Windows Analysis Report
PulseSecureAppLauncher.msi

Overview

General Information

Sample name: PulseSecureAppLauncher.msi
Analysis ID: 1544660
MD5: 9fadc49ea06140e22dd3025384d8dde0
SHA1: a0c005e2e4db3f84f9e0404c6ffbc1ffd264e652
SHA256: 2390077eb538a20bbe188b52c7189b7d8e62ced9c44a6e8fa11a65e2caa80226
Infos:

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
Modifies existing windows services
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

  • System is w7x64
  • msiexec.exe (PID: 3236 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PulseSecureAppLauncher.msi" MD5: AC2E7152124CEED36846BD1B6592A00F)
  • msiexec.exe (PID: 3304 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)
    • msiexec.exe (PID: 3600 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
    • PulseApplicationLauncher.exe (PID: 3800 cmdline: "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished MD5: A2659EA9E27E9096F3E91932F465A07E)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

There are no malicious signatures.

Source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: -----BEGIN RSA PUBLIC KEY-----
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_JA.pdb source: dsWinClientResource_JA.dll1.2.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC; OpenSSL 1.1.1t 7 Feb 2023; built on: Thu Dec 28 08:51:49 2023 UTC; platform: VC-WIN32; OPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"; ENGINESDIR: "S:\pulse\out\dsOpenSSL\Win32\Release\lib\engines-1_1"; not available; des(long) source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll1.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll1.2.dr
Source: Binary string: d:\agent\_work\8\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: vcruntime140.dll1.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb source: psalswitch.exe.2.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC; OpenSSL 1.1.1t 7 Feb 2023; built on: Thu Dec 28 09:16:51 2023 UTC; platform: VC-WIN64A; OPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"; ENGINESDIR: "S:\pulse\out\dsOpenSSL\x64\Release\lib\engines-1_1"; not available source: libcrypto-1_1-x64.dll.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.0000000067205000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source: Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\PulseExt.pdb source: PulseExt64.exe.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdb source: libcrypto-1_1-x64.dll.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH_CN.pdb source: dsWinClientResource_ZH_CN.dll1.2.dr
Source: Binary string: C:\agent\_work\82\s\build\ship\x86\wixca.pdb source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: libcrypto-1_1-x64.dll.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psal.pdb source: PulseApplicationLauncher.exe, 00000007.00000000.466523108.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe, 00000007.00000002.473018711.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_FR.pdb source: dsWinClientResource_FR.dll0.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb source: libssl-1_1-x64.dll.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll0.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll.2.dr
Source: Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr String found in binary or memory: http://wixtoolset.org
Source: PulseApplicationLauncher.exe, 00000007.00000002.473453531.0000000069AAB000.00000002.00000001.01000000.00000008.sdmp, PulseApplicationLauncher.exe, 00000007.00000002.473332236.0000000067232000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr, libcrypto-1_1-x64.dll.2.dr, libssl-1_1-x64.dll.2.dr String found in binary or memory: https://www.openssl.org/
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\754f69.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE496.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\754f6a.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIAC58.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\754f6c.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIE496.tmp
Source: dsWinClientResource_DE.dll.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_FR.dll0.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH_CN.dll1.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_FR.dll.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_ES.dll.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_JA.dll0.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_JA.dll1.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_FR.dll1.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH.dll0.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_DE.dll1.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_KO.dll.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_KO.dll1.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH.dll1.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_EN.dll1.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_KO.dll0.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_JA.dll.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_ES.dll0.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH_CN.dll.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_EN.dll0.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_EN.dll.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH.dll.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_DE.dll0.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_ES.dll1.2.dr Static PE information: No import functions for PE file found
Source: dsWinClientResource_ZH_CN.dll0.2.dr Static PE information: No import functions for PE file found
Source: PulseSecureAppLauncher.msi Binary or memory string: OriginalFilename wixca.dll vs PulseSecureAppLauncher.msi
Source: classification engine Classification label: clean8.winMSI@6/81@0/0
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\PulseSecure.LogService.Settings.Mutex.v2
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Mutant created: NULL
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\~DF98004BD7CA64244C.TMP
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: PulseSecureAppLauncher.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PulseSecureAppLauncher.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: atl.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sxs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: samlib.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: winsta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: ucrtbase.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: libssl-1_1.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: dsopenssl.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: wolfengine.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: wolfssl-fips.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F8383852-FCD3-11D1-A6B9-006097DF5BD4}\InProcServer32
Source: C:\Windows\System32\msiexec.exe File written: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\Version.ini
Source: PulseSecureAppLauncher.msi Static file information: File size 7266304 > 1048576
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdbe source: libcrypto-1_1-x64.dll.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libssl-1_1.pdbAA source: PulseApplicationLauncher.exe, 00000007.00000002.473443554.0000000069A8C000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_JA.pdb source: dsWinClientResource_JA.dll1.2.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMICOpenSSL 1.1.1t 7 Feb 2023built on: Thu Dec 28 08:51:49 2023 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"ENGINESDIR: "S:\pulse\out\dsOpenSSL\Win32\Release\lib\engines-1_1"not availabledes(long) source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source: Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb))) source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll1.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll1.2.dr
Source: Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdbHHHGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source: Binary string: d:\agent\_work\8\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: vcruntime140.dll1.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb source: psalswitch.exe.2.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.00000000671A8000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473493357.0000000071671000.00000020.00000001.01000000.00000007.sdmp, vcruntime140.dll.2.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMICOpenSSL 1.1.1t 7 Feb 2023built on: Thu Dec 28 09:16:51 2023 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files (x86)\Pulse Secure\SSL"ENGINESDIR: "S:\pulse\out\dsOpenSSL\x64\Release\lib\engines-1_1"not available source: libcrypto-1_1-x64.dll.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x86-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473297345.0000000067205000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source: Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfssl\IDE\WIN10\DLL Release\Win32\wolfssl-fips.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473216003.000000005A07E000.00000002.00000001.01000000.0000000B.sdmp, wolfssl-fips.dll0.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\PulseExt.pdb source: PulseExt64.exe.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libcrypto-1_1-x64.pdb source: libcrypto-1_1-x64.dll.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\bin\winnt-x86-Release\dsOpenSSL.pdb99 source: PulseApplicationLauncher.exe, 00000007.00000002.473402713.0000000069A0A000.00000002.00000001.01000000.00000009.sdmp, dsOpenSSL.dll0.2.dr, dsOpenSSL.dll.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb?? source: libssl-1_1-x64.dll.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\dsWinClientResource_ZH_CN.pdb source: dsWinClientResource_ZH_CN.dll1.2.dr
Source: Binary string: d:\agent\_work\1\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: PulseApplicationLauncher.exe, 00000007.00000002.473350170.0000000069471000.00000020.00000001.01000000.0000000C.sdmp, msvcp140.dll.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb> source: psalswitch.exe.2.dr
Source: Binary string: C:\agent\_work\82\s\build\ship\x86\wixca.pdb source: PulseSecureAppLauncher.msi, 754f69.msi.2.dr
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W1 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DPULSESECURE_OPENSSL_BUILD -DOPENSSL_NO_ZLIB -DOPENSSL_NO_ZLIB_DYNAMIC source: libcrypto-1_1-x64.dll.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psal.pdb source: PulseApplicationLauncher.exe, 00000007.00000000.466523108.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe, 00000007.00000002.473018711.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp, PulseApplicationLauncher.exe.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_FR.pdb source: dsWinClientResource_FR.dll0.2.dr
Source: Binary string: s:\pulse\out\components\dsOpenSSL\obj\winnt-x64-Release\OpenSSL\openssl-1.1.1t\libssl-1_1-x64.pdb source: libssl-1_1-x64.dll.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_ZH.pdb source: dsWinClientResource_ZH.dll0.2.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_KO.pdb source: dsWinClientResource_KO.dll.2.dr
Source: Binary string: C:\Users\admin\Downloads\Wolfssl_\wolfEngine\windows\fips_140_2\DLL Release\Win32\wolfEngine.pdb source: PulseApplicationLauncher.exe, 00000007.00000002.473473916.000000006A000000.00000002.00000001.01000000.0000000A.sdmp, wolfEngine.dll.2.dr, wolfEngine.dll0.2.dr
Source: PulseApplicationLauncher.exe0.2.dr Static PE information: section name: _RDATA
Source: dsOpenSSL64.dll.2.dr Static PE information: section name: .00cfg
Source: dsOpenSSL.dll.2.dr Static PE information: section name: .00cfg
Source: dsOpenSSL.dll0.2.dr Static PE information: section name: .00cfg
Source: PulseExt64.exe.2.dr Static PE information: section name: _RDATA
Source: vcruntime140.dll1.2.dr Static PE information: section name: _RDATA
Source: wolfssl-fips.dll.2.dr Static PE information: section name: .fipsA
Source: wolfssl-fips.dll.2.dr Static PE information: section name: .fipsB
Source: wolfssl-fips.dll0.2.dr Static PE information: section name: .fipsA
Source: wolfssl-fips.dll0.2.dr Static PE information: section name: .fipsB
Source: wolfssl-fips-x64.dll.2.dr Static PE information: section name: .fipsA
Source: wolfssl-fips-x64.dll.2.dr Static PE information: section name: .fipsB
Source: libcrypto-1_1.dll.2.dr Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll0.2.dr Static PE information: section name: .00cfg
Source: libcrypto-1_1-x64.dll.2.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.2.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll0.2.dr Static PE information: section name: .00cfg
