Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

PulseSecureAppLauncher.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Pulse Application Launcher, Author: Ivanti, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Pulse Application Launcher., Template: Intel;1033, Revision Number: {6AA15FA6-A504-4D12-8AB0-2C320EEE9B08}, Create Time/Date: Thu Dec 28 10:03:24 2023, Last Saved Time/Date: Thu Dec 28 10:03:24 2023, Number of Pages: 300, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.0.4118), Security: 2

initial sample

C:\Config.Msi\754f6b.rbs

data

modified

C:\System Volume Information\SPP\OnlineMetadataCache\{3967b973-d159-4ac9-84aa-d4e7a38128c9}_OnDiskSnapshotProp

data

dropped

C:\System Volume Information\SPP\metadata-2

SysEx File - Twister

dropped

C:\System Volume Information\SPP\snapshot-2

data

dropped

C:\Users\user\AppData\Local\Temp\~DF42CA10E670479EE7.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF496484BAC2C87FEA.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF98004BD7CA64244C.TMP

data

dropped

C:\Users\user\AppData\Roaming\Microsoft\Installer\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}\psal.ico

MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_DE.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_EN.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_ES.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_FR.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_IT.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_JA.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_KO.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_PL.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_ZH-CN.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PSALResource_ZH.txt

Unicode text, UTF-8 (with BOM) text, with very long lines (315), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\Version.ini

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsOpenSSL.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_DE.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_EN.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ES.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_FR.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_JA.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_KO.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\dsWinClientResource_ZH_CN.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libcrypto-1_1.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\libssl-1_1.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalwin.json

JSON data

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalwinEdge.json

JSON data

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\pulse.png

PNG image data, 99 x 40, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\pulse_toolbar.png

PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfEngine.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\wolfssl-fips.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsOpenSSL64.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_DE.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_EN.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ES.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_FR.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_JA.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_KO.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\dsWinClientResource_ZH_CN.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libcrypto-1_1-x64.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\libssl-1_1-x64.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\msvcp140.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\vcruntime140.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfEngine-x64.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\wolfssl-fips-x64.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsOpenSSL.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_DE.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_EN.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ES.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_FR.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_JA.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_KO.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\dsWinClientResource_ZH_CN.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libcrypto-1_1.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\libssl-1_1.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\msvcp140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\vcruntime140.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfEngine.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\wolfssl-fips.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\Public\Pulse Secure\Logging\PulseClient.log

ASCII text, with CRLF line terminators

dropped

C:\Windows\Installer\754f69.msi

dropped

C:\Windows\Installer\754f6a.ipi

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Installer\754f6c.msi

dropped

C:\Windows\Installer\MSIAC58.tmp

data

dropped

C:\Windows\Installer\MSIE496.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\SourceHash{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

Composite Document File V2 Document, Cannot read section info

dropped

There are 72 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PulseSecureAppLauncher.msi"

Details

Is windows:	true
Is dropped:	false
PID:	3236
Target ID:	1
Parent PID:	1244
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PulseSecureAppLauncher.msi"
Size:	128512
MD5:	AC2E7152124CEED36846BD1B6592A00F
Time:	11:09:30
Date:	29/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff780000
Modulesize:	147456
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	3304
Target ID:	2
Parent PID:	404
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	128512
MD5:	AC2E7152124CEED36846BD1B6592A00F
Time:	11:09:31
Date:	29/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xff780000
Modulesize:	147456
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9

Details

Is windows:	true
Is dropped:	false
PID:	3600
Target ID:	5
Parent PID:	3304
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 5EA4F1DB765305D91232278ED78127E9
Size:	73216
MD5:	4315D6ECAE85024A0567DF2CB253B7B0
Time:	11:09:47
Date:	29/10/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x9d0000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe

"C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished

Details

Is windows:	false
Is dropped:	true
PID:	3800
Target ID:	7
Parent PID:	3304
Name:	PulseApplicationLauncher.exe
Path:	C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe
Commandline:	"C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished
Size:	1709952
MD5:	A2659EA9E27E9096F3E91932F465A07E
Time:	11:10:18
Date:	29/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xbb0000
Modulesize:	1724416
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Launches processes in debugging mode, may be used to hinder debugging	Anti Debugging	Disable or Modify Tools
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://wixtoolset.org

unknown

https://www.openssl.org/H

unknown

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

IDENTIFY (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

IDENTIFY (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

PREPAREBACKUP (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

PREPAREBACKUP (Leave)

