Windows Analysis Report
https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe

Overview

General Information

Sample URL:	https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe
Analysis ID:	1432197
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

.NET source code contains potential unpacker

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for dropped file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Classes Autorun Keys Modification

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection

Machine Learning detection for dropped file

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uni4C5A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uni4C5A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uninstall.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\lua5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uninstall.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelperx86.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Data.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Dialogs.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Images.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Office.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Pdf.v19.2.Drawing.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Printing.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Utils.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraBars.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraDialogs.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraEditors.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraGrid.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraLayout.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraPrinting.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraTreeList.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fpdfview.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpusx86.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererCOMPlus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\SharpShell.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG1.PNG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG1.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG2.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG3.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG4.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG5.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG2.PNG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRZip.lmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\srm.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\user\AppData\Local\Temp\Locklizard Safeguard - PDF Viewer Setup Log.txt

Jump to behavior

Source: unknown	HTTPS traffic detected: 18.173.166.10:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49755 version: TLS 1.2

Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShell\obj\Release\SharpShell.pdb, source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress19.2\obj\Release\PDCViewer.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraPrinting\DevExpress.Printing.Core\obj_netFW\Release\DevExpress.Printing.v19.2.Core.pdb\| source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000014707000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!ShellExtension\PDCViewer3ShellExt\PDCViewerShellExt\obj\Release\PDCViewerShellExt.pdb source: RegAsm.exe, 00000012.00000002.2428771066.000002089B57C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Utils\obj_netFW\Release\DevExpress.Utils.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2260562448.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2824901575.000000001EAD2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000014707000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShellNativeBridge\Release\SharpShellNativeBridge32.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Office\DevExpress.Office.Core\obj_netFW\Release\DevExpress.Office.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2228931269.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000013F49000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000000.2445032323.00007FF7D7FE1000.00000080.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Office\DevExpress.Office.Core\obj_netFW\Release\DevExpress.Office.v19.2.Core.pdbDV&^V& PV&_CorDllMainmscoree.dll source: irsetup.exe, 0000000A.00000003.2228931269.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Utils\obj_netFW\Release\DevExpress.Utils.v19.2.pdbD source: irsetup.exe, 0000000A.00000003.2260562448.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2824901575.000000001EAD2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShell\obj\Release\SharpShell.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: E:\CSharp\PdfViewer-USBAutorun\PDCViewer-USBAutorun\obj\Release\View Documents.pdbl1 source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraPrinting\DevExpress.Printing.Core\obj_netFW\Release\DevExpress.Printing.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Data\obj_netFW\Release\DevExpress.Data.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Drawing\obj_netFW\Release\DevExpress.Pdf.v19.2.Drawing.pdb source: irsetup.exe, 0000000A.00000003.2243934522.00000000075D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraDialogs\DevExpress.Dialogs.Core\obj_netFW\Release\DevExpress.Dialogs.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000013F49000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000000.2445032323.00007FF7D7FE1000.00000080.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.XtraPdfViewer\obj_netFW\Release\DevExpress.XtraPdfViewer.v19.2.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2801821100.000000001CF10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewer-USBAutorun\PDCViewer-USBAutorun\obj\Release\View Documents.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress19.2\obj\Release\PDCViewer.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\Tools\ServerRegistrationManager\obj\Release\ServerRegistrationManager.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!VCDLLs\comphelper\Release\comphelperx86.pdb source: irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Images\obj_netFW\Release\DevExpress.Images.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!ShellExtension\PDCViewer3ShellExt\PDCViewerShellExt\obj\Release\PDCViewerShellExt.pdbBSJB source: RegAsm.exe, 00000012.00000002.2428771066.000002089B57C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.XtraPdfViewer\obj_netFW\Release\DevExpress.XtraPdfViewer.v19.2.pdb source: PDCViewer64.exe, 00000014.00000002.2801821100.000000001CF10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\x64\Release\SharpShellNativeBridge64.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 20.2.PDCViewer64.exe.1b347e68.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.PDCViewer64.exe.12dc1928.2.raw.unpack, type: UNPACKEDPE

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.45.182.97
Source: unknown	TCP traffic detected without corresponding DNS query: 23.45.182.97
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /SafeguardPDFViewer_v3.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: downloads.locklizard.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGIyFr7EGIjB4A9FkmG0nP_1340exxGzPk9RM3r_-uXsGTpCNAhbioD-nBhNotciBT-0cxjjCdioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=RwlkKytBFEGbnj4HbVeUtogSXCli2feER8PkUvOyxvt1NSp1vIDA8LQ9GiBFxuw7RoMaaxYOLGK4WHPgqvbbWuiSUFr8zV5Ruqr1VRMoDOhDRSvSlqc_lgSBNy5e8a7jq83xIZclUA1SBWDPnSCou8J_ZZrOy2EKbB1WCtoLbRQ
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGIyFr7EGIjBHAnuCWcXgE4qbZ44XmT26pn0152eekS6qWshR58uLMbOX1SHuE4dokHmlvFieRTsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=ddvLbEZgvOJCqGusx3gABdX86Ju0MND1WprN9YIIaT3Dmbp5MgWiLcSQaiopeQEWLdkq-d2_6qP2wKxeZUYG0E2yoaJon6JjiI4DkVl9sJ4PccOHJ--Lvmmau-bVdYiUV2K5GeHmoRYf8-sQG74mhSJuzjtIe_mK50kW_7baJV8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=craEgWl5dVCXtwg&MD=zsFOv9HB HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=craEgWl5dVCXtwg&MD=zsFOv9HB HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /Manuals/LockLizard_Secure_PDF_Viewer_v3.pdf HTTP/1.1Host: www.locklizard.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.locklizard.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.locklizard.com/Manuals/LockLizard_Secure_PDF_Viewer_v3.pdfAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /Update.inf HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Setup Factory 8.0Host: updates.locklizard.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: downloads.locklizard.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: updates.locklizard.com
Source: global traffic	DNS traffic detected: DNS query: www.locklizard.com

Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: Https://go.devexpress.com/Demo_2013_BuyNow.aspx
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Https://go.devexpress.com/Demo_2013_BuyNow.aspxfhttps://go.devexpress.com/Demo_2013_BuyNow_ASP.aspxl
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: Https://go.devexpress.com/Demo_2013_Chat.aspx
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: Https://go.devexpress.com/Demo_2013_GetSupport.aspx
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Https://go.devexpress.com/Demo_2013_Help.aspx_Https://go.devexpress.com/Demo_2013_BuyNow.aspxghttps:
Source: irsetup.exe, 0000000A.00000003.1842348166.0000000005CAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Raz-Soft.com
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://creativecommons.org/ns#
Source: SafeguardPDFViewer_v3.exe, 00000009.00000002.3044774109.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1849020546.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SafeguardPDFViewer_v3.exe, 00000009.00000002.3044774109.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1849020546.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s5-3.crl0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s5-6.crl0
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://documentation.devexpress.com/
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://documentation.devexpress.com/;Client-Side
Source: SafeguardPDFViewer_v3.exe, 00000009.00000002.3044774109.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1849020546.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/officeDocument
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/sharedStrings
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printingcore/xtraprinting/native
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printingcore/xtraprinting/native/presentation
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printingcore/xtraprinting/native/presentation-embedded
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reportdesigner/native
Source: irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updates.locklizard.com
Source: irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://updates.locklizard.com/Update.inf
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000014D4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.codeproject.com/Tips/713824/Pin-a-shortcut-onto-the-Taskbar-or-Start-Menu
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.devexpress.com/example=E906.
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.devexpress.comEhttp://www.devexpress.com/productsGhttp://www.devexpress.com/downloadsahtt
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SafeguardPDFViewer_v3.exe, 00000009.00000002.3044774109.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1849020546.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1849020546.0000000005CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com
Source: irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com/forums/threads/20321-Simulating-Refresh-%28Windows-Explorer%29
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com/forums/threads/30478-Can-not-get-the-correct-Folder-path-in-Win7-64bit-OS
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com/forums/threads/34511-Register-64-bit-DLL-from-32-bit-installer
Source: irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.locklizard.com
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.locklizard.com/pdf_drm_walkthrough.htm
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mindquake.com.br/code/108-centerdialogs
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mindquake.com.br/en/articles/deployment?start=1
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mindquake.com.br/en/code/110-cmdline?start=3
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mindquake.com.br/screens/shortcuts
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://DevExpress.ReportServer.ServiceModel.Client.FormsAuthenticationMessageInspector
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: irsetup.exe, 0000000A.00000003.2176679648.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://downloads.l
Source: irsetup.exe, 0000000A.00000003.2253424158.0000000002D41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe
Source: wget.exe, 00000002.00000002.1784231023.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe=6PR
Source: wget.exe, 00000002.00000002.1784231023.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFViewer_v3.exeJONE
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFWriter_Enterprise_v4.exe
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFWriter_Enterprise_v5.exe
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFWriter_v3.exe
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFWriter_v4.exe
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/.NET_SafeProcess_Start.aspx
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Demo_2013_CompareSubscriptions.aspxmhttps://go.devexpress.com/Demo_2013_Do
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspx
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspxGDevExpress.Utils.Images.Support.svg
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspxzhttps://go.devexpress.com/Demo_2013_C
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://go.devexpress.com/Demo_2013_DownloadTrial.aspxIDevExpress.Utils.Images.Discount.svg
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Jan2019_Deserialization_Issue.aspx
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Jan2019_Deserialization_Issue_ServiceKnownTypeProvider.aspx
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Jan2019_Deserialization_Issue_Tag_Property.aspx
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/?s=Can%27t
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/?s=License
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-error-6794-error-opening-keystore-file/
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-failed-to-check-document-or-product-access-ca
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-failed-to-import-form-values-no-form-values-a
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-failed-to-read-license-information-invalid-li
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-file-is-corrupt-or-incomplete/
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-invalid-document-version-supported-version-by
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-invalid-license-file-the-license-you-are-usin
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-invalid-or-corrupt-keystore/
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-license-check-failed-cant-find-your-account/
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-locklizard-safeguard-secure-pdf-viewer-is-not
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-no-more-licenses-are-available-please-contact
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-this-document-has-expired-system-time-change-
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-this-document-is-no-longer-available-or-the-d
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-unexpected-server-response-request-could-not-
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-you-must-enable-desktop-composition-to-view-t
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001AF70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://locklizard.com
Source: irsetup.exe, 0000000A.00000003.2049664427.0000000006E6B000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2050271674.0000000006E6B000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2050436540.0000000006E6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.c
Source: irsetup.exe, 0000000A.00000003.2176714078.0000000001412000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2176516732.0000000001412000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2048764472.0000000001410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oaut
Source: irsetup.exe, 0000000A.00000003.2048748080.000000000141B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: irsetup.exe, 0000000A.00000003.2176735186.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: irsetup.exe, 0000000A.00000003.2176516732.000000000141C000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2048748080.000000000141B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2S
Source: irsetup.exe, 0000000A.00000003.2049664427.0000000006E6B000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2050271674.0000000006E6B000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2050436540.0000000006E6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: irsetup.exe, 0000000A.00000003.2176679648.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/a/21592191/1611054
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://www.devexpress.com/Products/NET/Controls/WinForms/get-started.xml
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://www.devexpress.com/Subscriptions/
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://www.devexpress.com/Subscriptions/Universal.xml
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.devexpress.com/Support/Center/Question/Details/KA18959/
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.devexpress.com/Support/Center/Question/Details/T313960
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.indigorose.com/webhelp/suf9/Program_Reference/Actions/SetupData.GetFileList.htm
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.indigorose.com/webhelp/suf9/Program_Reference/Actions/StatusDlg.Show.htm
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.indigorose.com/webhelp/suf9/index.htm#Program_Reference/Actions/File.Install_Examples.ht
Source: RegAsm.exe, 00000012.00000002.2428771066.000002089B2B2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.locklizard-evals.com/enterprise5/
Source: irsetup.exe, 0000000A.00000003.2176679648.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.locklizard.co
Source: irsetup.exe, 0000000A.00000003.2176679648.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.locklizard.co0%
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.locklizard.com/Downloads/OLD/SafeguardPDFWriter_Enterprise.exe
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.locklizard.com/Downloads/OLD/SafeguardPDFWriter_v26.exe
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.locklizard.com/Manuals/LockLizard_Secure_PDF_Viewer_v3.pdf
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.locklizard.com/open-pdc-file/
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001AF70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.locklizard.com/privacy/
Source: SafeguardPDFViewer_v3.exe, 00000009.00000000.1811914118.0000000000E3C000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.locklizard.com6
Source: SafeguardPDFViewer_v3.exe, 00000009.00000000.1811914118.0000000000E3C000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.locklizard.comF

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 18.173.166.10:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49755 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:

Detected potential crypto function

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Code function: 18_2_00007FFD99280FF1		18_2_00007FFD99280FF1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Code function: 18_2_00007FFD992800AD		18_2_00007FFD992800AD

PE file contains more sections than normal

Source: comphelper.dll.10.dr

Static PE information: Number of sections : 13 > 10

Source: irsetup.exe.9.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9909402438160876
Source: uninstall.exe.10.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9909402438160876
Source: comphelper.dll.10.dr	Static PE information: Section: ZLIB complexity 1.0004185267857142
Source: comphelper.dll.10.dr	Static PE information: Section: ZLIB complexity 0.9891304347826086
Source: comphelper.dll.10.dr	Static PE information: Section: ZLIB complexity 1.017578125
Source: comphelper.dll.10.dr	Static PE information: Section: .boot ZLIB complexity 0.9968304425564869
Source: comphelper.dll.10.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal84.troj.evad.win@35/111@12/6