Source: libssl-1_1-x64.dll.2.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr Static PE information: section name: .didat
Source: msvcp140.dll0.2.dr Static PE information: section name: .didat
Source: msvcp140.dll1.2.dr Static PE information: section name: .didat
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_KO.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libssl-1_1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libssl-1_1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_KO.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsOpenSSL64.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_KO.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfssl-fips.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsOpenSSL.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_EN.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libssl-1_1-x64.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_DE.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_DE.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfEngine-x64.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ES.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_EN.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libcrypto-1_1-x64.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfssl-fips-x64.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_JA.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_EN.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH_CN.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_FR.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfEngine.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfssl-fips.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_FR.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_FR.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_JA.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libcrypto-1_1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_JA.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libcrypto-1_1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_DE.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE496.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfEngine.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH_CN.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsOpenSSL.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH_CN.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ES.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ES.dll
Source: metadata-2.2.dr Binary or memory string: bcdedit.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.2.dr Binary or memory string: bcdedit.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: C:\Windows\System32\msiexec.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Source: C:\Windows\System32\msiexec.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started:
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_KO.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_KO.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsOpenSSL64.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_FR.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_KO.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_FR.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_JA.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_EN.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_JA.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libssl-1_1-x64.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_DE.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_DE.dll
  • C:\Windows\Installer\MSIE496.tmp
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH_CN.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_DE.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfEngine-x64.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ES.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_EN.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libcrypto-1_1-x64.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfssl-fips-x64.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_JA.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH_CN.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_EN.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH_CN.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_FR.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ES.dll
  • C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ES.dll
Source: C:\Windows\System32\msiexec.exe TID: 3300 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 3808 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msiexec.exe TID: 3336 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3620 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: PulseApplicationLauncher.exe.2.dr Binary or memory string: AAppIdAppActionLaunchParamsURLServerTokensSrvCertMd5LocaleServerVersionTimeStampPSALSwitchTruehcHost CheckerepoacOdyssey Access ClientepjamPulse SecurectsPulse Secure Citrix Services ClientwtsPulse Terminal Services ClientpulsencNetwork ConnectsamSecure Application ManagercitrixvdiCitrix Xen DesktopvmwarevdiVMware DesktopLog UploadjsamhobautowtsWindows Terminal ServicesInvalid parameterPsal::CmdParsers:\ive\setup\psal\common\psalcmd.cppKey = %sKey = %s, Value = %sUnknown key. IgnoringFirefoxfirefoxEdgeChromechromeStartStopUninstallSetHCCookieInvalid 'AppAction' present in the input = %s'AppId' is not present in the inputInvalid 'AppId' present in the input'AppId' conatins unexpected character'AppAction' is not present in the inputInvalid 'AppAction' present in the input'AppAction' conatins unexpected characterpsalparams.cgiwelcome.cgimtgpleasewait.cgirdremediate.cgi'LaunchParamsURL' is not present in the inputInvalid 'LaunchParamsURL' present in the input.cgiInvalid 'LaunchParamsURL'. NO Qmark and No Cgi in LaunchURLInvalid 'LaunchParamsURL'. NO slash in LaunchURLInvalid 'LaunchParamsURL' Invalid start positionIndex of ? = %dIndex of slash = %dstrCGIFile = %s'Host' is not present in the inputInvalid 'Host' present in the input'ServerTokens' is not present in the inputInvalid 'ServerTokens' present in the input'SrvCertMd5' is not present in the inputInvalid 'SrvCertMd5' present in the input'SrvCertMd5' conatins unexpected character'UserAgent' is not present in the inputInvalid 'UserAgent' present in the input'Locale' is not present in the inputInvalid 'Locale' present in the input'Locale' conatins unexpected character'ServerVersion' is not present in the inputInvalid 'ServerVersion' present in the input'ServerVersion' conatins unexpected character'Timestamp' is not present in the inputInvalid 'Timestamp' present in the input'Timestamp' conatins unexpected characterlist too longPsal::ExtensionUtilsRead result = %ds:\ive\setup\psal\common\psalExtensionUtils.cppfread errorMessage length = %dRead result = %d, Message = %sMessage = %sError = %sMessage is emptyfwrite errorjson_dumps error
Source: metadata-2.2.dr Binary or memory string: lsm.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: PulseApplicationLauncher.exe.2.dr Binary or memory string: vmwarevdi
Source: PulseApplicationLauncher.exe, 00000007.00000002.473018711.0000000000CF0000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: AppIdAppActionLaunchParamsURLServerTokensSrvCertMd5LocaleServerVersionTimeStampPSALSwitchTruehcHost CheckerepoacOdyssey Access ClientepjamPulse SecurectsPulse Secure Citrix Services ClientwtsPulse Terminal Services ClientpulsencNetwork ConnectsamSecure Application ManagercitrixvdiCitrix Xen DesktopvmwarevdiVMware DesktopLog UploadjsamhobautowtsWindows Terminal ServicesInvalid parameterPsal::CmdParsers:\ive\setup\psal\common\psalcmd.cppKey = %sKey = %s, Value = %sUnknown key. IgnoringFirefoxfirefoxEdgeChromechromeStartStopUninstallSetHCCookieInvalid 'AppAction' present in the input = %s'AppId' is not present in the inputInvalid 'AppId' present in the input'AppId' conatins unexpected character'AppAction' is not present in the inputInvalid 'AppAction' present in the input'AppAction' conatins unexpected characterpsalparams.cgiwelcome.cgimtgpleasewait.cgirdremediate.cgi'LaunchParamsURL' is not present in the inputInvalid 'LaunchParamsURL' present in the input.cgiInvalid 'LaunchParamsURL'. NO Qmark and No Cgi in LaunchURLInvalid 'LaunchParamsURL'. NO slash in LaunchURLInvalid 'LaunchParamsURL' Invalid start positionIndex of ? = %dIndex of slash = %dstrCGIFile = %s'Host' is not present in the inputInvalid 'Host' present in the input'ServerTokens' is not present in the inputInvalid 'ServerTokens' present in the input'SrvCertMd5' is not present in the inputInvalid 'SrvCertMd5' present in the input'SrvCertMd5' conatins unexpected character'UserAgent' is not present in the inputInvalid 'UserAgent' present in the input'Locale' is not present in the inputInvalid 'Locale' present in the input'Locale' conatins unexpected character'ServerVersion' is not present in the inputInvalid 'ServerVersion' present in the input'ServerVersion' conatins unexpected character'Timestamp' is not present in the inputInvalid 'Timestamp' present in the input'Timestamp' conatins unexpected characterlist too longPsal::ExtensionUtilsRead result = %ds:\ive\setup\psal\common\psalExtensionUtils.cppfread errorMessage length = %dRead result = %d, Message = %sMessage = %sError = %sMessage is emptyfwrite errorjson_dumps error
Source: metadata-2.2.dr Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: PulseApplicationLauncher.exe.2.dr Binary or memory string: VMware Desktop
Source: metadata-2.2.dr Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Source: metadata-2.2.dr Binary or memory string: imscmig.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests44microsoft-hyper-v-drivers-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | Windows Management Instrumentation | 2 Windows Service | 2 Windows Service | 21 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Bootkit | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 11 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Bootkit | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
[Behavior graph] ID: 1544660; Sample: PulseSecureAppLauncher.msi; Startdate: 29/10/2024; Architecture: WINDOWS; Score: 8. msiexec.exe started PulseApplicationLauncher.exe and msiexec.exe, and dropped C:\Windows\Installer\MSIE496.tmp (PE32), C:\Users\user\AppData\...\wolfssl-fips.dll (PE32), C:\Users\user\AppData\...\wolfEngine.dll (PE32) and 49 other files (none is malicious).

Source | Detection | Scanner | Label | Link
PulseSecureAppLauncher.msi | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsOpenSSL.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_DE.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_EN.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ES.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_FR.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_JA.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_KO.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH_CN.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libcrypto-1_1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libssl-1_1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\msvcp140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\vcruntime140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfEngine.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfssl-fips.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsOpenSSL64.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_DE.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_EN.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ES.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_FR.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_JA.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_KO.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH_CN.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libcrypto-1_1-x64.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libssl-1_1-x64.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\msvcp140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\vcruntime140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfEngine-x64.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfssl-fips-x64.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsOpenSSL.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_DE.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_EN.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ES.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_FR.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_JA.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_KO.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH_CN.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libcrypto-1_1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libssl-1_1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\msvcp140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\vcruntime140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfEngine.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfssl-fips.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIE496.tmp | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.openssl.org/H | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://wixtoolset.org | PulseSecureAppLauncher.msi, 754f69.msi.2.dr | false | | unknown