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000

Sequence

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

GETSTATE (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

GETSTATE (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

DOSNAPSHOT (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

DOSNAPSHOT (Leave)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts

C:\Config.Msi\754f6b.rbs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts

C:\Config.Msi\754f6b.rbsLow

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Components\59CEC1C59CCC29949AE4CBC08C816C5C

6222B86E66D46DF498E3F3A7F70B1B65

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Components\AE9926F6E51054F4A8EEF5CF9ED6E54D

6222B86E66D46DF498E3F3A7F70B1B65

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Components\CB50E58186817BA458062D68B8E791FB

6222B86E66D46DF498E3F3A7F70B1B65

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Components\D11917728E067DA428613C3630C3CC8C

6222B86E66D46DF498E3F3A7F70B1B65

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Components\4EE6A2C7AE665E3488676EFE5425C636

6222B86E66D46DF498E3F3A7F70B1B65

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Components\9EEC6A3308AAC3941BB8761706B28961

6222B86E66D46DF498E3F3A7F70B1B65

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Components\252BC076D61FF7A46B6703EE6320E888

6222B86E66D46DF498E3F3A7F70B1B65

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Components\66DE2D24E41F1A54AB4F05173A249203

6222B86E66D46DF498E3F3A7F70B1B65

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Pulse Secure\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\

HKEY_CURRENT_USER\Software\Pulse Secure\PSAL

Version

HKEY_CURRENT_USER\Software\Pulse Secure\PSAL

Downloader64Installed

HKEY_CURRENT_USER\Software\Pulse Secure\PSAL

DownloaderInstalled

HKEY_CURRENT_USER\Software\Pulse Secure\PSAL

x86Installed

HKEY_CURRENT_USER\Software\Pulse Secure\PSAL

x64Installed

HKEY_CURRENT_USER\Software\Pulse Secure\PSAL

psalswitch

HKEY_CURRENT_USER\Software\Pulse Secure\PSAL

ResourcesInstalled

HKEY_CURRENT_USER\Software\Pulse Secure\PSAL

AppletPath

HKEY_CURRENT_USER_CLASSES\PulseSecure

NULL

HKEY_CURRENT_USER_CLASSES\PulseSecure

URL Protocol

HKEY_CURRENT_USER_CLASSES\PulseSecure

EditFlags

HKEY_CURRENT_USER_CLASSES\PulseSecure\shell\open\command

NULL

HKEY_CURRENT_USER\Software\Google\Chrome\NativeMessagingHosts\com.ivanti.psal

NULL

HKEY_CURRENT_USER\Software\Google\Chrome\NativeMessagingHosts\com.ivanti.psal.microsoft.edge

NULL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

LocalPackage

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

AuthorizedCDFPrefix

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

Comments

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

Contact

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

DisplayVersion

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

HelpLink

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

HelpTelephone

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

InstallDate

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

InstallLocation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

InstallSource

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

ModifyPath

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

NoModify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

Publisher

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

Readme

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

Size

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

EstimatedSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

UninstallString

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

URLInfoAbout

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

URLUpdateInfo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

VersionMajor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

VersionMinor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

WindowsInstaller

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

Language

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

AuthorizedCDFPrefix

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

Comments

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

Contact

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

DisplayVersion

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

HelpLink

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

HelpTelephone

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

InstallDate

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

InstallLocation

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

InstallSource

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

ModifyPath

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

NoModify

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

Publisher

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

Readme

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

Size

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

EstimatedSize

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

UninstallString

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

URLInfoAbout

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

URLUpdateInfo

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

VersionMajor

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

VersionMinor

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

WindowsInstaller

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

Version

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

Language

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\ADCEB3F769BFE9543814E6B950DBF46B

6222B86E66D46DF498E3F3A7F70B1B65

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\InstallProperties

DisplayName

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}

DisplayName

HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\6222B86E66D46DF498E3F3A7F70B1B65

PulseAppLauncher

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\Features

PulseAppLauncher

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Microsoft\Installer\{E68B2226-4D66-4FD6-893E-3F7A7FB0B156}\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Microsoft\Installer\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-966771315-3019405637-367336477-1006\Products\6222B86E66D46DF498E3F3A7F70B1B65\Patches

AllPatches

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

ProductName

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

PackageCode

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

Language

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

Version

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

Assignment

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

AdvertiseFlags

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

ProductIcon

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

InstanceType

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

AuthorizedLUAApp

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

DeploymentFlags

HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\ADCEB3F769BFE9543814E6B950DBF46B

