Windows Analysis Report
PulseSecureAppLauncher.msi

Overview

General Information

Sample name:	PulseSecureAppLauncher.msi
Analysis ID:	1544660
MD5:	9fadc49ea06140e22dd3025384d8dde0
SHA1:	a0c005e2e4db3f84f9e0404c6ffbc1ffd264e652
SHA256:	2390077eb538a20bbe188b52c7189b7d8e62ced9c44a6e8fa11a65e2caa80226
Infos:

Detection

Score:	8
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Signatures

Source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_b6eccba3-6

Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdbe source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdbAA source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_JA.pdb source: dsWinClientResource_JA.dll1.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMICOpenSSL 1.1.1t 7 Feb 2023built on: Thu Dec 28 08:51:49 2023 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"ENGINESDIR: "S:\pulse\out\dsOpenSSL\Win32\Release\lib\engines-1_1"not availabledes(long) source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb))) source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll1.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll1.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdbHHHGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source:	Binary string: d:\agent\_work\8\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: vcruntime140.dll1.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb source: psalswitch.exe.2.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMICOpenSSL 1.1.1t 7 Feb 2023built on: Thu Dec 28 09:16:51 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"ENGINESDIR: "S:\pulse\out\dsOpenSSL\x64\Release\lib\engines-1_1"not available source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.0000000067205000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\PulseExt.pdb source: PulseExt64.exe.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdb source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb99 source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb?? source: libssl-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH_CN.pdb source: dsWinClientResource_ZH_CN.dll1.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb> source: psalswitch.exe.2.dr
Source:	Binary string: C:\agent\_work\82\s\build\ship\x86\wixca.pdb source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psal.pdb source: PulseApplicationLauncher.exe, 00000007.00000000.466523108.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe, 00000007.00000002.473018711.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_FR.pdb source: dsWinClientResource_FR.dll0.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb source: libssl-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll0.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://wixtoolset.org
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: PulseApplicationLauncher.exe, 00000007.00000002.473453531.0000000069AAB000.00000002.00000001.01000000.00000008.sdmp, PulseApplicationLauncher.exe, 00000007.00000002.473332236.0000000067232000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr, libcrypto-1_1-x64.dll.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: https://www.openssl.org/H

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe

Memory allocated: 770B0000 page execute and read and write

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\754f69.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE496.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\754f6a.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\754f6a.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAC58.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\754f6c.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\754f6c.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIE496.tmp

Jump to behavior

PE file does not import any functions

Source: dsWinClientResource_DE.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_FR.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH_CN.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_FR.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ES.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_JA.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_JA.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_FR.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_DE.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_KO.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_KO.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_EN.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_KO.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_JA.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ES.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH_CN.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_EN.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_EN.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_DE.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ES.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH_CN.dll0.2.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: PulseSecureAppLauncher.msi

Binary or memory string: OriginalFilenamewixca.dll\ vs PulseSecureAppLauncher.msi

Source: metadata-2.2.dr	Binary string: highlight.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\66program files\windows sidebar\gadgets\rssfeeds.gadgeticon.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: wmplayer.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images**undocked_black_moon-new_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.2.dr	Binary string: buttonup_off.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: system.web.dynamicdata.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images33docked_black_moon-waxing-gibbous_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: system.addin.contract.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: btn-previous-static.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: keypad.xml22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\99program files\dvd maker\shared\dvdstyles\specialoccasion,,specialnavigationup_selectionsubpicture.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: scenes_intro_bg_pal.wmv22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: acxtrnal.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.2.dr	Binary string: sbdrop.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}

Source: classification engine

Classification label: clean8.winMSI@6/81@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Pulse Secure

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\PulseSecure.LogService.Settings.Mutex.v2
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Mutant created: NULL

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\~DF98004BD7CA64244C.TMP

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: PulseSecureAppLauncher.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PulseSecureAppLauncher.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: ucrtbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: dsopenssl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: wolfengine.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: wolfssl-fips.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8383852-FCD3-11D1-A6B9-006097DF5BD4}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File written: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\Version.ini

Jump to behavior

Source: PulseSecureAppLauncher.msi

Static file information: File size 7266304 > 1048576

Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdbe source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdbAA source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_JA.pdb source: dsWinClientResource_JA.dll1.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMICOpenSSL 1.1.1t 7 Feb 2023built on: Thu Dec 28 08:51:49 2023 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"ENGINESDIR: "S:\pulse\out\dsOpenSSL\Win32\Release\lib\engines-1_1"not availabledes(long) source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb))) source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll1.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll1.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdbHHHGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source:	Binary string: d:\agent\_work\8\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: vcruntime140.dll1.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb source: psalswitch.exe.2.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMICOpenSSL 1.1.1t 7 Feb 2023built on: Thu Dec 28 09:16:51 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"ENGINESDIR: "S:\pulse\out\dsOpenSSL\x64\Release\lib\engines-1_1"not available source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.0000000067205000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\PulseExt.pdb source: PulseExt64.exe.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdb source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb99 source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb?? source: libssl-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH_CN.pdb source: dsWinClientResource_ZH_CN.dll1.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb> source: psalswitch.exe.2.dr
Source:	Binary string: C:\agent\_work\82\s\build\ship\x86\wixca.pdb source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psal.pdb source: PulseApplicationLauncher.exe, 00000007.00000000.466523108.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe, 00000007.00000002.473018711.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_FR.pdb source: dsWinClientResource_FR.dll0.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb source: libssl-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll0.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr

PE file contains sections with non-standard names

Source: PulseApplicationLauncher.exe0.2.dr	Static PE information: section name: _RDATA
Source: dsOpenSSL64.dll.2.dr	Static PE information: section name: .00cfg
Source: dsOpenSSL.dll.2.dr	Static PE information: section name: .00cfg
Source: dsOpenSSL.dll0.2.dr	Static PE information: section name: .00cfg
Source: PulseExt64.exe.2.dr	Static PE information: section name: _RDATA
Source: vcruntime140.dll1.2.dr	Static PE information: section name: _RDATA
Source: wolfssl-fips.dll.2.dr	Static PE information: section name: .fipsA
Source: wolfssl-fips.dll.2.dr	Static PE information: section name: .fipsB
Source: wolfssl-fips.dll0.2.dr	Static PE information: section name: .fipsA
Source: wolfssl-fips.dll0.2.dr	Static PE information: section name: .fipsB
Source: wolfssl-fips-x64.dll.2.dr	Static PE information: section name: .fipsA
Source: wolfssl-fips-x64.dll.2.dr	Static PE information: section name: .fipsB
Source: libcrypto-1_1.dll.2.dr	Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll0.2.dr	Static PE information: section name: .00cfg
Source: libcrypto-1_1-x64.dll.2.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.2.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll0.2.dr	Static PE information: section name: .00cfg
Source: libssl-1_1-x64.dll.2.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr	Static PE information: section name: .didat
Source: msvcp140.dll0.2.dr	Static PE information: section name: .didat
Source: msvcp140.dll1.2.dr	Static PE information: section name: .didat

