Analysis Overview
SHA256: 78be59991f40ec589c204bb1c879aaaceee6e5ce108876558db65f207705881e
Threat Level: Known bad
The file PulseSecure.x64.msi was found to be: Known bad.
Malicious Activity Summary
Registers COM server for autorun
Egregor Ransomware
Detected Egregor ransomware
Executes dropped EXE
Drops file in Drivers directory
Blocklisted process makes network request
Modifies file permissions
Loads dropped DLL
Checks computer location settings
Checks installed software on the system
Enumerates connected drives
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-04-05 14:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-04-05 14:06
Reported: 2022-04-05 14:11
Platform: win10v2004-20220331-en
Max time kernel: 268s
Max time network: 274s
Command Line
Signatures
Detected Egregor ransomware
Egregor Ransomware
Registers COM server for autorun
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\Drivers\PulseSAM.sys | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Windows\system32\DRIVERS\SET1CB.tmp | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\jnprns.sys | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\SET824.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\drivers\SET824.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\Drivers\PulseSAM.sys | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\jnprvamgr.sys | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\system32\Drivers\jnprTdi_9111_9451.sys | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRIVERS\SET1CB.tmp | C:\Windows\System32\MsiExec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Installer\MSI6F1C.tmp | N/A |
| N/A | N/A | C:\Windows\Installer\MSI20E8.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamcommand.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PulseSecure = "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\Pulse.exe -tray" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495} | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netvchannel.inf_amd64_ba3e73aa330c95d6\netvchannel.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\netax88772.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\jnprns.inf_amd64_9fc29f3268c7ae2e\jnprns.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\bthpan.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\jnprvamgr.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAA8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\netwew01.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\msdri.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbncm.inf_amd64_9957a38c3d2283ed\usbncm.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\jnprva.inf_amd64_2d3776125086d638\jnprva.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\SET6CE.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_3294fc34256dbb0e\dc21x4vm.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\wceisvista.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlanu.inf_amd64_1815bafd14dc59f0\netrtwlanu.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAA7.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\SET6CE.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_8d5ca5ab1472fc44\netl1e64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_5aa81644af5957b3\msux64w10.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAD8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\net7800-x64-n650f.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_dba6eeaf0544a4e0\netwmbclass.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_9a5b429abc465278\wnetvsc.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a958ace3-883e-fe44-b2d3-2dc500bf3ab0}\SET3D0.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{a958ace3-883e-fe44-b2d3-2dc500bf3ab0}\jnprva.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\netax88179_178a.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a\netvwifimp.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\DRVSTORE | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAD8.tmp | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net7500-x64-n650f.inf_amd64_cc87c915f33d1c27\net7500-x64-n650f.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_97cd1a72c2a7829c\netrtwlans.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\jnprvamgr.cat | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\jnprvamgr.inf_amd64_a6b97483d4e0add9\jnprvamgr.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\usbnet.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netwbw02.inf_amd64_1c4077fa004e73b4\netwbw02.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_f6f0831ba09dd9f5\netavpna.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\rtux64w10.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\net8192se64.PNF | C:\Windows\System32\MsiExec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\print.css | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-solve-connection-issue.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-remediation-info-viewing.