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Code function: 9_2_00E31B89 GetCurrentDirectoryA,GetTempPathA,lstrlenA,lstrlenA,lstrcpyA,lstrcpyA,lstrlenA,lstrcatA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,wsprintfA,wsprintfA,DeleteFileA,RemoveDirectoryA,GetFileAttributesA,CreateDirectoryA,CreateDirectoryA,lstrcpyA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpyA,CreateDirectoryA,SetCurrentDirectoryA,lstrcpyA,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,GetDiskFreeSpaceA,lstrcpyA,SetCurrentDirectoryA,

9_2_00E31B89

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Program Files\Locklizard Safeguard PDF Viewer\

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9040:120:WilError_03

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0

Jump to behavior

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: kernel32.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: kernel32.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: kernel32.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: ntmarta.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: PROPSYS.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: Secur32.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: /~DBG	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: @:	9_2_00E33990

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(5)%3cfnc1%3e(%02)/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=2004,i,7086555652967495776,12374585124614321851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1992,i,3070133182868186284,11114087621646047524,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe "C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe"
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1804130 "__IRAFN:C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe" "__IRCT:3" "__IRTSS:52614381" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1002"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe" install "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll" -codebase -os64
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\regasm.exe" /codebase "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe" /setupappinstalled
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1992,i,3070133182868186284,11114087621646047524,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=2004,i,7086555652967495776,12374585124614321851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1804130 "__IRAFN:C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe" "__IRCT:3" "__IRTSS:52614381" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1002"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe" install "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll" -codebase -os64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe" /setupappinstalled	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\regasm.exe" /codebase "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll"	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: lua5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: I agree to the terms of this license agreement
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uni4C5A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uni4C5A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uninstall.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\lua5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uninstall.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelperx86.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Data.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Dialogs.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Images.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Office.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Pdf.v19.2.Drawing.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Printing.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Utils.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraBars.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraDialogs.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraEditors.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraGrid.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraLayout.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraPrinting.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraTreeList.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fpdfview.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpusx86.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererCOMPlus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\SharpShell.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG1.PNG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG1.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG2.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG3.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG4.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG5.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG2.PNG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRZip.lmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\srm.exe	Jump to behavior

Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShell\obj\Release\SharpShell.pdb, source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress19.2\obj\Release\PDCViewer.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraPrinting\DevExpress.Printing.Core\obj_netFW\Release\DevExpress.Printing.v19.2.Core.pdb\| source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000014707000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!ShellExtension\PDCViewer3ShellExt\PDCViewerShellExt\obj\Release\PDCViewerShellExt.pdb source: RegAsm.exe, 00000012.00000002.2428771066.000002089B57C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Utils\obj_netFW\Release\DevExpress.Utils.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2260562448.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2824901575.000000001EAD2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000014707000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShellNativeBridge\Release\SharpShellNativeBridge32.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Office\DevExpress.Office.Core\obj_netFW\Release\DevExpress.Office.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2228931269.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000013F49000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000000.2445032323.00007FF7D7FE1000.00000080.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Office\DevExpress.Office.Core\obj_netFW\Release\DevExpress.Office.v19.2.Core.pdbDV&^V& PV&_CorDllMainmscoree.dll source: irsetup.exe, 0000000A.00000003.2228931269.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Utils\obj_netFW\Release\DevExpress.Utils.v19.2.pdbD source: irsetup.exe, 0000000A.00000003.2260562448.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2824901575.000000001EAD2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShell\obj\Release\SharpShell.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: E:\CSharp\PdfViewer-USBAutorun\PDCViewer-USBAutorun\obj\Release\View Documents.pdbl1 source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraPrinting\DevExpress.Printing.Core\obj_netFW\Release\DevExpress.Printing.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Data\obj_netFW\Release\DevExpress.Data.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Drawing\obj_netFW\Release\DevExpress.Pdf.v19.2.Drawing.pdb source: irsetup.exe, 0000000A.00000003.2243934522.00000000075D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraDialogs\DevExpress.Dialogs.Core\obj_netFW\Release\DevExpress.Dialogs.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000013F49000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000000.2445032323.00007FF7D7FE1000.00000080.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.XtraPdfViewer\obj_netFW\Release\DevExpress.XtraPdfViewer.v19.2.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2801821100.000000001CF10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewer-USBAutorun\PDCViewer-USBAutorun\obj\Release\View Documents.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress19.2\obj\Release\PDCViewer.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\Tools\ServerRegistrationManager\obj\Release\ServerRegistrationManager.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!VCDLLs\comphelper\Release\comphelperx86.pdb source: irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Images\obj_netFW\Release\DevExpress.Images.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!ShellExtension\PDCViewer3ShellExt\PDCViewerShellExt\obj\Release\PDCViewerShellExt.pdbBSJB source: RegAsm.exe, 00000012.00000002.2428771066.000002089B57C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.XtraPdfViewer\obj_netFW\Release\DevExpress.XtraPdfViewer.v19.2.pdb source: PDCViewer64.exe, 00000014.00000002.2801821100.000000001CF10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\x64\Release\SharpShellNativeBridge64.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: srm.exe.10.dr, Program.cs	.Net Code: HandleEmbeddedReferences System.Reflection.Assembly.Load(byte[])
Source: srm.exe0.10.dr, Program.cs	.Net Code: HandleEmbeddedReferences System.Reflection.Assembly.Load(byte[])

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Code function: 9_2_00E31A72 lstrcatA,wsprintfA,GetSystemDirectoryA,lstrlenA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,LoadLibraryA,GetProcAddress,FreeLibrary,

9_2_00E31A72

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

PE file contains sections with non-standard names

Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name: .boot

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FDB18 push esi; retf 0017h	2_3_010FDB7A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_01114672 push B9049268h; retf	2_3_011146B4
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FB37B pushad ; retn 0078h	2_3_010FB38D
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FF289 push ebx; retf	2_3_010FF38A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FFB89 push edx; ret	2_3_010FFBCA
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FD281 push edi; retf	2_3_010FD382
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FEA81 push eax; retf	2_3_010FEB82
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FDB80 push esi; ret	2_3_010FDBC2
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_01103788 pushad ; ret	2_3_0110378B
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FFBA8 push edx; ret	2_3_010FFBCA
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FE3A4 push ecx; retn 0014h	2_3_010FE3BA
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FB2A0 pushfd ; retn 0000h	2_3_010FB373
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FDB18 push esi; retf 0017h	2_2_010FDB7A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FF289 push ebx; retf	2_2_010FF38A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FFB89 push edx; ret	2_2_010FFBCA
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FD281 push edi; retf	2_2_010FD382
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FEA81 push eax; retf	2_2_010FEB82
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FDB80 push esi; ret	2_2_010FDBC2
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_01103788 pushad ; ret	2_2_0110378B
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FFBA8 push edx; ret	2_2_010FFBCA
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FE3A4 push ecx; retn 0014h	2_2_010FE3BA
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Code function: 9_2_00E33AE5 push ecx; ret	9_2_00E33AF8