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libssl-1_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libssl-1_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsOpenSSL64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfssl-fips.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsOpenSSL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfEngine-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ES.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfssl-fips-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfEngine.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfssl-fips.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE496.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfEngine.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsOpenSSL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ES.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ES.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSIE496.tmp

Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: metadata-2.2.dr	Binary or memory string: bcdedit.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.2.dr	Binary or memory string: bcdedit.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Creates or modifies windows services

Source: C:\Windows\System32\msiexec.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Jump to behavior

Modifies existing windows services

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsOpenSSL64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE496.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfEngine-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ES.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfssl-fips-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ES.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ES.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\msiexec.exe TID: 3300	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3808	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3336	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3620	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3620	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: PulseApplicationLauncher.exe.2.dr	Binary or memory string: AAppIdAppActionLaunchParamsURLServerTokensSrvCertMd5LocaleServerVersionTimeStampPSALSwitchTruehcHost CheckerepoacOdyssey Access ClientepjamPulse SecurectsPulse Secure Citrix Services ClientwtsPulse Terminal Services ClientpulsencNetwork ConnectsamSecure Application ManagercitrixvdiCitrix Xen DesktopvmwarevdiVMware DesktopLog UploadjsamhobautowtsWindows Terminal ServicesInvalid parameterPsal::CmdParsers:\ive\setup\psal\common\psalcmd.cppKey = %sKey = %s, Value = %sUnknown key. IgnoringFirefoxfirefoxEdgeChromechromeStartStopUninstallSetHCCookieInvalid 'AppAction' present in the input = %s'AppId' is not present in the inputInvalid 'AppId' present in the input'AppId' conatins unexpected character'AppAction' is not present in the inputInvalid 'AppAction' present in the input'AppAction' conatins unexpected characterpsalparams.cgiwelcome.cgimtgpleasewait.cgirdremediate.cgi'LaunchParamsURL' is not present in the inputInvalid 'LaunchParamsURL' present in the input.cgiInvalid 'LaunchParamsURL'. NO Qmark and No Cgi in LaunchURLInvalid 'LaunchParamsURL'. NO slash in LaunchURLInvalid 'LaunchParamsURL' Invalid start positionIndex of ? = %dIndex of slash = %dstrCGIFile = %s'Host' is not present in the inputInvalid 'Host' present in the input'ServerTokens' is not present in the inputInvalid 'ServerTokens' present in the input'SrvCertMd5' is not present in the inputInvalid 'SrvCertMd5' present in the input'SrvCertMd5' conatins unexpected character'UserAgent' is not present in the inputInvalid 'UserAgent' present in the input'Locale' is not present in the inputInvalid 'Locale' present in the input'Locale' conatins unexpected character'ServerVersion' is not present in the inputInvalid 'ServerVersion' present in the input'ServerVersion' conatins unexpected character'Timestamp' is not present in the inputInvalid 'Timestamp' present in the input'Timestamp' conatins unexpected characterlist too longPsal::ExtensionUtilsRead result = %ds:\ive\setup\psal\common\psalExtensionUtils.cppfread errorMessage length = %dRead result = %d, Message = %sMessage = %sError = %sMessage is emptyfwrite errorjson_dumps error
Source: metadata-2.2.dr	Binary or memory string: lsm.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: PulseApplicationLauncher.exe.2.dr	Binary or memory string: vmwarevdi
Source: PulseApplicationLauncher.exe, 00000007.00000002.473018711.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: AppIdAppActionLaunchParamsURLServerTokensSrvCertMd5LocaleServerVersionTimeStampPSALSwitchTruehcHost CheckerepoacOdyssey Access ClientepjamPulse SecurectsPulse Secure Citrix Services ClientwtsPulse Terminal Services ClientpulsencNetwork ConnectsamSecure Application ManagercitrixvdiCitrix Xen DesktopvmwarevdiVMware DesktopLog UploadjsamhobautowtsWindows Terminal ServicesInvalid parameterPsal::CmdParsers:\ive\setup\psal\common\psalcmd.cppKey = %sKey = %s, Value = %sUnknown key. IgnoringFirefoxfirefoxEdgeChromechromeStartStopUninstallSetHCCookieInvalid 'AppAction' present in the input = %s'AppId' is not present in the inputInvalid 'AppId' present in the input'AppId' conatins unexpected character'AppAction' is not present in the inputInvalid 'AppAction' present in the input'AppAction' conatins unexpected characterpsalparams.cgiwelcome.cgimtgpleasewait.cgirdremediate.cgi'LaunchParamsURL' is not present in the inputInvalid 'LaunchParamsURL' present in the input.cgiInvalid 'LaunchParamsURL'. NO Qmark and No Cgi in LaunchURLInvalid 'LaunchParamsURL'. NO slash in LaunchURLInvalid 'LaunchParamsURL' Invalid start positionIndex of ? = %dIndex of slash = %dstrCGIFile = %s'Host' is not present in the inputInvalid 'Host' present in the input'ServerTokens' is not present in the inputInvalid 'ServerTokens' present in the input'SrvCertMd5' is not present in the inputInvalid 'SrvCertMd5' present in the input'SrvCertMd5' conatins unexpected character'UserAgent' is not present in the inputInvalid 'UserAgent' present in the input'Locale' is not present in the inputInvalid 'Locale' present in the input'Locale' conatins unexpected character'ServerVersion' is not present in the inputInvalid 'ServerVersion' present in the input'ServerVersion' conatins unexpected character'Timestamp' is not present in the inputInvalid 'Timestamp' present in the input'Timestamp' conatins unexpected characterlist too longPsal::ExtensionUtilsRead result = %ds:\ive\setup\psal\common\psalExtensionUtils.cppfread errorMessage length = %dRead result = %d, Message = %sMessage = %sError = %sMessage is emptyfwrite errorjson_dumps error
Source: metadata-2.2.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: PulseApplicationLauncher.exe.2.dr	Binary or memory string: VMware Desktop
Source: metadata-2.2.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Source: metadata-2.2.dr	Binary or memory string: imscmig.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests44microsoft-hyper-v-drivers-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_b6eccba3-6

Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdbe source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdbAA source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_JA.pdb source: dsWinClientResource_JA.dll1.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMICOpenSSL 1.1.1t 7 Feb 2023built on: Thu Dec 28 08:51:49 2023 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"ENGINESDIR: "S:\pulse\out\dsOpenSSL\Win32\Release\lib\engines-1_1"not availabledes(long) source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb))) source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll1.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll1.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdbHHHGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source:	Binary string: d:\agent\_work\8\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: vcruntime140.dll1.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb source: psalswitch.exe.2.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMICOpenSSL 1.1.1t 7 Feb 2023built on: Thu Dec 28 09:16:51 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"ENGINESDIR: "S:\pulse\out\dsOpenSSL\x64\Release\lib\engines-1_1"not available source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.0000000067205000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\PulseExt.pdb source: PulseExt64.exe.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdb source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb99 source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb?? source: libssl-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH_CN.pdb source: dsWinClientResource_ZH_CN.dll1.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb> source: psalswitch.exe.2.dr
Source:	Binary string: C:\agent\_work\82\s\build\ship\x86\wixca.pdb source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psal.pdb source: PulseApplicationLauncher.exe, 00000007.00000000.466523108.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe, 00000007.00000002.473018711.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_FR.pdb source: dsWinClientResource_FR.dll0.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb source: libssl-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll0.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr	String found in binary or memory: http://wixtoolset.org
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: PulseSecureAppLauncher.msi, dsOpenSSL.dll0.2.dr, PulseApplicationLauncher.exe.2.dr, libcrypto-1_1.dll.2.dr, dsWinClientResource_KO.dll.2.dr, wolfEngine.dll.2.dr, dsOpenSSL.dll.2.dr, dsWinClientResource_ZH.dll0.2.dr, wolfssl-fips.dll0.2.dr, dsWinClientResource_FR.dll0.2.dr, psalswitch.exe.2.dr, PulseExt64.exe.2.dr, dsWinClientResource_JA.dll1.2.dr, dsWinClientResource_ZH_CN.dll1.2.dr, libcrypto-1_1-x64.dll.2.dr, dsWinClientResource_ZH.dll1.2.dr, dsWinClientResource_KO.dll1.2.dr, wolfEngine.dll0.2.dr, 754f69.msi.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: PulseApplicationLauncher.exe, 00000007.00000002.473453531.0000000069AAB000.00000002.00000001.01000000.00000008.sdmp, PulseApplicationLauncher.exe, 00000007.00000002.473332236.0000000067232000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr, libcrypto-1_1-x64.dll.2.dr, libssl-1_1-x64.dll.2.dr	String found in binary or memory: https://www.openssl.org/H

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe

Memory allocated: 770B0000 page execute and read and write

Jump to behavior

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\754f69.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE496.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\754f6a.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\754f6a.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAC58.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\754f6c.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\754f6c.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIE496.tmp

Jump to behavior

PE file does not import any functions

Source: dsWinClientResource_DE.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_FR.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH_CN.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_FR.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ES.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_JA.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_JA.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_FR.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_DE.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_KO.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_KO.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_EN.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_KO.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_JA.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ES.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH_CN.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_EN.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_EN.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH.dll.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_DE.dll0.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ES.dll1.2.dr	Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH_CN.dll0.2.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: PulseSecureAppLauncher.msi

Binary or memory string: OriginalFilenamewixca.dll\ vs PulseSecureAppLauncher.msi

Source: metadata-2.2.dr	Binary string: highlight.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\66program files\windows sidebar\gadgets\rssfeeds.gadgeticon.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: wmplayer.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images**undocked_black_moon-new_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.2.dr	Binary string: buttonup_off.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: system.web.dynamicdata.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images33docked_black_moon-waxing-gibbous_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: system.addin.contract.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: btn-previous-static.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: keypad.xml22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\99program files\dvd maker\shared\dvdstyles\specialoccasion,,specialnavigationup_selectionsubpicture.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.2.dr	Binary string: scenes_intro_bg_pal.wmv22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.2.dr	Binary string: acxtrnal.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.2.dr	Binary string: sbdrop.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}

Source: classification engine

Classification label: clean8.winMSI@6/81@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Pulse Secure

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\PulseSecure.LogService.Settings.Mutex.v2
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Mutant created: NULL

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\~DF98004BD7CA64244C.TMP

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: PulseSecureAppLauncher.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PulseSecureAppLauncher.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: ucrtbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: dsopenssl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: wolfengine.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: wolfssl-fips.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Section loaded: dwmapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8383852-FCD3-11D1-A6B9-006097DF5BD4}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File written: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\Version.ini

Jump to behavior

Source: PulseSecureAppLauncher.msi

Static file information: File size 7266304 > 1048576

Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdbe source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdbAA source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_JA.pdb source: dsWinClientResource_JA.dll1.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMICOpenSSL 1.1.1t 7 Feb 2023built on: Thu Dec 28 08:51:49 2023 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"ENGINESDIR: "S:\pulse\out\dsOpenSSL\Win32\Release\lib\engines-1_1"not availabledes(long) source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb))) source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll1.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll1.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdbHHHGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source:	Binary string: d:\agent\_work\8\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: vcruntime140.dll1.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb source: psalswitch.exe.2.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMICOpenSSL 1.1.1t 7 Feb 2023built on: Thu Dec 28 09:16:51 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"ENGINESDIR: "S:\pulse\out\dsOpenSSL\x64\Release\lib\engines-1_1"not available source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.0000000067205000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\PulseExt.pdb source: PulseExt64.exe.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdb source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb99 source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb?? source: libssl-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH_CN.pdb source: dsWinClientResource_ZH_CN.dll1.2.dr
Source:	Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb> source: psalswitch.exe.2.dr
Source:	Binary string: C:\agent\_work\82\s\build\ship\x86\wixca.pdb source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: libcrypto-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\psal.pdb source: PulseApplicationLauncher.exe, 00000007.00000000.466523108.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe, 00000007.00000002.473018711.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_FR.pdb source: dsWinClientResource_FR.dll0.2.dr
Source:	Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb source: libssl-1_1-x64.dll.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll0.2.dr
Source:	Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll.2.dr
Source:	Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr

PE file contains sections with non-standard names

Source: PulseApplicationLauncher.exe0.2.dr	Static PE information: section name: _RDATA
Source: dsOpenSSL64.dll.2.dr	Static PE information: section name: .00cfg
Source: dsOpenSSL.dll.2.dr	Static PE information: section name: .00cfg
Source: dsOpenSSL.dll0.2.dr	Static PE information: section name: .00cfg
Source: PulseExt64.exe.2.dr	Static PE information: section name: _RDATA
Source: vcruntime140.dll1.2.dr	Static PE information: section name: _RDATA
Source: wolfssl-fips.dll.2.dr	Static PE information: section name: .fipsA
Source: wolfssl-fips.dll.2.dr	Static PE information: section name: .fipsB
Source: wolfssl-fips.dll0.2.dr	Static PE information: section name: .fipsA
Source: wolfssl-fips.dll0.2.dr	Static PE information: section name: .fipsB
Source: wolfssl-fips-x64.dll.2.dr	Static PE information: section name: .fipsA
Source: wolfssl-fips-x64.dll.2.dr	Static PE information: section name: .fipsB
Source: libcrypto-1_1.dll.2.dr	Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll0.2.dr	Static PE information: section name: .00cfg
Source: libcrypto-1_1-x64.dll.2.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.2.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll0.2.dr	Static PE information: section name: .00cfg
Source: libssl-1_1-x64.dll.2.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr	Static PE information: section name: .didat
Source: msvcp140.dll0.2.dr	Static PE information: section name: .didat
Source: msvcp140.dll1.2.dr	Static PE information: section name: .didat

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libssl-1_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libssl-1_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsOpenSSL64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfssl-fips.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsOpenSSL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfEngine-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ES.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfssl-fips-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfEngine.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfssl-fips.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE496.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfEngine.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsOpenSSL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ES.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ES.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSIE496.tmp

Jump to dropped file

May use bcdedit to modify the Windows boot settings

Source: metadata-2.2.dr	Binary or memory string: bcdedit.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.2.dr	Binary or memory string: bcdedit.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Creates or modifies windows services

Source: C:\Windows\System32\msiexec.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Jump to behavior

