 38 33 33 32 32 37 32 30 32 34 31 34 32 22 2c 0a 20 20 20 20 65 6e 61 62 6c 65 5f 70 61 67 65 5f 6c 65 76 65 6c 5f 61 64 73 3a 20 74 72 75 65 0a 20 20 7d 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 20 45 6e 64 20 47 6f 6f 67 6c 65 20 41 64 53 65 6e 73 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 4d 61 72 6b 65 74 6f 20 4d 75 6e 63 68 6b 69 6e 20 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 21 66 75 6e 63 74 69 Data Ascii: /script><script> (adsbygoogle = window.adsbygoogle \|\| []).push({ google_ad_client: "ca-pub-7328332272024142", enable_page_level_ads: true });</script>... End Google AdSense -->... Marketo Munchkin <script type="text/javascript">!functi
2024-08-28 20:41:58 UTC	1369	IN	Data Raw: 2f 39 39 32 37 38 34 31 38 33 31 2f 31 35 38 30 32 35 30 37 36 30 37 39 30 2f 43 75 73 74 6f 6d 2f 70 61 67 65 2f 50 6c 61 6e 73 77 69 66 74 5f 4d 61 79 32 30 31 37 2d 74 68 65 6d 65 2f 50 6c 61 6e 73 77 69 66 74 5f 4d 61 79 32 30 31 37 2d 73 74 79 6c 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 75 62 2e 70 6c 61 6e 73 77 69 66 74 2e 63 6f 6d 2f 68 73 2d 66 73 2f 68 75 62 2f 32 33 34 37 31 30 31 2f 68 75 62 5f 67 65 6e 65 72 61 74 65 64 2f 74 65 6d 70 6c 61 74 65 5f 61 73 73 65 74 73 2f 32 33 39 35 39 37 31 37 32 37 31 2f 31 35 38 30 32 35 30 37 36 31 37 38 35 2f 48 75 62 55 49 2d 50 6c 61 6e 53 77 69 66 74 2f 61 73 73 65 74 73 2f 70 72 6f 64 75 63 74 Data Ascii: /9927841831/1580250760790/Custom/page/Planswift_May2017-theme/Planswift_May2017-style.min.css"><link rel="stylesheet" href="https://hub.planswift.com/hs-fs/hub/2347101/hub_generated/template_assets/23959717271/1580250761785/HubUI-PlanSwift/assets/product
2024-08-28 20:41:58 UTC	1369	IN	Data Raw: 70 78 3b 0a 20 20 7d 0a 20 20 0a 20 20 0a 20 20 0a 20 20 61 2e 63 74 61 5f 62 75 74 74 6f 6e 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 34 36 70 78 21 69 6d 70 6f 72 74 61 6e 74 3b 20 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 20 0a 20 20 7d 0a 20 20 0a 20 20 20 20 2e 68 65 72 6f 2d 73 6c 69 64 65 72 20 61 2e 62 74 6e 20 7b 0a 20 20 20 20 62 6f 72 64 65 72 3a 20 30 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 39 70 78 20 34 32 70 78 20 31 36 70 78 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 7d 0a 20 20 0a 20 20 20 20 64 69 76 23 68 73 5f 63 6f 73 5f 77 72 61 70 70 65 72 5f 77 69 64 67 65 74 5f 31 35 37 37 39 34 33 31 32 35 34 38 33 20 7b 0a 20 20 20 20 64 69 73 70 Data Ascii: px; } a.cta_button { padding-bottom:46px!important; color: #fff!important; } .hero-slider a.btn { border: 0!important; padding: 19px 42px 16px!important; } div#hs_cos_wrapper_widget_1577943125483 { disp
2024-08-28 20:41:58 UTC	1369	IN	Data Raw: 66 6f 20 68 34 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 30 70 78 7d 0a 20 20 23 70 73 47 53 63 6f 6e 74 61 63 74 49 6e 66 6f 20 70 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 30 70 78 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 30 70 78 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 30 70 78 7d 0a 20 20 23 76 69 64 65 6f 54 75 74 49 6e 66 6f 20 3e 20 64 69 76 3a 6e 74 68 2d 63 68 69 6c 64 28 32 29 20 3e 20 64 69 76 3a 6e 74 68 2d 63 68 69 6c 64 28 31 29 20 3e 20 64 69 76 3a 6e 74 68 2d 63 68 69 6c 64 28 31 29 20 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 30 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 0a 23 76 69 64 65 6f 54 75 74 49 6e 66 6f 2e 73 65 63 Data Ascii: fo h4 {margin-top:0px;margin-bottom:0px} #psGScontactInfo p {margin-top:0px;margin-bottom:0px;padding-top:0px;padding-bottom:0px} #videoTutInfo > div:nth-child(2) > div:nth-child(1) > div:nth-child(1) {padding-bottom: 0px !important}#videoTutInfo.sec
2024-08-28 20:41:58 UTC	1369	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 28 66 61 6c 73 65 29 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 61 63 63 6f 75 6e 74 49 44 20 3d 20 67 65 74 51 75 65 72 79 56 61 72 69 61 62 6c 65 28 27 61 63 63 6f 75 6e 74 49 44 27 29 3b 0a 20 20 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 61 63 63 6f 75 6e 74 49 44 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 76 69 73 69 74 6f 72 49 44 20 3d 20 67 65 74 51 75 65 72 79 56 61 72 69 61 62 6c 65 28 27 76 69 73 69 74 6f 72 49 44 27 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 61 70 69 6b 65 79 20 3d 20 27 41 50 2d 59 44 44 32 4e 5a 48 4f 4b 38 52 58 2d 32 27 3b 20 2f 2f 67 65 74 51 75 65 72 79 56 61 72 69 61 62 6c 65 28 27 61 70 69 6b Data Ascii: return(false); } var accountID = getQueryVariable('accountID'); console.log(accountID); var visitorID = getQueryVariable('visitorID'); var apikey = 'AP-YDD2NZHOK8RX-2'; //getQueryVariable('apik
2024-08-28 20:41:58 UTC	1369	IN	Data Raw: 73 2d 70 61 67 65 20 22 20 73 74 79 6c 65 3d 22 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 2d 63 6f 6e 74 61 69 6e 65 72 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 2d 63 6f 6e 74 61 69 6e 65 72 20 63 6f 6e 74 61 69 6e 65 72 2d 66 6c 75 69 64 22 3e 0a 0a 0a 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 65 6e 64 20 68 65 61 64 65 72 20 2d 2d 3e 0a 3c 2f 64 69 76 3e 3c 21 2d 2d 65 6e 64 20 68 65 61 64 65 72 20 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 64 79 2d 63 6f 6e 74 61 69 6e 65 72 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 6f 64 79 2d 63 6f 6e 74 61 69 6e 65 72 20 63 6f 6e 74 61 69 6e 65 72 Data Ascii: s-page " style=""> <div class="header-container-wrapper"> <div class="header-container container-fluid"> </div>...end header --></div>...end header wrapper --><div class="body-container-wrapper"> <div class="body-container container

Timestamp	Bytes transferred	Direction	Data
2024-08-28 20:41:59 UTC	333	OUT	GET /hs-fs/hub/2347101/hub_generated/template_assets/23959717271/1580250761785/HubUI-PlanSwift/assets/production.min.css HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: hub.planswift.com Connection: Keep-Alive
2024-08-28 20:41:59 UTC	1366	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 20:41:59 GMT Content-Type: text/css Transfer-Encoding: chunked Connection: close CF-Ray: 8ba72012899b5e82-EWR CF-Cache-Status: HIT Age: 2734 Cache-Control: s-maxage=2592000, max-age=1209600, stale-while-revalidate=900,s-maxage=31536000, max-age=31536000 ETag: W/"b61d04c58751d53f129523762a1c1d46" Last-Modified: Tue, 28 Jan 2020 22:32:42 GMT Strict-Transport-Security: max-age=31536000 Vary: origin, Accept-Encoding Via: 1.1 936f33bed45438343f0ef2adff442814.cloudfront.net (CloudFront) Access-Control-Allow-Credentials: false Content-Security-Policy: upgrade-insecure-requests Timing-Allow-Origin: hub.planswift.com X-Amz-Cf-Id: x6IiOYQ5hrV2bL_92cUNRoznK-umdaorAbgfgH5B0Rhkh2xbn5IFlw== X-Amz-Cf-Pop: IAD89-C1 x-amz-id-2: WEH8y1aoeVieQgnjy7yKzppUxNVF/mWFQYt5ydIUaZ1GkHwnCbufAlZY0j9n9A+FfZdyIhcgVxk= x-amz-request-id: KX0RHVFMFF0WMZSZ x-amz-version-id: .k8CqpZABrfSHCTYGwsJcXuNyIlfCVPU X-Cache: Miss from cloudfront x-envoy-upstream-service-time: 232 x-evy-trace-listener: listener_https x-evy-trace-route-configuration: listener_https/all x-evy-trace-route-service-name: envoyset-translator x-evy-trace-served-by-pod: iad02/cms-hubfs-td/envoy-proxy-656644bdb-ts7f8 x-evy-trace-virtual-host: all X-HS-CF-Lambda: us-east-1.EnforceAclForReads 3 X-HS-CF-Lambda-Enforce: us-east-1.EnforceAclForReads 3
2024-08-28 20:41:59 UTC	916	IN	Data Raw: 78 2d 68 75 62 73 70 6f 74 2d 63 6f 72 72 65 6c 61 74 69 6f 6e 2d 69 64 3a 20 36 32 39 38 39 65 64 64 2d 36 66 33 38 2d 34 65 64 61 2d 61 34 66 35 2d 64 61 37 35 61 38 34 35 61 64 39 32 0d 0a 78 2d 72 65 71 75 65 73 74 2d 69 64 3a 20 36 32 39 38 39 65 64 64 2d 36 66 33 38 2d 34 65 64 61 2d 61 34 66 35 2d 64 61 37 35 61 38 34 35 61 64 39 32 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 5f 62 6d 3d 64 50 4c 57 59 44 65 4c 64 55 5a 4f 63 4a 72 35 6c 4f 56 66 70 30 35 49 61 6c 7a 67 41 33 46 63 79 41 4a 6f 47 46 42 6c 49 47 34 2d 31 37 32 34 38 37 37 37 31 39 2d 31 2e 30 2e 31 2e 31 2d 78 66 59 61 53 74 47 6d 33 65 57 75 4a 53 76 59 45 36 72 69 46 66 51 74 77 79 4c 69 53 37 4e 50 59 64 42 46 4e 69 54 37 67 30 31 42 33 61 4a 4d 35 4d 39 69 6f 70 49 61 Data Ascii: x-hubspot-correlation-id: 62989edd-6f38-4eda-a4f5-da75a845ad92x-request-id: 62989edd-6f38-4eda-a4f5-da75a845ad92Set-Cookie: __cf_bm=dPLWYDeLdUZOcJr5lOVfp05IalzgA3FcyAJoGFBlIG4-1724877719-1.0.1.1-xfYaStGm3eWuJSvYE6riFfQtwyLiS7NPYdBFNiT7g01B3aJM5M9iopIa
2024-08-28 20:41:59 UTC	1369	IN	Data Raw: 37 31 30 66 0d 0a 40 69 6d 70 6f 72 74 20 75 72 6c 28 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 66 61 6e 63 79 62 6f 78 2f 33 2e 35 2e 32 2f 6a 71 75 65 72 79 2e 66 61 6e 63 79 62 6f 78 2e 6d 69 6e 2e 63 73 73 22 29 3b 40 69 6d 70 6f 72 74 20 75 72 6c 28 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 73 6c 69 63 6b 2d 63 61 72 6f 75 73 65 6c 2f 31 2e 38 2e 30 2f 73 6c 69 63 6b 2d 74 68 65 6d 65 2e 63 73 73 22 29 3b 40 69 6d 70 6f 72 74 20 75 72 6c 28 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 73 6c 69 63 6b 2d 63 61 72 6f 75 73 65 Data Ascii: 710f@import url("https://cdnjs.cloudflare.com/ajax/libs/fancybox/3.5.2/jquery.fancybox.min.css");@import url("https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.8.0/slick-theme.css");@import url("https://cdnjs.cloudflare.com/ajax/libs/slick-carouse
2024-08-28 20:41:59 UTC	1369	IN	Data Raw: 6f 78 3b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 36 30 70 78 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 36 30 70 78 7d 2e 67 72 69 64 20 2e 68 73 5f 63 6f 73 5f 77 72 61 70 70 65 72 5f 74 79 70 65 5f 63 75 73 74 6f 6d 5f 77 69 64 67 65 74 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 70 78 7d 2e 67 72 69 64 2e 68 61 72 64 2c 2e 67 72 69 64 2e 68 61 72 64 2d 2d 73 69 64 65 73 7b 77 69 64 74 68 3a 31 30 30 25 20 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 3b 6d 61 72 67 69 6e 2d 6c 65 Data Ascii: ox;box-sizing:border-box;padding-top:60px;padding-bottom:60px}.grid .hs_cos_wrapper_type_custom_widget{font-size:0px}.grid.hard,.grid.hard--sides{width:100% !important;max-width:100% !important}.grid__item{display:inline-block;vertical-align:top;margin-le
2024-08-28 20:41:59 UTC	1369	IN	Data Raw: 38 2e 31 36 36 36 36 38 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 66 69 76 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 6c 65 66 74 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 66 69 76 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 72 69 67 68 74 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 33 39 2e 39 31 36 36 36 38 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 66 69 76 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 66 69 76 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 73 69 64 65 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 34 31 2e 36 36 36 36 36 38 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 73 69 78 2d 74 77 65 6c 66 74 68 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 34 36 2e Data Ascii: 8.166668% !important}.five-twelfths.hard--left.grid__item,.five-twelfths.hard--right.grid__item{width:39.916668% !important}.five-twelfths.hard.grid__item,.five-twelfths.hard--sides.grid__item{width:41.666668% !important}.six-twelfths.grid__item{width:46.
2024-08-28 20:41:59 UTC	1369	IN	Data Raw: 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 74 65 6e 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 73 69 64 65 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 38 33 2e 33 33 33 33 33 36 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 65 6c 65 76 65 6e 2d 74 77 65 6c 66 74 68 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 38 38 2e 31 36 36 36 36 34 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 65 6c 65 76 65 6e 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 6c 65 66 74 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 65 6c 65 76 65 6e 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 72 69 67 68 74 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 38 39 2e 39 31 36 36 36 34 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 65 Data Ascii: twelfths.hard.grid__item,.ten-twelfths.hard--sides.grid__item{width:83.333336% !important}.eleven-twelfths.grid__item{width:88.166664% !important}.eleven-twelfths.hard--left.grid__item,.eleven-twelfths.hard--right.grid__item{width:89.916664% !important}.e
2024-08-28 20:41:59 UTC	1369	IN	Data Raw: 5f 69 74 65 6d 7b 77 69 64 74 68 3a 32 33 2e 32 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6f 6e 65 2d 66 6f 75 72 74 68 2e 68 61 72 64 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 6f 6e 65 2d 66 6f 75 72 74 68 2e 68 61 72 64 2d 2d 73 69 64 65 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 32 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6f 6e 65 2d 66 69 66 74 68 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 31 36 2e 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6f 6e 65 2d 66 69 66 74 68 2e 68 61 72 64 2d 2d 6c 65 66 74 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 6f 6e 65 2d 66 69 66 74 68 2e 68 61 72 64 2d 2d 72 69 67 68 74 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 31 38 2e 32 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6f 6e 65 2d Data Ascii: _item{width:23.25% !important}.one-fourth.hard.grid__item,.one-fourth.hard--sides.grid__item{width:25% !important}.one-fifth.grid__item{width:16.5% !important}.one-fifth.hard--left.grid__item,.one-fifth.hard--right.grid__item{width:18.25% !important}.one-
2024-08-28 20:41:59 UTC	1369	IN	Data Raw: 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 32 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 64 65 73 6b 2d 66 6f 75 72 2d 74 77 65 6c 66 74 68 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 32 39 2e 38 33 33 33 33 34 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 64 65 73 6b 2d 66 6f 75 72 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 6c 65 66 74 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 64 65 73 6b 2d 66 6f 75 72 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 72 69 67 68 74 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 33 31 2e 35 38 33 33 33 34 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 64 65 73 6b 2d 66 6f 75 72 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 64 65 73 6b 2d 66 6f 75 72 2d 74 77 Data Ascii: s.grid__item{width:25% !important}.desk-four-twelfths.grid__item{width:29.833334% !important}.desk-four-twelfths.hard--left.grid__item,.desk-four-twelfths.hard--right.grid__item{width:31.583334% !important}.desk-four-twelfths.hard.grid__item,.desk-four-tw
2024-08-28 20:41:59 UTC	1369	IN	Data Raw: 72 64 2d 2d 73 69 64 65 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 36 36 2e 36 36 36 36 36 34 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 64 65 73 6b 2d 6e 69 6e 65 2d 74 77 65 6c 66 74 68 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 37 31 2e 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 64 65 73 6b 2d 6e 69 6e 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 6c 65 66 74 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 64 65 73 6b 2d 6e 69 6e 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 72 69 67 68 74 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 37 33 2e 32 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 64 65 73 6b 2d 6e 69 6e 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 64 65 73 6b 2d 6e Data Ascii: rd--sides.grid__item{width:66.666664% !important}.desk-nine-twelfths.grid__item{width:71.5% !important}.desk-nine-twelfths.hard--left.grid__item,.desk-nine-twelfths.hard--right.grid__item{width:73.25% !important}.desk-nine-twelfths.hard.grid__item,.desk-n
2024-08-28 20:41:59 UTC	1369	IN	Data Raw: 6d 7b 77 69 64 74 68 3a 31 30 30 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 64 65 73 6b 2d 6f 6e 65 2d 68 61 6c 66 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 34 36 2e 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 64 65 73 6b 2d 6f 6e 65 2d 68 61 6c 66 2e 68 61 72 64 2d 2d 6c 65 66 74 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 64 65 73 6b 2d 6f 6e 65 2d 68 61 6c 66 2e 68 61 72 64 2d 2d 72 69 67 68 74 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 34 38 2e 32 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 64 65 73 6b 2d 6f 6e 65 2d 68 61 6c 66 2e 68 61 72 64 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 64 65 73 6b 2d 6f 6e 65 2d 68 61 6c 66 2e 68 61 72 64 2d 2d 73 69 64 65 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 35 30 25 20 21 69 6d 70 Data Ascii: m{width:100% !important}.desk-one-half.grid__item{width:46.5% !important}.desk-one-half.hard--left.grid__item,.desk-one-half.hard--right.grid__item{width:48.25% !important}.desk-one-half.hard.grid__item,.desk-one-half.hard--sides.grid__item{width:50% !imp
2024-08-28 20:41:59 UTC	1369	IN	Data Raw: 2d 6f 6e 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 6c 65 66 74 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 6c 61 70 2d 6f 6e 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 72 69 67 68 74 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 36 2e 35 38 33 33 33 33 35 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6c 61 70 2d 6f 6e 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2e 67 72 69 64 5f 5f 69 74 65 6d 2c 2e 6c 61 70 2d 6f 6e 65 2d 74 77 65 6c 66 74 68 73 2e 68 61 72 64 2d 2d 73 69 64 65 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 38 2e 33 33 33 33 33 33 25 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 6c 61 70 2d 74 77 6f 2d 74 77 65 6c 66 74 68 73 2e 67 72 69 64 5f 5f 69 74 65 6d 7b 77 69 64 74 68 3a 31 33 2e 31 36 36 36 36 37 25 20 21 69 Data Ascii: -one-twelfths.hard--left.grid__item,.lap-one-twelfths.hard--right.grid__item{width:6.5833335% !important}.lap-one-twelfths.hard.grid__item,.lap-one-twelfths.hard--sides.grid__item{width:8.333333% !important}.lap-two-twelfths.grid__item{width:13.166667% !i

