Analysis
max time kernel: 268s
max time network: 274s
platform: windows10-2004_x64
resource: win10v2004-20220331-en
submitted: 05-04-2022 14:06
Static task: static1
Behavioral task: behavioral1
Sample: PulseSecure.x64.msi
Resource: win10v2004-20220331-en

General
Target: PulseSecure.x64.msi
Size: 27.0MB
MD5: 4a743fbe0ccfc7dc593281803a07949e
SHA1: efcaf34a6a7591d3fb8768bae15db671095e5dd0
SHA256: 78be59991f40ec589c204bb1c879aaaceee6e5ce108876558db65f207705881e
SHA512: d85515b611594148351722db179b64c25023a924f6ccec917a17fedcb5f1ce541b8d075f3c5378e831416416dff52eaa10c54bfc9f84633c6db5aaf059e36b57
Malware Config

Signatures

Detected Egregor ransomware (2 IoCs)
resource | yara_rule
C:\Windows\Installer\MSI6F1C.tmp | family_egregor
C:\Windows\Installer\MSI6F1C.tmp | family_egregor

Egregor Ransomware
Variant of the Sekhmet ransomware first seen in September 2020.
Both hits are on the same Windows Installer temporary file extracted from the MSI. A family rule firing on a file dropped by an installer should be confirmed against the strings the rule actually matched and against the sample's publisher signature before it is treated as a ransomware detection.
Registers COM server for autorun (1 TTPs)

Blocklisted process makes network request (4 IoCs)
flow | pid | process
9 | 4936 | msiexec.exe
11 | 4936 | msiexec.exe
19 | 4936 | msiexec.exe
24 | 4936 | msiexec.exe
Drops file in Drivers directory (9 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\Drivers\PulseSAM.sys | MsiExec.exe
File created | C:\Windows\system32\DRIVERS\SET1CB.tmp | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\jnprns.sys | MsiExec.exe
File opened for modification | C:\Windows\System32\drivers\SET824.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SET824.tmp | DrvInst.exe
File created | C:\Windows\system32\Drivers\PulseSAM.sys | MsiExec.exe
File opened for modification | C:\Windows\System32\drivers\jnprvamgr.sys | DrvInst.exe
File created | C:\Windows\system32\Drivers\jnprTdi_9111_9451.sys | MsiExec.exe
File opened for modification | C:\Windows\system32\DRIVERS\SET1CB.tmp | MsiExec.exe
Executes dropped EXE (10 IoCs)
pid | process
4552 | MSI6F1C.tmp
4872 | MSI20E8.tmp
4564 | PSSetupClientInstaller.exe
4384 | PulseSetupClient.exe
5056 | PulseSecureService.exe
932 | PulseSetupClientOCX.exe
2712 | PulseSetupClientOCX64.exe
4728 | jamcommand.exe
3656 | Pulse.exe
744 | PulseSecureService.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | PulseSetupClient.exe
Loads dropped DLL (64 IoCs)
pid | process | load events (the report prints one row per event)
4388 | MsiExec.exe | 8
4440 | MsiExec.exe | 1
2800 | MsiExec.exe | 12
1936 | MsiExec.exe | 7
4588 | MsiExec.exe | 1
2148 | MsiExec.exe | 1
4104 | MsiExec.exe | 1
4864 | MsiExec.exe | 2
3832 | MsiExec.exe | 2
2416 | MsiExec.exe | 1
344 | MsiExec.exe | 1
4876 | MsiExec.exe | 1
4564 | PSSetupClientInstaller.exe | 1
5056 | PulseSecureService.exe | 15
932 | PulseSetupClientOCX.exe | 1
2712 | PulseSetupClientOCX64.exe | 1
2392 | regsvr32.exe | 1
3656 | Pulse.exe | 4
744 | PulseSecureService.exe | 3
Modifies file permissions (1 TTPs, 1 IoCs)

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PulseSecure = "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\Pulse.exe -tray" | msiexec.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | msiexec.exe
Each of the 24 drive roots above (every letter except C: and D:) appears twice in the report, which lists two msiexec.exe processes for this signature, giving 48 events in total.
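The two signatures above, "Adds Run key to start application" and "Enumerates connected drives", reduce to simple rules over the report's event rows. The Python below is an added example, not the sandbox's own code: it parses rows in the format printed on this page (description, IoC, process) and re-derives both findings. The sample rows are copied from the report (the 48 drive-root events are regenerated from their letter sequence to keep the listing short); the threshold of three distinct non-C: drive letters is an assumed value chosen for the example, not the sandbox's.

```python
import re
from collections import defaultdict

# Event-description vocabulary used in the report's IoC rows. Longest first, so
# "Key value queried" is tried before "Key queried" and neither swallows the other.
DESCRIPTIONS = sorted([
    "File opened for modification", "File opened (read-only)", "File created",
    "Key created", "Key opened", "Key queried", "Key value queried",
    "Set value (str)", "Set value (data)",
], key=len, reverse=True)


def parse_event(line):
    """Split one '<description> <ioc> <process>' row into a dict.

    The process name is the final whitespace-delimited token and the
    description comes from the fixed vocabulary above, so the IoC is whatever
    lies between them, even when it contains spaces (e.g. a quoted command).
    """
    line = line.strip()
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            ioc, _, process = line[len(desc):].strip().rpartition(" ")
            return {"description": desc, "ioc": ioc, "process": process}
    raise ValueError(f"unrecognised event row: {line!r}")


# NT object-manager form of a drive root, e.g. \??\G:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$")


def drive_enumeration(events, threshold=3):
    """Re-derive 'Enumerates connected drives'.

    Returns {process: [letters]} for every process that opened at least
    `threshold` distinct drive roots other than C: read-only. The threshold
    is an assumed value for this example, not the sandbox's.
    """
    letters = defaultdict(set)
    for ev in events:
        if ev["description"] != "File opened (read-only)":
            continue
        m = DRIVE_ROOT.match(ev["ioc"])
        if m and m.group(1) != "C":
            letters[ev["process"]].add(m.group(1))
    return {p: sorted(s) for p, s in letters.items() if len(s) >= threshold}


# '<hive>\...\CurrentVersion\Run\<name> = "<command>"' as printed in the report.
RUN_VALUE = re.compile(
    r'^(?P<key>\\REGISTRY\\(?:MACHINE|USER)\\.*?\\CurrentVersion\\Run)'
    r'\\(?P<name>[^\\=]+) = "(?P<cmd>.*)"$'
)


def run_key_persistence(events):
    """Re-derive 'Adds Run key to start application'.

    Returns one record per Run-key value written. The report prints the
    backslashes inside the quoted command doubled; they are collapsed here
    so the command can be compared with the on-disk path.
    """
    hits = []
    for ev in events:
        if ev["description"] != "Set value (str)":
            continue
        m = RUN_VALUE.match(ev["ioc"])
        if m:
            hits.append({
                "process": ev["process"],
                "key": m.group("key"),
                "name": m.group("name"),
                "command": m.group("cmd").replace("\\\\", "\\"),
            })
    return hits


# Sample rows copied from the report above (constructed input for this
# example). The 48 drive-root events are regenerated from their letter order.
_DRIVE_LETTERS = "GJNPUKNUMWYELXQGPHKRHISVABQVEILFJORSTZBOTXZWYAFM"
SAMPLE_ROWS = [
    f"File opened (read-only) \\??\\{c}: msiexec.exe" for c in _DRIVE_LETTERS
] + [
    r"Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run msiexec.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PulseSecure = "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\Pulse.exe -tray" msiexec.exe',
    r"File opened for modification C:\Windows\system32\Drivers\PulseSAM.sys MsiExec.exe",
    r"Key value queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation PulseSetupClient.exe",
]


def analyse(rows=SAMPLE_ROWS):
    """Parse the rows and evaluate both signatures."""
    events = [parse_event(r) for r in rows]
    return {
        "drive_enumeration": drive_enumeration(events),
        "run_key_persistence": run_key_persistence(events),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(name, result)
```

Run as a script it prints the 24 probed drive letters for msiexec.exe and the single Run-key entry (PulseSecure, launching Pulse.exe -tray). Excluding only C: mirrors the report's wording; on a host where Windows is installed elsewhere the system drive letter would have to be read rather than hard-coded.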
Drops file in System32 directory (64 IoCs)
description | ioc | process
File created | C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495} | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netvchannel.inf_amd64_ba3e73aa330c95d6\netvchannel.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\netax88772.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\jnprns.inf_amd64_9fc29f3268c7ae2e\jnprns.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\bthpan.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\jnprvamgr.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAA8.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\netwew01.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\msdri.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\usbncm.inf_amd64_9957a38c3d2283ed\usbncm.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\jnprva.inf_amd64_2d3776125086d638\jnprva.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\SET6CE.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_3294fc34256dbb0e\dc21x4vm.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\wceisvista.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlanu.inf_amd64_1815bafd14dc59f0\netrtwlanu.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAA7.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\SET6CE.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_8d5ca5ab1472fc44\netl1e64.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_5aa81644af5957b3\msux64w10.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAD8.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\net7800-x64-n650f.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_dba6eeaf0544a4e0\netwmbclass.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_9a5b429abc465278\wnetvsc.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{a958ace3-883e-fe44-b2d3-2dc500bf3ab0}\SET3D0.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{a958ace3-883e-fe44-b2d3-2dc500bf3ab0}\jnprva.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\netax88179_178a.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a\netvwifimp.PNF | MsiExec.exe
File opened for modification | C:\Windows\system32\DRVSTORE | MsiExec.exe
File created | C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAD8.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net7500-x64-n650f.inf_amd64_cc87c915f33d1c27\net7500-x64-n650f.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_97cd1a72c2a7829c\netrtwlans.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF | MsiExec.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\jnprvamgr.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\jnprvamgr.inf_amd64_a6b97483d4e0add9\jnprvamgr.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\usbnet.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netwbw02.inf_amd64_1c4077fa004e73b4\netwbw02.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_f6f0831ba09dd9f5\netavpna.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\rtux64w10.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF | MsiExec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\net8192se64.PNF | MsiExec.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | process
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\print.css | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-solve-connection-issue.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-remediation-info-viewing.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\access-control-connect-client-view-properties.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\g033413.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\notecaution.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033408.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033409.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\notewarning-laser.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\vpnAccessMethod\MessageCatalogVpnAM_KO.txt | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-suspending.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-log-file-saving.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\g033408.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\container-book.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\g033413.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\bestpractice.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\access-control-connect-client-extend.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033423.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\help.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-accessibility-features.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-configuration-overview.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\print.css | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\PulseSAM\pulseWFPInst.dll | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\access-control-connect-client-extend.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-window-resizing.html | msiexec.exe
File opened for modification | C:\Program Files (x86)\Common Files\Pulse Secure\Connection Manager\versionInfo.ini | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\access-control-connect-client-jtac-contacting.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\plus.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\container.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\tip.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.inf | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\g033408.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\g033405.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\g033410.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-version-viewing.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\eapService\MessageCatalogEapAM_JA.txt | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\access-control-connect-client-meeting-joining.html | msiexec.exe
File created | C:\Program Files (x86)\Pulse Secure\Pulse\PulseHelper.exe | msiexec.exe
File opened for modification | C:\Program Files (x86)\Common Files\Pulse Secure\ConnectionStore\versionInfo.ini | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\g033422.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\access-control-connect-client-meeting-joining.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\access-control-connect-client-forget-credentials.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-extend.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\blank.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\TNC Client Plugin\hcUtils.dll | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\access-control-connect-client-meeting-joining.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\book-access-control-connect-client.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-smartcard-overview.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\access-control-connect-client-ui.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseResource_ZH.txt | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\access-control-delete-client-connection-status.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\IT\access-control-connect-client-adding.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\g033468.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\Integration\MessageCatalogIntegrationAM_KO.txt | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\g033405.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\standard.css | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033400.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\access-control-connect-client-window-resizing.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\access-control-connect-client-disconnect.html | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\bestpractice.gif | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\eapService\MessageCatalogEapAM_ZH-CN.txt | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\book-utils.js | msiexec.exe
File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\access-control-connect-client-tray-icon.html | msiexec.exe
File opened for modification | C:\Program Files (x86)\Common Files\Pulse Secure\TNC Client Plugin\versionInfo.ini | msiexec.exe
Drops file in Windows directory (64 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Installer\MSI9312.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF838.tmp | msiexec.exe
File created | C:\Windows\Downloaded Program Files\PulseSetupClient64.inf | PulseSetupClientOCX64.exe
File opened for modification | C:\Windows\Downloaded Program Files\PulseSetupClient64.ocx | PulseSetupClientOCX64.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6C97.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI769F.tmp | msiexec.exe
File created | C:\Windows\INF\oem2.PNF | MsiExec.exe
File opened for modification | C:\Windows\Installer\MSI307.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI657E.tmp | msiexec.exe
File created | C:\Windows\INF\oem4.PNF | MsiExec.exe
File opened for modification | C:\Windows\Installer\MSI307D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI31B8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6D73.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF70D.tmp | msiexec.exe
File created | C:\Windows\Installer\wix{DF894007-8BB3-42E4-83EA-5D05969C2517}.SchedServiceConfig.rmi | MsiExec.exe
File opened for modification | C:\Windows\Installer\MSI28D9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5CC1.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{DF894007-8BB3-42E4-83EA-5D05969C2517} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI180A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2C65.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI628E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7631.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\SysWOW64 | xcopy.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI615.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2C45.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI65ED.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6BAB.tmp | msiexec.exe
File created | C:\Windows\Downloaded Program Files\PulseSetupClientCtrlUninstaller.exe | PulseSetupClientOCX.exe
File created | C:\Windows\Downloaded Program Files\PulseExt64.exe | PulseSetupClientOCX64.exe
File opened for modification | C:\Windows\Installer\MSI3139.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9370.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI20E8.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSIAAB.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Downloaded Program Files\PulseSetupClient.inf | PulseSetupClientOCX.exe
File created | C:\Windows\Downloaded Program Files\PulseSetupClient.ocx | PulseSetupClientOCX.exe
File opened for modification | C:\Windows\Installer\e585a02.msi | msiexec.exe
File opened for modification | C:\Windows\inf\oem2.inf | DrvInst.exe
File opened for modification | C:\Windows\Downloaded Program Files\install.log | PulseSetupClientOCX.exe
File created | C:\Windows\Downloaded Program Files\PulseExt.exe | PulseSetupClientOCX.exe
File opened for modification | C:\Windows\Installer\MSI2098.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI24B1.tmp | msiexec.exe
File created | C:\Windows\Installer\e585a04.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF74D.tmp | msiexec.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | MsiExec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\inf\oem2.inf | DrvInst.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\inf\oem4.inf | DrvInst.exe
File opened for modification | C:\Windows\Downloaded Program Files\install.log | PulseSetupClientOCX64.exe
File opened for modification | C:\Windows\Installer\MSI6E40.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6F1C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI315A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6C67.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI182A.tmp | msiexec.exe
File created | C:\Windows\Downloaded Program Files\PulseSetupClientCtrlUninstaller64.exe | PulseSetupClientOCX64.exe
File opened for modification | C:\Windows\Installer\MSI9FE.tmp | msiexec.exe
File created | C:\Windows\Downloaded Program Files\PulseSetupClient64.ocx | PulseSetupClientOCX64.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | MsiExec.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | DrvInst.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided) | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A MsiExec.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID MsiExec.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | PulseSetupClient.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | PulseSetupClient.exe
-
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights | PSSetupClientInstaller.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Pulse Secure\\Setup Client" | PSSetupClientInstaller.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119}\Policy = "3" | PSSetupClientInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Pulse.exe = "11000" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PulseSecureService.exe = "11000" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119} | PSSetupClientInstaller.exe
Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | PSSetupClientInstaller.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119}\AppName = "PulseSetupClient.exe" | PSSetupClientInstaller.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\SimAuth.dll,-1003 = "EAP-AKA'" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%windir%\system32\drivers\netbios.sys,-501 = "NetBIOS Interface" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | PulseSecureService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | PulseSecureService.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\drivers\mslldp.sys,-211 = "Microsoft LLDP Protocol Driver" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | PulseSecureService.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\wkssvc.dll,-1010 = "Client for Microsoft Networks" | svchost.exe
-
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A407658-288A-48A9-86E4-59FE723BF6DF}\NumMethods\ = "12" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dsATLSetupCtrl64.PulseSetupClientCont | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081CB686-E56B-4C26-A0A9-E7A4A4ADC094} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91DD713B-801E-43B2-88D1-2C1CC7827936}\NumMethods\ = "47" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44090970-D42F-4B80-A44B-117AC24B7626}\ = "IUiModelService" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C0F1C9-6F7D-4401-A959-8111D5E9E973}\TypeLib\ = "{1FA1F2EF-0DCD-4228-8025-74CD7749C878}" | PulseSetupClientOCX.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\700498FD3BB84E2438AED55069C95271\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5669C0F7-C43F-4E79-AAA2-81C72067EA20} | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1B8F498F-DB53-4B0C-85C0-D4E188DDDB02} | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DFD0DE0A-B9FD-4F8B-83DB-ABEF6966313E} | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05C0F1C9-6F7D-4401-A959-8111D5E9E973}\InProcServer32 | PulseSetupClientOCX.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C0F1C9-6F7D-4401-A959-8111D5E9E973}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | PulseSetupClientOCX.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24C9FAED-1510-4BE4-9D1A-FBD5F1DCD8F9}\ = "IPulseSetupClientControl" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FEE7FE9-F273-4D77-AE00-81D6F3FA0188}\ = "IDSAccessService" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{93DBDC46-C99C-4266-A871-9208213282A1}\ = "PSFactoryBuffer" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0686490E-1C1B-49BB-99C8-4159B0387278} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E375A63-C616-46F1-AC77-59DF78F3A826}\ProgID\ = "dsATLSetupCtrl.PulseSetupClientCont.1" | PulseSetupClientOCX.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B284C66D-1D9E-4E4F-8E3D-98AE9D6E5F9A}\ = "IDSAccessServiceEvents" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FEB6927-4918-48BD-865C-6F576795547F}\ = "IJamUIPromptPlugin3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dsATLSetupCtrl64.PulseSetupClientCo.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA1F2EF-0DCD-4228-8025-74CD7749C878} | PulseSetupClientOCX.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDF36C56-A2F1-452A-BD29-F4E43C987EF3}\1.0\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0686490E-1C1B-49BB-99C8-4159B0387278}\NumMethods\ = "8" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E60EAB20-C294-4757-8507-E14A72676EA9}\VersionIndependentProgID\ = "PulseSecureServicePS.DSAccessPluginMonitor" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\ = "IUiModelPreLogin" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B9CAC01-6732-40d0-8B8F-B5B340F9D44F}\ = "Pulse Secure SSO OneX Password Credential Provider Class" | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{71A878AF-F1B7-49DB-B9E0-B5DAE00CDAA0}\ProxyStubClsid32 | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{627CFA44-B791-4C6B-8E37-3E5D7C1727C7} | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{673867FA-2CD8-495A-A22C-820A3800A9F5}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDDE791B-B8B5-4B20-A65E-17B38C537BC2}\ProxyStubClsid32\ = "{BDDE791B-B8B5-4B20-A65E-17B38C537BC2}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\InProcServer32\ = "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\uiModelServicePS64.dll" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC5D8B78-4C89-43B3-83FA-E4D3000352A1}\ProxyStubClsid32\ = "{93DBDC46-C99C-4266-A871-9208213282A1}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B61004C8-7A80-4006-84E9-8499E4F123F8}\ProxyStubClsid32\ = "{C1FAF476-B9C2-4F01-A323-074F00A90EA1}" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61FE4786-084E-4598-8F16-30DED15B6125} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5669C0F7-C43F-4E79-AAA2-81C72067EA20}\ = "IJamUIProvider2" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\NumMethods | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44090970-D42F-4B80-A44B-117AC24B7626} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D169455C-DDBA-4288-8DB5-B182C6E4814C}\ = "IPulseObjectEvents" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E375A63-C616-46F1-AC77-59DF78F3A826}\ToolboxBitmap32\ = "C:\\Windows\\Downloaded Program Files\\PulseSetupClient.ocx, 102" | PulseSetupClientOCX.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{627CFA44-B791-4C6B-8E37-3E5D7C1727C7}\ProxyStubClsid32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{583C990C-2D38-410c-9A4A-0932D66A754F}\AppID = "{F0F68EE4-3331-424A-BED2-3B8E561275A5}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PulseSecureClient\shell\open\command\ = "\"C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\Pulse.exe\" %1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\ProxyStubClsid32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C43482F-6F8E-46D2-8FDC-DBE8B3FC9560} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B208CF-EABD-4BE5-88C0-2ADBB0D75E84}\NumMethods\ = "49" | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7C92C70A-46F0-4A41-ACA8-C4858AC07472}\ProxyStubClsid32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74D0078-6B9F-4928-BF49-163F885B1332}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EE8499B-5411-496A-92F5-B4E379F55FB7}\ = "ICloudAppVisibilityCallback" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA1F2EF-0DCD-4228-8025-74CD7749C878}\1.0\ = "PulseSetupClientATL 1.0 Type Library" | PulseSetupClientOCX.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1FAF476-B9C2-4F01-A323-074F00A90EA1}\ProxyStubClsid32\ = "{D169455C-DDBA-4288-8DB5-B182C6E4814C}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E375A63-C616-46F1-AC77-59DF78F3A826}\ToolboxBitmap32 | PulseSetupClientOCX.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3884BCAA-C611-4e2d-9105-E11B1203294E}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\jamSSOCredProv64.dll" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D169455C-DDBA-4288-8DB5-B182C6E4814C} | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C1FAF476-B9C2-4F01-A323-074F00A90EA1} | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F3404B-3474-470D-987D-BDAB0329EF46}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D169455C-DDBA-4288-8DB5-B182C6E4814C}\ProxyStubClsid32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24C9FAED-1510-4BE4-9D1A-FBD5F1DCD8F9}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61FE4786-084E-4598-8F16-30DED15B6125}\ = "IDSAccessPluginEvents" | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D622A6A-24F5-4EF1-B5E9-5305B0626810}\NumMethods | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E60EAB20-C294-4757-8507-E14A72676EA9} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CBB168F-3886-49F7-8602-1B9769A7150C}\NumMethods\ = "4" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B051258-5990-46D6-855F-A764FE81A35B}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A915D786-7A01-445D-A37B-2751A66AA62D}\NumMethods\ = "20" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9C0A2DF-5D3F-448A-9F14-6903EAB54DD5} | MsiExec.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
4552 | MSI6F1C.tmp
4552 | MSI6F1C.tmp
4872 | MSI20E8.tmp
4872 | MSI20E8.tmp
4384 | PulseSetupClient.exe
4384 | PulseSetupClient.exe
4728 | jamcommand.exe
4728 | jamcommand.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3656 | Pulse.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process 648 648 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 4936 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4936 | msiexec.exe
Token: SeSecurityPrivilege | 4164 | msiexec.exe
Token: SeCreateTokenPrivilege | 4936 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4936 | msiexec.exe
Token: SeLockMemoryPrivilege | 4936 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4936 | msiexec.exe
Token: SeMachineAccountPrivilege | 4936 | msiexec.exe
Token: SeTcbPrivilege | 4936 | msiexec.exe
Token: SeSecurityPrivilege | 4936 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4936 | msiexec.exe
Token: SeLoadDriverPrivilege | 4936 | msiexec.exe
Token: SeSystemProfilePrivilege | 4936 | msiexec.exe
Token: SeSystemtimePrivilege | 4936 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4936 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4936 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4936 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4936 | msiexec.exe
Token: SeBackupPrivilege | 4936 | msiexec.exe
Token: SeRestorePrivilege | 4936 | msiexec.exe
Token: SeShutdownPrivilege | 4936 | msiexec.exe
Token: SeDebugPrivilege | 4936 | msiexec.exe
Token: SeAuditPrivilege | 4936 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4936 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4936 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4936 | msiexec.exe
Token: SeUndockPrivilege | 4936 | msiexec.exe
Token: SeSyncAgentPrivilege | 4936 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4936 | msiexec.exe
Token: SeManageVolumePrivilege | 4936 | msiexec.exe
Token: SeImpersonatePrivilege | 4936 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4936 | msiexec.exe
Token: SeBackupPrivilege | 4948 | vssvc.exe
Token: SeRestorePrivilege | 4948 | vssvc.exe
Token: SeAuditPrivilege | 4948 | vssvc.exe
Token: SeBackupPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4164 | msiexec.exe
Token: SeRestorePrivilege | 4164 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 41 IoCs
Processes:
pid | process
4936 | msiexec.exe
3656 | Pulse.exe (12 entries)
4936 | msiexec.exe
3656 | Pulse.exe (27 entries)
-
Suspicious use of SendNotifyMessage 39 IoCs
Processes:
pid | process
3656 | Pulse.exe (39 entries)
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
932 | PulseSetupClientOCX.exe
2712 | PulseSetupClientOCX64.exe
3656 | Pulse.exe
3656 | Pulse.exe
3656 | Pulse.exe
3656 | Pulse.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4164 wrote to memory of 3368 | 4164 | msiexec.exe | srtasks.exe
PID 4164 wrote to memory of 3368 | 4164 | msiexec.exe | srtasks.exe
PID 4164 wrote to memory of 4388 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4388 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4388 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4440 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4440 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 2800 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 2800 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 2800 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4552 | 4164 | msiexec.exe | MSI6F1C.tmp
PID 4164 wrote to memory of 4552 | 4164 | msiexec.exe | MSI6F1C.tmp
PID 4164 wrote to memory of 4552 | 4164 | msiexec.exe | MSI6F1C.tmp
PID 2800 wrote to memory of 2404 | 2800 | MsiExec.exe | icacls.exe
PID 2800 wrote to memory of 2404 | 2800 | MsiExec.exe | icacls.exe
PID 2800 wrote to memory of 2404 | 2800 | MsiExec.exe | icacls.exe
PID 4164 wrote to memory of 1936 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 1936 | 4164 | msiexec.exe | MsiExec.exe
PID 2036 wrote to memory of 4336 | 2036 | svchost.exe | DrvInst.exe
PID 2036 wrote to memory of 4336 | 2036 | svchost.exe | DrvInst.exe
PID 2036 wrote to memory of 2180 | 2036 | svchost.exe | DrvInst.exe
PID 2036 wrote to memory of 2180 | 2036 | svchost.exe | DrvInst.exe
PID 2036 wrote to memory of 4888 | 2036 | svchost.exe | DrvInst.exe
PID 2036 wrote to memory of 4888 | 2036 | svchost.exe | DrvInst.exe
PID 2036 wrote to memory of 4316 | 2036 | svchost.exe | DrvInst.exe
PID 2036 wrote to memory of 4316 | 2036 | svchost.exe | DrvInst.exe
PID 4164 wrote to memory of 2400 | 4164 | msiexec.exe | cmd.exe
PID 4164 wrote to memory of 2400 | 4164 | msiexec.exe | cmd.exe
PID 2400 wrote to memory of 2304 | 2400 | cmd.exe | xcopy.exe
PID 2400 wrote to memory of 2304 | 2400 | cmd.exe | xcopy.exe
PID 2800 wrote to memory of 2040 | 2800 | MsiExec.exe | wevtutil.exe
PID 2800 wrote to memory of 2040 | 2800 | MsiExec.exe | wevtutil.exe
PID 2800 wrote to memory of 2040 | 2800 | MsiExec.exe | wevtutil.exe
PID 2040 wrote to memory of 2196 | 2040 | wevtutil.exe | wevtutil.exe
PID 2040 wrote to memory of 2196 | 2040 | wevtutil.exe | wevtutil.exe
PID 4164 wrote to memory of 4588 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4588 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 2148 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 2148 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4104 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4104 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4864 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4864 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4864 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 3832 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 3832 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 2416 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 2416 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 344 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 344 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4876 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4876 | 4164 | msiexec.exe | MsiExec.exe
PID 4164 wrote to memory of 4872 | 4164 | msiexec.exe | MSI20E8.tmp
PID 4164 wrote to memory of 4872 | 4164 | msiexec.exe | MSI20E8.tmp
PID 4164 wrote to memory of 4872 | 4164 | msiexec.exe | MSI20E8.tmp
PID 4872 wrote to memory of 4564 | 4872 | MSI20E8.tmp | PSSetupClientInstaller.exe
PID 4872 wrote to memory of 4564 | 4872 | MSI20E8.tmp | PSSetupClientInstaller.exe
PID 4872 wrote to memory of 4564 | 4872 | MSI20E8.tmp | PSSetupClientInstaller.exe
PID 4564 wrote to memory of 4384 | 4564 | PSSetupClientInstaller.exe | PulseSetupClient.exe
PID 4564 wrote to memory of 4384 | 4564 | PSSetupClientInstaller.exe | PulseSetupClient.exe
PID 4564 wrote to memory of 4384 | 4564 | PSSetupClientInstaller.exe | PulseSetupClient.exe
PID 4384 wrote to memory of 932 | 4384 | PulseSetupClient.exe | PulseSetupClientOCX.exe
PID 4384 wrote to memory of 932 | 4384 | PulseSetupClient.exe | PulseSetupClientOCX.exe
PID 4384 wrote to memory of 932 | 4384 | PulseSetupClient.exe | PulseSetupClientOCX.exe
Processes
-
Image: C:\Windows\system32\msiexec.exe (tree depth 1)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PulseSecure.x64.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
Image: C:\Windows\system32\msiexec.exe (tree depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\srtasks.exe (tree depth 2)
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
Image: C:\Windows\syswow64\MsiExec.exe (tree depth 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 899233030C5A7A60AE461828A6A149ED
- Loads dropped DLL
-
Image: C:\Windows\System32\MsiExec.exe (tree depth 2)
Command line: C:\Windows\System32\MsiExec.exe -Embedding DBB176194EB4BC1023A71506FB2D0678
- Loads dropped DLL
-
Image: C:\Windows\syswow64\MsiExec.exe (tree depth 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding EDAEBDA37523AB2378CBC9EC16612A7F E Global\MSI0000
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\icacls.exe (tree depth 3)
Command line: C:\Windows\system32\icacls.exe "C:\ProgramData\Pulse Secure" /T /C /RESET
- Modifies file permissions
-
Image: C:\Windows\SysWOW64\wevtutil.exe (tree depth 3)
Command line: "wevtutil.exe" im "C:\Program Files (x86)\Pulse Secure\Pulse\AllEvents.man"
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\System32\wevtutil.exe (tree depth 4)
Command line: "wevtutil.exe" im "C:\Program Files (x86)\Pulse Secure\Pulse\AllEvents.man" /fromwow64
-
Image: C:\Windows\SYSTEM32\netcfg.exe (tree depth 3)
Command line: netcfg -v -b jnprna
-
Image: C:\Windows\SYSTEM32\netcfg.exe (tree depth 3)
Command line: netcfg -v -s n
-
Image: C:\Windows\SYSTEM32\netcfg.exe (tree depth 3)
Command line: netcfg -v -s a
-
Image: C:\Windows\Installer\MSI6F1C.tmp (tree depth 2)
Command line: "C:\Windows\Installer\MSI6F1C.tmp" /Stop /ProcessName pulse.exe /FilePathToRun "C:\Program Files (x86)\Common Files\Juniper Networks\JamUI\pulse.exe" /CLIArgsForProcess -stop
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
Image: C:\Windows\System32\MsiExec.exe (tree depth 2)
Command line: C:\Windows\System32\MsiExec.exe -Embedding 137A9AB0EBD6D23E39EA9769388BBA3B E Global\MSI0000
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
Image: C:\Windows\system32\cmd.exe (tree depth 2)
Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Pulse Secure\VC142.CRT\copyCRT.bat" 1 "C:\Program Files (x86)\Pulse Secure\VC142.CRT\" "C:\Windows\SysWOW64\" "pnp.bat" >> C:\Users\Admin\AppData\Local\Temp\psinstall.log"
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\xcopy.exe (tree depth 3)
Command line: XCOPY "C:\Program Files (x86)\Pulse Secure\VC142.CRT\pnp.bat" "C:\Windows\SysWOW64\" /Q /H /R /Y
- Drops file in Windows directory
-
Image: C:\Windows\System32\MsiExec.exe (tree depth 2)
Command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureServicePS64.dll"
- Loads dropped DLL
- Modifies registry class
-
Image: C:\Windows\System32\MsiExec.exe (tree depth 2)
Command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\uiPromptPluginPS64.dll"
- Loads dropped DLL
- Modifies registry class
-
Image: C:\Windows\System32\MsiExec.exe (tree depth 2)
Command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\uiModelServicePS64.dll"
- Loads dropped DLL
- Modifies registry class
-
Image: C:\Windows\syswow64\MsiExec.exe (tree depth 2)
Command line: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamSSOCredProv.dll"
- Loads dropped DLL
-
Image: C:\Windows\System32\MsiExec.exe (tree depth 2)
Command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamSSOCredProv64.dll"
- Loads dropped DLL
- Modifies registry class
-
Image: C:\Windows\System32\MsiExec.exe (tree depth 2)
Command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\Integration\IntegrationAccessMethodPS64.dll"
- Loads dropped DLL
- Modifies registry class
-
Image: C:\Windows\System32\MsiExec.exe (tree depth 2)
Command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\8021xAccessMethod\8021xAccessMethodPS64.dll"
- Loads dropped DLL
- Modifies registry class
-
Image: C:\Windows\System32\MsiExec.exe (tree depth 2)
Command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\8021xAccessMethod\JNPRTtlsProvider.dll"
- Loads dropped DLL
-
Image: C:\Windows\Installer\MSI20E8.tmp (tree depth 2)
Command line: "C:\Windows\Installer\MSI20E8.tmp" /Run /ProcessName explorer.exe /FilePathToRun "C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe" /CLIArgsForProcess /S
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Image: C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe (tree depth 3)
Command line: "C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe" /S
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe (tree depth 4)
Command line: "C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe" -install
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Image: C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe (tree depth 5)
Command line: "C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
Image: C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe (tree depth 5)
Command line: "C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
Image: C:\Windows\system32\regsvr32.exe (tree depth 6)
Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\Downloaded Program Files\PulseSetupClient64.ocx"
- Loads dropped DLL
- Modifies registry class
-
Image: C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamcommand.exe (tree depth 2)
Command line: "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamcommand.exe" -tray
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
Image: C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe (tree depth 3)
Command line: "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe" -tray
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
Image: C:\Windows\system32\vssvc.exe (tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
- Checks SCSI registry key(s)
-
Image: C:\Windows\system32\svchost.exe (tree depth 1)
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\DrvInst.exe (tree depth 2)
Command line: DrvInst.exe "4" "1" "C:\Windows\system32\DRVSTORE\jnprns_260C6334D987C71B41EC39304CE4AE75D6794E54\jnprns.inf" "9" "4643d6d13" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Windows\system32\DRVSTORE\jnprns_260C6334D987C71B41EC39304CE4AE75D6794E54"
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
Image: C:\Windows\system32\DrvInst.exe (tree depth 2)
Command line: DrvInst.exe "4" "1" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprva\jnprva.inf" "9" "44586aa07" "000000000000016C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprva"
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
Image: C:\Windows\system32\DrvInst.exe (tree depth 2)
Command line: DrvInst.exe "4" "1" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprvamgr\jnprvamgr.inf" "9" "49e869bf7" "0000000000000168" "WinSta0\Default" "0000000000000100" "208" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprvamgr"
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
Image: C:\Windows\system32\DrvInst.exe (tree depth 2)
Command line: DrvInst.exe "2" "211" "ROOT\JNPRVAMGR\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:2b880b3aaa1342d2:JnprVaMgr_Device:9.1.11.6235:jnprvamgr," "4fbf82383" "0000000000000168"
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
Image: C:\Windows\System32\svchost.exe (tree depth 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
- Modifies data under HKEY_USERS
-
Image: C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe (tree depth 1)
Command line: "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
-
Image: C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe (tree depth 2)
Command line: C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe /host HostCheckerService
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
-
Image: C:\Windows\System32\svchost.exe (tree depth 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Eaphost
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~2\COMMON~1\JUNIPE~1\JNPRNA\Drivers\jnprva\jnprva.cat
Filesize: 9KB
MD5: 1fdfdd5815f595b8d97ba80eb6473c91
SHA1: abebdbe347fe8817f8a9631c19d38f123ed37592
SHA256: 0d797ee30e07cc0ed90e92df2aa451c3edcb6dbf1179e013feae67cc5d70343e
SHA512: 9364539a9055490fd8889ad687c05491baa3ddabf370d93889c5978b5ba3d6a4e38a1e534eb94f083d4d22fc421f0cafc70e755c188737bdab7f469b7c4c9a89
-
C:\PROGRA~2\COMMON~1\JUNIPE~1\JNPRNA\Drivers\jnprva\jnprva.sys
Filesize: 72KB
MD5: 6af27b10861e98fa0addd6ed5d10f8c5
SHA1: f8293d562fbf7a560d533d1e18f0ac56405d41e7
SHA256: aeea7c1c2a06a8d739651b073b26007da7c352260585e109028fffaaf3c34de0
SHA512: 720bcfe5e28511ade7bc4fc0dacefa1290a401bbbf7399d097dc3d03ae62e6ab56dd8f72068ae0a934993c049f48dd1b80fabb792b87434e51c5e93c368643db
-
C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.cat
Filesize: 8KB
MD5: 10a4f5e080cc472035f4fe44f671f381
SHA1: 260c6334d987c71b41ec39304ce4ae75d6794e54
SHA256: a011a0f7907469b473801f7bfa24501d24fbd2a62f61c83a0c46e4c0a6b70911
SHA512: c441d0c81f8dce9bbf6ec705ff3cea080bb365df3fb62233ef4324073454ed711ab6e8bfc89d58b614c9d569c14400725186b74448d6f10b5f407b97b8442e7d
-
C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.inf
Filesize: 3KB
MD5: 59f3bffb290ea8c28da403fc633de069
SHA1: 6c7646767e20fdb9c200f265b91f4bcd15c68cec
SHA256: 4865617857833229e4e42c861abc2b616d0c2b12b080880936762232df469a4b
SHA512: 36c3928fda949a75c4fe9ed9f81ac816985d1948a0d3df319dc2252434088c1b4c97eab225c22f65022ee4f9a29b1813be27d3c8267da66b3d2b54e4c8f435bb
-
C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.sys
Filesize: 495KB
MD5: 6d15d02704d1947a3bbb9638d0001593
SHA1: d60de16e970a363653f4a7b1eb2b5db13bd18383
SHA256: fcfdc26b2fc5dbe1e56cd8d707f3ab1655df1f1c43511ec48d6d563146cb5dc0
SHA512: a46a52c8ec5376643df8a227f18427c385b63f5504d629188afdb2d216d8305b94ef3cee5351235386de68ecd450a656db5c9687f670bb5bb28dfff31a2848ff
-
C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprva\jnprva.inf
Filesize: 3KB
MD5: 7e92b226a1ff75f5b3f8523df2dd0b1b
SHA1: 5d204e9eb26c7857b75cb837006a9b4eb901b79b
SHA256: 5c59527c9ee43cd201282edba90ecce3af28653962800a4d6d2cf40dfd5b295a
SHA512: fa06819c5c122bca5fc78d1609359e2e3bda5b23648975993c00bbb995fddf235993dec3c2f7e5c71e258a63076ab67aa2517e8da088dd4d76fa7b92512222f8
-
C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprvamgr\jnprvamgr.inf
Filesize: 2KB
MD5: cdce8d87e76ab195443a08252d3fc807
SHA1: 1329dcf816971d26b0496276b3fdd4b4141da255
SHA256: 74dcf667f9f9fb6fcdfbe02f3e678769f0addb5da004734e79c04e94c1ca421c
SHA512: abe16681810a025669942a4d8ac47e00ba4c77724862b1d2bc0fd92bfbb2b7589b7e388627b51770386e358c31970fbf554f0731adedd93c9089e4d6763760a2
-
C:\Program Files (x86)\Common Files\Pulse Secure\PulseSAM\PulseSAM.sys
Filesize: 146KB
MD5: de563e8326794fe7b4c652869a5dba91
SHA1: a7490f7dbddb1403510283e9241620d4d016369b
SHA256: 9942835f5c4182840401b90ef226a4d4496fd93d724594f772d9186aabb1c406
SHA512: ca2be1c4cd41e63d2e172c492c4dc3e729eaf0fcfcdb23593c03844c0dc16bbba0215b94bf4c4e96e1fe3729701540f6305431db4762c3fb087227c5772880fe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize: 471B
MD5: 099f6c60c99bec55d1a1d404efdbf54e
SHA1: e08f2b845a9678e68abfbd75ab87abfe19082bb6
SHA256: 722b2a9e1e78c82ec7a2385f1014952cd93cabcf8fbfa24e0651786ce433f28b
SHA512: 63f7e096ff234c4811d2d92410edaa2a40cb44f6514c441915b8bbdebf1376643f711122f935823ae5d4fe0debf5a863b2014d54a74fa3eb8841d362286d2416
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_6F051139928C549506C1CA842E999B7F
Filesize: 471B
MD5: 3e65f096255c3143231a09fe5d94d6f3
SHA1: 16db405b059cfca6f21547ed06ff4912aa3aab6c
SHA256: bc9040afd0a9fadb57dbebb32dfcbd8c1486278fae6b06e86ec65a58fdb856f7
SHA512: ae26b34f0efbbb31b807b3bc7377d4ae2700a9c10ae1b06af93d37a2e5b05e43b3b097d607e06eefd7770fb8614bba7949e0f61aa629a301f661ce89a7d6c450
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize: 434B
MD5: 52555ead38f08ef81019f8f9bc1acc29
SHA1: 7e859756e4c9988f829ce2a34fc742df1faf6f8b
SHA256: 2891ddce651405a92a1b3ce008f3b2af943c9710df40d518f38fdf4c84976699
SHA512: 270f73d848ca9f15944c793735e87c3a2718669c9f1330ecf1878ade444384a9f7e4e689e465adaa8c6030795fe815fe5c11e29922c0c2fced56debb07dc40e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_6F051139928C549506C1CA842E999B7F
Filesize: 434B
MD5: 8dd51ba4d83f012bd9a794dfb6803d50
SHA1: 674692f7b56eb3cf061df479693d114990c281af
SHA256: 544e09008f231f1eecb4762f4dd515792fc04c4d8826d46a88efb59ea6ccf50e
SHA512: 2cd839fc8bc1d5d01c8db11ad578271f94d15c70d28030d56623d3f4afb95e289b2b82f11e8075c3043c016bb717b70fdf5a7c0888bbec23f42e973d394525d6
-
C:\Users\Public\Pulse Secure\Logging\debuglog.log
Filesize: 489B
MD5: a5e27f7a5cce645eb8276ab6bde64232
SHA1: f682327e38da24720da36bddf1c5c57bac68db85
SHA256: 3df4c9c009633e8c054edf0c4e74ffd8f0a3006b985c791da3162f747ac0e72b
SHA512: 7d7f7baa3ff3312594f17321cb6e9e92b05781ed00a93f02944256be88a71d70d7b4d953f5253872277e158e0baa245fb69057b737d4ac8e6ad47ecd02cb2a56
-
C:\Windows\INF\oem2.inf
Filesize: 3KB
MD5: 59f3bffb290ea8c28da403fc633de069
SHA1: 6c7646767e20fdb9c200f265b91f4bcd15c68cec
SHA256: 4865617857833229e4e42c861abc2b616d0c2b12b080880936762232df469a4b
SHA512: 36c3928fda949a75c4fe9ed9f81ac816985d1948a0d3df319dc2252434088c1b4c97eab225c22f65022ee4f9a29b1813be27d3c8267da66b3d2b54e4c8f435bb
-
C:\Windows\Installer\MSI307.tmp
Filesize: 690KB
MD5: 8deb7d2f91c7392925718b3ba0aade22
SHA1: fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256: cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512: 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c
-
C:\Windows\Installer\MSI5CC1.tmp
Filesize: 101KB
MD5: 99a04ab918dc90a034b35ab4a5e516ea
SHA1: 95b3208fffa56331b8b6374282515713b8d5ed00
SHA256: 760f4876c623c5f2893e1348206931378a43821f2c3a45561c7616aa33c384e7
SHA512: f07fceefb831a38b600fd03321f244c3b01951fb52ab2fffa76884f5b3de5a678093fa02bb724aed4c7a2ebbb0cdac58ac68e684b5fef2af20495a9f97bf7bda
-
C:\Windows\Installer\MSI615.tmp
Filesize: 690KB
MD5: 8deb7d2f91c7392925718b3ba0aade22
SHA1: fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256: cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512: 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c
-
C:\Windows\Installer\MSI628E.tmp
Filesize: 625KB
MD5: 17caf74e3a3dbeab40d4261528db647d
SHA1: f7ebf2d9cb83c72503f9a1149965b161151868d2
SHA256: 4b9c717847770ad4489220b00bd13347f552a1fa6bc6db06c29c0c1557b4e79c
SHA512: 8fcce22772d44645a8b77f0b2b4929a545d644729e7eecdb28350b65cce5967fb30ee2663fc0e8e53981d6af0ddc28622fd23af24ea8e281acaf3cbb51cac8cb
-
C:\Windows\Installer\MSI657E.tmp
Filesize: 168KB
MD5: a0962dd193b82c1946dc67e140ddf895
SHA1: 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256: b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512: 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751
-
C:\Windows\Installer\MSI65ED.tmp
Filesize: 261KB
MD5: 92297f7a0b78aa6dab28e23bb4562d71
SHA1: bb384155b0730962584cfd38571681a198e9bfa4
SHA256: b6eb47a4b67dec5a8fb749dc09c0ce78cf295d4d315609925f84a1d440af40c8
SHA512: 4a0a625c32666c9255651d2d20d71288078bf0821a1273d665e801e9efd1af4ead5b8771d2ebe6065d2230809115b1f1b59b9ae5900ccce879fde6dfcd476182
-
C:\Windows\Installer\MSI6BAB.tmp
Filesize: 149KB
MD5: 418322f7be2b68e88a93a048ac75a757
SHA1: 09739792ff1c30f73dacafbe503630615922b561
SHA256: ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b
SHA512: 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef
-
C:\Windows\Installer\MSI6C67.tmp
Filesize: 168KB
MD5: a0962dd193b82c1946dc67e140ddf895
SHA1: 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256: b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512: 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751
-
C:\Windows\Installer\MSI6C97.tmp
Filesize: 261KB
MD5: 92297f7a0b78aa6dab28e23bb4562d71
SHA1: bb384155b0730962584cfd38571681a198e9bfa4
SHA256: b6eb47a4b67dec5a8fb749dc09c0ce78cf295d4d315609925f84a1d440af40c8
SHA512: 4a0a625c32666c9255651d2d20d71288078bf0821a1273d665e801e9efd1af4ead5b8771d2ebe6065d2230809115b1f1b59b9ae5900ccce879fde6dfcd476182
-
C:\Windows\Installer\MSI6D73.tmp
Filesize: 168KB
MD5: a0962dd193b82c1946dc67e140ddf895
SHA1: 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256: b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512: 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751
-
C:\Windows\Installer\MSI6DA3.tmp
Filesize: 168KB
MD5: a0962dd193b82c1946dc67e140ddf895
SHA1: 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256: b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512: 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751
-
C:\Windows\Installer\MSI6E40.tmp
Filesize: 625KB
MD5: 17caf74e3a3dbeab40d4261528db647d
SHA1: f7ebf2d9cb83c72503f9a1149965b161151868d2
SHA256: 4b9c717847770ad4489220b00bd13347f552a1fa6bc6db06c29c0c1557b4e79c
SHA512: 8fcce22772d44645a8b77f0b2b4929a545d644729e7eecdb28350b65cce5967fb30ee2663fc0e8e53981d6af0ddc28622fd23af24ea8e281acaf3cbb51cac8cb
-
C:\Windows\Installer\MSI6F1C.tmp
Filesize: 1.0MB
MD5: 777cc1449acdb75d210f822e4e1d39dc
SHA1: 5fa94e7b649c76941bb3bbfee028724a5fabd81b
SHA256: dc890fa6eb386773bf781a7bb2ec80432f11c0d51c8a2eda7db1969cb5226b67
SHA512: aa3880b05674702c490cd540366d76a8950d60a83c7f43b530f9be0dbd8a722951ff44082e0091d9f24f773e2a053899d05d2d3afe17f9724a0b27bf040dbb53
-
C:\Windows\Installer\MSI7631.tmp
Filesize: 412KB
MD5: ee952864088f8fed9062ad44fd319a57
SHA1: f2ce7b232b458b2640f2a8d2d96433b3bfd1cfdd
SHA256: 593890f7191a73feb179575a6d2d284451a586564e06e71fb8f04316ec460494
SHA512: 566227c0956cf790acd1a73c83b49437e9af8945615c34c21f404e10d991c1d821196315c8d3b8a111b868e77313cb4a96701bb963a4bf6e438e68ea16d9f00a
-
C:\Windows\Installer\MSI769F.tmp
Filesize: 412KB
MD5: ee952864088f8fed9062ad44fd319a57
SHA1: f2ce7b232b458b2640f2a8d2d96433b3bfd1cfdd
SHA256: 593890f7191a73feb179575a6d2d284451a586564e06e71fb8f04316ec460494
SHA512: 566227c0956cf790acd1a73c83b49437e9af8945615c34c21f404e10d991c1d821196315c8d3b8a111b868e77313cb4a96701bb963a4bf6e438e68ea16d9f00a
-
C:\Windows\Installer\MSI9312.tmp
Filesize: 211KB
MD5: d9a9529176e4efa3dba832b33b06c973
SHA1: 3cb38e60af954a72d3592e455d4a5389485ef339
SHA256: 5b9e09603a4dab1d5d0b5b89ab6048226ab943979b7e5d99bb6357a61b1f5110
SHA512: df5fc26634eb352308e85d6a19df9b74bd9713ef254945719da9dbe9a4af6cdbe4be08731d6e8df3baaa690b26d865b0e6b335e71adfbc88c13440de5926610e
-
C:\Windows\Installer\MSI9370.tmp
Filesize: 80KB
MD5: 72c7e3ef754d7b30d03f688556f49d0e
SHA1: 899f9145368d2658636c5545414f2e84ccde41fd
SHA256: 96cf36410228a543ca3f28005e2d55ac2435488d660a79b1a0b4d08253e3d1a9
SHA512: b799dc8bc8cc7f410e773fe4e91fae4e139f0fdc25fd83387cb3526e82a5138cefc0c227f5d475f4a970e9c8a84715d61b84d1a6fbd166f259590cd889afcebe
-
C:\Windows\Installer\MSIF70D.tmp
Filesize: 80KB
MD5: 72c7e3ef754d7b30d03f688556f49d0e
SHA1: 899f9145368d2658636c5545414f2e84ccde41fd
SHA256: 96cf36410228a543ca3f28005e2d55ac2435488d660a79b1a0b4d08253e3d1a9
SHA512: b799dc8bc8cc7f410e773fe4e91fae4e139f0fdc25fd83387cb3526e82a5138cefc0c227f5d475f4a970e9c8a84715d61b84d1a6fbd166f259590cd889afcebe
-
C:\Windows\Installer\MSIF74D.tmp
Filesize: 80KB
MD5: 72c7e3ef754d7b30d03f688556f49d0e
SHA1: 899f9145368d2658636c5545414f2e84ccde41fd
SHA256: 96cf36410228a543ca3f28005e2d55ac2435488d660a79b1a0b4d08253e3d1a9
SHA512: b799dc8bc8cc7f410e773fe4e91fae4e139f0fdc25fd83387cb3526e82a5138cefc0c227f5d475f4a970e9c8a84715d61b84d1a6fbd166f259590cd889afcebe
-
C:\Windows\Installer\MSIF838.tmp
Filesize: 690KB
MD5: 8deb7d2f91c7392925718b3ba0aade22
SHA1: fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256: cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512: 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c
-
C:\Windows\System32\CatRoot2\dberr.txt
Filesize: 146KB
MD5: 9801855699abaab75e43e8984d4ac233
SHA1: 236f9b8fb5d077476e68ed1bcac6441ed7feae98
SHA256: 359fcc825cd1ee2f579fae922669d2f90862f9cc8dff9ce26549cc4047685eb2
SHA512: 73d202860c6c42ff0f5bc1f1580238c9acf1dbe3e6025ebf6c756962ad943cc76ce71adb11ec97cbc5ecec22695cc825575d6f1e3604227a0bcff980898ea370
-
C:\Windows\System32\CatRoot2\dberr.txt
Filesize: 146KB
MD5: 140b88c3e77b6c4306cc25dcd2b722b6
SHA1: 4a74cb46868dee87b8ee6ffb6674e799ae9a3dd7
SHA256: 01af27ef2157fba5fef0e3487f736b729404e619e80960cd53d3762e60dcafcd
SHA512: 2842f0ee2d3badcf37c49e6ef63f6e032354ab9036bffe8a01610577d661854c27f07970ab92e3d7dbb44f1cfe6b9e1846756087720b7955a9247e5b483db22c
-
C:\Windows\System32\DriverStore\FileRepository\jnprns.inf_amd64_9fc29f3268c7ae2e\jnprns.inf
Filesize: 3KB
MD5: 59f3bffb290ea8c28da403fc633de069
SHA1: 6c7646767e20fdb9c200f265b91f4bcd15c68cec
SHA256: 4865617857833229e4e42c861abc2b616d0c2b12b080880936762232df469a4b
SHA512: 36c3928fda949a75c4fe9ed9f81ac816985d1948a0d3df319dc2252434088c1b4c97eab225c22f65022ee4f9a29b1813be27d3c8267da66b3d2b54e4c8f435bb
-
C:\Windows\System32\DriverStore\FileRepository\jnprva.inf_amd64_2d3776125086d638\jnprva.cat
Filesize: 9KB
MD5: 1fdfdd5815f595b8d97ba80eb6473c91
SHA1: abebdbe347fe8817f8a9631c19d38f123ed37592
SHA256: 0d797ee30e07cc0ed90e92df2aa451c3edcb6dbf1179e013feae67cc5d70343e
SHA512: 9364539a9055490fd8889ad687c05491baa3ddabf370d93889c5978b5ba3d6a4e38a1e534eb94f083d4d22fc421f0cafc70e755c188737bdab7f469b7c4c9a89
-
C:\Windows\System32\DriverStore\FileRepository\jnprva.inf_amd64_2d3776125086d638\jnprva.infFilesize
3KB
MD57e92b226a1ff75f5b3f8523df2dd0b1b
SHA15d204e9eb26c7857b75cb837006a9b4eb901b79b
SHA2565c59527c9ee43cd201282edba90ecce3af28653962800a4d6d2cf40dfd5b295a
SHA512fa06819c5c122bca5fc78d1609359e2e3bda5b23648975993c00bbb995fddf235993dec3c2f7e5c71e258a63076ab67aa2517e8da088dd4d76fa7b92512222f8
-
C:\Windows\system32\DRVSTORE\JNPRNS~1\jnprns.catFilesize
8KB
MD510a4f5e080cc472035f4fe44f671f381
SHA1260c6334d987c71b41ec39304ce4ae75d6794e54
SHA256a011a0f7907469b473801f7bfa24501d24fbd2a62f61c83a0c46e4c0a6b70911
SHA512c441d0c81f8dce9bbf6ec705ff3cea080bb365df3fb62233ef4324073454ed711ab6e8bfc89d58b614c9d569c14400725186b74448d6f10b5f407b97b8442e7d
-
C:\Windows\system32\DRVSTORE\JNPRNS~1\jnprns.sysFilesize
495KB
MD56d15d02704d1947a3bbb9638d0001593
SHA1d60de16e970a363653f4a7b1eb2b5db13bd18383
SHA256fcfdc26b2fc5dbe1e56cd8d707f3ab1655df1f1c43511ec48d6d563146cb5dc0
SHA512a46a52c8ec5376643df8a227f18427c385b63f5504d629188afdb2d216d8305b94ef3cee5351235386de68ecd450a656db5c9687f670bb5bb28dfff31a2848ff
-
C:\Windows\system32\DRVSTORE\jnprns_260C6334D987C71B41EC39304CE4AE75D6794E54\jnprns.infFilesize
3KB
MD559f3bffb290ea8c28da403fc633de069
SHA16c7646767e20fdb9c200f265b91f4bcd15c68cec
SHA2564865617857833229e4e42c861abc2b616d0c2b12b080880936762232df469a4b
SHA51236c3928fda949a75c4fe9ed9f81ac816985d1948a0d3df319dc2252434088c1b4c97eab225c22f65022ee4f9a29b1813be27d3c8267da66b3d2b54e4c8f435bb
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
21.4MB
MD5915e0d0f044116144e7f450963a36d12
SHA17c6c6c9a966234ae5040a94096df67d79df1ef96
SHA25604eb763613a8681b60f3f9e1e988bb86ee59711a59da343178cfe2aca39c5f79
SHA5128aa7a62e9380749855ceb126adb37f0f01aef537486fe39ac50e54ad56638d009338840e4b0e3a1198117d0181744c248a4949f6edec20b9a6ff137b184487df
-
\??\Volume{604b117b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a5feaab6-ff9c-4225-9fa4-9d555a01a2bc}_OnDiskSnapshotPropFilesize
5KB
MD5895047ef52516aa0aac133674ebc4ead
SHA1cd563afe3a332641a7800748d50408a76bb31b2c
SHA2560a5747c1cb5b33926f2334cd8df4f36717713c8ca218bc15d1207ad40de69d1c
SHA5125bba02d04cc79d86be58aa7f9fb9998d303fc8f988d6e97dc1b7959c0bc3d501f62ae52c3d5da2033e276d5fe61c8acaaab5a28a9e99d103bda043e605def40c
-
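The dropped-file records above are the part of this report an analyst actually reuses: the digests go into a blocklist or a detection rule, and a suspect host is checked against them. The raw export lists each record as a path with "Filesize" fused onto it, a rounded size, and four lines of the form "MD5<hex>", "SHA1<hex>", "SHA256<hex>", "SHA512<hex>", with "-" between records, which is awkward to grep. The following is an added example, not tooling from the sandbox or from Pulse Secure: it parses that raw layout into structured records, drops verbatim duplicates, and compares a file's digests against a record. The embedded sample is constructed here from the first MSIF838.tmp record (listed twice, exactly as the export shows it) plus a made-up zero-byte file whose digests are the well-known empty-input values; the sizes in the export are rounded, so only digests are compared, and the size helper is for display only.

```python
"""Parse sandbox dropped-file records and verify files against them.
Added example; the report layout it parses is the raw export shown on
this page, the sample text below is constructed for the example."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Digest prefix -> expected hex length, as the records label them.
DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
SIZE_LINE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
HASHERS = {"md5": hashlib.md5, "sha1": hashlib.sha1,
           "sha256": hashlib.sha256, "sha512": hashlib.sha512}

# Constructed sample: the report's first record, its verbatim duplicate,
# and a made-up empty file (digests are the standard empty-input values).
SAMPLE_REPORT = r"""
C:\Windows\Installer\MSIF838.tmpFilesize
690KB
MD58deb7d2f91c7392925718b3ba0aade22
SHA1fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA51237f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c
-
C:\Windows\Installer\MSIF838.tmpFilesize
690KB
MD58deb7d2f91c7392925718b3ba0aade22
SHA1fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA51237f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c
-
C:\Temp\constructed-empty.binFilesize
0B
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
"""


@dataclass
class DroppedFile:
    path: str
    size: str                      # rounded, as printed by the sandbox
    hashes: Dict[str, str] = field(default_factory=dict)  # algo -> hex


def size_to_bytes(size: str) -> int:
    """Approximate byte count from a rounded size such as '21.4MB'."""
    m = SIZE_LINE.match(size.strip())
    if not m:
        raise ValueError(f"unrecognised size: {size!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_report(text: str) -> List[DroppedFile]:
    """Records: '<path>Filesize', size, four 'ALGO<hex>' lines, then '-'."""
    records: List[DroppedFile] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                       # record separator
            if current is not None:
                records.append(current)
                current = None
        elif line.endswith("Filesize"):       # path with the label fused on
            current = DroppedFile(path=line[:-len("Filesize")], size="")
        elif current is None:
            continue                          # text outside any record
        elif not current.size:
            current.size = line
        else:
            m = HASH_LINE.match(line)
            if not m:
                raise ValueError(f"unexpected line in {current.path}: {line!r}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length in {current.path}")
            current.hashes[algo.lower()] = digest
    if current is not None:
        records.append(current)
    return records


def dedupe(records: Iterable[DroppedFile]) -> List[DroppedFile]:
    """Drop verbatim repeats (same path and SHA-256), keeping order."""
    seen, out = set(), []
    for r in records:
        key = (r.path.lower(), r.hashes.get("sha256"))
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {name: h(data).hexdigest() for name, h in HASHERS.items()}


def verify_bytes(data: bytes, record: DroppedFile) -> List[Tuple[str, str, str]]:
    """Return (algo, expected, actual) for every digest that disagrees."""
    actual = hash_bytes(data)
    return [(a, exp, actual[a]) for a, exp in sorted(record.hashes.items())
            if actual[a] != exp]


def verify_file(path: str, record: DroppedFile) -> List[Tuple[str, str, str]]:
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), record)


if __name__ == "__main__":
    for rec in dedupe(parse_report(SAMPLE_REPORT)):
        print(f"{rec.path}  ~{size_to_bytes(rec.size)} bytes  sha256={rec.hashes['sha256']}")
```

To check a collected sample, index the deduplicated records by SHA-256 and call `verify_file` on the local copy; an empty list means every listed digest matched. Duplicated records such as the repeated MSIF838.tmp entry are harmless to the lookup but inflate IoC counts, which is why they are collapsed before use.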
memory/344-209-0x0000000000000000-mapping.dmp
-
memory/460-217-0x0000000000000000-mapping.dmp
-
memory/744-222-0x0000000000000000-mapping.dmp
-
memory/932-214-0x0000000000000000-mapping.dmp
-
memory/1936-166-0x0000000000000000-mapping.dmp
-
memory/2040-201-0x0000000000000000-mapping.dmp
-
memory/2148-204-0x0000000000000000-mapping.dmp
-
memory/2180-187-0x0000000000000000-mapping.dmp
-
memory/2196-202-0x0000000000000000-mapping.dmp
-
memory/2284-215-0x0000000000000000-mapping.dmp
-
memory/2304-200-0x0000000000000000-mapping.dmp
-
memory/2392-218-0x0000000000000000-mapping.dmp
-
memory/2400-199-0x0000000000000000-mapping.dmp
-
memory/2404-159-0x0000000000000000-mapping.dmp
-
memory/2416-208-0x0000000000000000-mapping.dmp
-
memory/2712-216-0x0000000000000000-mapping.dmp
-
memory/2800-149-0x0000000000000000-mapping.dmp
-
memory/3136-219-0x0000000000000000-mapping.dmp
-
memory/3368-124-0x0000000000000000-mapping.dmp
-
memory/3656-221-0x0000000000000000-mapping.dmp
-
memory/3832-207-0x0000000000000000-mapping.dmp
-
memory/4104-205-0x0000000000000000-mapping.dmp
-
memory/4316-198-0x0000000000000000-mapping.dmp
-
memory/4336-178-0x0000000000000000-mapping.dmp
-
memory/4384-213-0x0000000000000000-mapping.dmp
-
memory/4388-129-0x0000000000000000-mapping.dmp
-
memory/4440-138-0x0000000000000000-mapping.dmp
-
memory/4552-152-0x0000000000000000-mapping.dmp
-
memory/4564-212-0x0000000000000000-mapping.dmp
-
memory/4588-203-0x0000000000000000-mapping.dmp
-
memory/4728-220-0x0000000000000000-mapping.dmp
-
memory/4864-206-0x0000000000000000-mapping.dmp
-
memory/4872-211-0x0000000000000000-mapping.dmp
-
memory/4876-210-0x0000000000000000-mapping.dmp
-
memory/4888-197-0x0000000000000000-mapping.dmp