Modifies existing windows services

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsOpenSSL64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_KO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libssl-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE496.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_DE.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfEngine-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ES.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libcrypto-1_1-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfssl-fips-x64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_JA.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_EN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH_CN.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_FR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ES.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ES.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\msiexec.exe TID: 3300	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3808	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3336	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3620	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3620	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: PulseApplicationLauncher.exe.2.dr	Binary or memory string: AAppIdAppActionLaunchParamsURLServerTokensSrvCertMd5LocaleServerVersionTimeStampPSALSwitchTruehcHost CheckerepoacOdyssey Access ClientepjamPulse SecurectsPulse Secure Citrix Services ClientwtsPulse Terminal Services ClientpulsencNetwork ConnectsamSecure Application ManagercitrixvdiCitrix Xen DesktopvmwarevdiVMware DesktopLog UploadjsamhobautowtsWindows Terminal ServicesInvalid parameterPsal::CmdParsers:\ive\setup\psal\common\psalcmd.cppKey = %sKey = %s, Value = %sUnknown key. IgnoringFirefoxfirefoxEdgeChromechromeStartStopUninstallSetHCCookieInvalid 'AppAction' present in the input = %s'AppId' is not present in the inputInvalid 'AppId' present in the input'AppId' conatins unexpected character'AppAction' is not present in the inputInvalid 'AppAction' present in the input'AppAction' conatins unexpected characterpsalparams.cgiwelcome.cgimtgpleasewait.cgirdremediate.cgi'LaunchParamsURL' is not present in the inputInvalid 'LaunchParamsURL' present in the input.cgiInvalid 'LaunchParamsURL'. NO Qmark and No Cgi in LaunchURLInvalid 'LaunchParamsURL'. NO slash in LaunchURLInvalid 'LaunchParamsURL' Invalid start positionIndex of ? = %dIndex of slash = %dstrCGIFile = %s'Host' is not present in the inputInvalid 'Host' present in the input'ServerTokens' is not present in the inputInvalid 'ServerTokens' present in the input'SrvCertMd5' is not present in the inputInvalid 'SrvCertMd5' present in the input'SrvCertMd5' conatins unexpected character'UserAgent' is not present in the inputInvalid 'UserAgent' present in the input'Locale' is not present in the inputInvalid 'Locale' present in the input'Locale' conatins unexpected character'ServerVersion' is not present in the inputInvalid 'ServerVersion' present in the input'ServerVersion' conatins unexpected character'Timestamp' is not present in the inputInvalid 'Timestamp' present in the input'Timestamp' conatins unexpected characterlist too longPsal::ExtensionUtilsRead result = %ds:\ive\setup\psal\common\psalExtensionUtils.cppfread errorMessage length = %dRead result = %d, Message = %sMessage = %sError = %sMessage is emptyfwrite errorjson_dumps error
Source: metadata-2.2.dr	Binary or memory string: lsm.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: PulseApplicationLauncher.exe.2.dr	Binary or memory string: vmwarevdi
Source: PulseApplicationLauncher.exe, 00000007.00000002.473018711.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: AppIdAppActionLaunchParamsURLServerTokensSrvCertMd5LocaleServerVersionTimeStampPSALSwitchTruehcHost CheckerepoacOdyssey Access ClientepjamPulse SecurectsPulse Secure Citrix Services ClientwtsPulse Terminal Services ClientpulsencNetwork ConnectsamSecure Application ManagercitrixvdiCitrix Xen DesktopvmwarevdiVMware DesktopLog UploadjsamhobautowtsWindows Terminal ServicesInvalid parameterPsal::CmdParsers:\ive\setup\psal\common\psalcmd.cppKey = %sKey = %s, Value = %sUnknown key. IgnoringFirefoxfirefoxEdgeChromechromeStartStopUninstallSetHCCookieInvalid 'AppAction' present in the input = %s'AppId' is not present in the inputInvalid 'AppId' present in the input'AppId' conatins unexpected character'AppAction' is not present in the inputInvalid 'AppAction' present in the input'AppAction' conatins unexpected characterpsalparams.cgiwelcome.cgimtgpleasewait.cgirdremediate.cgi'LaunchParamsURL' is not present in the inputInvalid 'LaunchParamsURL' present in the input.cgiInvalid 'LaunchParamsURL'. NO Qmark and No Cgi in LaunchURLInvalid 'LaunchParamsURL'. NO slash in LaunchURLInvalid 'LaunchParamsURL' Invalid start positionIndex of ? = %dIndex of slash = %dstrCGIFile = %s'Host' is not present in the inputInvalid 'Host' present in the input'ServerTokens' is not present in the inputInvalid 'ServerTokens' present in the input'SrvCertMd5' is not present in the inputInvalid 'SrvCertMd5' present in the input'SrvCertMd5' conatins unexpected character'UserAgent' is not present in the inputInvalid 'UserAgent' present in the input'Locale' is not present in the inputInvalid 'Locale' present in the input'Locale' conatins unexpected character'ServerVersion' is not present in the inputInvalid 'ServerVersion' present in the input'ServerVersion' conatins unexpected character'Timestamp' is not present in the inputInvalid 'Timestamp' present in the input'Timestamp' conatins unexpected characterlist too longPsal::ExtensionUtilsRead result = %ds:\ive\setup\psal\common\psalExtensionUtils.cppfread errorMessage length = %dRead result = %d, Message = %sMessage = %sError = %sMessage is emptyfwrite errorjson_dumps error
Source: metadata-2.2.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: PulseApplicationLauncher.exe.2.dr	Binary or memory string: VMware Desktop
Source: metadata-2.2.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Source: metadata-2.2.dr	Binary or memory string: imscmig.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests44microsoft-hyper-v-drivers-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	1544660
Product:	CloudBasic
Start time:	16:08:32
Start date:	29.10.2024
Sample:	PulseSecureAppLauncher.msi
Cookbook:	default.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	9fadc49ea06140e22dd3025384d8dde0
SHA1:	a0c005e2e4db3f84f9e0404c6ffbc1ffd264e652
SHA256:	2390077eb538a20bbe188b52c7189b7d8e62ced9c44a6e8fa11a65e2caa80226