Timestamp	Bytes transferred	Direction	Data
2024-08-28 20:42:00 UTC	359	OUT	GET /hs-fs/hubfs/PS%20-%20Getting%20Started/Whats%20New%20in%20PlanSwift%C2%AE%2011.png?width=500&name=Whats%20New%20in%20PlanSwift%C2%AE%2011.png HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: hub.planswift.com Connection: Keep-Alive
2024-08-28 20:42:00 UTC	1250	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 20:42:00 GMT Content-Type: image/png Content-Length: 16955 Connection: close CF-Ray: 8ba7201719b643e3-EWR CF-Cache-Status: HIT Accept-Ranges: bytes Access-Control-Allow-Origin: * Cache-Control: s-maxage=2592000, max-age=1209600, stale-while-revalidate=900 ETag: "cfoHZ-l9nODwd-pJzhWgZ_FNK_iQ6hd_SV2P5CaOb0DQ:2eebde4d2e46b2dfed4fcd0402bc5ef9" Last-Modified: Fri, 15 Jul 2022 14:20:12 GMT Strict-Transport-Security: max-age=31536000 Vary: Accept Via: 1.1 05b3bdb53d1146d1176c185d2da0d530.cloudfront.net (CloudFront) cache-tag: F-79303452704,FD-26637824551,P-2347101,FLS-ALL cf-bgj: imgq:99,h2pri cf-resized: internal=ok/m q=0 n=166+33 c=1+32 v=2024.8.1 l=16955 f=false content-security-policy: default-src 'none'; navigate-to 'none'; form-action 'none'; upgrade-insecure-requests priority: u=4;i=?0,cf-chb=(37;u=2;i=?0 825;u=5;i=?0) Timing-Allow-Origin: d8fk70yj6xfhx.cloudfront.net x-content-type-options: nosniff Set-Cookie: __cf_bm=Fq32U5I2XsXHUG7WsSUSUcWJaItcYtUGxojtZcpu0nM-1724877720-1.0.1.1-td.i2LGP613LdQS5lvAqHMeo3wR0vNgg9RRg2T70NOGTvDX0T6vrBiz.eTw90Q64WpQ_._czEs8NtOek6zotTg; path=/; expires=Wed, 28-Aug-24 21:12:00 GMT; domain=.hub.planswift.com; HttpOnly; Secure; SameSite=None
2024-08-28 20:42:00 UTC	522	IN	Data Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 30 30 4b 63 4e 7a 6a 58 49 32 35 54 54 47 79 41 50 53 75 33 67 46 62 68 6d 70 38 4d 62 7a 70 54 57 32 7a 77 31 46 5a 56 36 33 43 48 75 41 41 78 63 47 45 79 69 35 4f 74 56 32 25 32 46 64 6b 6a 44 37 32 78 4d 4a 57 25 32 42 31 6d 66 4f 47 44 58 32 76 53 6c 75 6a 33 31 38 64 51 25 32 42 62 79 49 51 36 5a 62 39 68 71 55 74 48 6c 33 79 46 61 31 31 56 73 33 50 68 32 76 4c 32 45 49 45 62 55 47 57 25 32 46 78 61 6c 35 4b 6c 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=00KcNzjXI25TTGyAPSu3gFbhmp8MbzpTW2zw1FZV63CHuAAxcGEyi5OtV2%2FdkjD72xMJW%2B1mfOGDX2vSluj318dQ%2BbyIQ6Zb9hqUtHl3yFa11Vs3Ph2vL2EIEbUGW%2Fxal5Kl"}],"group":"cf-nel","max_age":604800
2024-08-28 20:42:00 UTC	966	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 f4 00 00 01 18 08 03 00 00 00 9d 8e f4 41 00 00 03 00 50 4c 54 45 ff ff ff 6d c5 ff 54 bb ff 6e 66 64 fe fe ff 00 61 ba 6f c6 ff f8 fc ff 54 bb fe ff ff fe 3b a0 ea 6b c4 ff 69 c3 ff 7b cb ff c9 ea ff 8d d2 ff f9 f9 fa 3b a0 ec ff fe fe ff ff fc 6e 65 64 fe fe fd 6c 66 66 ff ff fd fe ff ff fe ff fe ff fe ff 00 61 b9 fe fd fd 55 bc fe ff fe fc 6c 66 64 6c 67 64 3a 9f e9 6e 67 66 65 5e 5d 4b b8 ff fe fc fd 9d d8 ff fe fd fb ff fd ff 00 62 bb 6a 63 62 6a 64 63 6b 65 64 65 60 5f fe fd ff 67 62 62 69 68 65 3a a0 e9 50 b7 fc 00 61 be 68 61 60 6d 66 64 fd fe ff 55 bc ff 00 63 bd 3a 9f eb fd fe fc 6d 66 65 f4 fc ff a2 9e 9e 63 63 5f fe ff fd 66 65 63 f1 ef ee f6 f5 f4 69 67 65 60 5d 5c 00 5b b5 54 bb fd 7b Data Ascii: PNGIHDRAPLTEmTnfdaoT;ki{;nedlffaUlfdlgd:ngfe^]Kbjcbjdckede`_gbbihe:Paha`mfdUc:mfecc_fecige`]\[T{
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 40 b1 d0 19 28 16 3a 03 c5 42 67 a0 58 e8 0c 14 0b 9d 81 62 a1 33 50 2c 74 06 8a 85 ce 40 b1 d0 19 28 16 3a 03 c5 42 67 a0 58 e8 0c 14 0b 9d 81 62 a1 33 50 2c 74 06 8a 85 ce 40 b1 d0 19 28 16 3a 03 c5 42 67 a0 58 e8 0c 14 0b 9d 81 62 a1 33 50 2c 74 06 8a 85 ce 40 b1 d0 19 28 16 3a 03 c5 42 67 a0 58 e8 0c 14 0b 9d 81 62 a1 33 50 2c 74 06 8a 85 ce 40 b1 d0 19 28 16 3a 03 c5 42 67 a0 58 e8 0c 14 0b 9d 81 62 a1 33 50 2c 74 06 8a 85 ce 40 b1 d0 19 28 16 3a 03 c5 42 67 a0 58 e8 0c 14 0b 9d 81 62 a1 33 50 2c 74 06 8a 85 ce 40 b1 d0 19 28 16 3a 03 c5 42 67 a0 58 e8 0c 14 0b 9d 81 62 a1 33 50 2c 74 06 8a 85 ce 40 b1 d0 19 28 16 3a 03 c5 42 67 a0 58 e8 0c 14 0b 9d 81 62 a1 33 50 2c 74 06 8a 85 ce 40 b1 d0 19 28 16 3a 03 c5 42 67 a0 58 e8 0c 14 0b 9d 81 62 a1 33 50 Data Ascii: @(:BgXb3P,t@(:BgXb3P,t@(:BgXb3P,t@(:BgXb3P,t@(:BgXb3P,t@(:BgXb3P,t@(:BgXb3P,t@(:BgXb3P,t@(:BgXb3P
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: bf 78 f3 f0 53 3e 3e 3e 3e a7 86 6f de bc 69 ad 47 b4 d5 2d 3b 40 f7 f0 70 80 0e b0 fa df 8b 17 4f 5c eb 11 dd ca 7c f4 e2 cd 9b 37 6f 7e a3 97 47 b4 47 d0 fc cd 8b 87 cf f4 f1 f1 99 39 7c f1 e6 f9 41 ff 7d c6 0e 27 0e d2 c2 bc 35 72 8b e2 b2 ea aa 41 8c 25 87 e4 e5 e5 2d 1f 8b b9 39 5c e4 9c e5 13 26 4c 58 5e 85 3b 46 da 39 21 68 e9 f2 5c 80 aa e5 79 13 26 84 94 02 94 84 4c 98 90 57 a3 e5 70 38 fc c4 09 6d ca 9b ad e6 73 38 fc d8 62 eb ef 90 39 4f 9e 26 78 be 96 de b3 4e af d7 eb 74 aa f0 f0 70 ba 8f 00 92 ba f5 2f 9b e4 15 d5 b0 63 35 46 88 a4 c2 4e 8f 86 7d f2 d7 86 86 86 bf 5e 05 2e bc 79 f6 82 e7 4c 4f cf be 9e af 7a 7a fe dd c7 67 d4 0f d1 36 ea 4e d0 a3 ff fc 97 3f da 1f e3 cc ff 8e 1f 3f 7d 74 5b ab eb e8 53 7d 7d 7c 4e 6d 5e eb d1 b5 d7 e2 51 3e Data Ascii: xS>>>>oiG-;@pO\\|7o~GG9\|A}'5rA%-9\&LX^;F9!h\y&LWp8ms8b9O&xNtp/c5FN}^.yLOzzg6N??}t[S}}\|Nm^Q>
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 79 33 7f c8 ef 2c 75 73 0f 0f 8f e8 e9 3e af 22 cc a3 e6 3f b4 ca 86 d4 fd bb 1f 66 7a f6 dd 64 a9 ac db a0 fb 8c 9f d8 ab f5 80 41 37 68 e8 2d 87 56 83 42 48 63 90 09 54 15 a0 c4 71 11 25 c2 30 0c 23 08 02 c3 71 bf 9a 54 6f 6f 99 b6 2e 81 6b 03 81 25 c7 69 7c 63 8b f5 7c be 76 79 db d3 80 82 44 15 87 af 9b 15 89 db 43 c7 71 52 09 0b e5 81 34 74 92 94 4a 51 d1 86 32 b3 5a 59 30 47 d5 96 91 b3 e7 2c 74 66 2c b2 57 87 3c 9e 0c 3a e6 22 ca c2 71 e7 f7 8f ab 84 88 46 5d aa b7 77 a7 c0 03 39 1c 79 6d 09 1c db 3f 49 e2 ef 9f 29 71 77 f7 77 77 1f 3a e9 dd 6d 04 15 e6 ea 34 c8 7b 8c f0 ef ef ef 2e 91 b4 4c da d7 93 68 6b 70 f1 08 1a 3d bd 2f 0a e7 7c 36 af 8d f6 70 82 de b5 1d f4 b2 19 a8 b2 e7 b9 38 88 5e dd 6a e9 37 d6 da 12 b0 88 fa 74 04 3d f3 c1 77 44 02 06 Data Ascii: y3,us>"?fzdA7h-VBHcTq%0#qToo.k%i\|c\|vyDCqR4tJQ2ZY0G,tf,W<:"qF]w9ym?I)qwww:m4{.Lhkp=/\|6p8^j7t=wD
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: bf db b5 a7 74 0e dd c3 02 dd dd ff ad 37 a5 3c 0c 70 28 d4 6b d0 8b eb eb ab d2 d5 8e 8d b1 7b 0c 55 71 be be 1c fd 2c cb b3 c9 ad 10 08 04 46 34 77 40 69 9c 26 50 15 4b 4f 19 82 e3 55 28 1b 2d 4f 86 f6 d0 01 46 26 09 f8 fc e7 06 fd 97 a9 f3 57 a4 55 38 34 5f d3 79 7b cb 9c 10 07 d3 91 bc 35 9c 0b 94 79 6b e4 c5 f5 b0 eb d6 20 c9 50 1a b8 44 e2 e8 e4 25 ee ee 99 83 d6 fd 1c 2f 34 64 e0 f6 6d d5 34 74 ff 7e fd 26 bd 8e 1e 9e 83 7b f7 08 7a 03 d5 c3 fa 7a 8e 76 2c d3 bb 5a a1 67 fc ef e2 99 7f 7f d5 b3 ad 35 65 bc 23 f4 99 13 7b b5 45 ef ad 96 ee 8e dc bb a5 1b 43 55 40 30 1f 65 16 f8 1c bd be 62 59 a4 2d 24 32 a4 cd 52 69 04 ba 8a 12 c0 c1 60 28 d1 09 04 ba 59 31 00 78 d3 1a 7d a0 4c 9d 47 fb f0 a6 73 02 19 1a ce 80 91 ae a0 b7 0f e4 7e 65 d0 71 98 57 11 Data Ascii: t7<p(k{Uq,F4w@i&PKOU(-OF&WU84_y{5yk PD%/4dm4t~&{zzv,Zg5e#{ECU@0ebY-$2Ri`(Y1x}LGs~eqW
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: ed 44 41 37 8d f5 1a 45 7b 77 d4 37 d2 a1 69 75 34 ca bb be 4a 5b 7a eb d6 41 a8 69 75 fc df 1f 11 ba 9f d4 a9 cd 11 87 c8 5a 54 63 d7 d4 59 7b 32 25 27 c9 f8 be fa 98 9c 59 3a be 6a f0 bc d6 06 b8 ea 74 35 27 58 17 b1 28 56 2d 10 c8 2a 5d 40 a7 7f bb 80 5e 8a 72 be ea c4 45 4f 11 d0 13 40 17 ba b9 5c 8c e3 90 9d 18 2e e3 07 06 76 0e 5d 15 3b 12 da c6 7d e0 94 49 2a fc f1 f8 ff b3 d3 7f 39 8b 5e f2 ff fe 79 b5 9c ab 30 60 76 d0 1b b6 97 29 78 43 7e 67 f5 d7 5d 3d a2 d7 de a0 0d 1d 8d 59 70 82 ee 49 43 7f a3 97 5d 86 75 2d dd 89 e2 51 a1 93 ed a0 0b eb 1b f5 36 4b 47 ca a9 d1 f3 7d 35 a5 8b d4 7c be 7c 19 e0 36 a3 24 53 f4 1c 8d a6 ba 40 2e 10 68 53 72 7f 01 74 f4 b6 70 34 be 8f 3f 13 6c 7b 3d 01 74 37 83 6b ea 50 10 1b 1a d5 81 67 6f 83 ae f6 2d 84 b6 a9 Data Ascii: DA7E{w7iu4J[zAiuZTcY{2%'Y:jt5'X(V-]@^rEO@\.v];}I9^y0`v)xC~g]=YpIC]u-Q6KG}5\|\|6$S@.hSrtp4?l{=t7kPgo-
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 8e d4 a3 71 c7 aa 10 b0 6f 20 ae d5 ca 64 f4 a8 55 5a 23 93 04 c1 34 74 bb 0e e9 dc b4 46 b9 2f 82 8e 24 2f 7e cc e9 be ed f5 34 a1 27 2c 8c 4b ed a8 6e de 06 5d 37 38 19 72 43 e8 3b 90 69 b4 8d b9 80 e3 5c e1 a5 f7 1a dc 25 16 33 f7 f7 77 0d 7d e8 d0 96 f7 76 81 d9 4c 1a da 41 27 e0 d8 9e f7 c6 db 46 92 fb 9c 9a 7e 23 da c6 1c 75 97 b2 4c 50 f1 1a 5d 4f 43 f3 4b 0c b7 12 f7 f4 39 35 7d e2 7f 77 8d 8e 1e 8f d6 2f 5e 8b da dd 46 0f a7 37 6e 0f fd 94 8f a4 61 d2 ba 37 15 38 e4 26 67 a9 f4 6a be 46 23 43 43 8b 35 2a 7d 4a 36 cd b6 95 2e 59 28 d7 e9 55 fa f4 5c d4 2f de 2e 5b 5a 2d 57 e9 55 7a 6d b3 43 6f bf d9 46 95 4a 65 2c b6 fe 5a 68 d4 e9 74 f2 0a b0 6f b9 26 c5 b9 79 71 6a 0e 3d 6e 59 66 4c 79 cc 49 80 ed f5 14 a1 37 6d 14 a4 3e bc 3c d7 0f ce 86 c8 62 Data Ascii: qo dUZ#4tF/$/~4',Kn]78rC;i\%3w}vLA'F~#uLP]OCK95}w/^F7na78&gjF#CC5*}J6.Y(U\/.[Z-WUzmCoFJe,Zhto&yqj=nYfLyI7m><b
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 43 a7 a6 5f bb 16 60 8c 1a 87 2c bd 6d c0 06 8e 93 09 64 eb 2e 4e f3 07 d9 dd 0d a0 e6 59 ba 4f 4e 6c fb f7 12 55 56 3a 78 07 09 8c 70 9e 36 c1 a2 87 41 77 3d 92 45 64 f7 36 e4 66 c5 69 9c 4b 70 6f 6f e7 31 e8 f2 9a 1c a8 9c 6c 9d 68 48 e6 ed d4 21 de db 3b ce 3b 2a 2f 12 8e ee 1f e4 5c a0 37 dc ba 0a 24 e9 86 f2 d4 ce d0 09 d7 d0 2d a5 bb 5f eb d6 75 da 9a 5c 68 ca 45 8d 79 f6 55 21 3a 01 2e 12 41 69 54 f8 b4 85 69 d0 3c 21 3d 7d 81 e5 55 8e 6c cb b6 70 a1 a7 65 da 4f 37 00 73 1a 5d 1b 4b 8b 45 9d 5a e9 37 41 08 e6 26 eb 4a dc fa 0a 00 98 73 7b 02 98 71 18 67 9c 45 6f 56 32 38 29 b1 38 06 d2 0a 6b 42 47 36 d1 de d6 7a 48 6b 36 36 a2 a9 ed ef 48 45 eb 8a 5c 3b 32 b9 91 f4 4b 57 a0 4b 74 ea 29 87 59 eb 96 1d 3b 90 c7 80 de d1 e8 25 b1 ad c3 00 06 11 29 a9 Data Ascii: C_`,md.NYONlUV:xp6Aw=Ed6fiKpoo1lhH!;;*/\7$-_u\hEyU!:.AiTi<!=}UlpeO7s]KEZ7A&Js{qgEoV28)8kBG6zHk66HE\;2KWKt)Y;%)
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 4b cf 5a 98 0b b8 34 37 4e 9b 8c 76 1e 97 1a 9a 0c a4 82 28 0c 9d 16 81 61 d8 ec a4 e2 9e f5 59 aa d9 f5 52 fa 8b 89 24 0d 5d 49 41 b2 2e 60 51 5b 03 ca 22 9d 60 0e 1a a4 5c 52 a1 db 08 25 93 b5 68 72 e8 05 b1 de 95 64 e4 1a 63 1e 34 11 0b d2 03 d0 e5 c5 16 2f ab 5b 56 97 6e ac 83 ba f0 59 25 40 70 71 48 50 10 c9 a1 e9 25 dc d6 a7 e1 f2 2b 0f 5c 69 07 1f 7f 40 fd f9 5a 6b 34 4f 52 4f cf 39 17 15 20 08 76 ae 73 b7 85 70 c1 a8 01 d8 5b 5b 9b 0b 28 09 0e 05 d7 f4 0f 83 1e 2c d0 25 66 43 fe c9 75 0d 12 f7 96 41 1f 6d c3 30 3f 3f bf f6 b3 84 5a af 5d 64 8e 8c 8c 2c 2f cf 6d c2 1d 16 23 8b b7 ab 01 e1 cb e5 29 91 98 82 84 ea a4 80 1c 48 a8 95 67 41 a3 bc b8 d5 f3 8d 8b 0a 58 d0 e6 21 b3 8c b5 40 91 24 1e 93 18 50 0a 05 e1 a1 f3 40 2a 5d 18 7e ae 19 a8 d2 8a 00 Data Ascii: KZ47Nv(aYR$]IA.`Q["`\R%hrdc4/[VnY%@pqHP%+\i@Zk4ORO9 vsp[[(,%fCuAm0??Z]d,/m#)HgAX!@$P@*]~