https://www.openssl.org/H | PulseApplicationLauncher.exe, 00000007.00000002.473453531.0000000069AAB000.00000002.00000001.01000000.00000008.sdmp, PulseApplicationLauncher.exe, 00000007.00000002.473332236.0000000067232000.00000002.00000001.01000000.00000006.sdmp, libcrypto-1_1.dll.2.dr, libcrypto-1_1-x64.dll.2.dr, libssl-1_1-x64.dll.2.dr | false | URL Reputation: safe | unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1544660
    Start date and time:2024-10-29 16:08:32 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 5m 49s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:9
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:PulseSecureAppLauncher.msi
    Detection:CLEAN
    Classification:clean8.winMSI@6/81@0/0
    Cookbook Comments:
    • Found application associated with file extension: .msi
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, VSSVC.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 2.21.22.106, 2.21.22.114
    • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, download.windowsupdate.com.edgesuite.net
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtCreateFile calls found.
    • Report size getting too big, too many NtFsControlFile calls found.
    • Report size getting too big, too many NtOpenFile calls found.
    • VT rate limit hit for: PulseSecureAppLauncher.msi
    Time | Type | Description
    11:09:30 | API Interceptor | 2166x Sleep call for process: msiexec.exe modified
    11:10:18 | API Interceptor | 2x Sleep call for process: PulseApplicationLauncher.exe modified
    No context
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:modified
    Size (bytes):17599
    Entropy (8bit):5.675565086885248
    Encrypted:false
    SSDEEP:192:eJV5+eLetB4NB4Bm2cZJ+Hbp/TQN0Mnsp2m2nUi2OlS97:eJjWBIBe78cpm7Q
    MD5:BABF163C8B53ECD681612991F79B9EF0
    SHA1:B42A98B1712520D383D9CCF845A86877885838D9
    SHA-256:5155F7551E344DAADAECE0F8F935BC04A7FEC27235D04686DFED668197810803
    SHA-512:4661DAB355C9BC3049096F02A449A696DA572612A3CDB4DE4934F3D3B203860BE011BC2BDD5CD486CEC4F46F58229C31E9AF236A17C6ECF45AD3992E519EC492
    Malicious:false
    Reputation:low
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):3088
    Entropy (8bit):3.672878439333603
    Encrypted:false
    SSDEEP:48:rh/kYme7N38RN3xp/7wP8c1SFjwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6Rey8:rhsveZ4PUiF8fHzbOHXOHB9Bpi
    MD5:F99CA402C932823088AF4AF389134785
    SHA1:AB28E1DEB9A60669CE5EF333FD2D15E9D5CA2112
    SHA-256:0F640F23A1A6CF0C3BF012C2D7E307C36C03C85D8990D668A5FEB70B5B5245CC
    SHA-512:B7B62CAF4713D2F48C9B7C1B1FEAB78E898A9ECD2AA5CD78EED1C6E44AA76EA536B3F6831CCAE5733FEF43D53C3CB6652DBF93D9BC0E38C3534228B1433280C1
    Malicious:false
    Reputation:low
    Process:C:\Windows\System32\msiexec.exe
    File Type:SysEx File - Twister
    Category:dropped
    Size (bytes):9068216
    Entropy (8bit):3.6793898181117437
    Encrypted:false
    SSDEEP:12288:vF4TYqYEzT4G09wqLB9K43gd8caDtDIY8/mhjTLQSI5JnJYKnAOYlTL9VZYbEIIw:90jq9g8caP7y0ljdAGmm/rmHp
    MD5:8397187A77B05E7B9FF891A899F40410
    SHA1:E7C2D6E9C78D5C860A0DD4BD5CF0CC5AC4D7440E
    SHA-256:CC5CC1531E808DE0D8788B8F0FF04826B4C1A5062E9F1C9E8DB55485281EC0F2
    SHA-512:942D05D6F36B0D58BBD5EA9454B8C8333846897598AD8A4D1167F10545411D4C54EBC2F487FD27363132881BAE42A441D291CDAD37218C846191978430812F4E
    Malicious:false
    Reputation:low
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):32768
    Entropy (8bit):0.0755352159980956
    Encrypted:false
    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOOaTm5v6KTUL1QVky6lWt/:2F0i8n0itFzDHFBTm5vhyWt/
    MD5:E79AB14DA200E5A39CFFCA5F5AC069FE
    SHA1:CBD2BFF71F3EBC0BB4785A61140397BFBAC2A236
    SHA-256:C00A469B3A1185D8BCDD2AA285036A4086964FC0A82D9A879DAEF5DD153BC3E1
    SHA-512:BBCF3442B9D5C06AF4EA2B55643D57E2575A6873D0A3603874B6F3A176B87D1D037E0E82135C3DF35FBDC2BE580A6CCCDFE75CC1A19734257317D799DBF1FAD3
    Malicious:false
    Reputation:low
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):512
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:BF619EAC0CDF3F68D496EA9344137E8B
    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
    Malicious:false
    Reputation:high, very likely benign file
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):69632
    Entropy (8bit):0.13443602894581635
    Encrypted:false
    SSDEEP:24:X5tqbdqMipVxtqbdqMipV7VIwGTlrkgR+7T:XMnSOnS5crRk
    MD5:67700BBF5987F6C4B1047DDBF0B4D535
    SHA1:EC5A6E5E9E7C15ECAFCB22AC600F3CE85AA7FD90
    SHA-256:A0F1BA9B28E85A3AE9983BE2200827F72E7128A358AA905CA4713E685515A2E5
    SHA-512:337532D022460BCBA9A72A681F8EDD97792CFD6E5E389F5B3BDB6EA79587E9313DB5EC2428F2BE7093C6F000086F40DB0A61C8D6C6616F47E827B3732B854B38
    Malicious:false
    Reputation:low
    Process:C:\Windows\System32\msiexec.exe
    File Type:MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
    Category:dropped
    Size (bytes):4805
    Entropy (8bit):7.787172551725883
    Encrypted:false
    SSDEEP:96:PbRG9C9Ro9DRAaJj+VeKYRtnAYr7fdChACWjeM0oSrYOG6QL2Zij11:PViCaXj+onAcbdoApLS60C1
    MD5:B81F31C6EA548DDBF4CAE02106B3FA82
    SHA1:3916EE0C29BCB460792171E21B589B3BC71D4A07
    SHA-256:C2BD26142702BB86A175EDBEDD16765F8E29EB21EAF1AB0A5BAAACF71AAEC784
    SHA-512:46026B18B821D18B7329E1F6FD66C6B62187B0C10CF802FCB7F52E4B04C0CE006E0C08AE963E7D785E20F7A5284B08477F33BEC4803399C8B4D127AC59C13A04
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
    Category:dropped
    Size (bytes):5665
    Entropy (8bit):5.416317218381333
    Encrypted:false
    SSDEEP:96:MWo91sNtTNIkzT1CQXcN/wNfaU6+ZJGHfqkW2Ujwwd7BtsoEnun9mBu3Fpm0d:MW2gTS/efa3ydgUj9BZIun9mBuXdd
    MD5:65439EDE5AC02DC4A2809ADC98BA5744
    SHA1:0EB27D2E52220EFF1AB34C1D6B34F05D033854C1
    SHA-256:1FA728FC8C8F0E271697AC99C8E7639A75B554F39E6E357A039FD0C75B84EEFA
    SHA-512:0B765F981AD5E9F96FFCF2AD9AF60D9C24A6F948BDD94E5BE148ADE4792808852DF3D9DEAA901F34AC7E9F851C006C1D7F71AF9A870D80EB118710AA8465ED40
    Malicious:false
    Preview:.; catalogUtil requires resource catalog files to be saved with UTF-8 encoding, which put 3 bytes {0xEF, 0xBB, 0xBF} at the file beginning called Byte Order Mark (BOM) for UTF-8 files . For modifications in this files, please use Text Editors which persist these BOM bytes (like Notepad.exe, Visual Studio IDE, etc).....; Following are English Resource Strings used in PSAL..; ----------------------------------------------------....; Notes: 1) Language Translation not needed for these:..; a) hyperlink anchor tags: <a>, </a>..; b) escape characters: \n, \r, \t....;IDS_PSAL_LONG_TEXT..[1]..Value = Pulse Secure Application Launcher....;IDS_PSAL_SHORT_TEXT..[2]..Value = PSAL....;IDS_PSAL_BINARY_NAME..[3]..Value = PulseApplicationLauncher.exe....;IDS_PSAL_DLG_WARNING..[500]..Value = Pulse Secure Application Launcher - Warnung....;IDS_PSAL_DLG_CONSENT_MSG..[501]..Value = Kontakt zwischen Pulse Secure und dem Server zulassen?....;IDS_PSAL_DLG_PRODUCT..[502]..Value = Produkt
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
    Category:dropped
    Size (bytes):5269
    Entropy (8bit):5.368473890647591
    Encrypted:false
    SSDEEP:96:MWo91QNS7nqd61cmXcNYNEN68n4ufW5D37iBaDIf5tvB3hTLPTJKSAnY:MW2cAS2E41i8Dc53FLPTTiY
    MD5:20A330279C761056AA7AB501A0314D5D
    SHA1:A408FAADAB7317D15D401D5EA1819437A3794017
    SHA-256:C212FDEA7290E37FC912FAC45C6A1983D7299E462C7CC5C0A213A860EB8929C6
    SHA-512:AD9BAA653BD1751BFC718715C78B8DC4FD24D8BB8A4042D7599EA04DC14DD9446B02BF3881C8D59D28C893356BEF2439F025E27D49FFDBDB9B19B319EEF4249D
    Malicious:false
    Preview:.; catalogUtil requires resource catalog files to be saved with UTF-8 encoding, which put 3 bytes {0xEF, 0xBB, 0xBF} at the file beginning called Byte Order Mark (BOM) for UTF-8 files . For modifications in this files, please use Text Editors which persist these BOM bytes (like Notepad.exe, Visual Studio IDE, etc).....; Following are English Resource Strings used in PSAL..; ----------------------------------------------------....; Notes: 1) Language Translation not needed for these:..; a) hyperlink anchor tags: <a>, </a>..; b) escape characters: \n, \r, \t....;IDS_PSAL_LONG_TEXT..[1]..Value = Pulse Secure Application Launcher....;IDS_PSAL_SHORT_TEXT..[2]..Value = PSAL....;IDS_PSAL_BINARY_NAME..[3]..Value = PulseApplicationLauncher.exe....;IDS_PSAL_DLG_WARNING..[500]..Value = Pulse Secure Application Launcher - Warning....;IDS_PSAL_DLG_CONSENT_MSG..[501]..Value = Do you want to allow Pulse Secure to contact the server?....;IDS_PSAL_DLG_PRODUCT..[502]..Value = Produ
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
    Category:dropped
    Size (bytes):5513
    Entropy (8bit):5.38113809674995
    Encrypted:false
    SSDEEP:96:MWo91YN5oAIuG3cEhwaXCNDNt66lfMdBJQl527hf3hO+q5MKgQ6Gykkk9:MW2g64RYc279/KVss
    MD5:55ADE44A0CF656C4C552CDF87B4F2B54
    SHA1:A29B83672164A5D7064913AD4ED74412393FAEF8
    SHA-256:BCB21B25487F1F83F370BB224B6155F72C8A3DB0F485A9B1411AFDFE06FD8C2F
    SHA-512:38C7A492586DB0364F1FD193B76E62AB03D6DE4234A614F79E9C176F57112557BAD2A82202F8A06E9D183EB7A6545E00750B341E779F4AC22A29A5AA61669BFC
    Malicious:false
    Preview:.; catalogUtil requires resource catalog files to be saved with UTF-8 encoding, which put 3 bytes {0xEF, 0xBB, 0xBF} at the file beginning called Byte Order Mark (BOM) for UTF-8 files . For modifications in this files, please use Text Editors which persist these BOM bytes (like Notepad.exe, Visual Studio IDE, etc).....; Following are English Resource Strings used in PSAL..; ----------------------------------------------------....; Notes: 1) Language Translation not needed for these:..; a) hyperlink anchor tags: <a>, </a>..; b) escape characters: \n, \r, \t....;IDS_PSAL_LONG_TEXT..[1]..Value = Pulse Secure Application Launcher....;IDS_PSAL_SHORT_TEXT..[2]..Value = PSAL....;IDS_PSAL_BINARY_NAME..[3]..Value = PulseApplicationLauncher.exe....;IDS_PSAL_DLG_WARNING..[500]..Value = Pulse Secure Application Launcher - Advertencia....;IDS_PSAL_DLG_CONSENT_MSG..[501]..Value = .Desea permitir que Pulse Secure conecte con el servidor ?....;IDS_PSAL_DLG_PRODUCT..[502]..Value
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
    Category:dropped
    Size (bytes):5580
    Entropy (8bit):5.425225811690632
    Encrypted:false
    SSDEEP:96:MWo91QDN4cJLGyVuMXcNfNo76kBXmvUW+5d34sB32HJiKyB/nPflXmMMZq4pQ:MW2+R4GSVomq8lHJF63fpbZcQ
    MD5:31271C54497F887933703667B1E76FBE
    SHA1:39864F9D1747EB315982F1C7AD17C3917ABC9CF1
    SHA-256:5F4BD5D84236B5B4AFA3BCD1803BA00763B962EEFDBA19033689D2E4162E6754
    SHA-512:1FC4F163E70296FE85D2E0185FFB607910E359C7DD1F11D5A97915377B7D27DCC8384653865C3239761E60AE196D628D5236FE52FE06B162159ADFCA65E9BF1B
    Malicious:false
    Preview:.; catalogUtil requires resource catalog files to be saved with UTF-8 encoding, which put 3 bytes {0xEF, 0xBB, 0xBF} at the file beginning called Byte Order Mark (BOM) for UTF-8 files . For modifications in this files, please use Text Editors which persist these BOM bytes (like Notepad.exe, Visual Studio IDE, etc).....; Following are English Resource Strings used in PSAL..; ----------------------------------------------------....; Notes: 1) Language Translation not needed for these:..; a) hyperlink anchor tags: <a>, </a>..; b) escape characters: \n, \r, \t....;IDS_PSAL_LONG_TEXT..[1]..Value = Pulse Secure Application Launcher....;IDS_PSAL_SHORT_TEXT..[2]..Value = PSAL....;IDS_PSAL_BINARY_NAME..[3]..Value = PulseApplicationLauncher.exe....;IDS_PSAL_DLG_WARNING..[500]..Value = Pulse Secure Application Launcher - Avertissement....;IDS_PSAL_DLG_CONSENT_MSG..[501]..Value = Voulez-vous autoriser Pulse Secure . contacter le serveur ?....;IDS_PSAL_DLG_PRODUCT..[502]..Val
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
    Category:dropped
    Size (bytes):5363
    Entropy (8bit):5.368838454853321
    Encrypted:false
    SSDEEP:96:MWo918NSPNIuvcceSpXcNccNQ6K9f4fSBDbkTgttPmtpqx1WbmA4LsOX4HdJP:MW2IXStStb78JIbk2zP
    MD5:69BBC74367D4BDEA666902F23266FAD4
    SHA1:6796A1F1AE5222FB5D4F7DEB0B76A838BB0E25AD
    SHA-256:A54098E7EF0C9DD9AF552D5FB9073202A294D273EA82D396A990461ADAF4FE37
    SHA-512:06FA1B23D13E65A6493763439CBD80A53D60382EF58ED6DB4DA7055F54F2523454D39465E3E7FDD2CD0EB1B6A60D1EAD1ED439DCF22983C2F8B0F2B1D71B0074
    Malicious:false