Filetype:	Microsoft Windows Installer (60509/1) 57.88%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\754f6b.rbs	data	BABF163C8B53ECD681612991F79B9EF0	B42A98B1712520D383D9CCF845A86877885838D9	5155F7551E344DAADAECE0F8F935BC04A7FEC27235D04686DFED668197810803
C:\System Volume Information\SPP\OnlineMetadataCache\{3967b973-d159-4ac9-84aa-d4e7a38128c9}_OnDiskSnapshotProp	data	F99CA402C932823088AF4AF389134785	AB28E1DEB9A60669CE5EF333FD2D15E9D5CA2112	0F640F23A1A6CF0C3BF012C2D7E307C36C03C85D8990D668A5FEB70B5B5245CC
C:\System Volume Information\SPP\metadata-2	SysEx File - Twister	8397187A77B05E7B9FF891A899F40410	E7C2D6E9C78D5C860A0DD4BD5CF0CC5AC4D7440E	CC5CC1531E808DE0D8788B8F0FF04826B4C1A5062E9F1C9E8DB55485281EC0F2
C:\System Volume Information\SPP\snapshot-2	data	F99CA402C932823088AF4AF389134785	AB28E1DEB9A60669CE5EF333FD2D15E9D5CA2112	0F640F23A1A6CF0C3BF012C2D7E307C36C03C85D8990D668A5FEB70B5B5245CC
C:\Users\user\AppData\Local\Temp\~DF42CA10E670479EE7.TMP	data	E79AB14DA200E5A39CFFCA5F5AC069FE	CBD2BFF71F3EBC0BB4785A61140397BFBAC2A236	C00A469B3A1185D8BCDD2AA285036A4086964FC0A82D9A879DAEF5DD153BC3E1
C:\Users\user\AppData\Local\Temp\~DF496484BAC2C87FEA.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Users\user\AppData\Local\Temp\~DF98004BD7CA64244C.TMP	data	67700BBF5987F6C4B1047DDBF0B4D535	EC5A6E5E9E7C15ECAFCB22AC600F3CE85AA7FD90	A0F1BA9B28E85A3AE9983BE2200827F72E7128A358AA905CA4713E685515A2E5
C:\Users\user\AppData\Roaming\Microsoft\Installer\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}\psal.ico	MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel	B81F31C6EA548DDBF4CAE02106B3FA82	3916EE0C29BCB460792171E21B589B3BC71D4A07	C2BD26142702BB86A175EDBEDD16765F8E29EB21EAF1AB0A5BAAACF71AAEC784
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_DE.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators	65439EDE5AC02DC4A2809ADC98BA5744	0EB27D2E52220EFF1AB34C1D6B34F05D033854C1	1FA728FC8C8F0E271697AC99C8E7639A75B554F39E6E357A039FD0C75B84EEFA
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_EN.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators	20A330279C761056AA7AB501A0314D5D	A408FAADAB7317D15D401D5EA1819437A3794017	C212FDEA7290E37FC912FAC45C6A1983D7299E462C7CC5C0A213A860EB8929C6
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_ES.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators	55ADE44A0CF656C4C552CDF87B4F2B54	A29B83672164A5D7064913AD4ED74412393FAEF8	BCB21B25487F1F83F370BB224B6155F72C8A3DB0F485A9B1411AFDFE06FD8C2F
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_FR.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators	31271C54497F887933703667B1E76FBE	39864F9D1747EB315982F1C7AD17C3917ABC9CF1	5F4BD5D84236B5B4AFA3BCD1803BA00763B962EEFDBA19033689D2E4162E6754
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_IT.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators	69BBC74367D4BDEA666902F23266FAD4	6796A1F1AE5222FB5D4F7DEB0B76A838BB0E25AD	A54098E7EF0C9DD9AF552D5FB9073202A294D273EA82D396A990461ADAF4FE37
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_JA.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators	7C2AF76FBD38B52B420A70ACECD1D34F	F9633B5D705C87FC687375D103C497D69A0059F6	83599563E99B16D73AADB61B85C93AD50BB1894215E804FF9E126DF5A422B227
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_KO.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators	E182E51A994A43F10F33F5D13C4B1FF3	1F6C34A16CF36F4B65418CE52891298AC1AC6706	EFAFA63D364827FE821AA362A5A39DAAEC0F55F72863E5551B2C4216F11F2F26
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_PL.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators	45FA8AD98556BD4D234F4E800E96DBC6	780D9ECDAE1A9C499DBEC64B7E2D351A9529B10F	61AD27EB85103C5658E6BFE8D9FB9C437DB4BD5F4C699196735EF97CD5E793A4
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_ZH-CN.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators	9A7C44D043217741FBEC32A9516D040B	6D959EDE04C1828D4D5263CF1A653C837877E6D8	905FACD66A13155226567C196C887E624449B5428BCCF6799737CBA39D329092
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_ZH.txt	Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators	4331FD68378A79A34B8C189E67E0255D	8D50128A44C4615529390759811CBFF73868A595	176929B93C9E2DFD77EBAFB442657D5D8E077FBD68DB9D4A6800ADE821F3DE24
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe	PE32 executable (GUI) Intel 80386, for MS Windows	A2659EA9E27E9096F3E91932F465A07E	C165E2F80D54F3F16E5CA3925994D0B475A61B11	D1C2899B3FDF2688345F290F057437ACD2FB372E9DCB7A3FC8CD87434BDCEF37
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe	PE32 executable (GUI) Intel 80386, for MS Windows	1BE06115885FB5C2A86CB2574B0465A0	1B2EF267DD7281C22B9D016A7AAECDE7F4A951BB	53185F9A99CA2831F966D7D6C570329C0A759B8CC6C4BB765438EC7F4035F72E
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe	PE32+ executable (GUI) x86-64, for MS Windows	F8E841A4F6BBB5C37F8BDEEF9106556D	9D22518031022EAC33E96A6F100CD1461CECF92C	FFD5EE14065C5C8182E1246C24C63DBEAE7721D390B990C2BC9C16D2D7B2966A
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\Version.ini	ASCII text, with CRLF line terminators	0504D2856D7F23B01A0E5D8EC228E19D	19F47890BDF469BDB5B79507BBCBC35A68455EE7	09CA851394D2EDAAFF21650FF4292295A5C5A7A88BC96A5140B1C30AC20A8738
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsOpenSSL.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	13AA4DB710A0CC2153F6ABD57A53F70C	638507053CBBC180932414B501EEE98A6B664E2E	1A7A7784A0D487B169158321D2045E5A9C58F51E7D4B7BF2503D93D611D5A029
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_DE.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	52C744BD93E3232203FEA38CEAE87CE9	50C24415951E7061610497EAC8BB24C468518B3C	DB302A865CB55BED35286CD02D5ED01D7F509E4AE218278A8956774310C8A7B2
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_EN.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	BDB0F1BA9BBD5AF7FFBF34358DBDF44C	09A57B70301D160C95763F7B4A49C74985B30B72	472148317DDF47AC3F2E994732ADA1EECEC35ADB954106466BE820F1C748C1FA
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ES.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1A31044AF56E486E8210D7146E000827	E5D6CC5EA696691D3C585462148BB0FA48D3FFB0	0C2F351D73A85272F1548DC933E12A8187358D5261ED5A83C0E768B47B0BF903
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_FR.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B6911BB383D8D82D7167BFBCADACE6FF	BED01F495AAD65DE2EE28B8BB875C2FDA6C338B1	F63A443E4C909A2D0E6D7DC05F46E84B44305191B340EE3103C7827162922F99
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_JA.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CE13658DEBD8DA32C4AA7D2F2E4473BB	C592E89503F29FA381224E603D35D524A11ABCD9	38AB24468F1ECDAD1FE50F334A5EFD6C135E23854B729B89C98357E7377A5453