Timestamp	Bytes transferred	Direction	Data
2024-08-28 20:42:00 UTC	267	OUT	GET /font-awesome/4.6.3/css/font-awesome.min.css HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: maxcdn.bootstrapcdn.com Connection: Keep-Alive
2024-08-28 20:42:00 UTC	917	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 20:42:00 GMT Content-Type: text/css; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding CDN-PullZone: 252412 CDN-Uid: b1941f61-b576-4f40-80de-5677acb38f74 CDN-RequestCountryCode: DE CDN-EdgeStorageId: 632 CDN-EdgeStorageId: 617 CDN-EdgeStorageId: 617 Last-Modified: Mon, 25 Jan 2021 22:04:55 GMT CDN-CachedAt: 2021-06-08 21:31:13 CDN-RequestPullSuccess: True CDN-RequestPullCode: 200 Cache-Control: public, max-age=31919000 timing-allow-origin: * cross-origin-resource-policy: cross-origin access-control-allow-origin: * x-content-type-options: nosniff CDN-RequestId: 5bb5196854d77b3b0bd1d55200ac7249 CDN-Status: 200 CDN-Cache: HIT CF-Cache-Status: HIT Age: 14533747 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Server: cloudflare CF-RAY: 8ba720177d600f70-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 20:42:00 UTC	452	IN	Data Raw: 37 31 38 37 0d 0a 2f 2a 21 0a 20 2a 20 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 34 2e 36 2e 33 20 62 79 20 40 64 61 76 65 67 61 6e 64 79 20 2d 20 68 74 74 70 3a 2f 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2e 69 6f 20 2d 20 40 66 6f 6e 74 61 77 65 73 6f 6d 65 0a 20 2a 20 20 4c 69 63 65 6e 73 65 20 2d 20 68 74 74 70 3a 2f 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2e 69 6f 2f 6c 69 63 65 6e 73 65 20 28 46 6f 6e 74 3a 20 53 49 4c 20 4f 46 4c 20 31 2e 31 2c 20 43 53 53 3a 20 4d 49 54 20 4c 69 63 65 6e 73 65 29 0a 20 2a 2f 40 66 6f 6e 74 2d 66 61 63 65 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 27 46 6f 6e 74 41 77 65 73 6f 6d 65 27 3b 73 72 63 3a 75 72 6c 28 27 2e 2e 2f 66 6f 6e 74 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 77 65 62 66 6f 6e 74 2e 65 6f 74 3f 76 3d 34 2e 36 Data Ascii: 7187/! Font Awesome 4.6.3 by @davegandy - http://fontawesome.io - @fontawesome * License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License) */@font-face{font-family:'FontAwesome';src:url('../fonts/fontawesome-webfont.eot?v=4.6
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 76 3d 34 2e 36 2e 33 27 29 20 66 6f 72 6d 61 74 28 27 77 6f 66 66 27 29 2c 75 72 6c 28 27 2e 2e 2f 66 6f 6e 74 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 77 65 62 66 6f 6e 74 2e 74 74 66 3f 76 3d 34 2e 36 2e 33 27 29 20 66 6f 72 6d 61 74 28 27 74 72 75 65 74 79 70 65 27 29 2c 75 72 6c 28 27 2e 2e 2f 66 6f 6e 74 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 77 65 62 66 6f 6e 74 2e 73 76 67 3f 76 3d 34 2e 36 2e 33 23 66 6f 6e 74 61 77 65 73 6f 6d 65 72 65 67 75 6c 61 72 27 29 20 66 6f 72 6d 61 74 28 27 73 76 67 27 29 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 7d 2e 66 61 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 3a 6e 6f 72 6d 61 6c 20 6e 6f 72 6d 61 6c 20 6e Data Ascii: v=4.6.3') format('woff'),url('../fonts/fontawesome-webfont.ttf?v=4.6.3') format('truetype'),url('../fonts/fontawesome-webfont.svg?v=4.6.3#fontawesomeregular') format('svg');font-weight:normal;font-style:normal}.fa{display:inline-block;font:normal normal n
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 61 6e 73 66 6f 72 6d 3a 72 6f 74 61 74 65 28 30 64 65 67 29 7d 31 30 30 25 7b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 72 6f 74 61 74 65 28 33 35 39 64 65 67 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 72 6f 74 61 74 65 28 33 35 39 64 65 67 29 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 66 61 2d 73 70 69 6e 7b 30 25 7b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 72 6f 74 61 74 65 28 30 64 65 67 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 72 6f 74 61 74 65 28 30 64 65 67 29 7d 31 30 30 25 7b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 72 6f 74 61 74 65 28 33 35 39 64 65 67 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 72 6f 74 61 74 65 28 33 35 39 64 65 67 29 7d 7d 2e 66 61 2d 72 6f 74 61 74 65 2d 39 30 7b 2d 6d 73 2d 66 69 6c 74 65 72 3a 22 70 72 6f 67 Data Ascii: ansform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}@keyframes fa-spin{0%{-webkit-transform:rotate(0deg);transform:rotate(0deg)}100%{-webkit-transform:rotate(359deg);transform:rotate(359deg)}}.fa-rotate-90{-ms-filter:"prog
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 75 74 65 3b 6c 65 66 74 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 66 61 2d 73 74 61 63 6b 2d 31 78 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 69 6e 68 65 72 69 74 7d 2e 66 61 2d 73 74 61 63 6b 2d 32 78 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 65 6d 7d 2e 66 61 2d 69 6e 76 65 72 73 65 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 66 61 2d 67 6c 61 73 73 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 30 30 22 7d 2e 66 61 2d 6d 75 73 69 63 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 30 31 22 7d 2e 66 61 2d 73 65 61 72 63 68 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 30 32 22 7d 2e 66 61 2d 65 6e 76 65 6c 6f 70 65 2d 6f 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c Data Ascii: ute;left:0;width:100%;text-align:center}.fa-stack-1x{line-height:inherit}.fa-stack-2x{font-size:2em}.fa-inverse{color:#fff}.fa-glass:before{content:"\f000"}.fa-music:before{content:"\f001"}.fa-search:before{content:"\f002"}.fa-envelope-o:before{content:"\
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 32 34 22 7d 2e 66 61 2d 68 65 61 64 70 68 6f 6e 65 73 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 32 35 22 7d 2e 66 61 2d 76 6f 6c 75 6d 65 2d 6f 66 66 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 32 36 22 7d 2e 66 61 2d 76 6f 6c 75 6d 65 2d 64 6f 77 6e 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 32 37 22 7d 2e 66 61 2d 76 6f 6c 75 6d 65 2d 75 70 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 32 38 22 7d 2e 66 61 2d 71 72 63 6f 64 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 32 39 22 7d 2e 66 61 2d 62 61 72 63 6f 64 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 32 61 22 7d 2e 66 61 2d 74 61 67 3a 62 65 66 6f 72 65 7b 63 6f Data Ascii: {content:"\f024"}.fa-headphones:before{content:"\f025"}.fa-volume-off:before{content:"\f026"}.fa-volume-down:before{content:"\f027"}.fa-volume-up:before{content:"\f028"}.fa-qrcode:before{content:"\f029"}.fa-barcode:before{content:"\f02a"}.fa-tag:before{co
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 61 72 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 34 39 22 7d 2e 66 61 2d 62 61 63 6b 77 61 72 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 34 61 22 7d 2e 66 61 2d 70 6c 61 79 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 34 62 22 7d 2e 66 61 2d 70 61 75 73 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 34 63 22 7d 2e 66 61 2d 73 74 6f 70 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 34 64 22 7d 2e 66 61 2d 66 6f 72 77 61 72 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 34 65 22 7d 2e 66 61 2d 66 61 73 74 2d 66 6f 72 77 61 72 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 35 30 22 7d 2e 66 61 2d 73 74 65 70 2d 66 6f 72 77 61 72 64 3a 62 65 66 Data Ascii: ard:before{content:"\f049"}.fa-backward:before{content:"\f04a"}.fa-play:before{content:"\f04b"}.fa-pause:before{content:"\f04c"}.fa-stop:before{content:"\f04d"}.fa-forward:before{content:"\f04e"}.fa-fast-forward:before{content:"\f050"}.fa-step-forward:bef
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 30 22 7d 2e 66 61 2d 77 61 72 6e 69 6e 67 3a 62 65 66 6f 72 65 2c 2e 66 61 2d 65 78 63 6c 61 6d 61 74 69 6f 6e 2d 74 72 69 61 6e 67 6c 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 37 31 22 7d 2e 66 61 2d 70 6c 61 6e 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 37 32 22 7d 2e 66 61 2d 63 61 6c 65 6e 64 61 72 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 37 33 22 7d 2e 66 61 2d 72 61 6e 64 6f 6d 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 37 34 22 7d 2e 66 61 2d 63 6f 6d 6d 65 6e 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 37 35 22 7d 2e 66 61 2d 6d 61 67 6e 65 74 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 37 36 22 7d 2e 66 61 2d 63 68 65 76 72 6f 6e 2d 75 Data Ascii: 0"}.fa-warning:before,.fa-exclamation-triangle:before{content:"\f071"}.fa-plane:before{content:"\f072"}.fa-calendar:before{content:"\f073"}.fa-random:before{content:"\f074"}.fa-comment:before{content:"\f075"}.fa-magnet:before{content:"\f076"}.fa-chevron-u
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 71 75 61 72 65 2d 6f 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 39 36 22 7d 2e 66 61 2d 62 6f 6f 6b 6d 61 72 6b 2d 6f 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 39 37 22 7d 2e 66 61 2d 70 68 6f 6e 65 2d 73 71 75 61 72 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 39 38 22 7d 2e 66 61 2d 74 77 69 74 74 65 72 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 39 39 22 7d 2e 66 61 2d 66 61 63 65 62 6f 6f 6b 2d 66 3a 62 65 66 6f 72 65 2c 2e 66 61 2d 66 61 63 65 62 6f 6f 6b 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 39 61 22 7d 2e 66 61 2d 67 69 74 68 75 62 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 39 62 22 7d 2e 66 61 2d 75 6e 6c 6f 63 6b 3a 62 65 66 6f 72 65 7b 63 Data Ascii: quare-o:before{content:"\f096"}.fa-bookmark-o:before{content:"\f097"}.fa-phone-square:before{content:"\f098"}.fa-twitter:before{content:"\f099"}.fa-facebook-f:before,.fa-facebook:before{content:"\f09a"}.fa-github:before{content:"\f09b"}.fa-unlock:before{c
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 2d 6f 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 63 37 22 7d 2e 66 61 2d 73 71 75 61 72 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 63 38 22 7d 2e 66 61 2d 6e 61 76 69 63 6f 6e 3a 62 65 66 6f 72 65 2c 2e 66 61 2d 72 65 6f 72 64 65 72 3a 62 65 66 6f 72 65 2c 2e 66 61 2d 62 61 72 73 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 63 39 22 7d 2e 66 61 2d 6c 69 73 74 2d 75 6c 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 63 61 22 7d 2e 66 61 2d 6c 69 73 74 2d 6f 6c 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 63 62 22 7d 2e 66 61 2d 73 74 72 69 6b 65 74 68 72 6f 75 67 68 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 63 63 22 7d 2e 66 61 2d 75 6e 64 65 72 6c 69 6e 65 3a Data Ascii: -o:before{content:"\f0c7"}.fa-square:before{content:"\f0c8"}.fa-navicon:before,.fa-reorder:before,.fa-bars:before{content:"\f0c9"}.fa-list-ul:before{content:"\f0ca"}.fa-list-ol:before{content:"\f0cb"}.fa-strikethrough:before{content:"\f0cc"}.fa-underline:
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 65 66 6f 72 65 2c 2e 66 61 2d 63 6c 69 70 62 6f 61 72 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 65 61 22 7d 2e 66 61 2d 6c 69 67 68 74 62 75 6c 62 2d 6f 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 65 62 22 7d 2e 66 61 2d 65 78 63 68 61 6e 67 65 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 65 63 22 7d 2e 66 61 2d 63 6c 6f 75 64 2d 64 6f 77 6e 6c 6f 61 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 65 64 22 7d 2e 66 61 2d 63 6c 6f 75 64 2d 75 70 6c 6f 61 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 65 65 22 7d 2e 66 61 2d 75 73 65 72 2d 6d 64 3a 62 65 66 6f 72 65 7b 63 6f 6e 74 65 6e 74 3a 22 5c 66 30 66 30 22 7d 2e 66 61 2d 73 74 65 74 68 6f 73 63 6f 70 65 3a 62 65 66 6f Data Ascii: efore,.fa-clipboard:before{content:"\f0ea"}.fa-lightbulb-o:before{content:"\f0eb"}.fa-exchange:before{content:"\f0ec"}.fa-cloud-download:before{content:"\f0ed"}.fa-cloud-upload:before{content:"\f0ee"}.fa-user-md:before{content:"\f0f0"}.fa-stethoscope:befo