Source: comphelper.dll.10.dr	Static PE information: section name: entropy: 7.993108244382584
Source: comphelper.dll.10.dr	Static PE information: section name: .boot entropy: 7.96475544918575

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraDialogs.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\wget.exe	File created: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\lua5.1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraPrinting.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelperx86.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraEditors.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\suf_pendreboot.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraGrid.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\fpdfview.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraBars.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Pdf.v19.2.Drawing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpusx86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererCOMPlus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraLayout.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Images.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\srm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Data.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Utils.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Office.v19.2.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraTreeList.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\SharpShell.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Printing.v19.2.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Dialogs.v19.2.Core.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRZip.lmd			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\user\AppData\Local\Temp\Locklizard Safeguard - PDF Viewer Setup Log.txt

Jump to behavior

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\Safeguard Viewer.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\Remove Viewer Keystore.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\Viewer Proxy settings.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\About Viewer.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\Uninstall Viewer.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\Uninstall Viewer.lnk	Jump to behavior

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PDCViewer64.exe, 00000014.00000002.2654157450.0000000002465000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: IMPORTREC.EXE

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Memory allocated: 6BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Memory allocated: D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Memory allocated: 20880C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Memory allocated: 2089A640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Memory allocated: 1A9E0000 memory reserve \| memory write watch	Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Window / User API: threadDelayed 1127			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 487			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraDialogs.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraPrinting.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraEditors.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelperx86.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\es\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\suf_pendreboot.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\fpdfview.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraGrid.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraBars.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Pdf.v19.2.Drawing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpusx86.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererCOMPlus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\it\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraLayout.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Images.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\de\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Data.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Utils.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Office.v19.2.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraTreeList.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\SharpShell.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Printing.v19.2.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Dialogs.v19.2.Core.dll	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe TID: 8264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 8236	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 8240	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 8240	Thread sleep count: 487 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 8224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe TID: 5660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Thread sleep count: Count: 1127 delay: -10

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: irsetup.exe, 0000000A.00000003.2176735186.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxB>
Source: irsetup.exe, 0000000A.00000003.2176679648.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.1784061581.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: regmonclass
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: procmon_window_class
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: filemonclass
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Code function: 9_2_00E3269A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

9_2_00E3269A

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Code function: 9_2_00E31A72 lstrcatA,wsprintfA,GetSystemDirectoryA,lstrlenA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,LoadLibraryA,GetProcAddress,FreeLibrary,

9_2_00E31A72

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Code function: 9_2_00E342C8 SetUnhandledExceptionFilter,	9_2_00E342C8
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Code function: 9_2_00E3269A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00E3269A
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Code function: 9_2_00E33114 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00E33114

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	NtQuerySystemInformation: Indirect: 0x7FF7D81058D1	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	NtQueryInformationProcess: Indirect: 0x7FF7D813AB23	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	NtSetInformationThread: Indirect: 0x7FF7D8136C94	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	NtQueryInformationProcess: Indirect: 0x7FF7D81486D7	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1804130 "__IRAFN:C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe" "__IRCT:3" "__IRTSS:52614381" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1002"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\regasm.exe" /codebase "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll"			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://downloads.locklizard.com/safeguardpdfviewer_v3.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://downloads.locklizard.com/safeguardpdfviewer_v3.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://downloads.locklizard.com/safeguardpdfviewer_v3.exe"	Jump to behavior

Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp

Binary or memory string: Shell_TrayWnd

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\wget.exe	Queries volume information: C:\Users\user\Desktop\download VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\SharpShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition\v4.0_4.0.0.0__b77a5c561934e089\System.ComponentModel.Composition.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Utils.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraBars.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Data.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraEditors.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Pdf.v19.2.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraGrid.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraDialogs.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Dialogs.v19.2.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\v4.0_4.0.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraLayout.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Printing.v19.2.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraTreeList.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35\System.Printing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ReachFramework\v4.0_4.0.0.0__31bf3856ad364e35\ReachFramework.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Code function: 9_2_00E34A8C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_00E34A8C

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
18.173.166.10	d2wdijjn7s4yas.cloudfront.net	United States	3	MIT-GATEWAYSUS	false
142.250.64.196	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
18.217.61.96	updates.locklizard.com	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.4
192.168.2.5

Contacted Domains

Name	IP	Active
www.google.com	142.250.64.196	true
d2wdijjn7s4yas.cloudfront.net	18.173.166.10	true
updates.locklizard.com	18.217.61.96	true
www.locklizard.com	3.14.62.233	true
downloads.locklizard.com	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
https://www.locklizard.com/favicon.ico	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGIyFr7EGIjBHAnuCWcXgE4qbZ44XmT26pn0152eekS6qWshR58uLMbOX1SHuE4dokHmlvFieRTsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false	high
https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe	false	high
http://updates.locklizard.com/Update.inf	false	high
https://www.locklizard.com/Manuals/LockLizard_Secure_PDF_Viewer_v3.pdf	false	high
https://www.google.com/async/newtab_promos	false	high
https://www.google.com/async/ddljson?async=ntp:2	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false	high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGIyFr7EGIjB4A9FkmG0nP_1340exxGzPk9RM3r_-uXsGTpCNAhbioD-nBhNotciBT-0cxjjCdioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false	high

AV Detection

Machine Learning detection for dropped file

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uni4C5A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uni4C5A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uninstall.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\lua5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uninstall.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelperx86.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Data.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Dialogs.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Images.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Office.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Pdf.v19.2.Drawing.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Printing.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Utils.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraBars.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraDialogs.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraEditors.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraGrid.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraLayout.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraPrinting.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraTreeList.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fpdfview.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpusx86.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererCOMPlus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\SharpShell.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG1.PNG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG1.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG2.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG3.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG4.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG5.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG2.PNG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRZip.lmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\srm.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\user\AppData\Local\Temp\Locklizard Safeguard - PDF Viewer Setup Log.txt

Jump to behavior

Source: unknown	HTTPS traffic detected: 18.173.166.10:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49755 version: TLS 1.2

Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShell\obj\Release\SharpShell.pdb, source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress19.2\obj\Release\PDCViewer.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraPrinting\DevExpress.Printing.Core\obj_netFW\Release\DevExpress.Printing.v19.2.Core.pdb\| source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000014707000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!ShellExtension\PDCViewer3ShellExt\PDCViewerShellExt\obj\Release\PDCViewerShellExt.pdb source: RegAsm.exe, 00000012.00000002.2428771066.000002089B57C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Utils\obj_netFW\Release\DevExpress.Utils.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2260562448.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2824901575.000000001EAD2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000014707000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShellNativeBridge\Release\SharpShellNativeBridge32.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Office\DevExpress.Office.Core\obj_netFW\Release\DevExpress.Office.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2228931269.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000013F49000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000000.2445032323.00007FF7D7FE1000.00000080.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Office\DevExpress.Office.Core\obj_netFW\Release\DevExpress.Office.v19.2.Core.pdbDV&^V& PV&_CorDllMainmscoree.dll source: irsetup.exe, 0000000A.00000003.2228931269.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Utils\obj_netFW\Release\DevExpress.Utils.v19.2.pdbD source: irsetup.exe, 0000000A.00000003.2260562448.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2824901575.000000001EAD2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShell\obj\Release\SharpShell.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: E:\CSharp\PdfViewer-USBAutorun\PDCViewer-USBAutorun\obj\Release\View Documents.pdbl1 source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraPrinting\DevExpress.Printing.Core\obj_netFW\Release\DevExpress.Printing.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Data\obj_netFW\Release\DevExpress.Data.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Drawing\obj_netFW\Release\DevExpress.Pdf.v19.2.Drawing.pdb source: irsetup.exe, 0000000A.00000003.2243934522.00000000075D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraDialogs\DevExpress.Dialogs.Core\obj_netFW\Release\DevExpress.Dialogs.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000013F49000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000000.2445032323.00007FF7D7FE1000.00000080.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.XtraPdfViewer\obj_netFW\Release\DevExpress.XtraPdfViewer.v19.2.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2801821100.000000001CF10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewer-USBAutorun\PDCViewer-USBAutorun\obj\Release\View Documents.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress19.2\obj\Release\PDCViewer.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\Tools\ServerRegistrationManager\obj\Release\ServerRegistrationManager.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!VCDLLs\comphelper\Release\comphelperx86.pdb source: irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Images\obj_netFW\Release\DevExpress.Images.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!ShellExtension\PDCViewer3ShellExt\PDCViewerShellExt\obj\Release\PDCViewerShellExt.pdbBSJB source: RegAsm.exe, 00000012.00000002.2428771066.000002089B57C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.XtraPdfViewer\obj_netFW\Release\DevExpress.XtraPdfViewer.v19.2.pdb source: PDCViewer64.exe, 00000014.00000002.2801821100.000000001CF10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\x64\Release\SharpShellNativeBridge64.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 20.2.PDCViewer64.exe.1b347e68.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.PDCViewer64.exe.12dc1928.2.raw.unpack, type: UNPACKEDPE

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 23.204.76.112
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.45.182.97
Source: unknown	TCP traffic detected without corresponding DNS query: 23.45.182.97
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /SafeguardPDFViewer_v3.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: downloads.locklizard.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGIyFr7EGIjB4A9FkmG0nP_1340exxGzPk9RM3r_-uXsGTpCNAhbioD-nBhNotciBT-0cxjjCdioyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=RwlkKytBFEGbnj4HbVeUtogSXCli2feER8PkUvOyxvt1NSp1vIDA8LQ9GiBFxuw7RoMaaxYOLGK4WHPgqvbbWuiSUFr8zV5Ruqr1VRMoDOhDRSvSlqc_lgSBNy5e8a7jq83xIZclUA1SBWDPnSCou8J_ZZrOy2EKbB1WCtoLbRQ
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGIyFr7EGIjBHAnuCWcXgE4qbZ44XmT26pn0152eekS6qWshR58uLMbOX1SHuE4dokHmlvFieRTsyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-15; NID=513=ddvLbEZgvOJCqGusx3gABdX86Ju0MND1WprN9YIIaT3Dmbp5MgWiLcSQaiopeQEWLdkq-d2_6qP2wKxeZUYG0E2yoaJon6JjiI4DkVl9sJ4PccOHJ--Lvmmau-bVdYiUV2K5GeHmoRYf8-sQG74mhSJuzjtIe_mK50kW_7baJV8
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=craEgWl5dVCXtwg&MD=zsFOv9HB HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=craEgWl5dVCXtwg&MD=zsFOv9HB HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /Manuals/LockLizard_Secure_PDF_Viewer_v3.pdf HTTP/1.1Host: www.locklizard.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.locklizard.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.locklizard.com/Manuals/LockLizard_Secure_PDF_Viewer_v3.pdfAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /Update.inf HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedUser-Agent: Setup Factory 8.0Host: updates.locklizard.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: downloads.locklizard.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: updates.locklizard.com
Source: global traffic	DNS traffic detected: DNS query: www.locklizard.com

Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: Https://go.devexpress.com/Demo_2013_BuyNow.aspx
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Https://go.devexpress.com/Demo_2013_BuyNow.aspxfhttps://go.devexpress.com/Demo_2013_BuyNow_ASP.aspxl
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: Https://go.devexpress.com/Demo_2013_Chat.aspx
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: Https://go.devexpress.com/Demo_2013_GetSupport.aspx
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Https://go.devexpress.com/Demo_2013_Help.aspx_Https://go.devexpress.com/Demo_2013_BuyNow.aspxghttps:
Source: irsetup.exe, 0000000A.00000003.1842348166.0000000005CAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Raz-Soft.com
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://creativecommons.org/ns#
Source: SafeguardPDFViewer_v3.exe, 00000009.00000002.3044774109.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1849020546.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SafeguardPDFViewer_v3.exe, 00000009.00000002.3044774109.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1849020546.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s5-3.crl0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s5-6.crl0
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://documentation.devexpress.com/
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://documentation.devexpress.com/;Client-Side
Source: SafeguardPDFViewer_v3.exe, 00000009.00000002.3044774109.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1849020546.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/officeDocument
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/sharedStrings
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printingcore/xtraprinting/native
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printingcore/xtraprinting/native/presentation
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/printingcore/xtraprinting/native/presentation-embedded
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.devexpress.com/winfx/2008/xaml/reportdesigner/native
Source: irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://updates.locklizard.com
Source: irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://updates.locklizard.com/Update.inf
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000014D4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.codeproject.com/Tips/713824/Pin-a-shortcut-onto-the-Taskbar-or-Start-Menu
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.devexpress.com/example=E906.
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.devexpress.comEhttp://www.devexpress.com/productsGhttp://www.devexpress.com/downloadsahtt
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SafeguardPDFViewer_v3.exe, 00000009.00000002.3044774109.00000000030D0000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1849020546.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1849020546.0000000005CAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com
Source: irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com/forums/threads/20321-Simulating-Refresh-%28Windows-Explorer%29
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com/forums/threads/30478-Can-not-get-the-correct-Folder-path-in-Win7-64bit-OS
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.indigorose.com/forums/threads/34511-Register-64-bit-DLL-from-32-bit-installer
Source: irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.locklizard.com
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.locklizard.com/pdf_drm_walkthrough.htm
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mindquake.com.br/code/108-centerdialogs
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mindquake.com.br/en/articles/deployment?start=1
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mindquake.com.br/en/code/110-cmdline?start=3
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mindquake.com.br/screens/shortcuts
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PDCViewer64.exe, 00000014.00000002.2796658702.000000001C962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://DevExpress.ReportServer.ServiceModel.Client.FormsAuthenticationMessageInspector
Source: wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: irsetup.exe, 0000000A.00000003.2176679648.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://downloads.l
Source: irsetup.exe, 0000000A.00000003.2253424158.0000000002D41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe
Source: wget.exe, 00000002.00000002.1784231023.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe=6PR
Source: wget.exe, 00000002.00000002.1784231023.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFViewer_v3.exeJONE
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFWriter_Enterprise_v4.exe
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFWriter_Enterprise_v5.exe
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFWriter_v3.exe
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://downloads.locklizard.com/SafeguardPDFWriter_v4.exe
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/.NET_SafeProcess_Start.aspx
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Demo_2013_CompareSubscriptions.aspxmhttps://go.devexpress.com/Demo_2013_Do
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspx
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspxGDevExpress.Utils.Images.Support.svg
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Demo_2013_Competitive_Discounts.aspxzhttps://go.devexpress.com/Demo_2013_C
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://go.devexpress.com/Demo_2013_DownloadTrial.aspxIDevExpress.Utils.Images.Discount.svg
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Jan2019_Deserialization_Issue.aspx
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Jan2019_Deserialization_Issue_ServiceKnownTypeProvider.aspx
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.devexpress.com/Jan2019_Deserialization_Issue_Tag_Property.aspx
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/?s=Can%27t
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/?s=License
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-error-6794-error-opening-keystore-file/
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-failed-to-check-document-or-product-access-ca
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-failed-to-import-form-values-no-form-values-a
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-failed-to-read-license-information-invalid-li
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-file-is-corrupt-or-incomplete/
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-invalid-document-version-supported-version-by
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-invalid-license-file-the-license-you-are-usin
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-invalid-or-corrupt-keystore/
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-license-check-failed-cant-find-your-account/
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-locklizard-safeguard-secure-pdf-viewer-is-not
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-no-more-licenses-are-available-please-contact
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-this-document-has-expired-system-time-change-
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-this-document-is-no-longer-available-or-the-d
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-unexpected-server-response-request-could-not-
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://kb.locklizard.com/knowledge-base/error-message-you-must-enable-desktop-composition-to-view-t
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001AF70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://locklizard.com
Source: irsetup.exe, 0000000A.00000003.2049664427.0000000006E6B000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2050271674.0000000006E6B000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2050436540.0000000006E6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.c
Source: irsetup.exe, 0000000A.00000003.2176714078.0000000001412000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2176516732.0000000001412000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2048764472.0000000001410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oaut
Source: irsetup.exe, 0000000A.00000003.2048748080.000000000141B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: irsetup.exe, 0000000A.00000003.2176735186.00000000013CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: irsetup.exe, 0000000A.00000003.2176516732.000000000141C000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2048748080.000000000141B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2S
Source: irsetup.exe, 0000000A.00000003.2049664427.0000000006E6B000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2050271674.0000000006E6B000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2050436540.0000000006E6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: irsetup.exe, 0000000A.00000003.2176679648.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: irsetup.exe, 0000000A.00000003.2183168895.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2182907403.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1855553920.0000000002D20000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2187334002.0000000002CF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/a/21592191/1611054
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://www.devexpress.com/Products/NET/Controls/WinForms/get-started.xml
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://www.devexpress.com/Subscriptions/
Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://www.devexpress.com/Subscriptions/Universal.xml
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.devexpress.com/Support/Center/Question/Details/KA18959/
Source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.devexpress.com/Support/Center/Question/Details/T313960
Source: wget.exe, 00000002.00000002.1784213334.0000000001132000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.0000000001126000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.1754836967.000000000112E000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2228931269.0000000007838000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2260562448.0000000008332000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2243934522.000000000763A000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2218104612.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp, irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2678931580.00000000132C1000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B848000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.indigorose.com/webhelp/suf9/Program_Reference/Actions/SetupData.GetFileList.htm
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.indigorose.com/webhelp/suf9/Program_Reference/Actions/StatusDlg.Show.htm
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.indigorose.com/webhelp/suf9/index.htm#Program_Reference/Actions/File.Install_Examples.ht
Source: RegAsm.exe, 00000012.00000002.2428771066.000002089B2B2000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://www.locklizard-evals.com/enterprise5/
Source: irsetup.exe, 0000000A.00000003.2176679648.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.locklizard.co
Source: irsetup.exe, 0000000A.00000003.2176679648.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.locklizard.co0%
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.locklizard.com/Downloads/OLD/SafeguardPDFWriter_Enterprise.exe
Source: irsetup.exe, 0000000A.00000003.1955751017.0000000006680000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.locklizard.com/Downloads/OLD/SafeguardPDFWriter_v26.exe
Source: irsetup.exe, 0000000A.00000003.1817118650.0000000005CA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.locklizard.com/Manuals/LockLizard_Secure_PDF_Viewer_v3.pdf
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001B072000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.locklizard.com/open-pdc-file/
Source: PDCViewer64.exe, 00000014.00000002.2750218262.000000001AF70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.locklizard.com/privacy/
Source: SafeguardPDFViewer_v3.exe, 00000009.00000000.1811914118.0000000000E3C000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.locklizard.com6
Source: SafeguardPDFViewer_v3.exe, 00000009.00000000.1811914118.0000000000E3C000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://www.locklizard.comF

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 18.173.166.10:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.204.76.112:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49755 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:

Detected potential crypto function

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Code function: 18_2_00007FFD99280FF1		18_2_00007FFD99280FF1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Code function: 18_2_00007FFD992800AD		18_2_00007FFD992800AD

PE file contains more sections than normal

Source: comphelper.dll.10.dr

Static PE information: Number of sections : 13 > 10

Source: irsetup.exe.9.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9909402438160876
Source: uninstall.exe.10.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9909402438160876
Source: comphelper.dll.10.dr	Static PE information: Section: ZLIB complexity 1.0004185267857142
Source: comphelper.dll.10.dr	Static PE information: Section: ZLIB complexity 0.9891304347826086
Source: comphelper.dll.10.dr	Static PE information: Section: ZLIB complexity 1.017578125
Source: comphelper.dll.10.dr	Static PE information: Section: .boot ZLIB complexity 0.9968304425564869
Source: comphelper.dll.10.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal84.troj.evad.win@35/111@12/6