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\access-control-connect-client-view-properties.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\g033413.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\notecaution.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033408.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033409.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\notewarning-laser.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\vpnAccessMethod\MessageCatalogVpnAM_KO.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-suspending.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-log-file-saving.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\g033408.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\container-book.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\g033413.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\bestpractice.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\access-control-connect-client-extend.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033423.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\help.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-accessibility-features.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-configuration-overview.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\print.css | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\PulseSAM\pulseWFPInst.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\access-control-connect-client-extend.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-window-resizing.html | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Pulse Secure\Connection Manager\versionInfo.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\access-control-connect-client-jtac-contacting.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\plus.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\container.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\tip.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.inf | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\g033408.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\g033405.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\g033410.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-version-viewing.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\eapService\MessageCatalogEapAM_JA.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\access-control-connect-client-meeting-joining.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Pulse Secure\Pulse\PulseHelper.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Pulse Secure\ConnectionStore\versionInfo.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\g033422.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\access-control-connect-client-meeting-joining.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\access-control-connect-client-forget-credentials.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-extend.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\blank.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\TNC Client Plugin\hcUtils.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\access-control-connect-client-meeting-joining.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\book-access-control-connect-client.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-smartcard-overview.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\access-control-connect-client-ui.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseResource_ZH.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\access-control-delete-client-connection-status.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\IT\access-control-connect-client-adding.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\g033468.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\Integration\MessageCatalogIntegrationAM_KO.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\g033405.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\standard.css | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033400.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\access-control-connect-client-window-resizing.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\access-control-connect-client-disconnect.html | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\bestpractice.gif | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\eapService\MessageCatalogEapAM_ZH-CN.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\book-utils.js | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\access-control-connect-client-tray-icon.html | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Pulse Secure\TNC Client Plugin\versionInfo.ini | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI9312.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF838.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\PulseSetupClient64.inf | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe | N/A |