Timestamp	Bytes transferred	Direction	Data
2024-08-28 20:42:00 UTC	236	OUT	GET /hubfs/bid-boss.jpg HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: hub.planswift.com Connection: Keep-Alive
2024-08-28 20:42:00 UTC	1358	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 20:42:00 GMT Content-Type: image/jpeg Content-Length: 11940 Connection: close CF-Ray: 8ba72018ce0c41f2-EWR CF-Cache-Status: HIT Accept-Ranges: bytes Access-Control-Allow-Origin: * Age: 95835 Cache-Control: s-maxage=2592000, max-age=1209600, stale-while-revalidate=900 ETag: "ad942d77e27dbb892f4e7bfc45ca88c4" Last-Modified: Wed, 28 Feb 2024 16:28:12 GMT Strict-Transport-Security: max-age=31536000 Vary: Accept Via: 1.1 1721c5705940b20c9d951889ca1932b6.cloudfront.net (CloudFront) Access-Control-Allow-Methods: GET cache-tag: F-158740573213,P-2347101,FLS-ALL Cf-Bgj: imgq:85,h2pri Cf-Polished: degrade=85, origSize=44599 Content-Security-Policy: upgrade-insecure-requests Edge-Cache-Tag: F-158740573213,P-2347101,FLS-ALL Timing-Allow-Origin: d8fk70yj6xfhx.cloudfront.net X-Amz-Cf-Id: m3WRKStY3RG6qesnUTUBNqCeILCq5_KjmWML6R3yB3BObQzs5inkUg== X-Amz-Cf-Pop: JFK50-P6 x-amz-id-2: t5zswaMhpk2oAoRpYqNLF9VNDOPJxS3Pm+1jKpuNu986b/k3za53EPm+5VRcuiYc5X9TUTbgtm4= x-amz-meta-cache-tag: F-158740573213,P-2347101,FLS-ALL x-amz-meta-created-unix-time-millis: 1709137691022 x-amz-meta-index-tag: all x-amz-replication-status: COMPLETED x-amz-request-id: 20RD2HERGXKW19HJ x-amz-server-side-encryption: AES256 x-amz-storage-class: INTELLIGENT_TIERING x-amz-version-id: jq2ohsz1FO22rAAKd4dl7JvRhd4amaPI
2024-08-28 20:42:00 UTC	995	IN	Data Raw: 58 2d 43 61 63 68 65 3a 20 4d 69 73 73 20 66 72 6f 6d 20 63 6c 6f 75 64 66 72 6f 6e 74 0d 0a 58 2d 48 53 2d 41 6c 74 65 72 6e 61 74 65 2d 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 58 2d 48 53 2d 43 46 2d 4c 61 6d 62 64 61 3a 20 75 73 2d 65 61 73 74 2d 31 2e 45 6e 66 6f 72 63 65 41 63 6c 46 6f 72 52 65 61 64 73 20 33 0d 0a 58 2d 48 53 2d 43 46 2d 4c 61 6d 62 64 61 2d 45 6e 66 6f 72 63 65 3a 20 75 73 2d 65 61 73 74 2d 31 2e 45 6e 66 6f 72 63 65 41 63 6c 46 6f 72 52 65 61 64 73 20 33 0d 0a 58 2d 52 6f 62 6f 74 73 2d 54 61 67 3a 20 61 6c 6c 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 5f 62 6d 3d 46 4c 45 70 76 45 4b 59 79 49 6e 54 4e 69 48 6b 4b 34 73 44 33 77 34 42 65 4e 48 61 56 6a 66 50 71 31 56 4f 6b 7a 75 38 Data Ascii: X-Cache: Miss from cloudfrontX-HS-Alternate-Content-Type: text/plainX-HS-CF-Lambda: us-east-1.EnforceAclForReads 3X-HS-CF-Lambda-Enforce: us-east-1.EnforceAclForReads 3X-Robots-Tag: allSet-Cookie: __cf_bm=FLEpvEKYyInTNiHkK4sD3w4BeNHaVjfPq1VOkzu8
2024-08-28 20:42:00 UTC	385	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 84 00 05 05 05 05 05 05 05 06 06 05 08 08 07 08 08 0b 0a 09 09 0a 0b 11 0c 0d 0c 0d 0c 11 1a 10 13 10 10 13 10 1a 17 1b 16 15 16 1b 17 29 20 1c 1c 20 29 2f 27 25 27 2f 39 33 33 39 47 44 47 5d 5d 7d 01 05 05 05 05 05 05 05 06 06 05 08 08 07 08 08 0b 0a 09 09 0a 0b 11 0c 0d 0c 0d 0c 11 1a 10 13 10 10 13 10 1a 17 1b 16 15 16 1b 17 29 20 1c 1c 20 29 2f 27 25 27 2f 39 33 33 39 47 44 47 5d 5d 7d ff c2 00 11 08 01 a4 02 58 03 01 22 00 02 11 01 03 21 01 ff c4 00 35 00 01 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 07 08 05 06 09 04 03 02 01 01 01 00 03 01 01 01 00 00 00 00 00 00 00 00 00 00 00 01 02 03 04 05 06 ff da 00 0c 03 01 00 02 10 03 10 00 00 00 a9 83 e8 bc d0 00 00 00 00 00 00 00 00 Data Ascii: JFIF) )/'%'/9339GDG]]}) )/'%'/9339GDG]]}X"!5
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 a6 d8 a7 99 2e 8e fb 30 da 79 ad 2f e2 a7 4d 6b 4a a5 8e da f5 4d 2f 8b 64 d6 fa d3 83 ab 92 c3 ab 94 5e ea b9 85 ed 1a 6e 7a 64 df b6 4d 33 07 2d dc 5e 5e ae 5e 61 Data Ascii: .0y/MkJM/d^nzdM3-^^^a
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 0f ff c4 00 37 10 00 02 02 03 00 01 02 03 06 03 05 09 00 00 00 00 04 05 03 06 01 02 07 00 08 13 11 12 14 10 15 16 36 37 50 18 20 30 35 40 55 56 a0 17 22 23 24 31 41 51 60 70 ff da 00 08 01 01 00 01 0c 00 ff 00 4f 7d 57 87 df 6d e9 b4 70 08 83 42 23 65 4c 11 b2 31 63 21 77 1c cf b3 f0 6d bf da f7 bf 0a b7 f6 bf 96 95 41 b2 5f d8 4a 0a 31 74 df 37 8e 71 68 e7 c4 0b 13 b1 63 c4 62 d4 ed 47 0f 11 22 56 5a 4e 3c b1 4b 04 b2 43 34 7b 47 2f ef 28 68 34 19 2b e9 66 9a 96 93 7d fd ff 00 4e bf f8 a4 f9 37 36 e4 17 35 bb cc 02 35 12 8d d4 f9 ec fc e6 cb b2 cf a8 d8 80 e8 5e a3 2b e8 2a 8a 14 3a 4e c3 62 af 16 7d ae 76 c7 4f f6 1b d8 fb 77 fc 9d b7 db c2 69 d5 07 1c e1 71 8c ea ea cd 2b b0 80 02 be 93 69 0c 00 a1 14 5f 38 c7 56 0b 9b 16 de Data Ascii: 767P 05@UV"#$1AQ`pO}WmpB#eL1c!wmA_J1t7qhcbG"VZN<KC4{G/(h4+f}N7655^+*:Nb}vOwiq+i_8V
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: fc 1f 3d 29 7e 66 b4 f9 75 e6 f5 5b e6 cb 76 7c 34 d3 67 4f 4f 3c ae 3d f4 db ee 82 b7 c5 9a fd 46 e6 c9 bd 99 4c 1b 4d a9 dd 30 fa cd fc 8b 64 90 fb b8 cc 9c eb b0 57 71 17 ce 3b 40 ab 5c c3 9f 73 d9 67 6e 10 7a 41 37 77 eb cb ad 10 e9 59 ae 91 ef af a5 73 2e 4b 69 a3 a4 0f fe 45 91 88 fd 3b d0 ab ee 41 6f 11 ad 48 97 bf f4 84 19 af cf 50 5e c6 12 4e 55 c9 79 0d ae ae 9e 11 30 29 bb d4 f8 45 2a 98 ec 57 a2 98 ce 72 7d 45 74 a4 4d 15 8b 54 4c 74 45 cb fb 2c 72 49 0e fa c9 1c 9b 69 b9 ac d9 32 db 4d 8e 60 41 3b 7f 52 39 24 87 7d 64 8e 4d b4 dc c6 cd 58 e3 4d 4d 66 51 38 fe ac 52 cb 0c 9a c9 14 9b 69 b9 ac 98 b2 db 4d 8e 60 41 3b 79 a6 fb c7 be bb e9 be 75 dc 97 6e 4c 83 03 94 dc c9 e1 f2 29 65 82 4d 64 8a 4d a3 dc c7 2e 18 69 ac 66 b5 2c 9d 3f f6 e5 2b a4 Data Ascii: =)~fu[v\|4gOO<=FLM0dWq;@\sgnzA7wYs.KiE;AoHP^NUy0)E*Wr}EtMTLtE,rIi2M`A;R9$}dMXMMfQ8RiM`A;yunL)eMdM.if,?+
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 34 ba 5c 7e af 64 89 b6 22 1c f3 3b d6 b6 3f c3 79 ae 11 f7 a5 97 98 5e 2a 3b 87 87 08 a4 87 48 f8 3f 54 df 25 e3 f0 be da e5 37 2f bd d8 07 28 85 95 d9 a7 d2 c9 ce 2e 55 46 0b 57 34 4b 26 84 3d e4 1d 0e b6 a3 2e 19 57 64 8c 3a c7 2b bd dc 01 cb 04 e8 b7 94 3a ef 08 6a e6 a1 6a 2a 71 0e 86 cc 58 b3 82 59 42 13 1f c9 3f ee 94 06 21 56 e9 57 96 f9 ce 34 6b 49 5c 85 7c b5 c6 c0 69 2e 0e e9 d6 e1 ab 35 1d 2a d9 de 19 2c 8c 52 bd b1 53 69 64 25 1a 73 c3 47 5a b1 08 a2 dd 5a 90 6d c6 b0 56 13 35 ab a2 bb b1 b1 ab 24 25 bd 70 b2 65 eb 96 1d f7 23 7d b6 78 1b 43 5f db 80 3e 90 6b ba fd 82 b5 28 d4 a7 e8 d3 ed 23 3f 2c cd 65 cd e6 91 82 e7 f8 0b 4d a3 59 a1 ec f8 34 b5 33 8c 03 d4 ce ec 95 6a 29 68 83 9c f5 ea ea 76 48 eb d7 64 32 ac 9b 2e 04 58 ee e7 c4 6b 69 a8 Data Ascii: 4\~d";?y^;H?T%7/(.UFW4K&=.Wd:+:jjqXYB?!VW4kI\\|i.5*,RSid%sGZZmV5$%pe#}xC_>k(#?,eMY43j)hvHd2.Xki
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 8b b7 f9 99 d5 af fe 5d 3d 1f 36 c7 f9 b9 e1 ee 7f e4 99 e0 bf 9c e2 83 2f 41 08 07 67 62 4b 95 1e 7e 67 d7 ed cb 61 62 8d db b5 47 1f d9 7b 94 e0 ad 57 87 c3 93 61 8e 51 48 9f 1b c7 8e e3 9e de 17 2a bf 28 a6 0b aa 3e d8 97 a1 9e 34 f0 d3 c5 db 70 4e f2 22 fa 2e d9 48 b7 03 7e 0a 7c d9 fe 0a 37 39 5a 98 af 54 95 e6 23 e2 bc 55 8a ee 37 db 21 b2 96 56 53 a6 ee 7a aa dc f7 fe bf 2e d6 78 5c 81 b7 9b 0f 26 1f 03 94 e7 78 64 1e f4 3b 6e 3d c7 b8 f4 7c db 1f e6 e5 f5 b2 65 f1 71 c8 fb 74 4a 6d b7 07 4c f5 a4 49 34 4d ff 00 51 91 f3 52 a8 25 11 ca 37 92 16 61 b6 e8 de a6 53 d9 86 51 29 5d 1f d6 52 29 9d 49 c3 15 92 3f bd dc 67 ce 95 f6 e3 f7 39 8e 7f 87 1c f0 c8 57 7f be 24 5e 19 42 04 ab 15 82 8c d0 cd 1a 0d 97 cd 77 e0 71 f7 72 b4 6c a4 33 7c 48 81 d4 e2 4a Data Ascii: ]=6/AgbK~gabG{WaQH*(>4pN".H~\|79ZT#U7!VSz.x\&xd;n=\|eqtJmLI4MQR%7aSQ)]R)I?g9W$^Bwqrl3\|HJ
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: b9 e9 17 1b f2 92 5c a5 46 4b 94 6c 69 cb d2 86 50 9d d2 44 c8 b5 a9 62 ae ac a1 0c ce 7b 2c 92 01 b9 8c 66 83 4f c6 c1 36 9c 82 34 95 06 e7 83 01 94 b5 de 10 ab 28 57 90 98 e3 09 1b 49 dc 47 b9 cd 2a 83 de a5 63 4d 41 10 7e 1f a8 f9 3d b7 af a7 e9 bb 16 81 11 3c 9a 69 86 69 15 5e dd 69 ea c0 61 ad 65 10 16 78 99 33 5d ab e2 db c7 8e 75 eb 42 76 21 42 65 67 94 5f a4 c1 5b 4d b0 85 0a ae d1 65 cd 0a 07 4d 46 58 37 b5 5f 99 71 b4 4d f6 45 1b be 3f 4a 06 17 97 79 0a 10 55 78 03 c7 06 a6 6d d8 db d6 b2 be f2 01 f1 04 e5 79 2c dd 9c 88 5e 10 6c d9 72 4f 94 81 72 c6 bb 1d a8 ab 74 dc ef 10 11 82 dc c0 e3 9a 2d d9 e7 12 1a 8f 64 4f 1c 8c cc 78 f0 fd fc b9 aa 46 fa 70 30 4a 0d 88 23 74 d9 fb 6c 87 61 8f a5 58 81 64 11 bc 9b c8 e5 48 1b 46 1b d1 52 43 26 99 aa d7 Data Ascii: \FKliPDb{,fO64(WIG*cMA~=<ii^iaex3]uBv!Beg_[MeMFX7_qME?JyUxmy,^lrOrt-dOxFp0J#tlaXdHFRC&
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: ee 05 31 ec d9 80 b7 3e 64 cb 5d 82 c9 bf e2 7e d5 9d c3 cb 46 ec 09 66 bb b8 f2 0d c1 fb 37 bc 64 a3 69 23 d2 6b 25 4e 5f e2 5d db 09 dc 93 e6 49 38 46 c5 e1 91 a3 6d be 2a 46 16 e7 d4 2c 4b 72 ef be fd f7 c5 5e 2a d3 48 d2 10 3d 80 b1 38 4e e5 d8 92 49 f8 9c 9f fa e6 8e 56 53 26 ff 00 78 83 e7 8e 85 1c a3 15 2c ad dc 1d bb 83 9b 01 b9 3b f9 01 b0 19 5c ef 02 99 9c 88 bf 70 6f f4 71 86 c5 a1 91 a3 24 7c 54 8c e4 5b aa ae 43 ee 7b 9d fb e3 6f bc 91 c8 c8 c7 7f 69 19 cb 97 57 91 e7 cb db bf 7d f1 7b 3c b2 33 b0 db de 71 7b 4a 5c 97 1f 03 92 3f 39 14 b9 21 9b da c3 d6 71 3e a4 65 89 55 f8 0c 4f a9 13 ca cc 8b f0 52 76 18 e3 66 e9 48 c9 c8 7b f8 91 9b 93 d4 56 21 bc fd e3 01 24 72 24 f9 b7 99 3f 8f fc 99 ff c4 00 3a 11 00 02 02 01 02 04 03 05 03 0a 07 00 00 Data Ascii: 1>d]~Ff7di#k%N_]I8FmF,Kr^H=8NIVS&x,;\poq$\|T[C{oiW}{<3q{J\?9!q>eUORvfH{V!$r$?:
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 94 04 fb 2b 2b d9 43 b6 56 56 50 ca ca 1f e9 3f ff c4 00 43 11 00 02 02 01 02 04 03 03 05 0c 09 05 00 00 00 00 01 02 03 11 00 04 12 13 21 31 41 22 51 61 05 10 32 14 23 71 81 a1 15 20 24 33 50 52 53 72 73 74 91 b2 30 34 35 42 90 b1 c1 c2 d1 43 60 62 92 b3 ff da 00 08 01 03 01 01 3f 00 ff 00 0f dd 20 f9 5e 9b 4d 3a f2 13 44 92 05 ee 37 8b ac e0 ff 00 e6 30 41 7d 24 19 24 2f 10 52 c3 c2 dd 18 74 35 90 6d 60 78 86 98 31 15 d0 57 6c 99 63 59 08 8c da d0 fe 35 cf df a3 80 6a 46 94 96 ae 28 4b f4 dd ef 89 78 bc 4a 35 b1 b6 fd 80 ff 00 ae 4b 11 89 f6 13 7c 94 ff 00 11 7e e5 b3 28 0d ca 3a ea 3a de 48 90 08 b7 2b f8 f7 01 5e 9d ce 68 8f ca a0 32 9f 09 12 cc 95 fb 39 0a 7d b5 93 20 8a 59 63 06 f6 b9 5b fa 0f f4 0e db 6b 95 b1 34 aa 3a 93 83 4e 79 5b 01 93 42 d0 b9 Data Ascii: ++CVVP?C!1A"Qa2#q $3PRSrst045BC`b? ^M:D70A}$$/Rt5m`x1WlcY5jF(KxJ5K\|~(::H+^h29} Yc[k4:Ny[B