    Preview:.; catalogUtil requires resource catalog files to be saved with UTF-8 encoding, which put 3 bytes {0xEF, 0xBB, 0xBF} at the file beginning called Byte Order Mark (BOM) for UTF-8 files . For modifications in this files, please use Text Editors which persist these BOM bytes (like Notepad.exe, Visual Studio IDE, etc).....; Following are English Resource Strings used in PSAL..; ----------------------------------------------------....; Notes: 1) Language Translation not needed for these:..; a) hyperlink anchor tags: <a>, </a>..; b) escape characters: \n, \r, \t....;IDS_PSAL_LONG_TEXT..[1]..Value = Pulse Secure Application Launcher....;IDS_PSAL_SHORT_TEXT..[2]..Value = PSAL....;IDS_PSAL_BINARY_NAME..[3]..Value = PulseApplicationLauncher.exe....;IDS_PSAL_DLG_WARNING..[500]..Value = Pulse Secure Application Launcher - Avviso....;IDS_PSAL_DLG_CONSENT_MSG..[501]..Value = Do you want to allow Pulse Secure to contact the server?....;IDS_PSAL_DLG_PRODUCT..[502]..Value = Prodot
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
    Category:dropped
    Size (bytes):6083
    Entropy (8bit):6.049558842366846
    Encrypted:false
    SSDEEP:96:MWo91NN3sdJ/nVBbXcNRNP0Of6lZolQNBA6qWsnFAugT4qhdH3+HZ+K+UDO+SLo2:MW253USXPhSZ/duWz3YHDO+aoxo
    MD5:7C2AF76FBD38B52B420A70ACECD1D34F
    SHA1:F9633B5D705C87FC687375D103C497D69A0059F6
    SHA-256:83599563E99B16D73AADB61B85C93AD50BB1894215E804FF9E126DF5A422B227
    SHA-512:7934F154BB4018B2F0BEA63CCBDDB82315B77D333E8E612D1A79D1DD82F0120EF1916DD8057452D955C37C4998E60DA30D1B8994DA719F01B572F7C72EFB9621
    Malicious:false
    Preview:.; catalogUtil requires resource catalog files to be saved with UTF-8 encoding, which put 3 bytes {0xEF, 0xBB, 0xBF} at the file beginning called Byte Order Mark (BOM) for UTF-8 files . For modifications in this files, please use Text Editors which persist these BOM bytes (like Notepad.exe, Visual Studio IDE, etc).....; Following are English Resource Strings used in PSAL..; ----------------------------------------------------....; Notes: 1) Language Translation not needed for these:..; a) hyperlink anchor tags: <a>, </a>..; b) escape characters: \n, \r, \t....;IDS_PSAL_LONG_TEXT..[1]..Value = Pulse Secure Application Launcher....;IDS_PSAL_SHORT_TEXT..[2]..Value = PSAL....;IDS_PSAL_BINARY_NAME..[3]..Value = PulseApplicationLauncher.exe....;IDS_PSAL_DLG_WARNING..[500]..Value = Pulse Secure Application Launcher - ......;IDS_PSAL_DLG_CONSENT_MSG..[501]..Value = Pulse Secure ........................;IDS_PSAL_DLG_PRODUCT..[502
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
    Category:dropped
    Size (bytes):5800
    Entropy (8bit):6.095410361485782
    Encrypted:false
    SSDEEP:96:MWo914BNThuykCUdXwNhNJJ6/g5LW886JGFCAK2CCBExhK8MvBNBKa+ima2:MW2Cn+eHiRQz7ro5JA
    MD5:E182E51A994A43F10F33F5D13C4B1FF3
    SHA1:1F6C34A16CF36F4B65418CE52891298AC1AC6706
    SHA-256:EFAFA63D364827FE821AA362A5A39DAAEC0F55F72863E5551B2C4216F11F2F26
    SHA-512:6C8D7F85189285AAAA22037789DEFBA252D8A1C002483FBCBBC7DD175C7B54FE76A7698DF022E44AC307BEF41F7BDF017F733D5DE737B91C1BC95CB75FE0DA4E
    Malicious:false
    Preview:.; catalogUtil requires resource catalog files to be saved with UTF-8 encoding, which put 3 bytes {0xEF, 0xBB, 0xBF} at the file beginning called Byte Order Mark (BOM) for UTF-8 files . For modifications in this files, please use Text Editors which persist these BOM bytes (like Notepad.exe, Visual Studio IDE, etc).....; Following are English Resource Strings used in PSAL..; ----------------------------------------------------....; Notes: 1) Language Translation not needed for these:..; a) hyperlink anchor tags: <a>, </a>..; b) escape characters: \n, \r, \t....;IDS_PSAL_LONG_TEXT..[1]..Value = Pulse Secure Application Launcher....;IDS_PSAL_SHORT_TEXT..[2]..Value = PSAL....;IDS_PSAL_BINARY_NAME..[3]..Value = PulseApplicationLauncher.exe....;IDS_PSAL_DLG_WARNING..[500]..Value = Pulse Secure Application Launcher - ......;IDS_PSAL_DLG_CONSENT_MSG..[501]..Value = . Pulse Secure. ... ..... ........ ?....;IDS_PSAL_DLG_PRODUCT..[502]
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
    Category:dropped
    Size (bytes):5674
    Entropy (8bit):5.6350870009666
    Encrypted:false
    SSDEEP:96:MWo916SNSRkI2p7Kx4XcNrNhjJo6RTMlB1qXNNOWtVkthDqlopJAUpF7nnM:MW2dXVSpvzNfPtWtY6pJAUpBnM
    MD5:45FA8AD98556BD4D234F4E800E96DBC6
    SHA1:780D9ECDAE1A9C499DBEC64B7E2D351A9529B10F
    SHA-256:61AD27EB85103C5658E6BFE8D9FB9C437DB4BD5F4C699196735EF97CD5E793A4
    SHA-512:06FC3C4B765764E4E4AEAB7722054F0C4171804CCD51202E052888BAF51EFC40547E4BC56F6E06A870948908C37CB4D34B35C8560828E479989D00DFEBFDF6F4
    Malicious:false
    Preview:.; catalogUtil requires resource catalog files to be saved with UTF-8 encoding, which put 3 bytes {0xEF, 0xBB, 0xBF} at the file beginning called Byte Order Mark (BOM) for UTF-8 files . For modifications in this files, please use Text Editors which persist these BOM bytes (like Notepad.exe, Visual Studio IDE, etc).....; Following are English Resource Strings used in PSAL..; ----------------------------------------------------....; Notes: 1) Language Translation not needed for these:..; a) hyperlink anchor tags: <a>, </a>..; b) escape characters: \n, \r, \t....;IDS_PSAL_LONG_TEXT..[1]..Value = Pulse Secure Application Launcher....;IDS_PSAL_SHORT_TEXT..[2]..Value = PSAL....;IDS_PSAL_BINARY_NAME..[3]..Value = PulseApplicationLauncher.exe....;IDS_PSAL_DLG_WARNING..[500]..Value = Pulse Secure Application Launcher - Ostrze.enie....;IDS_PSAL_DLG_CONSENT_MSG..[501]..Value = Do you want to allow Pulse Secure to contact the server?....;IDS_PSAL_DLG_PRODUCT..[502]..Value =
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
    Category:dropped
    Size (bytes):4973
    Entropy (8bit):6.330565677703115
    Encrypted:false
    SSDEEP:96:MWo91NNG4LHGqZDI/VXPNsFNWQG6rpRLuCFndkuTKItbTuC8UivK9b:MW25GVxlsDWQZBKJCWvA
    MD5:9A7C44D043217741FBEC32A9516D040B
    SHA1:6D959EDE04C1828D4D5263CF1A653C837877E6D8
    SHA-256:905FACD66A13155226567C196C887E624449B5428BCCF6799737CBA39D329092
    SHA-512:F2AEF79292F6B57E75965B1497F60D1CCBF81FB1A18F5D1322B5705B09FD9112EE3CD8680061683FEFAC5DB43A9115850A64128E4081E140A93A8EB6D57DBC37
    Malicious:false
    Preview:.; catalogUtil requires resource catalog files to be saved with UTF-8 encoding, which put 3 bytes {0xEF, 0xBB, 0xBF} at the file beginning called Byte Order Mark (BOM) for UTF-8 files . For modifications in this files, please use Text Editors which persist these BOM bytes (like Notepad.exe, Visual Studio IDE, etc).....; Following are English Resource Strings used in PSAL..; ----------------------------------------------------....; Notes: 1) Language Translation not needed for these:..; a) hyperlink anchor tags: <a>, </a>..; b) escape characters: \n, \r, \t....;IDS_PSAL_LONG_TEXT..[1]..Value = Pulse Secure Application Launcher....;IDS_PSAL_SHORT_TEXT..[2]..Value = PSAL....;IDS_PSAL_BINARY_NAME..[3]..Value = PulseApplicationLauncher.exe....;IDS_PSAL_DLG_WARNING..[500]..Value = Pulse Secure Application Launcher - ......;IDS_PSAL_DLG_CONSENT_MSG..[501]..Value = .... Pulse Secure ...........;IDS_PSAL_DLG_PRODUCT..[502]..Value = .......;I
    Process:C:\Windows\System32\msiexec.exe
    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators
    Category:dropped
    Size (bytes):5066
    Entropy (8bit):6.343897591754207
    Encrypted:false
    SSDEEP:96:MWo91NNr3NIzZDIGkXWNsFNEm6rvf4L3A073YmgJJ6SaHW5VvK10F6WV33R:MW25K0EsDE5zMaeiJs04Cx
    MD5:4331FD68378A79A34B8C189E67E0255D
    SHA1:8D50128A44C4615529390759811CBFF73868A595
    SHA-256:176929B93C9E2DFD77EBAFB442657D5D8E077FBD68DB9D4A6800ADE821F3DE24
    SHA-512:1CB7D70E2D2A58DDB6A65C0BED442E6E7D2F91AA2197CF28C3DB8DD61778EC5A4B2B97F5C1A9785FF2A8601F56FA641B032C95D7E6897D1F7B00747A0917E7BE
    Malicious:false
    Preview:.; catalogUtil requires resource catalog files to be saved with UTF-8 encoding, which put 3 bytes {0xEF, 0xBB, 0xBF} at the file beginning called Byte Order Mark (BOM) for UTF-8 files . For modifications in this files, please use Text Editors which persist these BOM bytes (like Notepad.exe, Visual Studio IDE, etc).....; Following are English Resource Strings used in PSAL..; ----------------------------------------------------....; Notes: 1) Language Translation not needed for these:..; a) hyperlink anchor tags: <a>, </a>..; b) escape characters: \n, \r, \t....;IDS_PSAL_LONG_TEXT..[1]..Value = Pulse Secure Application Launcher....;IDS_PSAL_SHORT_TEXT..[2]..Value = PSAL....;IDS_PSAL_BINARY_NAME..[3]..Value = PulseApplicationLauncher.exe....;IDS_PSAL_DLG_WARNING..[500]..Value = Pulse Secure Application Launcher - ......;IDS_PSAL_DLG_CONSENT_MSG..[501]..Value = ...... Pulse Secure ..........;IDS_PSAL_DLG_PRODUCT..[502]..Value = ......
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):1709952
    Entropy (8bit):6.655725704453741
    Encrypted:false
    SSDEEP:49152:ylP9FUrlkgsosQnHNzuSpt23yujPLp7KFhr:ylFFUrlZHNzu4t23rbdK
    MD5:A2659EA9E27E9096F3E91932F465A07E
    SHA1:C165E2F80D54F3F16E5CA3925994D0B475A61B11
    SHA-256:D1C2899B3FDF2688345F290F057437ACD2FB372E9DCB7A3FC8CD87434BDCEF37
    SHA-512:D3F15E3DF2916132880F993736A75A63412763A98351F50F047DF1C0FD5F17042CF928D300CFFA7A6818B8D5BF0F43834CDE816475A5F5F8BFD1B549543BDC98
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):1239424
    Entropy (8bit):6.691434752905817
    Encrypted:false
    SSDEEP:24576:Q/mPjgvwlqGvWVb2AIxUW38z/FqEixgt3aCr4JvtxjRe5OccbAw:imPUMvvWVb2AIxUtb1aCsJXte51c0w
    MD5:1BE06115885FB5C2A86CB2574B0465A0
    SHA1:1B2EF267DD7281C22B9D016A7AAECDE7F4A951BB
    SHA-256:53185F9A99CA2831F966D7D6C570329C0A759B8CC6C4BB765438EC7F4035F72E
    SHA-512:5BD9E7915D705A594CAAC0BA2AF12EFB8409F9B640269351C9E4FB6154573644B56C26BEDFE09D03D5B131ABD3F1B84690A5C84C067C2E915BEACCD75295BF66
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):1662336
    Entropy (8bit):6.48923053766451
    Encrypted:false
    SSDEEP:24576:MjJwpZjnCLGJJnqArIfxpZjd6OF7d/5iR7u99SCu7dGaHs4V9:K27JqA+xjjd6OFSR7u99tMdnM
    MD5:F8E841A4F6BBB5C37F8BDEEF9106556D
    SHA1:9D22518031022EAC33E96A6F100CD1461CECF92C
    SHA-256:FFD5EE14065C5C8182E1246C24C63DBEAE7721D390B990C2BC9C16D2D7B2966A
    SHA-512:C594C2588CE55396FBD9BE23E2104EB0F38C658A5B719199F27943A2B636A8954359C1D28CE3F32538239BAFD378537A3543C2647010BC1ED6A063FD6DE5C56D
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):52
    Entropy (8bit):4.757756064128517
    Encrypted:false
    SSDEEP:3:MMTRMQT5yDo5LsXXLSAN:NV5woEXmAN
    MD5:0504D2856D7F23B01A0E5D8EC228E19D
    SHA1:19F47890BDF469BDB5B79507BBCBC35A68455EE7
    SHA-256:09CA851394D2EDAAFF21650FF4292295A5C5A7A88BC96A5140B1C30AC20A8738
    SHA-512:01B5A6398924FC0236B0669D408941158BE8E97CEF57C0F59BE4B77DF2CB7171440EDFB29673B7F2D06850478BEC9B00DFC5BD87F18D0EED812016CFC6299110
    Malicious:false
    Preview:[Pulse Application Launcher] ..Version=22.7.28369 ..
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):253824
    Entropy (8bit):5.389064682223317
    Encrypted:false
    SSDEEP:3072:PEK/2XDVADBHLuTeQqS3m9BJcQ7Z+8U5CFFCrtuHoG75Xb3Jku+:PgDVADBruT929J7gt4oiXm
    MD5:13AA4DB710A0CC2153F6ABD57A53F70C
    SHA1:638507053CBBC180932414B501EEE98A6B664E2E
    SHA-256:1A7A7784A0D487B169158321D2045E5A9C58F51E7D4B7BF2503D93D611D5A029
    SHA-512:0A36F8BA092156721A16EF26D5A07605D8F8D58EC237FB35C490BD53136F2722AA745EB23989CA61AE7967D79E269B0DA7E577F0206481B3843A3C0D0E5D9E5F
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):33664
    Entropy (8bit):5.339430613786117
    Encrypted:false
    SSDEEP:384:nFBKUbKIYmWtQI3U/qsFEV6DGTphj0JswNyb8E9VF3AM+oqE:nFIUbPEQI3U/qsS6DGTANENAMxf
    MD5:52C744BD93E3232203FEA38CEAE87CE9
    SHA1:50C24415951E7061610497EAC8BB24C468518B3C
    SHA-256:DB302A865CB55BED35286CD02D5ED01D7F509E4AE218278A8956774310C8A7B2
    SHA-512:AB66BFDD15F32F2B423CDEE87E268BECCFB4B78E37D46F56F94C41483451E2DDAD1678F101C361B92CC612CC6DB08543A18BF2EE42403C7445E4BA7436F14794
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i...-.-.-....,.-...,...,.Rich-.........PE..L...OG.e...........!.........^...........................................................@.......................................... ...Z...........`...#..............T............................................................................rdata..............................@..@.rsrc....Z... ...\..................@..@....OG.e........T...T...T.......OG.e........................OG.e........T...........RSDS....b.wD......y.....s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_DE.pdb.............................T....rdata..T........rdata$zzzdbg.... .......rsrc$01.....$...V...rsrc$02............................................................................................................................................................................................................................