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

9_2_00E31B89

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Program Files\Locklizard Safeguard PDF Viewer\

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9040:120:WilError_03

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0

Jump to behavior

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: kernel32.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: kernel32.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: kernel32.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: ntmarta.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: PROPSYS.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: Secur32.dll	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: /~DBG	9_2_00E31000
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Command line argument: @:	9_2_00E33990

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(5)%3cfnc1%3e(%02)/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=2004,i,7086555652967495776,12374585124614321851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1992,i,3070133182868186284,11114087621646047524,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe "C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe"
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1804130 "__IRAFN:C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe" "__IRCT:3" "__IRTSS:52614381" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1002"
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe" install "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll" -codebase -os64
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\regasm.exe" /codebase "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe" /setupappinstalled
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1992,i,3070133182868186284,11114087621646047524,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=2004,i,7086555652967495776,12374585124614321851,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1804130 "__IRAFN:C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe" "__IRCT:3" "__IRTSS:52614381" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1002"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe" install "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll" -codebase -os64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe" /setupappinstalled	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\regasm.exe" /codebase "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll"	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: lua5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: I agree to the terms of this license agreement
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uni4C5A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uni4C5A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uninstall.dat	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\lua5.1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\uninstall.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelperx86.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Data.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Dialogs.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Images.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Office.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Pdf.v19.2.Drawing.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Printing.v19.2.Core.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Utils.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraBars.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraDialogs.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraEditors.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraGrid.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraLayout.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraPrinting.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraTreeList.v19.2.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fpdfview.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpusx86.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererCOMPlus.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererInstaller.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\SharpShell.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\PDCViewer.resources.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG1.PNG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG1.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG2.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG3.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG4.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG5.BMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRIMG2.PNG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRZip.lmd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Directory created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\srm.exe	Jump to behavior

Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShell\obj\Release\SharpShell.pdb, source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress19.2\obj\Release\PDCViewer.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraPrinting\DevExpress.Printing.Core\obj_netFW\Release\DevExpress.Printing.v19.2.Core.pdb\| source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000014707000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!ShellExtension\PDCViewer3ShellExt\PDCViewerShellExt\obj\Release\PDCViewerShellExt.pdb source: RegAsm.exe, 00000012.00000002.2428771066.000002089B57C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Utils\obj_netFW\Release\DevExpress.Utils.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2260562448.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2824901575.000000001EAD2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Core\obj_netFW\Release\DevExpress.Pdf.v19.2.Core.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000014707000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShellNativeBridge\Release\SharpShellNativeBridge32.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Office\DevExpress.Office.Core\obj_netFW\Release\DevExpress.Office.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2228931269.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000013F49000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000000.2445032323.00007FF7D7FE1000.00000080.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Office\DevExpress.Office.Core\obj_netFW\Release\DevExpress.Office.v19.2.Core.pdbDV&^V& PV&_CorDllMainmscoree.dll source: irsetup.exe, 0000000A.00000003.2228931269.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Utils\obj_netFW\Release\DevExpress.Utils.v19.2.pdbD source: irsetup.exe, 0000000A.00000003.2260562448.0000000007FD0000.00000004.00000020.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2824901575.000000001EAD2000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\SharpShell\obj\Release\SharpShell.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: E:\CSharp\PdfViewer-USBAutorun\PDCViewer-USBAutorun\obj\Release\View Documents.pdbl1 source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraPrinting\DevExpress.Printing.Core\obj_netFW\Release\DevExpress.Printing.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2250834910.00000000075DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Data\obj_netFW\Release\DevExpress.Data.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2218104612.00000000075D0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.Pdf.Drawing\obj_netFW\Release\DevExpress.Pdf.v19.2.Drawing.pdb source: irsetup.exe, 0000000A.00000003.2243934522.00000000075D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.XtraDialogs\DevExpress.Dialogs.Core\obj_netFW\Release\DevExpress.Dialogs.v19.2.Core.pdb source: irsetup.exe, 0000000A.00000003.2220662628.00000000075D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000013F49000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000000.2445032323.00007FF7D7FE1000.00000080.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.XtraPdfViewer\obj_netFW\Release\DevExpress.XtraPdfViewer.v19.2.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2801821100.000000001CF10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewer-USBAutorun\PDCViewer-USBAutorun\obj\Release\View Documents.pdb source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress19.2\obj\Release\PDCViewer.pdbBSJB source: PDCViewer64.exe, 00000014.00000002.2678931580.0000000012BD5000.00000004.00000800.00020000.00000000.sdmp, PDCViewer64.exe, 00000014.00000002.2750218262.000000001B15C000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\Tools\ServerRegistrationManager\obj\Release\ServerRegistrationManager.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!VCDLLs\comphelper\Release\comphelperx86.pdb source: irsetup.exe, 0000000A.00000003.2214979378.00000000075DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Images\obj_netFW\Release\DevExpress.Images.v19.2.pdb source: irsetup.exe, 0000000A.00000003.2225765044.00000000075DE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\CSharp\PdfViewerDemo-devexpress18.2\!ShellExtension\PDCViewer3ShellExt\PDCViewerShellExt\obj\Release\PDCViewerShellExt.pdbBSJB source: RegAsm.exe, 00000012.00000002.2428771066.000002089B57C000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Program Files (x86)\DevExpress 19.2\Components\Sources\DevExpress.Pdf\DevExpress.XtraPdfViewer\obj_netFW\Release\DevExpress.XtraPdfViewer.v19.2.pdb source: PDCViewer64.exe, 00000014.00000002.2801821100.000000001CF10000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\sharpshell\SharpShell\x64\Release\SharpShellNativeBridge64.pdb source: irsetup.exe, 0000000A.00000003.1843796128.0000000005CA3000.00000004.00000020.00020000.00000000.sdmp, srm.exe, 00000010.00000000.2391626274.0000000000512000.00000002.00000001.01000000.00000013.sdmp, srm.exe, 00000010.00000002.2437254186.0000000003A11000.00000004.00000800.00020000.00000000.sdmp, srm.exe, 00000010.00000002.2437534721.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000012.00000002.2428366116.000002089AD82000.00000002.00000001.01000000.00000017.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: srm.exe.10.dr, Program.cs	.Net Code: HandleEmbeddedReferences System.Reflection.Assembly.Load(byte[])
Source: srm.exe0.10.dr, Program.cs	.Net Code: HandleEmbeddedReferences System.Reflection.Assembly.Load(byte[])

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Code function: 9_2_00E31A72 lstrcatA,wsprintfA,GetSystemDirectoryA,lstrlenA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,LoadLibraryA,GetProcAddress,FreeLibrary,

9_2_00E31A72

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

PE file contains sections with non-standard names

Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name:
Source: comphelper.dll.10.dr	Static PE information: section name: .boot