Timestamp	Bytes transferred	Direction	Data
2024-08-28 20:42:00 UTC	269	OUT	GET /ajax/libs/fancybox/3.5.2/jquery.fancybox.min.css HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: cdnjs.cloudflare.com Connection: Keep-Alive
2024-08-28 20:42:00 UTC	940	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 20:42:00 GMT Content-Type: text/css; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=30672000 ETag: W/"5eb03e58-3611" Last-Modified: Mon, 04 May 2020 16:10:00 GMT cf-cdnjs-via: cfworker/kv Cross-Origin-Resource-Policy: cross-origin Timing-Allow-Origin: * X-Content-Type-Options: nosniff CF-Cache-Status: MISS Expires: Mon, 18 Aug 2025 20:42:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ogqq4pJ13pbFRlsZE63oBH3M7mtDa4Bz%2BvhmsEenRsGqMCDiiod%2FTKECn2rlB%2BoyE9BtXp1ol%2BaLmNR%2B%2BnFfDJVSWU8Ig1ZXBIVXejAo0xVjl4lRQuyCV%2FPR16JBu6vvbN89G80Y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=15780000 Server: cloudflare CF-RAY: 8ba720191a6a0f64-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 20:42:00 UTC	429	IN	Data Raw: 33 36 31 31 0d 0a 62 6f 64 79 2e 63 6f 6d 70 65 6e 73 61 74 65 2d 66 6f 72 2d 73 63 72 6f 6c 6c 62 61 72 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 2e 66 61 6e 63 79 62 6f 78 2d 61 63 74 69 76 65 7b 68 65 69 67 68 74 3a 61 75 74 6f 7d 2e 66 61 6e 63 79 62 6f 78 2d 69 73 2d 68 69 64 64 65 6e 7b 6c 65 66 74 3a 2d 39 39 39 39 70 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 21 69 6d 70 6f 72 74 61 6e 74 3b 74 6f 70 3a 2d 39 39 39 39 70 78 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 2e 66 61 6e 63 79 62 6f 78 2d 63 6f 6e 74 61 69 6e 65 72 7b 2d 77 65 62 6b 69 74 2d 62 61 63 6b 66 61 63 65 2d 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 6c 65 66 74 3a 30 3b Data Ascii: 3611body.compensate-for-scrollbar{overflow:hidden}.fancybox-active{height:auto}.fancybox-is-hidden{left:-9999px;margin:0;position:absolute!important;top:-9999px;visibility:hidden}.fancybox-container{-webkit-backface-visibility:hidden;height:100%;left:0;
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 61 6e 73 6c 61 74 65 5a 28 30 29 3b 77 69 64 74 68 3a 31 30 30 25 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 39 32 7d 2e 66 61 6e 63 79 62 6f 78 2d 63 6f 6e 74 61 69 6e 65 72 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 7d 2e 66 61 6e 63 79 62 6f 78 2d 62 67 2c 2e 66 61 6e 63 79 62 6f 78 2d 69 6e 6e 65 72 2c 2e 66 61 6e 63 79 62 6f 78 2d 6f 75 74 65 72 2c 2e 66 61 6e 63 79 62 6f 78 2d 73 74 61 67 65 7b 62 6f 74 74 6f 6d 3a 30 3b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 72 69 67 68 74 3a 30 3b 74 6f 70 3a 30 7d 2e 66 61 6e 63 79 62 6f 78 2d 6f 75 74 65 72 7b 2d 77 65 62 6b 69 74 2d 6f 76 65 72 66 6c 6f 77 2d 73 63 72 6f 6c 6c 69 6e 67 3a 74 6f 75 63 68 3b 6f 76 65 72 66 6c 6f 77 2d 79 3a 61 75 74 6f 7d Data Ascii: anslateZ(0);width:100%;z-index:99992}.fancybox-container *{box-sizing:border-box}.fancybox-bg,.fancybox-inner,.fancybox-outer,.fancybox-stage{bottom:0;left:0;position:absolute;right:0;top:0}.fancybox-outer{-webkit-overflow-scrolling:touch;overflow-y:auto}
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 5a 28 30 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 5a 28 30 29 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 39 34 7d 2e 66 61 6e 63 79 62 6f 78 2d 69 73 2d 6f 70 65 6e 20 2e 66 61 6e 63 79 62 6f 78 2d 73 74 61 67 65 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 2e 66 61 6e 63 79 62 6f 78 2d 73 6c 69 64 65 7b 2d 77 65 62 6b 69 74 2d 62 61 63 6b 66 61 63 65 2d 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 3b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 6c 65 66 74 3a 30 3b 6f 75 74 6c 69 6e 65 3a 6e 6f 6e 65 3b 6f 76 65 72 66 6c 6f 77 3a 61 75 74 6f 3b 2d 77 65 62 6b 69 74 2d 6f 76 Data Ascii: erflow:visible;-webkit-transform:translateZ(0);transform:translateZ(0);z-index:99994}.fancybox-is-open .fancybox-stage{overflow:hidden}.fancybox-slide{-webkit-backface-visibility:hidden;display:none;height:100%;left:0;outline:none;overflow:auto;-webkit-ov
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 3a 76 69 73 69 62 6c 65 3b 70 61 64 64 69 6e 67 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 74 6f 70 20 6c 65 66 74 3b 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 74 6f 70 20 6c 65 66 74 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 70 72 6f 70 65 72 74 79 3a 6f 70 61 63 69 74 79 2c 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 70 72 6f 70 65 72 74 79 3a 74 72 61 6e 73 66 6f 72 6d 2c 6f 70 61 63 69 74 79 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 70 72 6f 70 65 72 74 79 3a 74 72 61 6e 73 66 6f 72 6d 2c 6f 70 61 63 69 74 79 2c 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3b 2d 77 65 62 6b 69 74 2d 75 73 65 72 Data Ascii: :visible;padding:0;position:absolute;top:0;-webkit-transform-origin:top left;transform-origin:top left;transition-property:opacity,-webkit-transform;transition-property:transform,opacity;transition-property:transform,opacity,-webkit-transform;-webkit-user
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 79 62 6f 78 2d 69 66 72 61 6d 65 2c 2e 66 61 6e 63 79 62 6f 78 2d 76 69 64 65 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 3a 30 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 6d 61 72 67 69 6e 3a 30 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 70 61 64 64 69 6e 67 3a 30 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 66 61 6e 63 79 62 6f 78 2d 69 66 72 61 6d 65 7b 6c 65 66 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74 6f 70 3a 30 7d 2e 66 61 6e 63 79 62 6f 78 2d 65 72 72 6f 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 75 72 73 6f 72 3a 64 65 66 61 75 6c 74 3b 6d 61 78 2d 77 69 64 74 68 3a 34 30 30 70 78 3b 70 61 64 64 69 6e 67 3a 34 30 70 78 Data Ascii: ybox-iframe,.fancybox-video{background:transparent;border:0;display:block;height:100%;margin:0;overflow:hidden;padding:0;width:100%}.fancybox-iframe{left:0;position:absolute;top:0}.fancybox-error{background:#fff;cursor:default;max-width:400px;padding:40px
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 58 28 30 29 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 30 3b 74 72 61 6e 73 66 6f 72 6d 2d 6f 72 69 67 69 6e 3a 30 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 70 72 6f 70 65 72 74 79 3a 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 70 72 6f 70 65 72 74 79 3a 74 72 61 6e 73 66 6f 72 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 70 72 6f 70 65 72 74 79 3a 74 72 61 6e 73 66 6f 72 6d 2c 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 74 69 6d 69 6e 67 2d 66 75 6e 63 74 69 6f 6e 3a 6c 69 6e 65 61 72 3b 7a 2d 69 6e 64 65 78 3a 39 39 39 39 38 7d 2e 66 61 6e 63 79 62 6f 78 2d 63 6c 6f 73 65 2d 73 6d 61 6c 6c 7b 62 61 63 6b 67 Data Ascii: ansform:scaleX(0);-webkit-transform-origin:0;transform-origin:0;transition-property:-webkit-transform;transition-property:transform;transition-property:transform,-webkit-transform;transition-timing-function:linear;z-index:99998}.fancybox-close-small{backg
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 7a 34 32 52 77 51 33 41 4d 41 67 44 6a 66 63 66 75 70 38 57 6f 52 79 6b 66 42 41 4b 35 6d 51 48 4b 53 7a 35 72 62 58 4a 50 69 73 31 68 6a 69 56 33 43 49 71 67 47 30 68 4c 5a 50 6b 56 6b 41 34 70 34 78 35 6f 52 31 62 56 65 44 72 64 43 4c 72 57 32 51 30 44 35 62 63 77 59 33 54 47 4d 48 62 64 77 33 6d 50 52 75 4f 74 61 73 70 59 50 31 77 2f 2f 47 31 4f 49 63 57 31 34 38 48 30 44 4d 43 71 49 2f 33 6d 4d 4d 41 41 41 41 41 53 55 56 4f 52 4b 35 43 59 49 49 3d 29 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 72 65 70 65 61 74 2d 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 63 6f 6e 74 61 69 6e 3b 62 6f 74 74 6f 6d 3a 30 3b 63 6f 6e 74 65 6e 74 3a 22 22 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6c 65 66 74 3a 30 3b 70 6f 69 6e 74 65 72 2d 65 Data Ascii: z42RwQ3AMAgDjfcfup8WoRykfBAK5mQHKSz5rbXJPis1hjiV3CIqgG0hLZPkVkA4p4x5oR1bVeDrdCLrW2Q0D5bcwY3TGMHbdw3mPRuOtaspYP1w//G1OIcW148H0DMCqI/3mMMAAAAASUVORK5CYII=);background-repeat:repeat-x;background-size:contain;bottom:0;content:"";display:block;left:0;pointer-e
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 66 61 64 65 2e 66 61 6e 63 79 62 6f 78 2d 73 6c 69 64 65 2d 2d 6e 65 78 74 2c 2e 66 61 6e 63 79 62 6f 78 2d 66 78 2d 66 61 64 65 2e 66 61 6e 63 79 62 6f 78 2d 73 6c 69 64 65 2d 2d 70 72 65 76 69 6f 75 73 7b 6f 70 61 63 69 74 79 3a 30 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 74 69 6d 69 6e 67 2d 66 75 6e 63 74 69 6f 6e 3a 63 75 62 69 63 2d 62 65 7a 69 65 72 28 2e 31 39 2c 31 2c 2e 32 32 2c 31 29 7d 2e 66 61 6e 63 79 62 6f 78 2d 66 78 2d 66 61 64 65 2e 66 61 6e 63 79 62 6f 78 2d 73 6c 69 64 65 2d 2d 63 75 72 72 65 6e 74 7b 6f 70 61 63 69 74 79 3a 31 7d 2e 66 61 6e 63 79 62 6f 78 2d 66 78 2d 7a 6f 6f 6d 2d 69 6e 2d 6f 75 74 2e 66 61 6e 63 79 62 6f 78 2d 73 6c 69 64 65 2d 2d 70 72 65 76 69 6f 75 73 7b 6f 70 61 63 69 74 79 3a 30 3b 2d 77 65 62 6b 69 74 2d 74 72 61 Data Ascii: fade.fancybox-slide--next,.fancybox-fx-fade.fancybox-slide--previous{opacity:0;transition-timing-function:cubic-bezier(.19,1,.22,1)}.fancybox-fx-fade.fancybox-slide--current{opacity:1}.fancybox-fx-zoom-in-out.fancybox-slide--previous{opacity:0;-webkit-tra
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 33 64 28 2d 31 30 30 25 2c 30 2c 30 29 20 73 63 61 6c 65 28 2e 31 29 20 73 6b 65 77 28 2d 31 30 64 65 67 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 33 64 28 2d 31 30 30 25 2c 30 2c 30 29 20 73 63 61 6c 65 28 2e 31 29 20 73 6b 65 77 28 2d 31 30 64 65 67 29 7d 2e 66 61 6e 63 79 62 6f 78 2d 66 78 2d 74 75 62 65 2e 66 61 6e 63 79 62 6f 78 2d 73 6c 69 64 65 2d 2d 6e 65 78 74 7b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 33 64 28 31 30 30 25 2c 30 2c 30 29 20 73 63 61 6c 65 28 2e 31 29 20 73 6b 65 77 28 31 30 64 65 67 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 33 64 28 31 30 30 25 2c 30 2c 30 29 20 73 63 61 6c 65 28 2e 31 29 20 73 Data Ascii: ransform:translate3d(-100%,0,0) scale(.1) skew(-10deg);transform:translate3d(-100%,0,0) scale(.1) skew(-10deg)}.fancybox-fx-tube.fancybox-slide--next{-webkit-transform:translate3d(100%,0,0) scale(.1) skew(10deg);transform:translate3d(100%,0,0) scale(.1) s
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 2d 2d 66 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 33 62 35 39 39 38 7d 2e 66 61 6e 63 79 62 6f 78 2d 73 68 61 72 65 5f 5f 62 75 74 74 6f 6e 2d 2d 66 62 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 33 34 34 65 38 36 7d 2e 66 61 6e 63 79 62 6f 78 2d 73 68 61 72 65 5f 5f 62 75 74 74 6f 6e 2d 2d 70 74 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 62 64 30 38 31 64 7d 2e 66 61 6e 63 79 62 6f 78 2d 73 68 61 72 65 5f 5f 62 75 74 74 6f 6e 2d 2d 70 74 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 61 61 30 37 31 39 7d 2e 66 61 6e 63 79 62 6f 78 2d 73 68 61 72 65 5f 5f 62 75 74 74 6f 6e 2d 2d 74 77 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 31 64 61 31 66 32 7d 2e 66 61 6e 63 79 62 6f 78 2d 73 68 61 72 65 5f 5f 62 75 74 74 6f 6e 2d 2d 74 77 3a 68 6f 76 Data Ascii: --fb{background:#3b5998}.fancybox-share__button--fb:hover{background:#344e86}.fancybox-share__button--pt{background:#bd081d}.fancybox-share__button--pt:hover{background:#aa0719}.fancybox-share__button--tw{background:#1da1f2}.fancybox-share__button--tw:hov