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):32640
    Entropy (8bit):5.3759039098544505
    Encrypted:false
    SSDEEP:384:sBIfYXpUWtQI3U/qsFEpDGTphj0JswNyb8E9VF3AM+oTrasg:sYwQI3U/qsqpDGTANENAMxT
    MD5:BDB0F1BA9BBD5AF7FFBF34358DBDF44C
    SHA1:09A57B70301D160C95763F7B4A49C74985B30B72
    SHA-256:472148317DDF47AC3F2E994732ADA1EECEC35ADB954106466BE820F1C748C1FA
    SHA-512:12F59001851BECCB8A8E6B3CAAEF143B7DEA8BCFBB630A27F8F2BC3DF5EF1B5F672BDEDBE79C96A70457E9809FD1176F2D2A3BE96BE126D45C24EED0830D5229
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):33152
    Entropy (8bit):5.355907006322346
    Encrypted:false
    SSDEEP:384:g/nMn24X/LBmWtQI3U/qsFZDGTphj0JswNyb8E9VF3AM+o43sfq:g/nM2m/LBtQI3U/qsPDGTANENAMx43l
    MD5:1A31044AF56E486E8210D7146E000827
    SHA1:E5D6CC5EA696691D3C585462148BB0FA48D3FFB0
    SHA-256:0C2F351D73A85272F1548DC933E12A8187358D5261ED5A83C0E768B47B0BF903
    SHA-512:49DB35C33A0A5E34E6B3DC899FED39F153B78BC5090CD78E248C7778A09D2230060E0B62582FB49B2EDFD62470619D828DDE8FDB0F96334D70CFA725FB33C72E
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):33664
    Entropy (8bit):5.338803056514855
    Encrypted:false
    SSDEEP:384:KN4SBVKpWtQI3U/qsFuOPA6XDGTphj0JswNyb8E9VF3AM+oTt4eM:KN4S3vQI3U/qsMOPAqDGTANENAMxTt0
    MD5:B6911BB383D8D82D7167BFBCADACE6FF
    SHA1:BED01F495AAD65DE2EE28B8BB875C2FDA6C338B1
    SHA-256:F63A443E4C909A2D0E6D7DC05F46E84B44305191B340EE3103C7827162922F99
    SHA-512:5805DFA62DCAC1E7344BBB6A20DBF020C3E4589E313DFD0D9534EC7C2D450A2747477D36E8C19C091EE6C00151F2C7DEB03004703D1984A134E7AA4FB4C5BFE6
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):31104
    Entropy (8bit):5.622603245132341
    Encrypted:false
    SSDEEP:384:72t9fJ1/bwEb/WtQI3U/qsFLDGTphj0JswNyb8E9VF3AM+o35t:7iB1/Db+QI3U/qsFDGTANENAMx
    MD5:CE13658DEBD8DA32C4AA7D2F2E4473BB
    SHA1:C592E89503F29FA381224E603D35D524A11ABCD9
    SHA-256:38AB24468F1ECDAD1FE50F334A5EFD6C135E23854B729B89C98357E7377A5453
    SHA-512:1C96F6430518D64E50A52D8C4B8C9ADFD326B73EDB020E93EA06D3CA5CDBF7232B6F7D13A3F352DBB8C70AEFF510E2D69ADCF3C1041FD15FEDEE57E9AFBCE1FF
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):31104
    Entropy (8bit):5.6220057959424095
    Encrypted:false
    SSDEEP:384:bu/w/ZuTZwWtQI3U/qsFkHnDGTphj0JswNyb8E9VF3AM+o/EE:b/RuBQI3U/qsoDGTANENAMx/
    MD5:1FCF0ADA6704A5B5988C335D729FE609
    SHA1:7CCBE943C1B975F5F6A0C0B70BB37ADF04144054
    SHA-256:0D30A8504AF5C93EB1FE471475C8C742171361E9BB800234F76E718BD543350F
    SHA-512:5EA59E110B68A533BEBCB2E533C73F2B1FCCF1C8027097447C64E58DE88E83878D2DF4FB3F4A693A825959D8CAA11F430EDE5558130153F312138B90AB714D06
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):30592
    Entropy (8bit):5.56936835004406
    Encrypted:false
    SSDEEP:384:53e4DKaLn+WtQI3U/qsFXDGTphj0JswNyb8E9VF3AM+oIq8:5pdLFQI3U/qspDGTANENAMx
    MD5:5C96D19BCEBE1C52EB9565342BC6EABB
    SHA1:B5F2DB21098513A52AB3AB3BB70B11F68522FE56
    SHA-256:D2A31561D759E716E16086C235FC2AFBA6E954EFB3F8E3C795DA34A166194123
    SHA-512:D51FAF3A27C5A89AEAA5DC73F97A17D51F17786BF82F64724E9D643A80E7D628179D217676B0B18D49166752B3963A0B1D4AED3B7EE83B318D4302DB559C37B1
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):30592
    Entropy (8bit):5.549361490880815
    Encrypted:false
    SSDEEP:384:6ncO8WtQI3U/qsFrDGTphj0JswNyb8E9VF3AM+obCn:6c8QI3U/qsZDGTANENAMxI
    MD5:280BD481106A2C1E88B6D38170058A2E
    SHA1:35CC62AE13F21AD5F1A4D8FC7F59744F3E4794D8
    SHA-256:6600E69F9CED3A5136F880EC2197324A2D43359481EC8567AAF4B3F8371EEDE3
    SHA-512:A752D86A1FA48B1FD05B6DE1B0AE00FFCC02D28FA43818C700FCF069A263E009E435F290A2CBD3B406FDC023E5EAFD1D28B980635A61BFBA68CB8F38B62EA193
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):2341248
    Entropy (8bit):6.230961401021492
    Encrypted:false
    SSDEEP:49152:4r7ctGVlOZaKHYhoJtvCRu8kb1CPwDv3uFTUyei:67uGvOjHHJERu8c1CPwDv3uFTUy
    MD5:9CA0DD834C5E5A674CE9AE0476959ED0
    SHA1:B6B1C7BF73FBF1695FD5A42093FC047F079BE770
    SHA-256:563A8F33128EDABF92D9D3F6FC8091FB09383C5744AC5ACEB1CD76B9AA614D4D
    SHA-512:B23D8FC28642621AB8A5D5F32D68B713FC4F3097833669E252C042F55A371D2054FBD0B794E97B32E36E8B2B52783083E58EE0A4694B6572D992CE192C2FE749
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):512896
    Entropy (8bit):5.772255814436183
    Encrypted:false
    SSDEEP:12288:LMm4o7Lzw/2XJIlgb2WVE03JwcDUGmMsRXV/+i8dPm:LMbo7LzK4DUZMiXV/+i8dPm
    MD5:7D0DFA6D5444B386E11C96C83B46EB6D
    SHA1:136BC820A5C673639C013EC7BA89A576879BCCB0
    SHA-256:BA122742040543A8E29AE8C2CD0D376E5EAEAE42880EDC1DC310E2D9EF24E50D
    SHA-512:E54C98A527186079F4DC06EC429465D5F79FDF816B3BB1F7F8817C384A764DB8CACC03B2DDCDE347C171CEF973C6BA1AD0BBD6360E8381F2D47634619CE31713
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):453920
    Entropy (8bit):6.66950080753057
    Encrypted:false
    SSDEEP:12288:tjBcSw+X+OLM+PBrWHPd9pGDXywWz08oumlBVhUgiW6QR7t5s03Ooc8dHkC2esrG:tjBcSw+1M+PBrWF9IWwWz08ay03Ooc87
    MD5:697220335E5C4B4126AF45F6F8207896
    SHA1:8106F2DD4665AEC0D1C652E29378EF46EA4E5801
    SHA-256:D7446822C53CF6B9E31D5610D838EBF26ED08BF7497A3E022C47FF193CCDE0BE
    SHA-512:B820735E96600A1382D4097A7638F3286335D93032152B8C85E4EA8196439DFE687E1F8309A81F13A43705A323EDA12BD69EFAC50A09048E57498CEDE4924CF0
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):712064
    Entropy (8bit):6.656077240057258
    Encrypted:false
    SSDEEP:12288:j+CyAhzTaG+GaMBAk/q7O0qcfGwxlgdlo8V/Wj8TOEiwfQTeC9ARxwpKu7c3uToo:j+Cxx7y7O0qcfGwxq7mEiwfOJ9jR7c7+
    MD5:D293D88FBCABFE22F0123DD9F9EC8AB9
    SHA1:ADE244760996586599F08312D4C021A50574C81F
    SHA-256:94386EF5736A380EB92782A25BE426A4324AC6884B5222E736EEBAE5D1627BD2
    SHA-512:8BB869EF806CD024DE691D86A2DAA2080878F2DD8499D6D3C67F901292D350CD8DFD6ADB51A4F27D98A3013A35A908D97EE9BF3FADD12879BAB52336476221C8
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:JSON data
    Category:dropped
    Size (bytes):235
    Entropy (8bit):4.855976390563978
    Encrypted:false
    SSDEEP:6:3HWbp+We/YIJdFORV89tdTvFFaFlLulkNCwK5VHWDx7s:6p+hYI39v5UlLAjbHWV7s
    MD5:3D14885FB5872A3F79A8D74D3CDA6C5C
    SHA1:8A03048514EAE4E868750F03BE979670497C77D6
    SHA-256:797AC1C3EE5D9FEA99C22936E4001E85FE948D124BA3D9CB2EAE34E7DF4E54FF
    SHA-512:90EF7F04652532C9A9FDB87154C80B6620506FC361339AF331C2045486EBA5E5C3406A3BD172CFBC47089BA4168CF81FFB0D469C05129B1AA5C3767E9A073DE4
    Malicious:false
    Preview:{.. "name": "com.ivanti.psal",.. "description": "PSAL native messaging",.. "path": "./PulseApplicationLauncher.exe",.. "type": "stdio",.. "allowed_origins": [.. "chrome-extension://cikpkfgjohfbacpbglmbpefgfdegoolg/".. ]..}....
    Process:C:\Windows\System32\msiexec.exe
    File Type:JSON data
    Category:dropped
    Size (bytes):250
    Entropy (8bit):4.811295314784939
    Encrypted:false
    SSDEEP:6:3HWbptG4We/YIJdFORV89tdTvFFaFlLulkNC29GLXKus:6ptGeYI39v5UlLAjoGLXHs
    MD5:34C1B7A75EAC7A19E45AF7337C7A3E25
    SHA1:5BFCBB5A09DBE2C7625AF75AB67E2E99F99A1929
    SHA-256:F427FCEEB8FAF6960112F0147A434EA89EA34ABE9B362852973B0AA3A8541D38
    SHA-512:8827E1780BB9252838288C85A1239B30CD48461AB4F597433F8B32B9CE619146E7528AEDE0AD605CF91B86B515AD88CC3C06AD831BFCC7F305757F49A339F20F
    Malicious:false
    Preview:{.. "name": "com.ivanti.psal.microsoft.edge",.. "description": "PSAL native messaging",.. "path": "./PulseApplicationLauncher.exe",.. "type": "stdio",.. "allowed_origins": [.. "chrome-extension://heckaoaclddnafajfldillfkdaaailjo/".. ]..}....