| File opened for modification | C:\Windows\Downloaded Program Files\PulseSetupClient64.ocx | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6C97.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI769F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem2.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI307.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI657E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\INF\oem4.PNF | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI307D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI31B8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6D73.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF70D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\wix{DF894007-8BB3-42E4-83EA-5D05969C2517}.SchedServiceConfig.rmi | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI28D9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5CC1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{DF894007-8BB3-42E4-83EA-5D05969C2517} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI180A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2C65.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI628E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7631.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64 | C:\Windows\system32\xcopy.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI615.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2C45.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI65ED.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6BAB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\PulseSetupClientCtrlUninstaller.exe | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\PulseExt64.exe | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3139.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9370.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI20E8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAAB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\PulseSetupClient.inf | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\PulseSetupClient.ocx | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| File opened for modification | C:\Windows\Installer\e585a02.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Downloaded Program Files\install.log | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\PulseExt.exe | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2098.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI24B1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e585a04.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF74D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem2.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\inf\oem3.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\inf\oem4.inf | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Downloaded Program Files\install.log | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6E40.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6F1C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI315A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6C67.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI182A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\PulseSetupClientCtrlUninstaller64.exe | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9FE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\PulseSetupClient64.ocx | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\System32\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\DrvInst.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\MsiExec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom | C:\Windows\system32\DrvInst.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights | C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Pulse Secure\\Setup Client" | C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119}\Policy = "3" | C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Pulse.exe = "11000" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PulseSecureService.exe = "11000" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119} | C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119}\AppName = "PulseSetupClient.exe" | C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\SimAuth.dll,-1003 = "EAP-AKA'" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%windir%\system32\drivers\netbios.sys,-501 = "NetBIOS Interface" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\drivers\mslldp.sys,-211 = "Microsoft LLDP Protocol Driver" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\wkssvc.dll,-1010 = "Client for Microsoft Networks" | C:\Windows\System32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A407658-288A-48A9-86E4-59FE723BF6DF}\NumMethods\ = "12" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dsATLSetupCtrl64.PulseSetupClientCont | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081CB686-E56B-4C26-A0A9-E7A4A4ADC094} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91DD713B-801E-43B2-88D1-2C1CC7827936}\NumMethods\ = "47" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44090970-D42F-4B80-A44B-117AC24B7626}\ = "IUiModelService" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C0F1C9-6F7D-4401-A959-8111D5E9E973}\TypeLib\ = "{1FA1F2EF-0DCD-4228-8025-74CD7749C878}" | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\700498FD3BB84E2438AED55069C95271\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5669C0F7-C43F-4E79-AAA2-81C72067EA20} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1B8F498F-DB53-4B0C-85C0-D4E188DDDB02} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DFD0DE0A-B9FD-4F8B-83DB-ABEF6966313E} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05C0F1C9-6F7D-4401-A959-8111D5E9E973}\InProcServer32 | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C0F1C9-6F7D-4401-A959-8111D5E9E973}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24C9FAED-1510-4BE4-9D1A-FBD5F1DCD8F9}\ = "IPulseSetupClientControl" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FEE7FE9-F273-4D77-AE00-81D6F3FA0188}\ = "IDSAccessService" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{93DBDC46-C99C-4266-A871-9208213282A1}\ = "PSFactoryBuffer" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0686490E-1C1B-49BB-99C8-4159B0387278} | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E375A63-C616-46F1-AC77-59DF78F3A826}\ProgID\ = "dsATLSetupCtrl.PulseSetupClientCont.1" | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B284C66D-1D9E-4E4F-8E3D-98AE9D6E5F9A}\ = "IDSAccessServiceEvents" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FEB6927-4918-48BD-865C-6F576795547F}\ = "IJamUIPromptPlugin3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\dsATLSetupCtrl64.PulseSetupClientCo.1\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA1F2EF-0DCD-4228-8025-74CD7749C878} | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDF36C56-A2F1-452A-BD29-F4E43C987EF3}\1.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0686490E-1C1B-49BB-99C8-4159B0387278}\NumMethods\ = "8" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E60EAB20-C294-4757-8507-E14A72676EA9}\VersionIndependentProgID\ = "PulseSecureServicePS.DSAccessPluginMonitor" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\ = "IUiModelPreLogin" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B9CAC01-6732-40d0-8B8F-B5B340F9D44F}\ = "Pulse Secure SSO OneX Password Credential Provider Class" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{71A878AF-F1B7-49DB-B9E0-B5DAE00CDAA0}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{627CFA44-B791-4C6B-8E37-3E5D7C1727C7} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{673867FA-2CD8-495A-A22C-820A3800A9F5}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDDE791B-B8B5-4B20-A65E-17B38C537BC2}\ProxyStubClsid32\ = "{BDDE791B-B8B5-4B20-A65E-17B38C537BC2}" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\InProcServer32\ = "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\uiModelServicePS64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC5D8B78-4C89-43B3-83FA-E4D3000352A1}\ProxyStubClsid32\ = "{93DBDC46-C99C-4266-A871-9208213282A1}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B61004C8-7A80-4006-84E9-8499E4F123F8}\ProxyStubClsid32\ = "{C1FAF476-B9C2-4F01-A323-074F00A90EA1}" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61FE4786-084E-4598-8F16-30DED15B6125} | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5669C0F7-C43F-4E79-AAA2-81C72067EA20}\ = "IJamUIProvider2" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\NumMethods | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44090970-D42F-4B80-A44B-117AC24B7626} | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D169455C-DDBA-4288-8DB5-B182C6E4814C}\ = "IPulseObjectEvents" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E375A63-C616-46F1-AC77-59DF78F3A826}\ToolboxBitmap32\ = "C:\\Windows\\Downloaded Program Files\\PulseSetupClient.ocx, 102" | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{627CFA44-B791-4C6B-8E37-3E5D7C1727C7}\ProxyStubClsid32 | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{583C990C-2D38-410c-9A4A-0932D66A754F}\AppID = "{F0F68EE4-3331-424A-BED2-3B8E561275A5}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PulseSecureClient\shell\open\command\ = "\"C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\Pulse.exe\" %1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\ProxyStubClsid32 | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C43482F-6F8E-46D2-8FDC-DBE8B3FC9560} | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B208CF-EABD-4BE5-88C0-2ADBB0D75E84}\NumMethods\ = "49" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7C92C70A-46F0-4A41-ACA8-C4858AC07472}\ProxyStubClsid32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74D0078-6B9F-4928-BF49-163F885B1332}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EE8499B-5411-496A-92F5-B4E379F55FB7}\ = "ICloudAppVisibilityCallback" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA1F2EF-0DCD-4228-8025-74CD7749C878}\1.0\ = "PulseSetupClientATL 1.0 Type