Timestamp	Bytes transferred	Direction	Data
2024-08-28 20:42:00 UTC	267	OUT	GET /ajax/libs/slick-carousel/1.8.0/slick-theme.css HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: cdnjs.cloudflare.com Connection: Keep-Alive
2024-08-28 20:42:00 UTC	933	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 20:42:00 GMT Content-Type: text/css; charset=utf-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=30672000 ETag: W/"5eb03fd5-c49" Last-Modified: Mon, 04 May 2020 16:16:21 GMT cf-cdnjs-via: cfworker/kv Cross-Origin-Resource-Policy: cross-origin Timing-Allow-Origin: * X-Content-Type-Options: nosniff CF-Cache-Status: MISS Expires: Mon, 18 Aug 2025 20:42:00 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5avpirlKEh1%2FYjXMCCMkaPuvIUc2zQAvEABZrddtHlKdHiseJ4m9BCsn1tjc4liXXYDBdvFET38%2BnswgUN7OPfvB90bNWiEkUDtpIM30ZK57Wcla8V%2BaEuy4jnmG%2FZa05BzIV3q6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=15780000 Server: cloudflare CF-RAY: 8ba72018fd887d06-EWR alt-svc: h3=":443"; ma=86400
2024-08-28 20:42:00 UTC	436	IN	Data Raw: 63 34 39 0d 0a 40 63 68 61 72 73 65 74 20 27 55 54 46 2d 38 27 3b 0a 2f 2a 20 53 6c 69 64 65 72 20 2a 2f 0a 2e 73 6c 69 63 6b 2d 6c 6f 61 64 69 6e 67 20 2e 73 6c 69 63 6b 2d 6c 69 73 74 0a 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 20 75 72 6c 28 27 2e 2f 61 6a 61 78 2d 6c 6f 61 64 65 72 2e 67 69 66 27 29 20 63 65 6e 74 65 72 20 63 65 6e 74 65 72 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 7d 0a 0a 2f 2a 20 49 63 6f 6e 73 20 2a 2f 0a 40 66 6f 6e 74 2d 66 61 63 65 0a 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 73 6c 69 63 6b 27 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 74 79 6c 65 3a 20 6e 6f 72 6d 61 6c 3b 0a 0a 20 20 20 20 73 72 63 3a 20 75 72 6c 28 27 2e Data Ascii: c49@charset 'UTF-8';/* Slider /.slick-loading .slick-list{ background: #fff url('./ajax-loader.gif') center center no-repeat;}/ Icons */@font-face{ font-family: 'slick'; font-weight: normal; font-style: normal; src: url('.
2024-08-28 20:42:00 UTC	1369	IN	Data Raw: 27 2e 2f 66 6f 6e 74 73 2f 73 6c 69 63 6b 2e 73 76 67 23 73 6c 69 63 6b 27 29 20 66 6f 72 6d 61 74 28 27 73 76 67 27 29 3b 0a 7d 0a 2f 2a 20 41 72 72 6f 77 73 20 2a 2f 0a 2e 73 6c 69 63 6b 2d 70 72 65 76 2c 0a 2e 73 6c 69 63 6b 2d 6e 65 78 74 0a 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 30 3b 0a 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 0a 20 20 20 20 77 69 64 74 68 3a 20 32 30 70 78 3b 0a 20 20 20 20 68 65 69 67 68 74 3a 20 32 30 70 78 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d Data Ascii: './fonts/slick.svg#slick') format('svg');}/* Arrows */.slick-prev,.slick-next{ font-size: 0; line-height: 0; position: absolute; top: 50%; display: block; width: 20px; height: 20px; padding: 0; -webkit-transform
2024-08-28 20:42:00 UTC	1347	IN	Data Raw: 65 0a 7b 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 27 e2 86 92 27 3b 0a 7d 0a 5b 64 69 72 3d 27 72 74 6c 27 5d 20 2e 73 6c 69 63 6b 2d 6e 65 78 74 3a 62 65 66 6f 72 65 0a 7b 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3a 20 27 e2 86 90 27 3b 0a 7d 0a 0a 2f 2a 20 44 6f 74 73 20 2a 2f 0a 2e 73 6c 69 63 6b 2d 64 6f 74 74 65 64 2e 73 6c 69 63 6b 2d 73 6c 69 64 65 72 0a 7b 0a 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 7d 0a 0a 2e 73 6c 69 63 6b 2d 64 6f 74 73 0a 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 2d 32 35 70 78 3b 0a 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 70 61 64 64 69 Data Ascii: e{ content: '';}[dir='rtl'] .slick-next:before{ content: '';}/* Dots */.slick-dotted.slick-slider{ margin-bottom: 30px;}.slick-dots{ position: absolute; bottom: -25px; display: block; width: 100%; paddi
2024-08-28 20:42:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-08-28 20:42:00 UTC	269	OUT	GET /hubfs/PS%20-%20Getting%20Started/spaceFrame_700.jpg HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko Host: hub.planswift.com Connection: Keep-Alive
2024-08-28 20:42:01 UTC	1364	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 20:42:01 GMT Content-Type: image/jpeg Content-Length: 111911 Connection: close CF-Ray: 8ba7201c1ea6431c-EWR CF-Cache-Status: HIT Accept-Ranges: bytes Access-Control-Allow-Origin: * Age: 95836 Cache-Control: s-maxage=2592000, max-age=1209600, stale-while-revalidate=900 ETag: "655df3c13e0c13fb99e69dea2d46515a" Last-Modified: Fri, 13 Mar 2020 19:47:01 GMT Strict-Transport-Security: max-age=31536000 Vary: Accept-Encoding Via: 1.1 c36b03c9737c294317e3651e77ee0c4a.cloudfront.net (CloudFront) Access-Control-Allow-Methods: GET cache-tag: F-27019193501,FD-26637824551,P-2347101,FLS-ALL Cf-Bgj: imgq:85,h2pri Cf-Polished: degrade=85, origSize=124643, status=webp_bigger Content-Security-Policy: upgrade-insecure-requests Edge-Cache-Tag: F-27019193501,FD-26637824551,P-2347101,FLS-ALL Timing-Allow-Origin: d8fk70yj6xfhx.cloudfront.net X-Amz-Cf-Id: 2AtZ0eU_WYJQuCVdFldPJgOvKkR9VGOhE2gP6XZ3JxKLaTS0Br36AQ== X-Amz-Cf-Pop: JFK50-P6 x-amz-id-2: KKrw3ri55FhA+T0XCfy1u2Az0kWBSbc8lRHGw1QWkXEawWvaOyM28BUCk3i0LWY3W6CRF/+G+DXl2jt7gbVVxQ== x-amz-meta-cache-tag: F-27019193501,FD-26637824551,P-2347101,FLS-ALL x-amz-request-id: 20R303YQ7FDWN2CY x-amz-server-side-encryption: AES256 x-amz-version-id: TOcbI3af4QIhNwsdHPfoltDQamc_1QBg X-Cache: Miss from cloudfront X-HS-CF-Lambda: us-east-1.EnforceAclForReads 3
2024-08-28 20:42:01 UTC	858	IN	Data Raw: 58 2d 48 53 2d 43 46 2d 4c 61 6d 62 64 61 2d 45 6e 66 6f 72 63 65 3a 20 75 73 2d 65 61 73 74 2d 31 2e 45 6e 66 6f 72 63 65 41 63 6c 46 6f 72 52 65 61 64 73 20 33 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 5f 5f 63 66 5f 62 6d 3d 67 6f 6e 56 56 30 6d 61 4e 59 63 72 43 76 4a 56 67 46 63 44 69 5f 59 69 6f 43 43 6c 56 43 4b 36 4b 6c 4f 38 70 70 53 35 46 37 55 2d 31 37 32 34 38 37 37 37 32 31 2d 31 2e 30 2e 31 2e 31 2d 71 49 46 73 72 43 69 33 58 61 36 62 77 71 55 36 36 5a 79 74 76 78 7a 53 64 73 38 6b 4b 41 75 30 59 4f 71 46 57 58 44 62 6e 47 6c 63 31 2e 70 59 6e 76 79 42 69 6c 74 48 54 32 5a 54 30 68 4d 76 5f 4d 46 30 4a 5a 4b 55 64 6f 34 78 49 64 6d 5f 5f 47 68 6c 34 77 3b 20 70 61 74 68 3d 2f 3b 20 65 78 70 69 72 65 73 3d 57 65 64 2c 20 32 38 2d 41 75 67 2d Data Ascii: X-HS-CF-Lambda-Enforce: us-east-1.EnforceAclForReads 3Set-Cookie: __cf_bm=gonVV0maNYcrCvJVgFcDi_YioCClVCK6KlO8ppS5F7U-1724877721-1.0.1.1-qIFsrCi3Xa6bwqU66ZytvxzSds8kKAu0YOqFWXDbnGlc1.pYnvyBiltHT2ZT0hMv_MF0JZKUdo4xIdm__Ghl4w; path=/; expires=Wed, 28-Aug-
2024-08-28 20:42:01 UTC	1369	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 84 00 05 05 05 05 05 05 05 06 06 05 08 08 07 08 08 0b 0a 09 09 0a 0b 11 0c 0d 0c 0d 0c 11 1a 10 13 10 10 13 10 1a 17 1b 16 15 16 1b 17 29 20 1c 1c 20 29 2f 27 25 27 2f 39 33 33 39 47 44 47 5d 5d 7d 01 05 05 05 05 05 05 05 06 06 05 08 08 07 08 08 0b 0a 09 09 0a 0b 11 0c 0d 0c 0d 0c 11 1a 10 13 10 10 13 10 1a 17 1b 16 15 16 1b 17 29 20 1c 1c 20 29 2f 27 25 27 2f 39 33 33 39 47 44 47 5d 5d 7d ff c2 00 11 08 01 d3 02 bc 03 01 22 00 02 11 01 03 11 01 ff c4 00 34 00 00 02 02 03 01 01 01 00 00 00 00 00 00 00 00 00 06 07 04 05 00 03 08 02 01 09 01 00 03 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00 01 02 03 04 05 ff da 00 0c 03 01 00 02 10 03 10 00 00 00 e7 72 e8 25 9d bc 4b 5c 9d 23 2d 6b 6c a3 Data Ascii: JFIF) )/'%'/9339GDG]]}) )/'%'/9339GDG]]}"4r%K\#-kl