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 99 x 40, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):2493
    Entropy (8bit):7.5638469388440175
    Encrypted:false
    SSDEEP:48:t1kNn2VlerJ39fY/oUgpGzaC7z9HYnkXaSir7LTTYmw:Y22w/wp6aC7R4YuLTsmw
    MD5:A9B5E382C0FC5CE9A2DB276DBC7EC706
    SHA1:09A662ADCBBCF1DDE47C2F8829C2F47F3BEFBBA7
    SHA-256:867F49DE07FA0A3A8FD7EDF915CF4A0387108A733C8F3725C89A04EABA9BB7FB
    SHA-512:FBC2BD2C5C8A396040D7CBDB026F7AA5F76051A5C257242D1B6C577612E25CC340582D4AAF44C69DB7C27740DB3E2971E71E1F6D133DA3CB156140A3013224E0
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced
    Category:dropped
    Size (bytes):1326
    Entropy (8bit):6.810067346733856
    Encrypted:false
    SSDEEP:24:E1hnBWwjx82lY2T3JbVXL4oyJ3Vs9qGXw0nIWpOCwfYWfvxsbn:K1kNn2VJ4rJ3GqAnNpOC+Bvxon
    MD5:E5EE7835C023475F026ADA1B3B80C461
    SHA1:E87EBEAEFD92024767A42FDDFD4E523843F2F279
    SHA-256:B3F0597C0F040F48C176318B4A30A8C8B46FB250590DD108D42D966F7E3CD02C
    SHA-512:2C916C41B077841447E57842D2C641CFC87821527F9146831B9D1D162F95C2DC892728260C1555EBA773C729FFC594E787E087A6D805A86CB767E0A2CA9FE10B
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):83232
    Entropy (8bit):6.884071103046351
    Encrypted:false
    SSDEEP:1536:DbLqOxUSsdRwFUzVCNkU1jXCizVaYecbv4MUqQmFk:DaOxfsd6FUp3uhecbv4MU
    MD5:4C360F78DE1F5BAAA5F110E65FAC94B4
    SHA1:20A2E66FD577293B33BA1C9D01EF04582DEAF3A5
    SHA-256:AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
    SHA-512:C6BBA093D2E83B178A783D1DDFD1530C3ADCB623D299D56DB1B94ED34C0447E88930200BF45E5FB961F8FD7AD691310B586A7D754D7A6D7D27D58B74986A4DB8
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):97664
    Entropy (8bit):6.638004727171103
    Encrypted:false
    SSDEEP:1536:LTApaCDhrh+PEzSWAMREjkssn1bzKVuH9HgB/qumJLnsBM0QB99xm:LTKDhsPEzSWAGQW1/yuH9ABwsBM0Qy
    MD5:5DC35C0FF3454E732E088E1E672FDA60
    SHA1:2D899A31998B49ED969E382CD649E2E72A18F3BD
    SHA-256:9F8198508047069F5BF0A4E06D7B961915E4B12D9584677D05569B80A5ABB930
    SHA-512:5B8753FEE0B33C31C3CEC4B2EAD2F2F837A14BC962AEE5587D312BA6EBC1AEC4CD2377ACF15DF4594C20E4DA01F07763832FEACD3901BDEF044274888672076B
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):666496
    Entropy (8bit):6.870589081506813
    Encrypted:false
    SSDEEP:12288:g7NLHG1fnkZ34Enno4WnZQcRdHllpzIlK8YWnDPp90yf+T:g7NEfnkZDo/ZQcRaK/kDz08
    MD5:C68BB24461101B1888C547C9AC911857
    SHA1:D030A252447F0F4089B79CD9E144ACA43A611E17
    SHA-256:2D7BD97CA2CB377EBE437A49ACAEBE666FC48BF5CE81DBDA6D56E6B24547073C
    SHA-512:1AA37EE5A1E96689624C45BC5F36F5118D5FF5FE4697BCE87E39FAE1A30BD06523FC33A5EB957D6410EEEA00A01B0501F5E48FB37C3570DA31C4B597332415EE
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):2218880
    Entropy (8bit):6.48898998599528
    Encrypted:false
    SSDEEP:49152:aRGXrcx46Yj1faWESmLBEAWoCAd39qtphQ/HOSWVNc7:ZsYj1STfC/Cu0
    MD5:661FD6909BD359EE0BBCAD29254917AE
    SHA1:01EC7B33D2CD36B3901F510DD643331108AFE44C
    SHA-256:4DE5AEE11F699959412D5191A21A252D63F8B8F595FCC0BF0D6D762ABA607AB8
    SHA-512:B09DBEE56A0FF5C6E508245CFCCF7996F1CB7418E158EEFF92385BEFEE5C6E4722FF05ED4CC07F4A73D37E4BC890CF518A05DFBF27AE5DB5BBA3AC6A8820FB41
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):306048
    Entropy (8bit):5.171876952568191
    Encrypted:false
    SSDEEP:3072:3Fv3NAzswBw0sMtxXi0jJ+s79+IdJjxD9md3kF:3Fv3mzsOw0ntx791dJSd0
    MD5:98BA74CAA5599621427CD7E8C708645E
    SHA1:D78B8A23D782C6EC066168B6FF8285707647BD2D
    SHA-256:66BFE5FFA9DDAEC6452AF008C96ACDCB432D66AA157F445B32891605AF26F332
    SHA-512:64E77D1B0CC83BE7F593011BCB61B459FF455FB19F2D9279B4E2B90CA7B48B0D7F1CB8C8579B25CEFD52D4D9F99FFBAA7D95AB146B4915ADF896E8EF9C46A7C0
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):34176
    Entropy (8bit):5.281528383606252
    Encrypted:false
    SSDEEP:384:7FBKUbKIYmWtQI3U/qsFEVTDGTphj0JswNyb8E9VF3AM+oOA3+:7FIUbPEQI3U/qsSTDGTANENAMxO6+
    MD5:497A12A5BB0C6CA28ACE44D4FDE2BF22
    SHA1:A6D588F881D1BD1C8BF6E20804FB5FA3DEA1B0EF
    SHA-256:4FBA78616770178876C73492C1EC0591CFDC60914D418F60424E286FC1DF1A14
    SHA-512:76E75A49047C24FA0C4A5CE251A6AC6CAE784B49838CB5F85B6B4BD46DDAD2E22C335AE5E8A4EDD60DEA6BC05726636EF1E901E0562A366D39C3AF14981518C1
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):33152
    Entropy (8bit):5.312988480292972
    Encrypted:false
    SSDEEP:384:IBIfYXpUWtQI3U/qsFEiDGTphj0JswNyb8E9VF3AM+o7H:IYwQI3U/qsqiDGTANENAMxj
    MD5:6BB8257D400D837F580EBB181317246E
    SHA1:EAA9D369397D50484E8F8C0CF13A7CC760B1E396
    SHA-256:FA54E88B34FE6CD4DC297D876D98755F3D11FA2EB9C44D1491FEAAFB275200CC
    SHA-512:9125B1BD8DFA40C3935FF5050302E61471FC6DA1C9E26E6E29D7B1B7FE18566C682DED7CE2FBE399B666A3EA7CA65A6F212ADBEC5FD87620CA98FC80FF35C531
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):33664
    Entropy (8bit):5.29836488711809
    Encrypted:false
    SSDEEP:384:+nMn24X/LBmWtQI3U/qsFuDGTphj0JswNyb8E9VF3AM+odD:+nM2m/LBtQI3U/qs8DGTANENAMxd
    MD5:844350CD187AC194306EB9E9058A7663
    SHA1:2D19BD72BA939AA72075D693C962DAAB960E1AC8
    SHA-256:3A84E2F1D1BF24BD990D88F7C3CC07B676794A434FC7B74F5FACAF46DC3DE951
    SHA-512:AF7E56E57CD7A355DCCA6C08AE3589A9829FA5A0F5CBDEB5F94CEB9CED8E7A0A2AAB924BF42673C0A6E36F4991902DD7797E44911C0254097F53D44467E989F5
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):34176
    Entropy (8bit):5.278164582493974
    Encrypted:false
    SSDEEP:384:OFN4SBVKpWtQI3U/qsFuOPA6UDGTphj0JswNyb8E9VF3AM+ov:aN4S3vQI3U/qsMOPAJDGTANENAMx
    MD5:524B2AA7485E824072F2F91B6B8D76B6
    SHA1:A6A242A2234277983695DCEEE78AF3B3DF9C641C
    SHA-256:6B538C2417342FC2946E45F5E0E02D843C57C4C518FD04AC467179CA9BBA76D2
    SHA-512:C5F45E10DA8EB85D4AF37D66F078594A745894E949C1CB971FCC79AF1185EF6D044961B140C25B9A2CCF1A9B428341D2D145E6FEE1CD77941E4BF26CB3ECC0E1
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):31616
    Entropy (8bit):5.558069266695789
    Encrypted:false
    SSDEEP:384:72t9fJ1/bwEb/WtQI3U/qsF8DGTphj0JswNyb8E9VF3AM+oftdT:7iB1/Db+QI3U/qsGDGTANENAMxfL
    MD5:7CAA1477D4DA1ADAEED8563B2C8BCB72
    SHA1:22315354D3F5D19144F8C921BD2704EF21920DDD
    SHA-256:1768C3427BC2E52BE5943FBC0BB7188F1C884FD63A329C7268857F4971FA16AD
    SHA-512:BEBF7DA1A492255E131F35D27E96E0E02935C4007926897F78E34A8BCB34514F2B2BE0B4292126642ECBF05941406A8C93431F8955E037C37342796E71083101
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):31616
    Entropy (8bit):5.558676395594512
    Encrypted:false
    SSDEEP:384:Tu/w/ZuTZwWtQI3U/qsFkHyDGTphj0JswNyb8E9VF3AM+oBp:T/RuBQI3U/qsNDGTANENAMxB
    MD5:AB504252C2A7209E567898365BE21678
    SHA1:DAFED6F4AA1621712329015A0871376C74B7F2CB
    SHA-256:CFB5C799FA7F8862BD1A647290EA7FACCF2666505ED22804E38F214F0380920B
    SHA-512:DE373AD005573D03F5E4CA346420A6F1371E98B695DB3E8E84D649ABADCC0314292E196A1AD1E679C731E639EC870F3E059D490A195DF8FB13D7DD506C594DC5
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):31104
    Entropy (8bit):5.50058096712631
    Encrypted:false
    SSDEEP:384:h3e4DKaLn+WtQI3U/qsFYgDGTphj0JswNyb8E9VF3AM+oENK:hpdLFQI3U/qslDGTANENAMx
    MD5:CFE89847907E278B8B70D0A57942BA15
    SHA1:CA8D1A7FC175B303A4464C8FDFCEB836320E843E
    SHA-256:5D35678AE24B20A69EFE539266DC21B56655F71F114068D76C52506F853B4E72
    SHA-512:CFC929F23CD87429844B6329133376A1F62F5977996FEC6E2140FEE67810359BE1A4B5D009A9DB30E953163909176459927F817F48BABD95F12643ABB78B7FD2
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):31104
    Entropy (8bit):5.4826167411776225
    Encrypted:false
    SSDEEP:384:LncO8WtQI3U/qsFIDGTphj0JswNyb8E9VF3AM+oU5c:Lc8QI3U/qsODGTANENAMx2
    MD5:CE29CB498CDD5A5E0C5B9692EEE81BAC
    SHA1:57419CF64DDB4430A04CAF28B02CCAE8975A36BD
    SHA-256:26A5BCA1B9E480C92C10F173462B99BEBBFF555F8CC297237AC6BBBA6C0A1543
    SHA-512:FE50DD4175F0BA0D352FB0607A671931849F6C1B9542AF13BD881723B1F64DE753F35727E3BD34D4EFE570AED759E7B8514C1BA5EF870BBECDC92CF19EA513A4
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):3184000
    Entropy (8bit):6.104109038832897
    Encrypted:false
    SSDEEP:49152:0VwASOVIU6iUTGtlqtRc7lTNX8Z5WjLNEiqFGem/u3NHHNPwE5stWSfy1CPwDv3J:X+ll98wUHHuE5s1y1CPwDv3uFTU
    MD5:A636A64D2DC9E71A196235EBC0E2A184
    SHA1:AEFD80A2DA0FE57B25B0A86AE5D636126BE944D0
    SHA-256:9528601D660EC8901299EF0C65A0F1F71EED611C5A42A7386A91C6A94202C99F
    SHA-512:B56AADAF688A71C1BC1FC05D1E05C458020C6F2B3BD1017B39842BDBA044D07357DC318D1C9DEA94F0F0199FB12104D925ADA1773946D635C3C1F08F2F0E9A65
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):654208
    Entropy (8bit):5.542084614693543
    Encrypted:false
    SSDEEP:12288:pbzf8W9fCuciM4TDIjQEpru4Wxh9MjKiIybD2b56cPzFYxrhIrQV/+i8O:Rl44TDIhOiIybD2llxYxvV/+i8O
    MD5:303F706C639AA24A25E4BBAC4ED747FF
    SHA1:6658EDBC0DD6F01697918500F49943EF5EA959B8
    SHA-256:7900BCC7786428E0E7A1AE27523B2D0F7711D3593450D4955973163EF2E56F34
    SHA-512:B7D0090956E6B7E434928E1245F9A85F6BF27FE5F7599DE4F6457C91F4DE2A8CF44AE0809F07E5603D31CD5AF2E2D08E07D18E4DD9BA21CC5CD8A8DECAC34C32
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
    Category:dropped
    Size (bytes):590112
    Entropy (8bit):6.466935832340687
    Encrypted:false
    SSDEEP:12288:fFrCZUcfGI/O+bE9krdFFM5lle0dkM4X2n08ukSIAg6wQEKZm+jWodEEVrR+:9rCZUNYX2nSkGg6wQEKZm+jWodEE9R+
    MD5:A11A1D761D757D367146F0F772632D8C
    SHA1:9FD3EEE4C4111DC386510A930192D56A2E938DFE
    SHA-256:2CC02C5E6654AA9175D5963F811CAC222F4A2604DC28553139C675B1A78995A7
    SHA-512:6FBBB77766EE9846D6D3BDE2CED5EEAAFE721DE5524A410A4821DFA6C08EDBD00905BEC2B9237B8F7986D6D06DBE444C5845130193DA537CADAF29EA784C48E1
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
    Category:dropped
    Size (bytes):100880
    Entropy (8bit):6.563642954927723
    Encrypted:false
    SSDEEP:1536:ymvjI3Bn7RjCR3jgLexGWDvGBx4MelIm+2ecbQ0XF1I94g:y04cgEKe+R2ecbQ0XFex
    MD5:6BA0DBCD2DB8F44243799C891DBD2A59
    SHA1:30A2719D4B8667FD237BCFB781660901C993D9FC
    SHA-256:263988A0868053B6B01835CD2959C8F71E3F943610421B269DA646F2D9E3B333