Library" | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1FAF476-B9C2-4F01-A323-074F00A90EA1}\ProxyStubClsid32\ = "{D169455C-DDBA-4288-8DB5-B182C6E4814C}" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E375A63-C616-46F1-AC77-59DF78F3A826}\ToolboxBitmap32 | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3884BCAA-C611-4e2d-9105-E11B1203294E}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\jamSSOCredProv64.dll" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D169455C-DDBA-4288-8DB5-B182C6E4814C} | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C1FAF476-B9C2-4F01-A323-074F00A90EA1} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F3404B-3474-470D-987D-BDAB0329EF46}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D169455C-DDBA-4288-8DB5-B182C6E4814C}\ProxyStubClsid32 | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24C9FAED-1510-4BE4-9D1A-FBD5F1DCD8F9}\TypeLib\Version = "1.0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61FE4786-084E-4598-8F16-30DED15B6125}\ = "IDSAccessPluginEvents" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D622A6A-24F5-4EF1-B5E9-5305B0626810}\NumMethods | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E60EAB20-C294-4757-8507-E14A72676EA9} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CBB168F-3886-49F7-8602-1B9769A7150C}\NumMethods\ = "4" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B051258-5990-46D6-855F-A764FE81A35B}\InprocServer32 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A915D786-7A01-445D-A37B-2751A66AA62D}\NumMethods\ = "20" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9C0A2DF-5D3F-448A-9F14-6903EAB54DD5} | C:\Windows\System32\MsiExec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Installer\MSI6F1C.tmp | N/A |
| N/A | N/A | C:\Windows\Installer\MSI20E8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamcommand.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PulseSecure.x64.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 899233030C5A7A60AE461828A6A149ED
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding DBB176194EB4BC1023A71506FB2D0678
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EDAEBDA37523AB2378CBC9EC16612A7F E Global\MSI0000
C:\Windows\Installer\MSI6F1C.tmp
"C:\Windows\Installer\MSI6F1C.tmp" /Stop /ProcessName pulse.exe /FilePathToRun "C:\Program Files (x86)\Common Files\Juniper Networks\JamUI\pulse.exe" /CLIArgsForProcess -stop
C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\ProgramData\Pulse Secure" /T /C /RESET
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 137A9AB0EBD6D23E39EA9769388BBA3B E Global\MSI0000
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Windows\system32\DRVSTORE\jnprns_260C6334D987C71B41EC39304CE4AE75D6794E54\jnprns.inf" "9" "4643d6d13" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Windows\system32\DRVSTORE\jnprns_260C6334D987C71B41EC39304CE4AE75D6794E54"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprva\jnprva.inf" "9" "44586aa07" "000000000000016C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprva"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "1" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprvamgr\jnprvamgr.inf" "9" "49e869bf7" "0000000000000168" "WinSta0\Default" "0000000000000100" "208" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprvamgr"
C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\JNPRVAMGR\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:2b880b3aaa1342d2:JnprVaMgr_Device:9.1.11.6235:jnprvamgr," "4fbf82383" "0000000000000168"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Pulse Secure\VC142.CRT\copyCRT.bat" 1 "C:\Program Files (x86)\Pulse Secure\VC142.CRT\" "C:\Windows\SysWOW64\" "pnp.bat" >> C:\Users\Admin\AppData\Local\Temp\psinstall.log"
C:\Windows\system32\xcopy.exe
XCOPY "C:\Program Files (x86)\Pulse Secure\VC142.CRT\pnp.bat" "C:\Windows\SysWOW64\" /Q /H /R /Y
C:\Windows\SysWOW64\wevtutil.exe
"wevtutil.exe" im "C:\Program Files (x86)\Pulse Secure\Pulse\AllEvents.man"
C:\Windows\System32\wevtutil.exe
"wevtutil.exe" im "C:\Program Files (x86)\Pulse Secure\Pulse\AllEvents.man" /fromwow64
C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureServicePS64.dll"
C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\uiPromptPluginPS64.dll"
C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\uiModelServicePS64.dll"
C:\Windows\syswow64\MsiExec.exe
"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamSSOCredProv.dll"
C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamSSOCredProv64.dll"
C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\Integration\IntegrationAccessMethodPS64.dll"
C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\8021xAccessMethod\8021xAccessMethodPS64.dll"
C:\Windows\System32\MsiExec.exe
"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\8021xAccessMethod\JNPRTtlsProvider.dll"
C:\Windows\Installer\MSI20E8.tmp
"C:\Windows\Installer\MSI20E8.tmp" /Run /ProcessName explorer.exe /FilePathToRun "C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe" /CLIArgsForProcess /S
C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe
"C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe" /S
C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe
"C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe" -install
C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe
"C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe"
C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe
"C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe"
C:\Windows\SYSTEM32\netcfg.exe
netcfg -v -b jnprna
C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe
"C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe"
C:\Windows\SYSTEM32\netcfg.exe
netcfg -v -s n
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\Downloaded Program Files\PulseSetupClient64.ocx"
C:\Windows\SYSTEM32\netcfg.exe
netcfg -v -s a
C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamcommand.exe
"C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamcommand.exe" -tray
C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe
"C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe" -tray
C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe
C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe /host HostCheckerService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Eaphost
Network
Files
memory/3368-124-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_6F051139928C549506C1CA842E999B7F
| MD5 | 3e65f096255c3143231a09fe5d94d6f3 |
| SHA1 | 16db405b059cfca6f21547ed06ff4912aa3aab6c |
| SHA256 | bc9040afd0a9fadb57dbebb32dfcbd8c1486278fae6b06e86ec65a58fdb856f7 |
| SHA512 | ae26b34f0efbbb31b807b3bc7377d4ae2700a9c10ae1b06af93d37a2e5b05e43b3b097d607e06eefd7770fb8614bba7949e0f61aa629a301f661ce89a7d6c450 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_6F051139928C549506C1CA842E999B7F
| MD5 | 8dd51ba4d83f012bd9a794dfb6803d50 |
| SHA1 | 674692f7b56eb3cf061df479693d114990c281af |
| SHA256 | 544e09008f231f1eecb4762f4dd515792fc04c4d8826d46a88efb59ea6ccf50e |
| SHA512 | 2cd839fc8bc1d5d01c8db11ad578271f94d15c70d28030d56623d3f4afb95e289b2b82f11e8075c3043c016bb717b70fdf5a7c0888bbec23f42e973d394525d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
| MD5 | 099f6c60c99bec55d1a1d404efdbf54e |
| SHA1 | e08f2b845a9678e68abfbd75ab87abfe19082bb6 |
| SHA256 | 722b2a9e1e78c82ec7a2385f1014952cd93cabcf8fbfa24e0651786ce433f28b |
| SHA512 | 63f7e096ff234c4811d2d92410edaa2a40cb44f6514c441915b8bbdebf1376643f711122f935823ae5d4fe0debf5a863b2014d54a74fa3eb8841d362286d2416 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
| MD5 | 52555ead38f08ef81019f8f9bc1acc29 |
| SHA1 | 7e859756e4c9988f829ce2a34fc742df1faf6f8b |
| SHA256 | 2891ddce651405a92a1b3ce008f3b2af943c9710df40d518f38fdf4c84976699 |
| SHA512 | 270f73d848ca9f15944c793735e87c3a2718669c9f1330ecf1878ade444384a9f7e4e689e465adaa8c6030795fe815fe5c11e29922c0c2fced56debb07dc40e6 |
memory/4388-129-0x0000000000000000-mapping.dmp
C:\Windows\Installer\MSI5CC1.tmp
| MD5 | 99a04ab918dc90a034b35ab4a5e516ea |
| SHA1 | 95b3208fffa56331b8b6374282515713b8d5ed00 |
| SHA256 | 760f4876c623c5f2893e1348206931378a43821f2c3a45561c7616aa33c384e7 |
| SHA512 | f07fceefb831a38b600fd03321f244c3b01951fb52ab2fffa76884f5b3de5a678093fa02bb724aed4c7a2ebbb0cdac58ac68e684b5fef2af20495a9f97bf7bda |
C:\Windows\Installer\MSI5CC1.tmp
| MD5 | 99a04ab918dc90a034b35ab4a5e516ea |
| SHA1 | 95b3208fffa56331b8b6374282515713b8d5ed00 |
| SHA256 | 760f4876c623c5f2893e1348206931378a43821f2c3a45561c7616aa33c384e7 |
| SHA512 | f07fceefb831a38b600fd03321f244c3b01951fb52ab2fffa76884f5b3de5a678093fa02bb724aed4c7a2ebbb0cdac58ac68e684b5fef2af20495a9f97bf7bda |
C:\Windows\Installer\MSI628E.tmp
| MD5 | 17caf74e3a3dbeab40d4261528db647d |
| SHA1 | f7ebf2d9cb83c72503f9a1149965b161151868d2 |
| SHA256 | 4b9c717847770ad4489220b00bd13347f552a1fa6bc6db06c29c0c1557b4e79c |
| SHA512 | 8fcce22772d44645a8b77f0b2b4929a545d644729e7eecdb28350b65cce5967fb30ee2663fc0e8e53981d6af0ddc28622fd23af24ea8e281acaf3cbb51cac8cb |
C:\Windows\Installer\MSI628E.tmp
| MD5 | 17caf74e3a3dbeab40d4261528db647d |
| SHA1 | f7ebf2d9cb83c72503f9a1149965b161151868d2 |
| SHA256 | 4b9c717847770ad4489220b00bd13347f552a1fa6bc6db06c29c0c1557b4e79c |
| SHA512 | 8fcce22772d44645a8b77f0b2b4929a545d644729e7eecdb28350b65cce5967fb30ee2663fc0e8e53981d6af0ddc28622fd23af24ea8e281acaf3cbb51cac8cb |
C:\Windows\Installer\MSI657E.tmp
| MD5 | a0962dd193b82c1946dc67e140ddf895 |
| SHA1 | 7f36c38d80b7c32e750e22907ac7e1f0df76e966 |
| SHA256 | b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9 |
| SHA512 | 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751 |
C:\Windows\Installer\MSI657E.tmp
| MD5 | a0962dd193b82c1946dc67e140ddf895 |
| SHA1 | 7f36c38d80b7c32e750e22907ac7e1f0df76e966 |
| SHA256 | b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9 |
| SHA512 | 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751 |
C:\Windows\Installer\MSI65ED.tmp
| MD5 | 92297f7a0b78aa6dab28e23bb4562d71 |
| SHA1 | bb384155b0730962584cfd38571681a198e9bfa4 |
| SHA256 | b6eb47a4b67dec5a8fb749dc09c0ce78cf295d4d315609925f84a1d440af40c8 |
| SHA512 | 4a0a625c32666c9255651d2d20d71288078bf0821a1273d665e801e9efd1af4ead5b8771d2ebe6065d2230809115b1f1b59b9ae5900ccce879fde6dfcd476182 |
C:\Windows\Installer\MSI65ED.tmp
| MD5 | 92297f7a0b78aa6dab28e23bb4562d71 |
| SHA1 | bb384155b0730962584cfd38571681a198e9bfa4 |
| SHA256 | b6eb47a4b67dec5a8fb749dc09c0ce78cf295d4d315609925f84a1d440af40c8 |
| SHA512 | 4a0a625c32666c9255651d2d20d71288078bf0821a1273d665e801e9efd1af4ead5b8771d2ebe6065d2230809115b1f1b59b9ae5900ccce879fde6dfcd476182 |
memory/4440-138-0x0000000000000000-mapping.dmp
C:\Windows\Installer\MSI6BAB.tmp
| MD5 | 418322f7be2b68e88a93a048ac75a757 |
| SHA1 | 09739792ff1c30f73dacafbe503630615922b561 |
| SHA256 | ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b |
| SHA512 | 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef |
C:\Windows\Installer\MSI6BAB.tmp
| MD5 | 418322f7be2b68e88a93a048ac75a757 |
| SHA1 | 09739792ff1c30f73dacafbe503630615922b561 |
| SHA256 | ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b |
| SHA512 | 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef |
C:\Windows\Installer\MSI6C67.tmp
| MD5 | a0962dd193b82c1946dc67e140ddf895 |
| SHA1 | 7f36c38d80b7c32e750e22907ac7e1f0df76e966 |
| SHA256 | b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9 |
| SHA512 | 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751 |
C:\Windows\Installer\MSI6C67.tmp
| MD5 | a0962dd193b82c1946dc67e140ddf895 |
| SHA1 | 7f36c38d80b7c32e750e22907ac7e1f0df76e966 |
| SHA256 | b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9 |
| SHA512 | 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751 |
C:\Windows\Installer\MSI6C97.tmp
| MD5 | 92297f7a0b78aa6dab28e23bb4562d71 |
| SHA1 | bb384155b0730962584cfd38571681a198e9bfa4 |
| SHA256 | b6eb47a4b67dec5a8fb749dc09c0ce78cf295d4d315609925f84a1d440af40c8 |
| SHA512 | 4a0a625c32666c9255651d2d20d71288078bf0821a1273d665e801e9efd1af4ead5b8771d2ebe6065d2230809115b1f1b59b9ae5900ccce879fde6dfcd476182 |
C:\Windows\Installer\MSI6C97.tmp
| MD5 | 92297f7a0b78aa6dab28e23bb4562d71 |
| SHA1 | bb384155b0730962584cfd38571681a198e9bfa4 |
| SHA256 | b6eb47a4b67dec5a8fb749dc09c0ce78cf295d4d315609925f84a1d440af40c8 |
| SHA512 | 4a0a625c32666c9255651d2d20d71288078bf0821a1273d665e801e9efd1af4ead5b8771d2ebe6065d2230809115b1f1b59b9ae5900ccce879fde6dfcd476182 |
C:\Windows\Installer\MSI6D73.tmp
| MD5 | a0962dd193b82c1946dc67e140ddf895 |
| SHA1 | 7f36c38d80b7c32e750e22907ac7e1f0df76e966 |
| SHA256 | b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9 |
| SHA512 | 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751 |
C:\Windows\Installer\MSI6D73.tmp
| MD5 | a0962dd193b82c1946dc67e140ddf895 |
| SHA1 | 7f36c38d80b7c32e750e22907ac7e1f0df76e966 |
| SHA256 | b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9 |
| SHA512 | 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751 |
C:\Windows\Installer\MSI6DA3.tmp
| MD5 | a0962dd193b82c1946dc67e140ddf895 |
| SHA1 | 7f36c38d80b7c32e750e22907ac7e1f0df76e966 |
| SHA256 | b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9 |
| SHA512 | 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751 |
C:\Windows\Installer\MSI6DA3.tmp
| MD5 | a0962dd193b82c1946dc67e140ddf895 |
| SHA1 | 7f36c38d80b7c32e750e22907ac7e1f0df76e966 |
| SHA256 | b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9 |
| SHA512 | 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751 |
memory/2800-149-0x0000000000000000-mapping.dmp
C:\Windows\Installer\MSI6E40.tmp
C:\Windows\Installer\MSI6F1C.tmp
C:\Windows\Installer\MSI7631.tmp
C:\Windows\Installer\MSI769F.tmp
\??\Volume{604b117b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a5feaab6-ff9c-4225-9fa4-9d555a01a2bc}_OnDiskSnapshotProp
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
C:\Windows\Installer\MSI9312.tmp
C:\Users\Public\Pulse Secure\Logging\debuglog.log
C:\Program Files (x86)\Common Files\Pulse Secure\PulseSAM\PulseSAM.sys
C:\Windows\Installer\MSI9370.tmp
C:\Windows\Installer\MSIF70D.tmp
C:\Windows\Installer\MSIF74D.tmp
C:\Windows\Installer\MSIF838.tmp
C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.inf
C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.cat
C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.sys
C:\Windows\system32\DRVSTORE\jnprns_260C6334D987C71B41EC39304CE4AE75D6794E54\jnprns.inf
C:\Windows\system32\DRVSTORE\JNPRNS~1\jnprns.cat
C:\Windows\system32\DRVSTORE\JNPRNS~1\jnprns.sys
C:\Windows\System32\DriverStore\FileRepository\jnprns.inf_amd64_9fc29f3268c7ae2e\jnprns.inf
C:\Windows\INF\oem2.inf
C:\Windows\Installer\MSI307.tmp
C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprva\jnprva.inf
C:\PROGRA~2\COMMON~1\JUNIPE~1\JNPRNA\Drivers\jnprva\jnprva.sys
C:\PROGRA~2\COMMON~1\JUNIPE~1\JNPRNA\Drivers\jnprva\jnprva.cat
C:\Windows\System32\CatRoot2\dberr.txt
C:\Windows\System32\DriverStore\FileRepository\jnprva.inf_amd64_2d3776125086d638\jnprva.inf
C:\Windows\System32\DriverStore\FileRepository\jnprva.inf_amd64_2d3776125086d638\jnprva.cat
C:\Windows\Installer\MSI615.tmp
C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprvamgr\jnprvamgr.inf