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_KO.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1FCF0ADA6704A5B5988C335D729FE609	7CCBE943C1B975F5F6A0C0B70BB37ADF04144054	0D30A8504AF5C93EB1FE471475C8C742171361E9BB800234F76E718BD543350F
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	5C96D19BCEBE1C52EB9565342BC6EABB	B5F2DB21098513A52AB3AB3BB70B11F68522FE56	D2A31561D759E716E16086C235FC2AFBA6E954EFB3F8E3C795DA34A166194123
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH_CN.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	280BD481106A2C1E88B6D38170058A2E	35CC62AE13F21AD5F1A4D8FC7F59744F3E4794D8	6600E69F9CED3A5136F880EC2197324A2D43359481EC8567AAF4B3F8371EEDE3
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libcrypto-1_1.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	9CA0DD834C5E5A674CE9AE0476959ED0	B6B1C7BF73FBF1695FD5A42093FC047F079BE770	563A8F33128EDABF92D9D3F6FC8091FB09383C5744AC5ACEB1CD76B9AA614D4D
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libssl-1_1.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	7D0DFA6D5444B386E11C96C83B46EB6D	136BC820A5C673639C013EC7BA89A576879BCCB0	BA122742040543A8E29AE8C2CD0D376E5EAEAE42880EDC1DC310E2D9EF24E50D
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	697220335E5C4B4126AF45F6F8207896	8106F2DD4665AEC0D1C652E29378EF46EA4E5801	D7446822C53CF6B9E31D5610D838EBF26ED08BF7497A3E022C47FF193CCDE0BE
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe	PE32 executable (GUI) Intel 80386, for MS Windows	D293D88FBCABFE22F0123DD9F9EC8AB9	ADE244760996586599F08312D4C021A50574C81F	94386EF5736A380EB92782A25BE426A4324AC6884B5222E736EEBAE5D1627BD2
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalwin.json	JSON data	3D14885FB5872A3F79A8D74D3CDA6C5C	8A03048514EAE4E868750F03BE979670497C77D6	797AC1C3EE5D9FEA99C22936E4001E85FE948D124BA3D9CB2EAE34E7DF4E54FF
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalwinEdge.json	JSON data	34C1B7A75EAC7A19E45AF7337C7A3E25	5BFCBB5A09DBE2C7625AF75AB67E2E99F99A1929	F427FCEEB8FAF6960112F0147A434EA89EA34ABE9B362852973B0AA3A8541D38
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\pulse.png	PNG image data, 99 x 40, 8-bit/color RGBA, non-interlaced	A9B5E382C0FC5CE9A2DB276DBC7EC706	09A662ADCBBCF1DDE47C2F8829C2F47F3BEFBBA7	867F49DE07FA0A3A8FD7EDF915CF4A0387108A733C8F3725C89A04EABA9BB7FB
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\pulse_toolbar.png	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	E5EE7835C023475F026ADA1B3B80C461	E87EBEAEFD92024767A42FDDFD4E523843F2F279	B3F0597C0F040F48C176318B4A30A8C8B46FB250590DD108D42D966F7E3CD02C
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	4C360F78DE1F5BAAA5F110E65FAC94B4	20A2E66FD577293B33BA1C9D01EF04582DEAF3A5	AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfEngine.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5DC35C0FF3454E732E088E1E672FDA60	2D899A31998B49ED969E382CD649E2E72A18F3BD	9F8198508047069F5BF0A4E06D7B961915E4B12D9584677D05569B80A5ABB930
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfssl-fips.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C68BB24461101B1888C547C9AC911857	D030A252447F0F4089B79CD9E144ACA43A611E17	2D7BD97CA2CB377EBE437A49ACAEBE666FC48BF5CE81DBDA6D56E6B24547073C
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe	PE32+ executable (GUI) x86-64, for MS Windows	661FD6909BD359EE0BBCAD29254917AE	01EC7B33D2CD36B3901F510DD643331108AFE44C	4DE5AEE11F699959412D5191A21A252D63F8B8F595FCC0BF0D6D762ABA607AB8
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsOpenSSL64.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	98BA74CAA5599621427CD7E8C708645E	D78B8A23D782C6EC066168B6FF8285707647BD2D	66BFE5FFA9DDAEC6452AF008C96ACDCB432D66AA157F445B32891605AF26F332
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_DE.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	497A12A5BB0C6CA28ACE44D4FDE2BF22	A6D588F881D1BD1C8BF6E20804FB5FA3DEA1B0EF	4FBA78616770178876C73492C1EC0591CFDC60914D418F60424E286FC1DF1A14
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_EN.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	6BB8257D400D837F580EBB181317246E	EAA9D369397D50484E8F8C0CF13A7CC760B1E396	FA54E88B34FE6CD4DC297D876D98755F3D11FA2EB9C44D1491FEAAFB275200CC
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ES.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	844350CD187AC194306EB9E9058A7663	2D19BD72BA939AA72075D693C962DAAB960E1AC8	3A84E2F1D1BF24BD990D88F7C3CC07B676794A434FC7B74F5FACAF46DC3DE951
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_FR.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	524B2AA7485E824072F2F91B6B8D76B6	A6A242A2234277983695DCEEE78AF3B3DF9C641C	6B538C2417342FC2946E45F5E0E02D843C57C4C518FD04AC467179CA9BBA76D2
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_JA.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	7CAA1477D4DA1ADAEED8563B2C8BCB72	22315354D3F5D19144F8C921BD2704EF21920DDD	1768C3427BC2E52BE5943FBC0BB7188F1C884FD63A329C7268857F4971FA16AD
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_KO.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	AB504252C2A7209E567898365BE21678	DAFED6F4AA1621712329015A0871376C74B7F2CB	CFB5C799FA7F8862BD1A647290EA7FACCF2666505ED22804E38F214F0380920B
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	CFE89847907E278B8B70D0A57942BA15	CA8D1A7FC175B303A4464C8FDFCEB836320E843E	5D35678AE24B20A69EFE539266DC21B56655F71F114068D76C52506F853B4E72
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH_CN.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	CE29CB498CDD5A5E0C5B9692EEE81BAC	57419CF64DDB4430A04CAF28B02CCAE8975A36BD	26A5BCA1B9E480C92C10F173462B99BEBBFF555F8CC297237AC6BBBA6C0A1543
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libcrypto-1_1-x64.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	A636A64D2DC9E71A196235EBC0E2A184	AEFD80A2DA0FE57B25B0A86AE5D636126BE944D0	9528601D660EC8901299EF0C65A0F1F71EED611C5A42A7386A91C6A94202C99F
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libssl-1_1-x64.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	303F706C639AA24A25E4BBAC4ED747FF	6658EDBC0DD6F01697918500F49943EF5EA959B8	7900BCC7786428E0E7A1AE27523B2D0F7711D3593450D4955973163EF2E56F34
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\msvcp140.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	A11A1D761D757D367146F0F772632D8C	9FD3EEE4C4111DC386510A930192D56A2E938DFE	2CC02C5E6654AA9175D5963F811CAC222F4A2604DC28553139C675B1A78995A7
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\vcruntime140.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	6BA0DBCD2DB8F44243799C891DBD2A59	30A2719D4B8667FD237BCFB781660901C993D9FC	263988A0868053B6B01835CD2959C8F71E3F943610421B269DA646F2D9E3B333
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfEngine-x64.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	0B68590A71F75BBAC7F20BC6A12F2836	9F80A5CB9B8990D880C6FABB28C7B3B8908FF18D	82B61D31163CE35BDCD0DF4640F80FEC7E3C743F4047C94A77F41D4FF5ED78B6