2024-08-28 20:42:01 UTC	1369	IN	Data Raw: 2a e6 ad 56 79 59 12 01 9b 2a 68 62 32 3c eb 54 a2 08 fd 05 14 8b e2 9d e6 c3 cd 39 16 eb 3b 08 06 37 fa d3 d3 84 3f 33 e1 45 8e e6 c8 b9 ea c2 5f 38 50 8d 5f ce 95 b9 a8 e5 83 f7 8e 56 c4 62 65 d3 73 7e 34 01 6a 2f 0b 16 79 79 da 2e e2 9f 65 b1 00 65 98 9d c1 b1 92 ec da a6 e9 4c 49 4c 3a 5e 88 5e b1 b7 c9 7b 71 47 31 33 45 19 fd 9c b5 4b 8d 5a c9 e4 e9 e8 c3 8f ce b7 0a 7d 7f f4 1c c6 2c 7f 80 de 42 37 1d 18 d3 f1 ea 2b ee 7c f2 3c 8d 27 19 cb a8 37 00 f6 90 2f d3 c2 3c fc 2f d1 4d fc 1d d3 91 4d 5c cd 73 4b be 76 bd ab d7 36 d3 7e 57 ac ee 0f 9b 0c 1c 61 73 1a d4 71 f5 75 c5 8e b9 0c 35 95 22 75 3d 7a ba 5d 74 9c 57 18 99 75 0f 2f 31 bb 51 cd 6c a4 35 5e 8a 27 e2 ac cc 50 2a 5a 59 79 5c ed 80 1b 80 75 dd 34 a9 36 53 c5 27 a4 bc a2 1d 29 cc 4e f6 1a a9 Data Ascii: VyYhb2<T9;7?3E_8P_Vbes~4j/yy.eeLIL:^^{qG13EKZ},B7+\|<'7/</MM\sKv6~Wasqu5"u=z]tWu/1Ql5^'P*ZYy\u46S')N
2024-08-28 20:42:01 UTC	1369	IN	Data Raw: 8d ad b1 db 89 af fa e3 9c 6e 3c 53 30 93 fb 64 a9 ee 45 52 8b 2d bb bb 39 17 a5 b2 bf 5c e7 6a be d6 39 cf 5e 9d 71 5b 2b fc 42 9a 98 52 35 69 70 54 0f 0f 6b 5a 48 6a ed 26 ac 74 6b f5 4b 35 de 0d a2 0e ca fb 89 bf b7 43 56 02 28 d8 37 b6 e2 56 bf 6c 92 8c c1 5c 2a 7d 72 a1 26 31 55 4d b3 44 bd 11 ca 64 0e b1 dc 33 7c 5e ea 3a 46 35 d2 48 10 05 d8 14 77 1a 27 a2 62 be e6 69 96 9f 4e 74 b7 8d f2 e5 c1 f8 b3 e5 b1 46 ee 4c 6e 26 13 2a 68 d0 e2 58 93 06 dc 11 00 92 dc ab 60 64 18 fd 18 5b 51 fa 0d 86 a7 bc 68 5a e7 a0 90 7d 25 06 7a f6 e6 ee 59 62 13 68 3f 4e de 72 6c 39 66 b4 b2 e5 69 b1 cd 9d dd 73 81 f0 4a 23 80 f6 c5 68 f8 54 90 ea 9d 27 02 71 74 de b0 a9 8a 30 fc 96 0d ec db ec 5a fc 22 27 bd f1 dc 9b d2 f3 12 28 cb a5 39 da 6b 52 8e f5 93 50 9d e8 90 Data Ascii: n<S0dER-9\j9^q[+BR5ipTkZHj&tkK5CV(7Vl\}r&1UMDd3\|^:F5Hw'biNtFLn&hX`d[QhZ}%zYbh?Nrl9fisJ#hT'qt0Z"'(9kRP
2024-08-28 20:42:01 UTC	1369	IN	Data Raw: 0b ba aa 67 00 4d 78 33 99 5d 4d ce 79 07 a2 39 5c 3a 17 4d ff 00 13 9c f2 1d c5 79 82 17 70 ce 01 ca ae b5 24 83 17 47 eb d6 c8 a9 10 be 57 8d 9a 42 a7 b1 d7 26 8a a8 8e 18 18 2d ee b4 a6 33 6d 7e 7d 9e 88 8c 22 d2 14 76 da f4 85 b3 19 66 79 4b a1 49 79 3e ed cf 70 f3 14 95 60 d5 65 f6 8f b0 e5 c7 0d da ec 3a c2 8f 8b cf d1 72 36 17 7c cb a6 e0 da 6c 3f 40 69 b8 69 f4 e0 db 9d 66 d5 ab bf a0 f3 76 e6 c7 a0 78 ee 59 5d a5 cb 61 c5 64 91 64 3b 6b 81 36 20 dd 0b 98 95 90 34 67 b5 6d 13 b0 2a 5e e3 41 30 a6 32 83 eb e0 06 e6 e8 01 03 99 b0 26 08 31 90 9d bd a5 8a 8a 6b 4f 68 c6 50 68 fd 73 5e 4f c0 61 cd 33 76 29 f0 3b c0 eb 8d 9f b7 99 67 0b f4 bf 23 2a 63 32 b9 d7 13 3c 74 f2 d4 86 bb f3 d7 26 41 79 8f 7a 1b f5 37 d1 02 23 ed 3b 94 d5 28 5c 59 08 e0 94 89 Data Ascii: gMx3]My9\:Myp$GWB&-3m~}"vfyKIy>p`e:r6\|l?@iifvxY]add;k6 4gm^A02&1kOhPhs^Oa3v);g#c2<t&Ayz7#;(\Y
2024-08-28 20:42:01 UTC	1369	IN	Data Raw: ec 8a 4f 4a 60 03 24 46 e2 a3 0e 45 62 eb 34 fa c9 ad 37 55 33 13 9d b8 7f 7b 0e 25 89 42 72 71 30 64 a3 a7 9b 55 5d ac e7 3a e8 ac ab a3 41 62 b8 37 18 ed d4 17 1c 53 bb 2a e9 8d 21 67 5d fc 04 49 99 6e 2c 77 58 73 ab 25 6d 96 ec 5f 9d 51 af 4c b8 9b 43 0c 19 55 c3 e3 97 8b d5 77 d4 ee 26 39 10 2d 78 87 db 8c a4 d8 c3 96 a3 2a 2c 90 52 cf 08 2b e5 f9 b0 af a8 1b 62 fd 0f 33 4c ba a7 9f 1a 02 bb 71 33 39 c5 ec 8c 9b 14 b0 97 65 cd dd 2e f0 55 84 d8 04 2b 91 f7 35 56 d5 7b a6 ed 1e 08 b3 ed f8 e3 d1 d9 14 c5 28 e0 6c f3 9f 4c f3 a5 b3 42 e0 30 f3 60 83 9b 00 f6 7a d0 75 3e a5 79 cf 5f a6 e2 b7 f7 0d 14 d0 f9 4a 71 6a ca ab c5 4f 61 7b 46 d4 48 96 1a d5 d7 6c d7 a6 1e 4a d7 0d 33 7b 55 bc ad 32 b0 93 5f 2c aa 3d 3b 0e 26 87 2a 18 96 f5 0a 0d b6 90 b3 d2 56 Data Ascii: OJ`$FEb47U3{%Brq0dU]:Ab7S!g]In,wXs%m_QLCUw&9-x,R+b3Lq39e.U+5V{(lLB0`zu>y_JqjOa{FHlJ3{U2_,=;&*V
2024-08-28 20:42:01 UTC	1369	IN	Data Raw: d4 e6 4d 6d 8f 98 2f be b3 02 1c ac c1 f6 af 24 e6 3c b6 d3 66 2d 2a ef 73 07 d1 5c d5 99 70 6b 1f 31 a0 b9 59 88 28 0f cc 73 53 2b 33 1e 89 45 d9 95 1f a0 7f 98 99 97 1a ed 33 33 d3 ee fc cd 22 cc 73 31 4e da cc c9 d6 76 9c c5 30 6c f3 07 f6 46 63 76 94 39 82 8d 7b 99 53 1e 3e 64 de 40 cc 47 ff c4 00 3e 10 00 02 02 02 00 06 01 03 02 04 05 03 04 01 03 05 03 04 02 05 01 06 00 07 11 12 13 14 21 15 22 23 31 32 10 16 24 33 08 20 25 41 42 17 34 61 35 43 51 52 62 45 46 81 53 63 65 71 72 ff da 00 08 01 01 00 01 0c 00 d5 96 8b ae 58 36 c0 e2 48 93 5c ac 63 e7 18 20 a4 dd 71 12 7a 4b 2c c4 a7 9f 61 f5 fe 18 5e 25 8c 6c 41 fe e3 20 f8 54 c3 9c e3 98 12 32 e1 b6 bc 2b 90 bd dd 32 28 c5 1d 5d 5c 4f e0 96 c4 8d 55 5d 58 27 f3 2d 29 03 b4 84 98 3b 45 c1 39 92 66 40 da Data Ascii: Mm/$<f-*s\pk1Y(sS+3E33"s1Nv0lFcv9{S>d@G>!"#12$3 %AB4a5CQRbEFSceqrX6H\c qzK,a^%lA T2+2(]\OU]X'-);E9f@
2024-08-28 20:42:01 UTC	1369	IN	Data Raw: 29 2c 3d b1 d0 15 bd c8 7a d0 19 83 72 bc 3c 76 bd 92 4b 2d 2f f4 c5 ad 6b 2c 97 fa 75 a5 78 b2 00 eb db 26 aa e4 ad f4 7b 82 f1 a6 f3 b6 a2 f2 70 ae d8 03 f4 6b 48 ca 3f 1f c1 85 80 e0 0a bb 21 19 43 b6 72 55 66 73 37 35 a3 7a c5 c5 a5 ce b6 c9 11 b7 54 90 91 a2 a6 d0 01 fb 0b f9 12 da e8 41 ae 3a bc 57 7a 46 87 2a 79 a9 5b a5 0c f5 96 55 5f d1 d5 da d6 5d a4 17 eb 1f 0b 6a 3e df a8 28 f6 7c 94 71 08 47 2c e3 ed 1f d5 2a e2 cb 57 36 b6 0b 2c b5 b7 3a b5 1a fe e8 a7 13 bf 3b 7e 79 6c 8d c6 51 ac 40 08 c6 ca fa f2 ed a2 32 fd 81 59 3d 5e a5 7d 75 38 fa c9 13 38 7b 96 a4 a4 a6 7a de e2 d8 42 1e a3 ae 26 e2 06 b5 7d 6e a0 be e5 d5 c3 cb c1 8a c5 7a 02 8f 51 b4 a7 7f df b9 56 42 35 65 06 c1 64 bc cd 5b 5c 56 03 4b 6a 91 42 b8 00 c6 21 36 df 94 52 37 e3 97 90 Data Ascii: ),=zr<vK-/k,ux&{pkH?!CrUfs75zTA:WzFy[U_]j>(\|qG,W6,:;~ylQ@2Y=^}u88{zB&}nzQVB5ed[\VKjB!6R7
2024-08-28 20:42:01 UTC	1369	IN	Data Raw: df c3 fc 44 ed 79 61 aa 9d 3d 19 70 05 23 32 2a 84 3f 67 29 a8 24 c5 83 56 a7 17 40 ff 00 0c ff 00 06 56 59 b0 1d 76 97 19 c3 b2 f2 7c 12 84 c9 ae 31 01 f0 d0 cd 5e e9 a1 98 90 47 b5 b5 6c 40 6a 1e c7 41 f2 be f5 cd 10 92 d8 a7 4d 16 55 d5 f7 5d 7b 6c 0c a5 5c f7 53 ee 5c a3 d6 36 e9 11 de c9 21 6b b2 eb fb 6e 94 29 25 b4 55 0e de 80 54 7e 63 86 cf 4f b4 2e 59 d3 7f c4 0b e8 4b 35 db a2 92 62 3b 96 e5 59 b0 05 28 d3 b8 07 6b 5a 60 d5 5a f9 0e 2f 26 6d 74 7d 66 1a ae ba 9a 32 8c 72 d6 cc da db f6 fb eb 4c f1 c6 b9 a7 a6 5e 6f f3 3d ab f6 96 97 d1 38 30 44 c0 8a 22 86 24 15 e7 2c 07 e2 2c a8 25 08 0e ce b4 c8 b2 65 98 09 d6 77 55 61 b7 4a 61 90 92 2e 64 3a b9 6d cf 16 92 ae ba 0b d6 73 20 fa e5 b7 af ba ea 02 f4 2a f6 bd 5d fa 29 dc d5 58 ac 6a da 5b 34 99 Data Ascii: Dya=p#2?g)$V@VYv\|1^Gl@jAMU]{l\S\6!kn)%UT~cO.YK5b;Y(kZ`Z/&mt}f2rL^o=80D"$,,%ewUaJa.d:ms ])Xj[4
2024-08-28 20:42:01 UTC	1369	IN	Data Raw: 5d 46 53 50 99 8e ed cc 5b 0d a2 9f 15 46 54 50 6e e5 a0 f8 d1 41 79 75 5e a3 ba a9 1b cb fe ec 47 8e 58 d5 5e 6a ba f0 5e 1a 12 eb ed c7 99 1c d9 ac 1b 70 f1 d3 ca a9 07 b3 17 95 21 16 37 31 fc af a8 8e 96 6b c8 c9 8d cb cb b3 83 48 d0 e9 c7 30 d4 85 c1 56 02 44 ee 82 8a 5a 5e b1 68 95 cd f9 e1 98 39 ca 3a 38 89 b7 2e 08 3c 78 ea d2 ca 29 08 64 96 32 4b cd 7e 97 62 4f d4 b4 40 4c 8f 71 e4 65 82 78 33 3a eb 12 7d 76 91 3a a4 32 cc 84 82 21 91 ee c4 b3 0f 8e 0d 63 b2 8a af e9 18 76 cf e8 e9 19 53 41 3a b1 9b b4 9c af d7 7d ab 8f 68 83 e8 b4 78 eb fe 5e 67 ec 98 b9 d8 19 8c 27 d5 2b 36 e4 15 c9 d2 5f 93 fc 3e 69 f9 aa a0 3e c6 d4 3a 35 b0 6a 94 db 2c 21 97 95 fc fb 57 2b ee 2a 20 63 88 39 b2 4c 0f b8 92 be b9 46 2b 1a ca d8 30 9b 91 b4 d4 2d 8a b3 ba bf 39 Data Ascii: ]FSP[FTPnAyu^GX^j^p!71kH0VDZ^h9:8.<x)d2K~bO@Lqex3:}v:2!cvSA:}hx^g'+6_>i>:5j,!W+* c9LF+0-9