    SHA-512:94DEA85EF50D55CEC0D1BBAE4671386CE8CA02E870CE417ABFEF0A8499FDF0BD0EB5BA38DEBD07C213F7DA39CBEA63A18143484B05E9C7CA36B2F68E4520BB4D
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
    Category:dropped
    Size (bytes):112000
    Entropy (8bit):6.243237721816776
    Encrypted:false
    SSDEEP:3072:P4DiPUFZnUgtz9ivI796qFJQjtvY2aM0:PWFeg3iUca
    MD5:0B68590A71F75BBAC7F20BC6A12F2836
    SHA1:9F80A5CB9B8990D880C6FABB28C7B3B8908FF18D
    SHA-256:82B61D31163CE35BDCD0DF4640F80FEC7E3C743F4047C94A77F41D4FF5ED78B6
    SHA-512:36BC15EA0D6C31C9E6B26F13D087D04A104173B590695ED15BAC5E84B4321E70F54C75B7A0330C310AB0F428019BAC6ED39E17E8830D25E3758446F2A612B627
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Category:dropped
    Size (bytes):810368
    Entropy (8bit):6.709574677438758
    Encrypted:false
    SSDEEP:12288:ZxcX1kSpPht7QQbelD4VtUbpPi7XQmOd3L6UniIlEXioDTgZ:ZK2SpX7NbmD4VKb0TYL6OiIlEXNDTs
    MD5:E110B1D9042D1561F73A49A6E2BE1560
    SHA1:79C2A0E6125EF1CC61D6CB2FFE536813DD672C51
    SHA-256:0FA51D50B0CE8C94AA5988902FBBB919455015B0489A12C2C6A12E1D7DB602C7
    SHA-512:EAC01930CF05CE450297C5ECABB9F454764343C00F43E31154AD26C871186E5B95450182BE2B6A296E01B9ABB8C9170D456FE4C1827F9EF45A1789AEF46C96E0
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):1709952
    Entropy (8bit):6.6557193823107825
    Encrypted:false
    SSDEEP:49152:4lP9FUrlkgsosQnHNzuSpt23yujPLp7KFhr:4lFFUrlZHNzu4t23rbdK
    MD5:A2A82E410D7CE3889DDB850498F32143
    SHA1:D6DE71C9612321783B4EF8C492BA23F5A4BEE135
    SHA-256:7C03B813EF9994C63AA0274F742954C455F80E8DF8D332E4B5C90A392A7A9A22
    SHA-512:2149B12AC4FE8744A20C6E3443D57E70BE7B7FBE9ECEA520C16E4B0745F0DD14FBD3B1F1B22D64B383B6BB9E8D5E3257CE1A5C84C715726B9354BA09596CC840
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):253824
    Entropy (8bit):5.389052857045027
    Encrypted:false
    SSDEEP:3072:qEK/2XDVADBHLuTeQqS3m9BJcQ7Z+8U5CFFCrtuHoG75Xb3Jku+:qgDVADBruT929J7gt4oiXm
    MD5:97C9C71B3482E67C229BBC178AF9BAB3
    SHA1:D5269BD1664741B5A491B268C4201C30524EAFB4
    SHA-256:09AB075960E0E8011A108179C5A7124E9CA24AA891BE3F93FABEE64F4A72BD57
    SHA-512:95D6A85C782AFA585832657599884474CDC8417F796708F600DB895076FF4397EAC7B6C1F047B485FA0044845063B0519319506E9906D3CD710F0D55A85E6CA3
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):33664
    Entropy (8bit):5.3383433283640365
    Encrypted:false
    SSDEEP:384:dFBKUbKIYmWtQI3U/qsFEV6DGTphj0JswNyb8E9VF3AM+omoyN:dFIUbPEQI3U/qsS6DGTANENAMxwN
    MD5:1F7E8117B57FD074CF5182967C97D14A
    SHA1:5EDFF021B18386212C5770B59EF8E40B8AF3C566
    SHA-256:8EB87EB15547ECB65085F2B69114812F953056EDD3EB76A513922411B4A033BB
    SHA-512:48FC1315741AA36AA04D2C896EB3E96C4DF350DF13987FA8A4BD735A05B4B11781C08A07ADD3C7A02DE911BAC1FCC200263058E7B66578EB77F91D80D0659626
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):32640
    Entropy (8bit):5.376112425225672
    Encrypted:false
    SSDEEP:384:IBIfYXpUWtQI3U/qsFEpDGTphj0JswNyb8E9VF3AM+oZr:IYwQI3U/qsqpDGTANENAMxZ
    MD5:2CC5855E61F8EE07E9EDBA115A218830
    SHA1:3AE03273473E28EC3C531306949806FE5E179EAF
    SHA-256:235F2BA79AB52CCA7B4F6DD6501FDCD429B7683CB1DE81045C3850BF15B484AC
    SHA-512:9266A694A96E4391751E771A788757EA1FF8D8EB2A0181810D1697829AC0A320026B66A02BC8A8A46A58D8B3CA90A129AF884F1D4040D3979A62331C4896A605
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):33152
    Entropy (8bit):5.355325411676814
    Encrypted:false
    SSDEEP:384:cnMn24X/LBmWtQI3U/qsFZDGTphj0JswNyb8E9VF3AM+o43g:cnM2m/LBtQI3U/qsPDGTANENAMx43
    MD5:C7D9D3305CEE47E54D67A7A48EBB274E
    SHA1:A2B31C9C9012471B4285745248A18C6B05649FE8
    SHA-256:30916F77081FA60D7F0EC4236154A3AF21183694FC5B9C6D47603EDA8F5D05AE
    SHA-512:C4662C0543AD65BDF4CAF880E97E6BC4C95EFA6E49DF5B2BCA6F065718A1FAF7C769FFB943A07303A3D7BC2B8EA0E3EAB38DC94F6333972B01AF2A3E9A3A2B42
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):33664
    Entropy (8bit):5.338819238762527
    Encrypted:false
    SSDEEP:384:qN4SBVKpWtQI3U/qsFuOPA6XDGTphj0JswNyb8E9VF3AM+oTti:qN4S3vQI3U/qsMOPAqDGTANENAMxTt
    MD5:494724673A03378A2A12338A208E25E8
    SHA1:2BB4D0B857456ACE097975422FCD65516AEEE65F
    SHA-256:908F44ED75D11242A520E53CA13ECBC8E078CCC3E5402A9EC6F2CF7BBEC298D5
    SHA-512:38E1AF3EF1D0C5A8F801425CD5B390118ACD0C9687621E10D05A1FB8C34A3E1351D79470ECC8D25AD41858C99B1475FD33B7D0A8B51E36127718938B197353ED
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Preview:PE image header (binary preview omitted); debug path: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_FR.pdb
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):31104
    Entropy (8bit):5.623196328400307
    Encrypted:false
    SSDEEP:384:g2t9fJ1/bwEb/WtQI3U/qsFLDGTphj0JswNyb8E9VF3AM+o3dL7:giB1/Db+QI3U/qsFDGTANENAMxF
    MD5:D8574B6315AF2CF2F17A739AB4E5A403
    SHA1:FD3E3FCEA43E168C91D0D01100028212CF4E9422
    SHA-256:706E71ACCDEF023E81088D6CE23A79C9A690FF7546BD36C6EC2C64DBF4012440
    SHA-512:FA476A7748F3411D7F647603D3B9F19180CC7274E9E6C59B0219077BE4EE2FF7717E71BD21258FD53F1646DB9D38D717493E394327DE5A6F6F7A652FFCD0DF10
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Preview:PE image header (binary preview omitted); debug path: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_JA.pdb
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):31104
    Entropy (8bit):5.622471827457363
    Encrypted:false
    SSDEEP:384:6u/w/ZuTZwWtQI3U/qsFkHnDGTphj0JswNyb8E9VF3AM+o/yv:6/RuBQI3U/qsoDGTANENAMx/k
    MD5:FABB7B49EFE8137543B633A6E030A91D
    SHA1:9F4B02BD877DB30F63171A89C79A64FC7771396D
    SHA-256:80D5808D0A64F43C659970DA07A10A79A729F4FB38EC745D7FB39DBEBF1532C9
    SHA-512:D5526B34C854C4E40596C7F879E0767B2D1CB9332BC0ABD6334F069138E2F29C31B7EE6DAC6FD850748525EDB2F595FC0670D34C1D3B1D5D79ACBDA791D42EB6
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Preview:PE image header (binary preview omitted); debug path: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_KO.pdb
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):30592
    Entropy (8bit):5.566863655969325
    Encrypted:false
    SSDEEP:384:b3e4DKaLn+WtQI3U/qsFXDGTphj0JswNyb8E9VF3AM+oIaN:bpdLFQI3U/qspDGTANENAMx
    MD5:D4881B37A874D8B7E305C398248A8644
    SHA1:A55A0C923F39291F26D078BC879F170891846E18
    SHA-256:8F69EB91510215BB444D8D440B79EC9AABE5CE71B94ECEF8767D3D5E6B35A920
    SHA-512:EEE24DA62A91D5A4D00184797C2C0F0FACD855016859FEB98F3C2A8F5F28ED28911963E1A65CEDB5B3D758AE71453DBBA7209F34563E7A2CEA2CDB7CDA6F3DD5
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Preview:PE image header (binary preview omitted); debug path: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_ZH.pdb
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):30592
    Entropy (8bit):5.548306332657038
    Encrypted:false
    SSDEEP:384:GncO8WtQI3U/qsFrDGTphj0JswNyb8E9VF3AM+oQ:Gc8QI3U/qsZDGTANENAMx
    MD5:D0B8063EDF74966288EE44517622E95E
    SHA1:21887C5571FF1A7C8B01DACA40C1F68CE7E449DF
    SHA-256:3E9B2AC8AFF5514E1EE50C50E9F6E2CDF869F80FC1F5B91DCFA4EF035A3C19B5
    SHA-512:CC021C1B4804AD7653314B486795D44F909A296F31D60D9D675D18284606C6EA56EAA6471822AC336EC0E954F5B7DAF1FD0539A2D6CF31D7AF278B65E28C7AD7
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Preview:PE image header (binary preview omitted); debug path: s:\ive\out\bin\winnt-x86-Release\dsWinClientResource_ZH_CN.pdb
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):2341248
    Entropy (8bit):6.2309700638062075
    Encrypted:false
    SSDEEP:49152:dr7ctGVlOZaKHYhoJtvCRu8kb1CPwDv3uFTUyei:V7uGvOjHHJERu8c1CPwDv3uFTUy
    MD5:7E001CFB956DE7CDF2C7A2412568DEEF
    SHA1:232E58F3CF1E9582762612271CA49B3530605A73
    SHA-256:2FECDD8F01C91EAD2C3165125D4BC7B01C6DA663DD322ABEB6A77965234381B4
    SHA-512:499516F0CED195FD29426BE40C70746268E4879A731151E09DB3E3AD1FBD87EAD191819FADF3D0642A63FB35148F870201918D546E61BDE387B99E6DC75308D7
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):512896
    Entropy (8bit):5.772184945792763
    Encrypted:false
    SSDEEP:12288:zMm4o7Lzw/2XJIlgb2WVE03JwcDUGmMsRXV/+i8dPm:zMbo7LzK4DUZMiXV/+i8dPm
    MD5:47F8A325B1419EAFF7B415C0857D3F0B
    SHA1:B870BB9646A5328F1F3E337D77F7BC56FADA0660
    SHA-256:CE0AD21AA7664EC4F4412346F4946F86F166E99CEC99044FE3CDF804A3157923
    SHA-512:355D02E6D2D0986A22664D82C5C5E6ABB5C4EB1A8345BF35AA35DC8D82A2E23C68F5386AE0B4C7BF9DD6A9644B0557403208ED62CE69C5AE84A496CC6821DE43
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):453920
    Entropy (8bit):6.66950080753057
    Encrypted:false
    SSDEEP:12288:tjBcSw+X+OLM+PBrWHPd9pGDXywWz08oumlBVhUgiW6QR7t5s03Ooc8dHkC2esrG:tjBcSw+1M+PBrWF9IWwWz08ay03Ooc87
    MD5:697220335E5C4B4126AF45F6F8207896
    SHA1:8106F2DD4665AEC0D1C652E29378EF46EA4E5801
    SHA-256:D7446822C53CF6B9E31D5610D838EBF26ED08BF7497A3E022C47FF193CCDE0BE
    SHA-512:B820735E96600A1382D4097A7638F3286335D93032152B8C85E4EA8196439DFE687E1F8309A81F13A43705A323EDA12BD69EFAC50A09048E57498CEDE4924CF0
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):83232
    Entropy (8bit):6.884071103046351
    Encrypted:false
    SSDEEP:1536:DbLqOxUSsdRwFUzVCNkU1jXCizVaYecbv4MUqQmFk:DaOxfsd6FUp3uhecbv4MU
    MD5:4C360F78DE1F5BAAA5F110E65FAC94B4
    SHA1:20A2E66FD577293B33BA1C9D01EF04582DEAF3A5
    SHA-256:AD1B0992B890BFE88EF52D0A830873ACC0AECC9BD6E4FC22397DBCCF4D2B4E37
    SHA-512:C6BBA093D2E83B178A783D1DDFD1530C3ADCB623D299D56DB1B94ED34C0447E88930200BF45E5FB961F8FD7AD691310B586A7D754D7A6D7D27D58B74986A4DB8
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):97664
    Entropy (8bit):6.637320627628555
    Encrypted:false
    SSDEEP:1536:GTApaCDhrh+PEzSWAMREjkssn1bzKVuH9HgB/qumJLnsBM0QB99xmL:GTKDhsPEzSWAGQW1/yuH9ABwsBM0QyL
    MD5:DE71165A2B4AF8EE0C3FAF7BE7E28A68
    SHA1:0AC1A657D4585D3AD44FD95B313356EF316DAE3D
    SHA-256:DE92BDFE667C5F53ADBA98E9A3FA3855FD3A742044050D25E79A8198B7DFBC4B
    SHA-512:887953F678CFEEC1C4DED1198D062DC847DD9741EB86B14E4D3BDA76B55E067F6FFC30EAB234F7FF33695B5A9892EE9FDF15FB36F0AA26D573C86174676F3D66
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):666496
    Entropy (8bit):6.8706028579978495
    Encrypted:false
    SSDEEP:12288:S7NLHG1fnkZ34Enno4WnZQcRdHllpzIlK8YWnDPp90yf+T+:S7NEfnkZDo/ZQcRaK/kDz08L
    MD5:498CE7DC027A54841A21F4FD06041218
    SHA1:950017F3EC9A24F5D1D2DDE63F191CF5FAA58807
    SHA-256:328218CE190D6B407E2EDA6B89E650E08F60CC51E0A5BE771D2472F9824E990A
    SHA-512:88758F74BAA85D135ADBA8B08C8261DA2C37FBF30A9CD89C351C9F8C240327B945EBEEF87E9824B59143C736AEC4E18650A7C9A7A96B8492FC80C673596A802C
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):2721
    Entropy (8bit):5.146149614748581
    Encrypted:false
    SSDEEP:48:febIcebGebkPebcf9ebGSeb2/eb4IdNWebveb3dLneb3tebZteb+tebfr+NebceR:fy1yGyGyeyGSy2/y4IdIyvy3hny3tyZw
    MD5:E6EEA614465B622EF72BD36D04BA97BD
    SHA1:255CE5C9BF06FB5B680E9200CFDC26A17266BAC0
    SHA-256:5C5F4308EA32C0338BDB7F82FE8C28AFFA52FA81B732A65F48A72C6C9F042FBC
    SHA-512:B107EF05DBF7677F529F3EF12C1E44119CCF4348AB2D0BEBEAB2C08577D4EF2B09F89AD45BE294CEA68FC8358595FE94883F7509308C9B819E738B37D62C7EE7
    Malicious:false
    Preview:00204,09 2024/10/29 11:10:18.357 0 user PulseApplicationLauncher.exe PSAL p3800 tEDC dsWinLogserviceApiLib.cpp:1454 - '***' **************************************************************************************..00150,09 2024/10/29 11:10:18.357 0 user PulseApplicationLauncher.exe PSAL p3800 tEDC dsWinLogserviceApiLib.cpp:1455 - '***' PulseApplicationLauncher.exe..00119,09 2024/10/29 11:10:18.373 0 user PulseApplicationLauncher.exe PSAL p3800 tEDC dsWinLogserviceApiLib.cpp:1456 - '***' ..00168,09 2024/10/29 11:10:18.373 0 user PulseApplicationLauncher.exe PSAL p3800 tEDC dsWinLogserviceApiLib.cpp:1457 - '***' Tue Oct/29/2024 11:10:18 Eastern Daylight Time..00154,09 2024/10/29 11:10:18.373 0 user PulseApplicationLauncher.exe PSAL p3800 tEDC dsWinLogserviceApiLib.cpp:1458 - '***' Build Version: 22, 7, 1, 28369..00154,09 2024/10/29 11:10:18.373 0 user PulseApplicationLauncher.exe PSAL p3800 tEDC dsWinLogserviceApiLib.cpp:1459 - '***' Product Version: 22, 7, 1, 2836
    Process:C:\Windows\System32\msiexec.exe
    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Pulse Application Launcher, Author: Ivanti, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Pulse Application Launcher., Template: Intel;1033, Revision Number: {6AA15FA6-A504-4D12-8AB0-2C320EEE9B08}, Create Time/Date: Thu Dec 28 10:03:24 2023, Last Saved Time/Date: Thu Dec 28 10:03:24 2023, Number of Pages: 300, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.0.4118), Security: 2
    Category:dropped
    Size (bytes):7266304
    Entropy (8bit):7.987875453730002
    Encrypted:false
    SSDEEP:196608:+aWRQago3mlZTrDH6+ZUReoLyOY9SZII3L+b7q6ie4:+/gpl1PlqR/PLOQCb7q
    MD5:9FADC49EA06140E22DD3025384D8DDE0
    SHA1:A0C005E2E4DB3F84F9E0404C6FFBC1FFD264E652
    SHA-256:2390077EB538A20BBE188B52C7189B7D8E62CED9C44A6E8FA11A65E2CAA80226
    SHA-512:410C37E57055D6E6FF924555B7E118FDA5EB4BB591C3BC030835501237B047B38FB752379CB219311647CC17DEC4C68364CFDF5AA6CEAA6501C4CE5B9C5A560D
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):20480
    Entropy (8bit):1.5605784058018473
    Encrypted:false
    SSDEEP:24:Jfb8FC/lkm6cpmUHCADvuyXTk+EtqbdqMipV7VIwGTlrkgdtqbdqMipVC:9A0AcDHhvugkcnS5crAnSI
    MD5:CAFC42354ADFC0871FECF8FA216A1BB7
    SHA1:80D4303C5CC588006ACDD39209E11F8B5E644F33
    SHA-256:F33ED8423A94EB5AF6AE737B2B2110804CC87A94942B65FBB3279624D3D9DAF5
    SHA-512:594DEBB1FA6E8CB1B352484BFD9F61165FF8DFD20BFA6D2768BC436B1E8CFE6EA0174A49D15168A5BFEA5018A22A141D4A7F6B73F82F0570FD437E714E91B229
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Pulse Application Launcher, Author: Ivanti, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Pulse Application Launcher., Template: Intel;1033, Revision Number: {6AA15FA6-A504-4D12-8AB0-2C320EEE9B08}, Create Time/Date: Thu Dec 28 10:03:24 2023, Last Saved Time/Date: Thu Dec 28 10:03:24 2023, Number of Pages: 300, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.0.4118), Security: 2
    Category:dropped
    Size (bytes):7266304
    Entropy (8bit):7.987875453730002
    Encrypted:false
    SSDEEP:196608:+aWRQago3mlZTrDH6+ZUReoLyOY9SZII3L+b7q6ie4:+/gpl1PlqR/PLOQCb7q
    MD5:9FADC49EA06140E22DD3025384D8DDE0
    SHA1:A0C005E2E4DB3F84F9E0404C6FFBC1FFD264E652
    SHA-256:2390077EB538A20BBE188B52C7189B7D8E62CED9C44A6E8FA11A65E2CAA80226
    SHA-512:410C37E57055D6E6FF924555B7E118FDA5EB4BB591C3BC030835501237B047B38FB752379CB219311647CC17DEC4C68364CFDF5AA6CEAA6501C4CE5B9C5A560D
    Malicious:false
    Process:C:\Windows\System32\msiexec.exe
    File Type:data
    Category:dropped
    Size (bytes):24260
    Entropy (8bit):6.412136283264882
    Encrypted:false
    SSDEEP:384:mJIE2nPkyJstpj15dTOBs3OyBKi/c/DwacsI0FyqqfMcPX4ggex+IkshzUvsy93d:mJIE8CzYggevYN93gihSWUm
    MD5:25C5DC205F44941FBA15DECBC483F8C1
    SHA1:0FF8E983331BC5F18950B2CBAF58C31D8162E47A
    SHA-256:8E754FA5AB4833F4E4CEA6B106FCFB3E6A56BC1A0B3328B6B99E2FE6BEC34D40
    SHA-512:EA90F16F2AAAD711E201C107D547C5CE0C653DE28604571003B63311F01D6C57B873BAE7AC76A315C68F71613FF517F8AE74E321B36A4C8400433F562C356D8A
    Malicious:false
    Preview:...@IXOS.@.....@.^]Y.@.....@.....@.....@.....@.....@......&.{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}..Pulse Application Launcher..PulseSecureAppLauncher.msi.@.....@.n...@.....@......psal.ico..&.{6AA15FA6-A504-4D12-8AB0-2C320EEE9B08}.....@.....@.....@.....@.......@.....@.....@.......@......Pulse Application Launcher......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{5C1CEC95-CCC9-4992-A94E-BC0CC818C6C5}&.01:\Software\Pulse Secure\PSAL\Version.@.......@.....@.....@......&.{6F6299EA-015E-4F45-8AEE-5FFCE96D5ED4}4.01:\Software\Pulse Secure\PSAL\Downloader64Installed.@.......@.....@.....@......&.{185E05BC-1868-4AB7-8560-D2868B7E19BF}2.01:\Software\Pulse Secure\PSAL\DownloaderInstalled.@.......@.....@.....@......&.{2771911D-60E8-4AD7-8216-C363033CCCC8}+.01:\Software\Pulse Secure\PSAL\x86Installed.@.......@.....@.....@......&.{7C2A6EE4-66EA-43E5-8876-E6EF45526C
    Process:C:\Windows\System32\msiexec.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):221104
    Entropy (8bit):6.646093303952969
    Encrypted:false
    SSDEEP:3072:YENVk+GJpYjqOfIEzkHdDz4JjxMfVryQv25ZC3X+YI+Jc12uqxAgWvUflQnbs+/s:YEUXAzk9DUGW7C3PTJM2Ugyv0tP9
    MD5:E05884F57BC8BC8E131C2B0E50CEDEF0
    SHA1:29C6CBD9F66E91F6E221F0DDAF1A651685F197DF
    SHA-256:7548A0F20CB0AE214DA3F0A4D3F21A59C6F50CE9F2E5BD666A471D6BB70BE74C
    SHA-512:DFC94133EA0C81B8CDE4BE8510F65A1D1A606C2F9340F90173E7FAD705A7EE6E30784A52D02364BA7673DAA7BEB15A8B913078464A6DD16AACBBA717690A5ED3
    Malicious:false
    Antivirus:
    • Antivirus: ReversingLabs, Detection: 0%
    Process:C:\Windows\System32\msiexec.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):20480
    Entropy (8bit):1.1694756592385795
    Encrypted:false
    SSDEEP:12:JSbX72Fj0+aAGiLIlHVRp9h/7777777777777777777777777vDHFBTm5vhyWt/z:JVaQI5ZBF
    MD5:8AF4A5162E47DFAE726FCABC38F80435
    SHA1:C71BBD10300981FDC1C2CB61A20B8BFC9113DC6B
    SHA-256:66C7F9A876F7688F899F2D9DF5F9260BE7AE7D5D5D44824D5AB33F0922F87118
    SHA-512:CB8F96850B8A66BFC553E89718A1FFC51F2F3E48B3B95600A5FBD4E43C6DD7650B602DC10D6C0810BFE8442434CBE663A82C4FE438D800503015B6B13AD66D12
    Malicious:false
    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Pulse Application Launcher, Author: Ivanti, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Pulse Application Launcher., Template: Intel;1033, Revision Number: {6AA15FA6-A504-4D12-8AB0-2C320EEE9B08}, Create Time/Date: Thu Dec 28 10:03:24 2023, Last Saved Time/Date: Thu Dec 28 10:03:24 2023, Number of Pages: 300, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.0.4118), Security: 2
    Entropy (8bit):7.987875453730002
    TrID:
    • Microsoft Windows Installer (60509/1) 57.88%
    • ClickyMouse macro set (36024/1) 34.46%
    • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
    File name:PulseSecureAppLauncher.msi
    File size:7'266'304 bytes
    MD5:9fadc49ea06140e22dd3025384d8dde0
    SHA1:a0c005e2e4db3f84f9e0404c6ffbc1ffd264e652
    SHA256:2390077eb538a20bbe188b52c7189b7d8e62ced9c44a6e8fa11a65e2caa80226
    SHA512:410c37e57055d6e6ff924555b7e118fda5eb4bb591c3bc030835501237b047b38fb752379cb219311647cc17dec4c68364cfdf5aa6ceaa6501c4ce5b9c5a560d
    SSDEEP:196608:+aWRQago3mlZTrDH6+ZUReoLyOY9SZII3L+b7q6ie4:+/gpl1PlqR/PLOQCb7q
    TLSH:F7763350BAC4B93FE6664E36641BE1605F3CBE340A1044ABD394BD1F4EF19B266B3352
    Icon Hash:2d2e3797b32b2b99
    No network behavior found

    Target ID:1
    Start time:11:09:30
    Start date:29/10/2024
    Path:C:\Windows\System32\msiexec.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PulseSecureAppLauncher.msi"
    Imagebase:0xff780000
    File size:128'512 bytes
    MD5 hash:AC2E7152124CEED36846BD1B6592A00F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:2
    Start time:11:09:31
    Start date:29/10/2024
    Path:C:\Windows\System32\msiexec.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\msiexec.exe /V
    Imagebase:0xff780000
    File size:128'512 bytes
    MD5 hash:AC2E7152124CEED36846BD1B6592A00F
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:false

    Target ID:5
    Start time:11:09:47
    Start date:29/10/2024
    Path:C:\Windows\SysWOW64\msiexec.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9
    Imagebase:0x9d0000
    File size:73'216 bytes
    MD5 hash:4315D6ECAE85024A0567DF2CB253B7B0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:moderate
    Has exited:true

    Target ID:7
    Start time:11:10:18
    Start date:29/10/2024
    Path:C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished
    Imagebase:0xbb0000
    File size:1'709'952 bytes
    MD5 hash:A2659EA9E27E9096F3E91932F465A07E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Antivirus matches:
    • Detection: 0%, ReversingLabs
    Reputation:low
    Has exited:true

    No disassembly