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FDB18 push esi; retf 0017h	2_3_010FDB7A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_01114672 push B9049268h; retf	2_3_011146B4
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FB37B pushad ; retn 0078h	2_3_010FB38D
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FF289 push ebx; retf	2_3_010FF38A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FFB89 push edx; ret	2_3_010FFBCA
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FD281 push edi; retf	2_3_010FD382
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FEA81 push eax; retf	2_3_010FEB82
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FDB80 push esi; ret	2_3_010FDBC2
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_01103788 pushad ; ret	2_3_0110378B
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FFBA8 push edx; ret	2_3_010FFBCA
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FE3A4 push ecx; retn 0014h	2_3_010FE3BA
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_3_010FB2A0 pushfd ; retn 0000h	2_3_010FB373
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FDB18 push esi; retf 0017h	2_2_010FDB7A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FF289 push ebx; retf	2_2_010FF38A
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FFB89 push edx; ret	2_2_010FFBCA
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FD281 push edi; retf	2_2_010FD382
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FEA81 push eax; retf	2_2_010FEB82
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FDB80 push esi; ret	2_2_010FDBC2
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_01103788 pushad ; ret	2_2_0110378B
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FFBA8 push edx; ret	2_2_010FFBCA
Source: C:\Windows\SysWOW64\wget.exe	Code function: 2_2_010FE3A4 push ecx; retn 0014h	2_2_010FE3BA
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Code function: 9_2_00E33AE5 push ecx; ret	9_2_00E33AF8

Source: comphelper.dll.10.dr	Static PE information: section name: entropy: 7.993108244382584
Source: comphelper.dll.10.dr	Static PE information: section name: .boot entropy: 7.96475544918575

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraDialogs.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\wget.exe	File created: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\lua5.1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraPrinting.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelperx86.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraEditors.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\suf_pendreboot.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraGrid.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\fpdfview.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraBars.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Pdf.v19.2.Drawing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpusx86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererCOMPlus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraLayout.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Images.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\srm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Data.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\de\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Utils.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Office.v19.2.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraTreeList.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\SharpShell.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Printing.v19.2.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Dialogs.v19.2.Core.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRZip.lmd			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File created: C:\Users\user\AppData\Local\Temp\Locklizard Safeguard - PDF Viewer Setup Log.txt

Jump to behavior

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\Safeguard Viewer.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\Remove Viewer Keystore.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\Viewer Proxy settings.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\About Viewer.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\Uninstall Viewer.lnk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Locklizard\Safeguard\PDF Viewer\Uninstall Viewer.lnk	Jump to behavior

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PDCViewer64.exe, 00000014.00000002.2654157450.0000000002465000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: IMPORTREC.EXE

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Memory allocated: 6BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Memory allocated: D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Memory allocated: 2A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Memory allocated: 20880C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Memory allocated: 2089A640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Memory allocated: 1A9E0000 memory reserve \| memory write watch	Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Window / User API: threadDelayed 1127			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 487			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraDialogs.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\de\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraPrinting.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraEditors.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelperx86.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\es\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\suf_pendreboot.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\fpdfview.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraGrid.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraBars.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Pdf.v19.2.Drawing.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\tr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\Uninstall Viewer\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpusx86.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ko\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererCOMPlus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\it\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraLayout.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerCompatibleRendererInstaller.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Images.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\comphelper.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\de\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Data.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Utils.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ja\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Office.v19.2.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\ru\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraTreeList.v19.2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\PDCViewer.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hans\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\fr\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\Helpus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\SharpShell.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\nl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pl\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\cs\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\pt\DevExpress.Pdf.v19.2.Core.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\es\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\it\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\zh-Hant\DevExpress.XtraPdfViewer.v19.2.resources.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Printing.v19.2.Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Dropped PE file which has not been started: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Dialogs.v19.2.Core.dll	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe TID: 8264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 8236	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 8240	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 8240	Thread sleep count: 487 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe TID: 8224	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe TID: 5660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Sleep loop found (likely to delay execution)

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Thread sleep count: Count: 1127 delay: -10

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: irsetup.exe, 0000000A.00000003.2176735186.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxB>
Source: irsetup.exe, 0000000A.00000003.2176679648.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.1784061581.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: regmonclass
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: procmon_window_class
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: filemonclass
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Code function: 9_2_00E3269A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

9_2_00E3269A

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Code function: 9_2_00E31A72 lstrcatA,wsprintfA,GetSystemDirectoryA,lstrlenA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,LoadLibraryA,GetProcAddress,FreeLibrary,

9_2_00E31A72

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Code function: 9_2_00E342C8 SetUnhandledExceptionFilter,	9_2_00E342C8
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Code function: 9_2_00E3269A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_00E3269A
Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Code function: 9_2_00E33114 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00E33114

Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	NtQuerySystemInformation: Indirect: 0x7FF7D81058D1	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	NtQueryInformationProcess: Indirect: 0x7FF7D813AB23	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	NtSetInformationThread: Indirect: 0x7FF7D8136C94	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	NtQueryInformationProcess: Indirect: 0x7FF7D81486D7	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe	Process created: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe "C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1804130 "__IRAFN:C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe" "__IRCT:3" "__IRTSS:52614381" "__IRSID:S-1-5-21-2246122658-3693405117-2476756634-1002"			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\regasm.exe" /codebase "C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll"			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://downloads.locklizard.com/safeguardpdfviewer_v3.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://downloads.locklizard.com/safeguardpdfviewer_v3.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://downloads.locklizard.com/safeguardpdfviewer_v3.exe"	Jump to behavior

Source: PDCViewer64.exe, 00000014.00000002.2824901575.000000001D6D2000.00000002.00000001.01000000.0000001F.sdmp

Binary or memory string: Shell_TrayWnd

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\wget.exe	Queries volume information: C:\Users\user\Desktop\download VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\srm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewerShellExt.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\SharpShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition\v4.0_4.0.0.0__b77a5c561934e089\System.ComponentModel.Composition.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Utils.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraBars.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Data.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraEditors.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Pdf.v19.2.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraGrid.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraDialogs.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Dialogs.v19.2.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\v4.0_4.0.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraLayout.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.Printing.v19.2.Core.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Program Files\Locklizard Safeguard PDF Viewer\DevExpress.XtraTreeList.v19.2.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35\System.Printing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files\Locklizard Safeguard PDF Viewer\PDCViewer64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ReachFramework\v4.0_4.0.0.0__31bf3856ad364e35\ReachFramework.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\download\SafeguardPDFViewer_v3.exe

Code function: 9_2_00E34A8C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_00E34A8C

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Windows Analysis Report
https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1432197
Product:	CloudBasic
Start time:	17:03:45
Start date:	26.04.2024
Cookbook:	urldownload.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Windows Analysis Report https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
https://downloads.locklizard.com/SafeguardPDFViewer_v3.exe