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfssl-fips-x64.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	E110B1D9042D1561F73A49A6E2BE1560	79C2A0E6125EF1CC61D6CB2FFE536813DD672C51	0FA51D50B0CE8C94AA5988902FBBB919455015B0489A12C2C6A12E1D7DB602C7
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe	PE32 executable (GUI) Intel 80386, for MS Windows	A2A82E410D7CE3889DDB850498F32143	D6DE71C9612321783B4EF8C492BA23F5A4BEE135	7C03B813EF9994C63AA0274F742954C455F80E8DF8D332E4B5C90A392A7A9A22
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsOpenSSL.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	97C9C71B3482E67C229BBC178AF9BAB3	D5269BD1664741B5A491B268C4201C30524EAFB4	09AB075960E0E8011A108179C5A7124E9CA24AA891BE3F93FABEE64F4A72BD57
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_DE.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1F7E8117B57FD074CF5182967C97D14A	5EDFF021B18386212C5770B59EF8E40B8AF3C566	8EB87EB15547ECB65085F2B69114812F953056EDD3EB76A513922411B4A033BB
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_EN.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	2CC5855E61F8EE07E9EDBA115A218830	3AE03273473E28EC3C531306949806FE5E179EAF	235F2BA79AB52CCA7B4F6DD6501FDCD429B7683CB1DE81045C3850BF15B484AC
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ES.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C7D9D3305CEE47E54D67A7A48EBB274E	A2B31C9C9012471B4285745248A18C6B05649FE8	30916F77081FA60D7F0EC4236154A3AF21183694FC5B9C6D47603EDA8F5D05AE
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_FR.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	494724673A03378A2A12338A208E25E8	2BB4D0B857456ACE097975422FCD65516AEEE65F	908F44ED75D11242A520E53CA13ECBC8E078CCC3E5402A9EC6F2CF7BBEC298D5
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_JA.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D8574B6315AF2CF2F17A739AB4E5A403	FD3E3FCEA43E168C91D0D01100028212CF4E9422	706E71ACCDEF023E81088D6CE23A79C9A690FF7546BD36C6EC2C64DBF4012440
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_KO.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	FABB7B49EFE8137543B633A6E030A91D	9F4B02BD877DB30F63171A89C79A64FC7771396D	80D5808D0A64F43C659970DA07A10A79A729F4FB38EC745D7FB39DBEBF1532C9
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D4881B37A874D8B7E305C398248A8644	A55A0C923F39291F26D078BC879F170891846E18	8F69EB91510215BB444D8D440B79EC9AABE5CE71B94ECEF8767D3D5E6B35A920
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH_CN.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D0B8063EDF74966288EE44517622E95E	21887C5571FF1A7C8B01DACA40C1F68CE7E449DF	3E9B2AC8AFF5514E1EE50C50E9F6E2CDF869F80FC1F5B91DCFA4EF035A3C19B5
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libcrypto-1_1.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	7E001CFB956DE7CDF2C7A2412568DEEF	232E58F3CF1E9582762612271CA49B3530605A73	2FECDD8F01C91EAD2C3165125D4BC7B01C6DA663DD322ABEB6A77965234381B4
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libssl-1_1.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	47F8A325B1419EAFF7B415C0857D3F0B	B870BB9646A5328F1F3E337D77F7BC56FADA0660	CE0AD21AA7664EC4F4412346F4946F86F166E99CEC99044FE3CDF804A3157923
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	697220335E5C4B4126AF45F6F8207896	8106F2DD4665AEC0D1C652E29378EF46EA4E5801	D7446822C53CF6B9E31D5610D838EBF26ED08BF7497A3E022C47FF193CCDE0BE
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	4C360F78DE1F5BAAA5F110E65FAC94B4	20A2E66FD577293B33BA1C9D01EF04582DEAF3A5	AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfEngine.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	DE71165A2B4AF8EE0C3FAF7BE7E28A68	0AC1A657D4585D3AD44FD95B313356EF316DAE3D	DE92BDFE667C5F53ADBA98E9A3FA3855FD3A742044050D25E79A8198B7DFBC4B
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfssl-fips.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	498CE7DC027A54841A21F4FD06041218	950017F3EC9A24F5D1D2DDE63F191CF5FAA58807	328218CE190D6B407E2EDA6B89E650E08F60CC51E0A5BE771D2472F9824E990A
C:\Users\Public\Pulse Secure\Logging\PulseClient.log	ASCII text, with CRLF line terminators	E6EEA614465B622EF72BD36D04BA97BD	255CE5C9BF06FB5B680E9200CFDC26A17266BAC0	5C5F4308EA32C0338BDB7F82FE8C28AFFA52FA81B732A65F48A72C6C9F042FBC
C:\Windows\Installer\754f69.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Pulse Application Launcher, Author: Ivanti, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Pulse Application Launcher., Template: Intel;1033, Revision Number: {6AA15FA6-A504-4D12-8AB0-2C320EEE9B08}, Create Time/Date: Thu Dec 28 10:03:24 2023, Last Saved Time/Date: Thu Dec 28 10:03:24 2023, Number of Pages: 300, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.0.4118), Security: 2	9FADC49EA06140E22DD3025384D8DDE0	A0C005E2E4DB3F84F9E0404C6FFBC1FFD264E652	2390077EB538A20BBE188B52C7189B7D8E62CED9C44A6E8FA11A65E2CAA80226
C:\Windows\Installer\754f6a.ipi	Composite Document File V2 Document, Cannot read section info	CAFC42354ADFC0871FECF8FA216A1BB7	80D4303C5CC588006ACDD39209E11F8B5E644F33	F33ED8423A94EB5AF6AE737B2B2110804CC87A94942B65FBB3279624D3D9DAF5
C:\Windows\Installer\754f6c.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Pulse Application Launcher, Author: Ivanti, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Pulse Application Launcher., Template: Intel;1033, Revision Number: {6AA15FA6-A504-4D12-8AB0-2C320EEE9B08}, Create Time/Date: Thu Dec 28 10:03:24 2023, Last Saved Time/Date: Thu Dec 28 10:03:24 2023, Number of Pages: 300, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.0.4118), Security: 2	9FADC49EA06140E22DD3025384D8DDE0	A0C005E2E4DB3F84F9E0404C6FFBC1FFD264E652	2390077EB538A20BBE188B52C7189B7D8E62CED9C44A6E8FA11A65E2CAA80226
C:\Windows\Installer\MSIAC58.tmp	data	25C5DC205F44941FBA15DECBC483F8C1	0FF8E983331BC5F18950B2CBAF58C31D8162E47A	8E754FA5AB4833F4E4CEA6B106FCFB3E6A56BC1A0B3328B6B99E2FE6BEC34D40
C:\Windows\Installer\MSIE496.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	E05884F57BC8BC8E131C2B0E50CEDEF0	29C6CBD9F66E91F6E221F0DDAF1A651685F197DF	7548A0F20CB0AE214DA3F0A4D3F21A59C6F50CE9F2E5BD666A471D6BB70BE74C
C:\Windows\Installer\SourceHash{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}	Composite Document File V2 Document, Cannot read section info	8AF4A5162E47DFAE726FCABC38F80435	C71BBD10300981FDC1C2CB61A20B8BFC9113DC6B	66C7F9A876F7688F899F2D9DF5F9260BE7AE7D5D5D44824D5AB33F0922F87118

Windows Analysis Report
PulseSecureAppLauncher.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report PulseSecureAppLauncher.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
PulseSecureAppLauncher.msi