6222B86E66D46DF498E3F3A7F70B1B65

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65\SourceList

PackageName

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65\SourceList\Net

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65\SourceList\Media

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65

Clients

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6222B86E66D46DF498E3F3A7F70B1B65\SourceList

LastUsedSource

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

SrCreateRp (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppCreate (Enter)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP

LastIndex

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppGatherWriterMetadata (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppGatherWriterMetadata (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppAddInterestingComponents (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppAddInterestingComponents (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppCreate (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

SrCreateRp (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

SrCreateRp (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppCreate (Enter)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP

LastIndex

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppGatherWriterMetadata (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

IDENTIFY (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

IDENTIFY (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppGatherWriterMetadata (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppAddInterestingComponents (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppAddInterestingComponents (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

PREPAREBACKUP (Enter)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

PREPAREBACKUP (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP

SppCreate (Leave)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

SrCreateRp (Leave)

There are 123 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

671C8000

unkown

page readonly

BB0000

unkown

page readonly

270F000

stack

page read and write

5A09A000

unkown

page readonly

25C0000

heap

page read and write

2A84000

heap

page read and write

71681000

unkown

page readonly

69FF0000

unkown

page readonly

D3F000

unkown

page readonly

620000

heap

page read and write

699E0000

unkown

page readonly

D3F000

unkown

page readonly

687000

heap

page read and write

687000

heap

page read and write

69A1C000

unkown

page readonly

28B2000

heap

page read and write

6A000000

unkown

page readonly

5A000000

unkown

page readonly

671A8000

unkown

page readonly

D34000

unkown

page write copy

627000

heap

page read and write

D3D000

unkown

page read and write

2894000

heap

page read and write

2A0E000

stack

page read and write

180000

unclassified section

page read and write

69AAB000

unkown

page readonly

390000

heap

page read and write

71680000

unkown

page read and write

682000

heap

page read and write

69A8C000

unkown

page readonly

67205000

unkown

page readonly

644000

heap

page read and write

6A6000

heap

page read and write

694D5000

unkown

page read and write

699E1000

unkown

page execute read

694D8000

unkown

page readonly

396000

heap

page read and write

2A80000

heap

page read and write

2890000

heap

page read and write

69AA6000

unkown

page readonly

2D4000

stack

page read and write

10000

heap

page read and write

BB1000

unkown

page execute read

8A000

stack

page read and write

4C0000

heap

page read and write

69470000

unkown

page readonly

699E6000

unkown

page execute read

5A097000

unkown

page read and write

69A17000

unkown

page readonly

69A0A000

unkown

page readonly

684000

heap

page read and write

65E000

heap

page read and write

67232000

unkown

page readonly

69A14000

unkown

page read and write

69A000

heap

page read and write

6705B000

unkown

page execute read

D34000

unkown

page read and write

6704A000

unkown

page execute read

694DB000

unkown

page readonly

67229000

unkown

page read and write

6A007000

unkown

page readonly

6A6000

heap

page read and write

D3A000

unkown

page read and write

687000

heap

page read and write

71670000

unkown

page readonly

69FF1000

unkown

page execute read

D37000

unkown

page write copy

67001000

unkown

page execute read

5A07E000

unkown

page readonly

69A1F000

unkown

page readonly

6A6000

heap

page read and write

69AA2000

unkown

page read and write

6A6000

heap

page read and write

BB0000

unkown

page readonly

33E000

stack

page read and write

410000

heap

page read and write

699E9000

unkown

page execute read

71671000

unkown

page execute read

67019000

unkown

page execute read

69A000

heap

page read and write

6A006000

unkown

page read and write

67000000

unkown

page readonly

CF0000

unkown

page readonly

69A30000

unkown

page readonly

67F000

heap

page read and write

5A001000

unkown

page execute read

BB1000

unkown

page execute read

440000

heap

page read and write

CF0000

unkown

page readonly

671EB000

unkown

page readonly

69471000

unkown

page execute read

664000

heap

page read and write

A8E000

stack

page read and write

6722F000

unkown

page readonly

6700C000

unkown

page execute read

69A31000

unkown

page execute read

2A8B000

heap

page read and write

69A000

heap

page read and write

350000

heap

page read and write

2A88000

heap

page read and write

67062000

unkown

page execute read

69A06000

unkown

page execute read

There are 92 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
PulseSecureAppLauncher.msi

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportPulseSecureAppLauncher.msi

Files

Processes

URLs

Registry

Memdumps

IOC Report
PulseSecureAppLauncher.msi