Target ID:	0
Start time:	16:40:10
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\ps11.0.0.129pro.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ps11.0.0.129pro.exe"
Imagebase:	0x400000
File size:	54'814'096 bytes
MD5 hash:	FC13BC8B09702EC0CA1A48F7E9157380
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ps11.0.0.129pro.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Bitcoin Miner

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\PlanSwift11\Data\Developers\Additional Help\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\Additional Help\is-4OIJL.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\About\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\About\is-VVUUP.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\BeginFormulaUpdate\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\BeginFormulaUpdate\is-6QE92.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\BeginUpdate\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\BeginUpdate\is-S0L1M.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CancelTool\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CancelTool\is-OM1N5.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CloseJob\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CloseJob\is-EIV5N.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CompareVersion\Data.xml (copy)

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CompareVersion\is-I8GUR.tmp

C:\Program Files (x86)\PlanSwift11\Data\Developers\_PlanSwift Help\COM Object Model\IPlanSwift\CopyItem\Data.xml (copy)

Windows Analysis Report
ps11.0.0.129pro.exe

Target ID:	5
Start time:	16:40:42
Start date:	28/08/2024
Path:	C:\Users\user\AppData\Local\Temp\is-K4N7C.tmp\_isetup\_setup64.tmp
Wow64 process (32bit):	false
Commandline:	helper 105 0x3E4
Imagebase:	0x140000000
File size:	6'144 bytes
MD5 hash:	E4211D6D009757C078A9FAC7FF4F03D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	7
Start time:	16:41:07
Start date:	28/08/2024
Path:	C:\Program Files (x86)\PlanSwift11\PlanSwift.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /regserver
Imagebase:	0xf80000
File size:	15'557'072 bytes
MD5 hash:	B157207600DF34B69CA9AA91F1659383
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000002.2340509901.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000003.2256979397.0000000006320000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	16:41:17
Start date:	28/08/2024
Path:	C:\Program Files (x86)\PlanSwift11\PlanSwift.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" /init
Imagebase:	0xf80000
File size:	15'557'072 bytes
MD5 hash:	B157207600DF34B69CA9AA91F1659383
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000003.2357414981.00000000064B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000002.2432296214.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	11
Start time:	16:41:30
Start date:	28/08/2024
Path:	C:\Program Files (x86)\PlanSwift11\PlanSwift.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PlanSwift11\PlanSwift.exe" -o "Sample Plan"
Imagebase:	0xf80000
File size:	15'557'072 bytes
MD5 hash:	B157207600DF34B69CA9AA91F1659383
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000002.2917164884.0000000000F81000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000B.00000003.2587147896.0000000006290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8%
Total number of Nodes:	1560
Total number of Limit Nodes:	21

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	91

Execution Coverage:	56.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	33
Total number of Limit Nodes:	5

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	103
Total number of Limit Nodes:	10

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	201
Total number of Limit Nodes:	11

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre