Malware Analysis Report

2024-10-16 03:26

Sample ID 220405-reqlhagdh2
Target PulseSecure.x64.msi
SHA256 78be59991f40ec589c204bb1c879aaaceee6e5ce108876558db65f207705881e
Tags
egregor discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

78be59991f40ec589c204bb1c879aaaceee6e5ce108876558db65f207705881e

Threat Level: Known bad

The file PulseSecure.x64.msi was found to be: Known bad.

Malicious Activity Summary

egregor discovery persistence ransomware

Registers COM server for autorun

Egregor Ransomware

Detected Egregor ransomware

Executes dropped EXE

Drops file in Drivers directory

Blocklisted process makes network request

Modifies file permissions

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-05 14:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-05 14:06

Reported

2022-04-05 14:11

Platform

win10v2004-20220331-en

Max time kernel

268s

Max time network

274s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PulseSecure.x64.msi

Signatures

Detected Egregor ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Egregor Ransomware

ransomware egregor

Registers COM server for autorun

persistence

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\Drivers\PulseSAM.sys C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\system32\DRIVERS\SET1CB.tmp C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\jnprns.sys C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\drivers\SET824.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\drivers\SET824.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\Drivers\PulseSAM.sys C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\System32\drivers\jnprvamgr.sys C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\system32\Drivers\jnprTdi_9111_9451.sys C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRIVERS\SET1CB.tmp C:\Windows\System32\MsiExec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PulseSecure = "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\Pulse.exe -tray" C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_101a408e6cb1d8f8\netmlx5.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_762588e32974f9e8\netloop.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495} C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvchannel.inf_amd64_ba3e73aa330c95d6\netvchannel.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_5d1c92f42d958529\netax88772.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\jnprns.inf_amd64_9fc29f3268c7ae2e\jnprns.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\netwtw08.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netmlx4eth63.inf_amd64_3809a4a3e7e07703\netmlx4eth63.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_b06c3bc32f7db374\bthpan.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\jnprvamgr.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_325c0bd6349ed81c\netwew00.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAA8.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_netservice.inf_amd64_9ab9cf10857f7349\c_netservice.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_153e01d761813df2\netwew01.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_97bef65a8432edd4\msdri.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbncm.inf_amd64_9957a38c3d2283ed\usbncm.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\jnprva.inf_amd64_2d3776125086d638\jnprva.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\SET6CE.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_3294fc34256dbb0e\dc21x4vm.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrasa.inf_amd64_1bdf7a435cb3580d\netrasa.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_07ad61d07466a58a\wceisvista.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtwlanu.inf_amd64_1815bafd14dc59f0\netrtwlanu.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAA7.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netv1x64.inf_amd64_30040c3eb9d7ade4\netv1x64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netefe3e.inf_amd64_7830581a689ef40d\netefe3e.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8187se64.inf_amd64_99a4ca261f585f17\net8187se64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\SET6CE.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_8d5ca5ab1472fc44\netl1e64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netmyk64.inf_amd64_1f949c30555f4111\netmyk64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msux64w10.inf_amd64_5aa81644af5957b3\msux64w10.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_f9e30429669d7fff\netvwwanmp.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAD8.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbrdg.inf_amd64_8a737d38f201aeb1\netbrdg.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_178f1bdb49a6e2fd\net7800-x64-n650f.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_450d4b1e35cc8e0d\net44amd.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rt640x64.inf_amd64_8984d8483eef476c\rt640x64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\b57nd60a.inf_amd64_77a731ab08be20a5\b57nd60a.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_dba6eeaf0544a4e0\netwmbclass.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_9a5b429abc465278\wnetvsc.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netbxnda.inf_amd64_1fff3bc87a99b0f1\netbxnda.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{a958ace3-883e-fe44-b2d3-2dc500bf3ab0}\SET3D0.tmp C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{a958ace3-883e-fe44-b2d3-2dc500bf3ab0}\jnprva.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netpacer.inf_amd64_7d294c7fa012d315\netpacer.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_b6748bc8bb8ccf4d\netax88179_178a.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_ec11d0ad3c5b262a\netvwifimp.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\system32\DRVSTORE C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\Temp\{9c17b94b-2b5d-7c49-b52a-d71715c8911e}\SETFAD8.tmp C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netnwifi.inf_amd64_a2bfd066656fe297\netnwifi.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net7500-x64-n650f.inf_amd64_cc87c915f33d1c27\net7500-x64-n650f.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtwlans.inf_amd64_97cd1a72c2a7829c\netrtwlans.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netimm.inf_amd64_8b2087393aaef952\netimm.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\System32\DriverStore\Temp\{fca41259-9bf1-054d-bdac-dde3648e6495}\jnprvamgr.cat C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\jnprvamgr.inf_amd64_a6b97483d4e0add9\jnprvamgr.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbnet.inf_amd64_9e6bb7a4b7338267\usbnet.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_8604d8a50804b9c1\net1yx64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netwbw02.inf_amd64_1c4077fa004e73b4\netwbw02.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netavpna.inf_amd64_f6f0831ba09dd9f5\netavpna.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netg664.inf_amd64_84cd7b2798e0a666\netg664.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\e2xw10x64.inf_amd64_04c2ae40613a06ff\e2xw10x64.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_d6132e4c7fe2fac6\rtux64w10.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net7400-x64-n650.inf_amd64_557ce3b37c3e0e3b\net7400-x64-n650.PNF C:\Windows\System32\MsiExec.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\net8192se64.inf_amd64_167684f9283b4eca\net8192se64.PNF C:\Windows\System32\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\print.css C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-solve-connection-issue.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-remediation-info-viewing.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\access-control-connect-client-view-properties.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\g033413.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\notecaution.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033408.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033409.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\notewarning-laser.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\vpnAccessMethod\MessageCatalogVpnAM_KO.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-suspending.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-log-file-saving.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\g033408.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\container-book.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\g033413.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\bestpractice.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\access-control-connect-client-extend.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033423.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\help.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-accessibility-features.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-configuration-overview.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\print.css C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\PulseSAM\pulseWFPInst.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\access-control-connect-client-extend.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-window-resizing.html C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Pulse Secure\Connection Manager\versionInfo.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\access-control-connect-client-jtac-contacting.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\plus.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\container.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\tip.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.inf C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\g033408.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\g033405.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\g033410.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\access-control-connect-client-version-viewing.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\eapService\MessageCatalogEapAM_JA.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\access-control-connect-client-meeting-joining.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Pulse Secure\Pulse\PulseHelper.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Pulse Secure\ConnectionStore\versionInfo.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\g033422.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\access-control-connect-client-meeting-joining.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\access-control-connect-client-forget-credentials.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-client-extend.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\blank.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\TNC Client Plugin\hcUtils.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\access-control-connect-client-meeting-joining.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\KO\book-access-control-connect-client.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\DE\access-control-connect-smartcard-overview.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\access-control-connect-client-ui.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseResource_ZH.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\access-control-delete-client-connection-status.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\IT\access-control-connect-client-adding.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\JA\g033468.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\Integration\MessageCatalogIntegrationAM_KO.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\g033405.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ES\standard.css C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\g033400.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\access-control-connect-client-window-resizing.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\PL\access-control-connect-client-disconnect.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH\bestpractice.gif C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\eapService\MessageCatalogEapAM_ZH-CN.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\EN\book-utils.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\PulseHelp\ZH-CN\access-control-connect-client-tray-icon.html C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Pulse Secure\TNC Client Plugin\versionInfo.ini C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI9312.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF838.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Downloaded Program Files\PulseSetupClient64.inf C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\PulseSetupClient64.ocx C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6C97.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI769F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem2.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI307.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI657E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\INF\oem4.PNF C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI307D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI31B8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6D73.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF70D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\wix{DF894007-8BB3-42E4-83EA-5D05969C2517}.SchedServiceConfig.rmi C:\Windows\syswow64\MsiExec.exe N/A
File opened for modification C:\Windows\Installer\MSI28D9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5CC1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{DF894007-8BB3-42E4-83EA-5D05969C2517} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI180A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2C65.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI628E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7631.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\SysWOW64 C:\Windows\system32\xcopy.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI615.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2C45.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI65ED.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6BAB.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Downloaded Program Files\PulseSetupClientCtrlUninstaller.exe C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
File created C:\Windows\Downloaded Program Files\PulseExt64.exe C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe N/A
File opened for modification C:\Windows\Installer\MSI3139.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9370.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI20E8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIAAB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Downloaded Program Files\PulseSetupClient.inf C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
File created C:\Windows\Downloaded Program Files\PulseSetupClient.ocx C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
File opened for modification C:\Windows\Installer\e585a02.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\install.log C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
File created C:\Windows\Downloaded Program Files\PulseExt.exe C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
File opened for modification C:\Windows\Installer\MSI2098.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI24B1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e585a04.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF74D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem2.inf C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\inf\oem3.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\inf\oem4.inf C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Downloaded Program Files\install.log C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe N/A
File opened for modification C:\Windows\Installer\MSI6E40.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6F1C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI315A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6C67.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI182A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Downloaded Program Files\PulseSetupClientCtrlUninstaller64.exe C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe N/A
File opened for modification C:\Windows\Installer\MSI9FE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Downloaded Program Files\PulseSetupClient64.ocx C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\System32\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\DrvInst.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\DrvInst.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007b114b607c81ab010000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007b114b600000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809007b114b60000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007b114b6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007b114b6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\System32\MsiExec.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom C:\Windows\system32\DrvInst.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 C:\Windows\system32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 C:\Windows\system32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Pulse Secure\\Setup Client" C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119}\Policy = "3" C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Pulse.exe = "11000" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\PulseSecureService.exe = "11000" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119} C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe N/A
Key created \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3E8944DC-79B5-4650-9C2E-83885548A119}\AppName = "PulseSetupClient.exe" C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20\52C64B7E\@%SystemRoot%\System32\SimAuth.dll,-1003 = "EAP-AKA'" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%windir%\system32\drivers\netbios.sys,-501 = "NetBIOS Interface" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\drivers\mslldp.sys,-211 = "Microsoft LLDP Protocol Driver" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\wkssvc.dll,-1010 = "Client for Microsoft Networks" C:\Windows\System32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A407658-288A-48A9-86E4-59FE723BF6DF}\NumMethods\ = "12" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dsATLSetupCtrl64.PulseSetupClientCont C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{081CB686-E56B-4C26-A0A9-E7A4A4ADC094} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91DD713B-801E-43B2-88D1-2C1CC7827936}\NumMethods\ = "47" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44090970-D42F-4B80-A44B-117AC24B7626}\ = "IUiModelService" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C0F1C9-6F7D-4401-A959-8111D5E9E973}\TypeLib\ = "{1FA1F2EF-0DCD-4228-8025-74CD7749C878}" C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\700498FD3BB84E2438AED55069C95271\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{5669C0F7-C43F-4E79-AAA2-81C72067EA20} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{1B8F498F-DB53-4B0C-85C0-D4E188DDDB02} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{DFD0DE0A-B9FD-4F8B-83DB-ABEF6966313E} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05C0F1C9-6F7D-4401-A959-8111D5E9E973}\InProcServer32 C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05C0F1C9-6F7D-4401-A959-8111D5E9E973}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24C9FAED-1510-4BE4-9D1A-FBD5F1DCD8F9}\ = "IPulseSetupClientControl" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5FEE7FE9-F273-4D77-AE00-81D6F3FA0188}\ = "IDSAccessService" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{93DBDC46-C99C-4266-A871-9208213282A1}\ = "PSFactoryBuffer" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0686490E-1C1B-49BB-99C8-4159B0387278} C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E375A63-C616-46F1-AC77-59DF78F3A826}\ProgID\ = "dsATLSetupCtrl.PulseSetupClientCont.1" C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B284C66D-1D9E-4E4F-8E3D-98AE9D6E5F9A}\ = "IDSAccessServiceEvents" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4FEB6927-4918-48BD-865C-6F576795547F}\ = "IJamUIPromptPlugin3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\dsATLSetupCtrl64.PulseSetupClientCo.1\CLSID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA1F2EF-0DCD-4228-8025-74CD7749C878} C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CDF36C56-A2F1-452A-BD29-F4E43C987EF3}\1.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0686490E-1C1B-49BB-99C8-4159B0387278}\NumMethods\ = "8" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E60EAB20-C294-4757-8507-E14A72676EA9}\VersionIndependentProgID\ = "PulseSecureServicePS.DSAccessPluginMonitor" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\ = "IUiModelPreLogin" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4B9CAC01-6732-40d0-8B8F-B5B340F9D44F}\ = "Pulse Secure SSO OneX Password Credential Provider Class" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{71A878AF-F1B7-49DB-B9E0-B5DAE00CDAA0}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{627CFA44-B791-4C6B-8E37-3E5D7C1727C7} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{673867FA-2CD8-495A-A22C-820A3800A9F5}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDDE791B-B8B5-4B20-A65E-17B38C537BC2}\ProxyStubClsid32\ = "{BDDE791B-B8B5-4B20-A65E-17B38C537BC2}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\InProcServer32\ = "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\uiModelServicePS64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC5D8B78-4C89-43B3-83FA-E4D3000352A1}\ProxyStubClsid32\ = "{93DBDC46-C99C-4266-A871-9208213282A1}" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B61004C8-7A80-4006-84E9-8499E4F123F8}\ProxyStubClsid32\ = "{C1FAF476-B9C2-4F01-A323-074F00A90EA1}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61FE4786-084E-4598-8F16-30DED15B6125} C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5669C0F7-C43F-4E79-AAA2-81C72067EA20}\ = "IJamUIProvider2" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\NumMethods C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44090970-D42F-4B80-A44B-117AC24B7626} C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D169455C-DDBA-4288-8DB5-B182C6E4814C}\ = "IPulseObjectEvents" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E375A63-C616-46F1-AC77-59DF78F3A826}\ToolboxBitmap32\ = "C:\\Windows\\Downloaded Program Files\\PulseSetupClient.ocx, 102" C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{627CFA44-B791-4C6B-8E37-3E5D7C1727C7}\ProxyStubClsid32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{583C990C-2D38-410c-9A4A-0932D66A754F}\AppID = "{F0F68EE4-3331-424A-BED2-3B8E561275A5}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PulseSecureClient\shell\open\command\ = "\"C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\Pulse.exe\" %1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A36A6A63-33C9-41A5-85A8-FB5CB4D1302D}\ProxyStubClsid32 C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C43482F-6F8E-46D2-8FDC-DBE8B3FC9560} C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08B208CF-EABD-4BE5-88C0-2ADBB0D75E84}\NumMethods\ = "49" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{7C92C70A-46F0-4A41-ACA8-C4858AC07472}\ProxyStubClsid32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74D0078-6B9F-4928-BF49-163F885B1332}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EE8499B-5411-496A-92F5-B4E379F55FB7}\ = "ICloudAppVisibilityCallback" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1FA1F2EF-0DCD-4228-8025-74CD7749C878}\1.0\ = "PulseSetupClientATL 1.0 Type Library" C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C1FAF476-B9C2-4F01-A323-074F00A90EA1}\ProxyStubClsid32\ = "{D169455C-DDBA-4288-8DB5-B182C6E4814C}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E375A63-C616-46F1-AC77-59DF78F3A826}\ToolboxBitmap32 C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3884BCAA-C611-4e2d-9105-E11B1203294E}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Pulse Secure\\JamUI\\jamSSOCredProv64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D169455C-DDBA-4288-8DB5-B182C6E4814C} C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{C1FAF476-B9C2-4F01-A323-074F00A90EA1} C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F3404B-3474-470D-987D-BDAB0329EF46}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D169455C-DDBA-4288-8DB5-B182C6E4814C}\ProxyStubClsid32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{24C9FAED-1510-4BE4-9D1A-FBD5F1DCD8F9}\TypeLib\Version = "1.0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61FE4786-084E-4598-8F16-30DED15B6125}\ = "IDSAccessPluginEvents" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{8D622A6A-24F5-4EF1-B5E9-5305B0626810}\NumMethods C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E60EAB20-C294-4757-8507-E14A72676EA9} C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CBB168F-3886-49F7-8602-1B9769A7150C}\NumMethods\ = "4" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B051258-5990-46D6-855F-A764FE81A35B}\InprocServer32 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A915D786-7A01-445D-A37B-2751A66AA62D}\NumMethods\ = "20" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9C0A2DF-5D3F-448A-9F14-6903EAB54DD5} C:\Windows\System32\MsiExec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4164 wrote to memory of 3368 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4164 wrote to memory of 3368 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4164 wrote to memory of 4388 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4164 wrote to memory of 4388 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4164 wrote to memory of 4388 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4164 wrote to memory of 4440 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 4440 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 2800 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4164 wrote to memory of 2800 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4164 wrote to memory of 2800 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4164 wrote to memory of 4552 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI6F1C.tmp
PID 4164 wrote to memory of 4552 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI6F1C.tmp
PID 4164 wrote to memory of 4552 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI6F1C.tmp
PID 2800 wrote to memory of 2404 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\icacls.exe
PID 2800 wrote to memory of 2404 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\icacls.exe
PID 2800 wrote to memory of 2404 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\icacls.exe
PID 4164 wrote to memory of 1936 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 1936 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2036 wrote to memory of 4336 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2036 wrote to memory of 4336 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2036 wrote to memory of 2180 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2036 wrote to memory of 2180 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2036 wrote to memory of 4888 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2036 wrote to memory of 4888 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2036 wrote to memory of 4316 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 2036 wrote to memory of 4316 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\DrvInst.exe
PID 4164 wrote to memory of 2400 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\cmd.exe
PID 4164 wrote to memory of 2400 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\cmd.exe
PID 2400 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2400 wrote to memory of 2304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\xcopy.exe
PID 2800 wrote to memory of 2040 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\wevtutil.exe
PID 2800 wrote to memory of 2040 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\wevtutil.exe
PID 2800 wrote to memory of 2040 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\wevtutil.exe
PID 2040 wrote to memory of 2196 N/A C:\Windows\SysWOW64\wevtutil.exe C:\Windows\System32\wevtutil.exe
PID 2040 wrote to memory of 2196 N/A C:\Windows\SysWOW64\wevtutil.exe C:\Windows\System32\wevtutil.exe
PID 4164 wrote to memory of 4588 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 4588 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 2148 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 2148 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 4104 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 4104 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 4864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4164 wrote to memory of 4864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4164 wrote to memory of 4864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4164 wrote to memory of 3832 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 3832 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 2416 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 2416 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 344 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 344 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 4876 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 4876 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4164 wrote to memory of 4872 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20E8.tmp
PID 4164 wrote to memory of 4872 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20E8.tmp
PID 4164 wrote to memory of 4872 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI20E8.tmp
PID 4872 wrote to memory of 4564 N/A C:\Windows\Installer\MSI20E8.tmp C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe
PID 4872 wrote to memory of 4564 N/A C:\Windows\Installer\MSI20E8.tmp C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe
PID 4872 wrote to memory of 4564 N/A C:\Windows\Installer\MSI20E8.tmp C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe
PID 4564 wrote to memory of 4384 N/A C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe
PID 4564 wrote to memory of 4384 N/A C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe
PID 4564 wrote to memory of 4384 N/A C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe
PID 4384 wrote to memory of 932 N/A C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe
PID 4384 wrote to memory of 932 N/A C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe
PID 4384 wrote to memory of 932 N/A C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PulseSecure.x64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 899233030C5A7A60AE461828A6A149ED

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding DBB176194EB4BC1023A71506FB2D0678

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding EDAEBDA37523AB2378CBC9EC16612A7F E Global\MSI0000

C:\Windows\Installer\MSI6F1C.tmp

"C:\Windows\Installer\MSI6F1C.tmp" /Stop /ProcessName pulse.exe /FilePathToRun "C:\Program Files (x86)\Common Files\Juniper Networks\JamUI\pulse.exe" /CLIArgsForProcess -stop

C:\Windows\SysWOW64\icacls.exe

C:\Windows\system32\icacls.exe "C:\ProgramData\Pulse Secure" /T /C /RESET

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 137A9AB0EBD6D23E39EA9769388BBA3B E Global\MSI0000

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Windows\system32\DRVSTORE\jnprns_260C6334D987C71B41EC39304CE4AE75D6794E54\jnprns.inf" "9" "4643d6d13" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Windows\system32\DRVSTORE\jnprns_260C6334D987C71B41EC39304CE4AE75D6794E54"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprva\jnprva.inf" "9" "44586aa07" "000000000000016C" "WinSta0\Default" "0000000000000168" "208" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprva"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "4" "1" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprvamgr\jnprvamgr.inf" "9" "49e869bf7" "0000000000000168" "WinSta0\Default" "0000000000000100" "208" "C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprvamgr"

C:\Windows\system32\DrvInst.exe

DrvInst.exe "2" "211" "ROOT\JNPRVAMGR\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:2b880b3aaa1342d2:JnprVaMgr_Device:9.1.11.6235:jnprvamgr," "4fbf82383" "0000000000000168"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Pulse Secure\VC142.CRT\copyCRT.bat" 1 "C:\Program Files (x86)\Pulse Secure\VC142.CRT\" "C:\Windows\SysWOW64\" "pnp.bat" >> C:\Users\Admin\AppData\Local\Temp\psinstall.log"

C:\Windows\system32\xcopy.exe

XCOPY "C:\Program Files (x86)\Pulse Secure\VC142.CRT\pnp.bat" "C:\Windows\SysWOW64\" /Q /H /R /Y

C:\Windows\SysWOW64\wevtutil.exe

"wevtutil.exe" im "C:\Program Files (x86)\Pulse Secure\Pulse\AllEvents.man"

C:\Windows\System32\wevtutil.exe

"wevtutil.exe" im "C:\Program Files (x86)\Pulse Secure\Pulse\AllEvents.man" /fromwow64

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureServicePS64.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\uiPromptPluginPS64.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\uiModelServicePS64.dll"

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamSSOCredProv.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamSSOCredProv64.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\Integration\IntegrationAccessMethodPS64.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\8021xAccessMethod\8021xAccessMethodPS64.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files (x86)\Common Files\Pulse Secure\8021xAccessMethod\JNPRTtlsProvider.dll"

C:\Windows\Installer\MSI20E8.tmp

"C:\Windows\Installer\MSI20E8.tmp" /Run /ProcessName explorer.exe /FilePathToRun "C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe" /CLIArgsForProcess /S

C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe

"C:\Program Files (x86)\Pulse Secure\Pulse\PSSetupClientInstaller.exe" /S

C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe

"C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClient.exe" -install

C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe

"C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe"

C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe

"C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX.exe"

C:\Windows\SYSTEM32\netcfg.exe

netcfg -v -b jnprna

C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe

"C:\Users\Admin\AppData\Roaming\Pulse Secure\Setup Client\PulseSetupClientOCX64.exe"

C:\Windows\SYSTEM32\netcfg.exe

netcfg -v -s n

C:\Windows\system32\regsvr32.exe

"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\Downloaded Program Files\PulseSetupClient64.ocx"

C:\Windows\SYSTEM32\netcfg.exe

netcfg -v -s a

C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamcommand.exe

"C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\jamcommand.exe" -tray

C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe

"C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe" -tray

C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe

C:\Program Files (x86)\Common Files\Pulse Secure\JUNS\PulseSecureService.exe /host HostCheckerService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Eaphost

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.msn.com udp
US 131.253.33.203:443 api.msn.com tcp
RU 23.196.236.89:80 tcp
US 52.168.117.169:443 tcp
FI 62.115.252.112:80 tcp
FI 62.115.252.112:80 tcp
FI 62.115.252.112:80 tcp
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
NL 104.110.191.165:80 tcp
NL 104.110.191.165:80 tcp
US 204.79.197.200:443 tcp
US 8.8.8.8:443 tcp
US 8.8.8.8:17243 tcp
US 8.8.8.8:14946 tcp
US 8.8.8.8:28523 tcp
US 8.8.8.8:36551 tcp
US 8.8.8.8:443 tcp
US 8.8.8.8:26755 tcp

Files

memory/3368-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_6F051139928C549506C1CA842E999B7F

MD5 3e65f096255c3143231a09fe5d94d6f3
SHA1 16db405b059cfca6f21547ed06ff4912aa3aab6c
SHA256 bc9040afd0a9fadb57dbebb32dfcbd8c1486278fae6b06e86ec65a58fdb856f7
SHA512 ae26b34f0efbbb31b807b3bc7377d4ae2700a9c10ae1b06af93d37a2e5b05e43b3b097d607e06eefd7770fb8614bba7949e0f61aa629a301f661ce89a7d6c450

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_6F051139928C549506C1CA842E999B7F

MD5 8dd51ba4d83f012bd9a794dfb6803d50
SHA1 674692f7b56eb3cf061df479693d114990c281af
SHA256 544e09008f231f1eecb4762f4dd515792fc04c4d8826d46a88efb59ea6ccf50e
SHA512 2cd839fc8bc1d5d01c8db11ad578271f94d15c70d28030d56623d3f4afb95e289b2b82f11e8075c3043c016bb717b70fdf5a7c0888bbec23f42e973d394525d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

MD5 099f6c60c99bec55d1a1d404efdbf54e
SHA1 e08f2b845a9678e68abfbd75ab87abfe19082bb6
SHA256 722b2a9e1e78c82ec7a2385f1014952cd93cabcf8fbfa24e0651786ce433f28b
SHA512 63f7e096ff234c4811d2d92410edaa2a40cb44f6514c441915b8bbdebf1376643f711122f935823ae5d4fe0debf5a863b2014d54a74fa3eb8841d362286d2416

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

MD5 52555ead38f08ef81019f8f9bc1acc29
SHA1 7e859756e4c9988f829ce2a34fc742df1faf6f8b
SHA256 2891ddce651405a92a1b3ce008f3b2af943c9710df40d518f38fdf4c84976699
SHA512 270f73d848ca9f15944c793735e87c3a2718669c9f1330ecf1878ade444384a9f7e4e689e465adaa8c6030795fe815fe5c11e29922c0c2fced56debb07dc40e6

memory/4388-129-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI5CC1.tmp

MD5 99a04ab918dc90a034b35ab4a5e516ea
SHA1 95b3208fffa56331b8b6374282515713b8d5ed00
SHA256 760f4876c623c5f2893e1348206931378a43821f2c3a45561c7616aa33c384e7
SHA512 f07fceefb831a38b600fd03321f244c3b01951fb52ab2fffa76884f5b3de5a678093fa02bb724aed4c7a2ebbb0cdac58ac68e684b5fef2af20495a9f97bf7bda

C:\Windows\Installer\MSI5CC1.tmp

MD5 99a04ab918dc90a034b35ab4a5e516ea
SHA1 95b3208fffa56331b8b6374282515713b8d5ed00
SHA256 760f4876c623c5f2893e1348206931378a43821f2c3a45561c7616aa33c384e7
SHA512 f07fceefb831a38b600fd03321f244c3b01951fb52ab2fffa76884f5b3de5a678093fa02bb724aed4c7a2ebbb0cdac58ac68e684b5fef2af20495a9f97bf7bda

C:\Windows\Installer\MSI628E.tmp

MD5 17caf74e3a3dbeab40d4261528db647d
SHA1 f7ebf2d9cb83c72503f9a1149965b161151868d2
SHA256 4b9c717847770ad4489220b00bd13347f552a1fa6bc6db06c29c0c1557b4e79c
SHA512 8fcce22772d44645a8b77f0b2b4929a545d644729e7eecdb28350b65cce5967fb30ee2663fc0e8e53981d6af0ddc28622fd23af24ea8e281acaf3cbb51cac8cb

C:\Windows\Installer\MSI628E.tmp

MD5 17caf74e3a3dbeab40d4261528db647d
SHA1 f7ebf2d9cb83c72503f9a1149965b161151868d2
SHA256 4b9c717847770ad4489220b00bd13347f552a1fa6bc6db06c29c0c1557b4e79c
SHA512 8fcce22772d44645a8b77f0b2b4929a545d644729e7eecdb28350b65cce5967fb30ee2663fc0e8e53981d6af0ddc28622fd23af24ea8e281acaf3cbb51cac8cb

C:\Windows\Installer\MSI657E.tmp

MD5 a0962dd193b82c1946dc67e140ddf895
SHA1 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256 b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

C:\Windows\Installer\MSI657E.tmp

MD5 a0962dd193b82c1946dc67e140ddf895
SHA1 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256 b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

C:\Windows\Installer\MSI65ED.tmp

MD5 92297f7a0b78aa6dab28e23bb4562d71
SHA1 bb384155b0730962584cfd38571681a198e9bfa4
SHA256 b6eb47a4b67dec5a8fb749dc09c0ce78cf295d4d315609925f84a1d440af40c8
SHA512 4a0a625c32666c9255651d2d20d71288078bf0821a1273d665e801e9efd1af4ead5b8771d2ebe6065d2230809115b1f1b59b9ae5900ccce879fde6dfcd476182

C:\Windows\Installer\MSI65ED.tmp

MD5 92297f7a0b78aa6dab28e23bb4562d71
SHA1 bb384155b0730962584cfd38571681a198e9bfa4
SHA256 b6eb47a4b67dec5a8fb749dc09c0ce78cf295d4d315609925f84a1d440af40c8
SHA512 4a0a625c32666c9255651d2d20d71288078bf0821a1273d665e801e9efd1af4ead5b8771d2ebe6065d2230809115b1f1b59b9ae5900ccce879fde6dfcd476182

memory/4440-138-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI6BAB.tmp

MD5 418322f7be2b68e88a93a048ac75a757
SHA1 09739792ff1c30f73dacafbe503630615922b561
SHA256 ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b
SHA512 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

C:\Windows\Installer\MSI6BAB.tmp

MD5 418322f7be2b68e88a93a048ac75a757
SHA1 09739792ff1c30f73dacafbe503630615922b561
SHA256 ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b
SHA512 253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

C:\Windows\Installer\MSI6C67.tmp

MD5 a0962dd193b82c1946dc67e140ddf895
SHA1 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256 b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

C:\Windows\Installer\MSI6C67.tmp

MD5 a0962dd193b82c1946dc67e140ddf895
SHA1 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256 b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

C:\Windows\Installer\MSI6C97.tmp

MD5 92297f7a0b78aa6dab28e23bb4562d71
SHA1 bb384155b0730962584cfd38571681a198e9bfa4
SHA256 b6eb47a4b67dec5a8fb749dc09c0ce78cf295d4d315609925f84a1d440af40c8
SHA512 4a0a625c32666c9255651d2d20d71288078bf0821a1273d665e801e9efd1af4ead5b8771d2ebe6065d2230809115b1f1b59b9ae5900ccce879fde6dfcd476182

C:\Windows\Installer\MSI6C97.tmp

MD5 92297f7a0b78aa6dab28e23bb4562d71
SHA1 bb384155b0730962584cfd38571681a198e9bfa4
SHA256 b6eb47a4b67dec5a8fb749dc09c0ce78cf295d4d315609925f84a1d440af40c8
SHA512 4a0a625c32666c9255651d2d20d71288078bf0821a1273d665e801e9efd1af4ead5b8771d2ebe6065d2230809115b1f1b59b9ae5900ccce879fde6dfcd476182

C:\Windows\Installer\MSI6D73.tmp

MD5 a0962dd193b82c1946dc67e140ddf895
SHA1 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256 b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

C:\Windows\Installer\MSI6D73.tmp

MD5 a0962dd193b82c1946dc67e140ddf895
SHA1 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256 b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

C:\Windows\Installer\MSI6DA3.tmp

MD5 a0962dd193b82c1946dc67e140ddf895
SHA1 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256 b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

C:\Windows\Installer\MSI6DA3.tmp

MD5 a0962dd193b82c1946dc67e140ddf895
SHA1 7f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256 b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512 118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

memory/2800-149-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI6E40.tmp

MD5 17caf74e3a3dbeab40d4261528db647d
SHA1 f7ebf2d9cb83c72503f9a1149965b161151868d2
SHA256 4b9c717847770ad4489220b00bd13347f552a1fa6bc6db06c29c0c1557b4e79c
SHA512 8fcce22772d44645a8b77f0b2b4929a545d644729e7eecdb28350b65cce5967fb30ee2663fc0e8e53981d6af0ddc28622fd23af24ea8e281acaf3cbb51cac8cb

C:\Windows\Installer\MSI6E40.tmp

MD5 17caf74e3a3dbeab40d4261528db647d
SHA1 f7ebf2d9cb83c72503f9a1149965b161151868d2
SHA256 4b9c717847770ad4489220b00bd13347f552a1fa6bc6db06c29c0c1557b4e79c
SHA512 8fcce22772d44645a8b77f0b2b4929a545d644729e7eecdb28350b65cce5967fb30ee2663fc0e8e53981d6af0ddc28622fd23af24ea8e281acaf3cbb51cac8cb

C:\Windows\Installer\MSI6F1C.tmp

MD5 777cc1449acdb75d210f822e4e1d39dc
SHA1 5fa94e7b649c76941bb3bbfee028724a5fabd81b
SHA256 dc890fa6eb386773bf781a7bb2ec80432f11c0d51c8a2eda7db1969cb5226b67
SHA512 aa3880b05674702c490cd540366d76a8950d60a83c7f43b530f9be0dbd8a722951ff44082e0091d9f24f773e2a053899d05d2d3afe17f9724a0b27bf040dbb53

memory/4552-152-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI6F1C.tmp

MD5 777cc1449acdb75d210f822e4e1d39dc
SHA1 5fa94e7b649c76941bb3bbfee028724a5fabd81b
SHA256 dc890fa6eb386773bf781a7bb2ec80432f11c0d51c8a2eda7db1969cb5226b67
SHA512 aa3880b05674702c490cd540366d76a8950d60a83c7f43b530f9be0dbd8a722951ff44082e0091d9f24f773e2a053899d05d2d3afe17f9724a0b27bf040dbb53

C:\Windows\Installer\MSI7631.tmp

MD5 ee952864088f8fed9062ad44fd319a57
SHA1 f2ce7b232b458b2640f2a8d2d96433b3bfd1cfdd
SHA256 593890f7191a73feb179575a6d2d284451a586564e06e71fb8f04316ec460494
SHA512 566227c0956cf790acd1a73c83b49437e9af8945615c34c21f404e10d991c1d821196315c8d3b8a111b868e77313cb4a96701bb963a4bf6e438e68ea16d9f00a

C:\Windows\Installer\MSI7631.tmp

MD5 ee952864088f8fed9062ad44fd319a57
SHA1 f2ce7b232b458b2640f2a8d2d96433b3bfd1cfdd
SHA256 593890f7191a73feb179575a6d2d284451a586564e06e71fb8f04316ec460494
SHA512 566227c0956cf790acd1a73c83b49437e9af8945615c34c21f404e10d991c1d821196315c8d3b8a111b868e77313cb4a96701bb963a4bf6e438e68ea16d9f00a

C:\Windows\Installer\MSI769F.tmp

MD5 ee952864088f8fed9062ad44fd319a57
SHA1 f2ce7b232b458b2640f2a8d2d96433b3bfd1cfdd
SHA256 593890f7191a73feb179575a6d2d284451a586564e06e71fb8f04316ec460494
SHA512 566227c0956cf790acd1a73c83b49437e9af8945615c34c21f404e10d991c1d821196315c8d3b8a111b868e77313cb4a96701bb963a4bf6e438e68ea16d9f00a

C:\Windows\Installer\MSI769F.tmp

MD5 ee952864088f8fed9062ad44fd319a57
SHA1 f2ce7b232b458b2640f2a8d2d96433b3bfd1cfdd
SHA256 593890f7191a73feb179575a6d2d284451a586564e06e71fb8f04316ec460494
SHA512 566227c0956cf790acd1a73c83b49437e9af8945615c34c21f404e10d991c1d821196315c8d3b8a111b868e77313cb4a96701bb963a4bf6e438e68ea16d9f00a

memory/2404-159-0x0000000000000000-mapping.dmp

\??\Volume{604b117b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a5feaab6-ff9c-4225-9fa4-9d555a01a2bc}_OnDiskSnapshotProp

MD5 895047ef52516aa0aac133674ebc4ead
SHA1 cd563afe3a332641a7800748d50408a76bb31b2c
SHA256 0a5747c1cb5b33926f2334cd8df4f36717713c8ca218bc15d1207ad40de69d1c
SHA512 5bba02d04cc79d86be58aa7f9fb9998d303fc8f988d6e97dc1b7959c0bc3d501f62ae52c3d5da2033e276d5fe61c8acaaab5a28a9e99d103bda043e605def40c

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 915e0d0f044116144e7f450963a36d12
SHA1 7c6c6c9a966234ae5040a94096df67d79df1ef96
SHA256 04eb763613a8681b60f3f9e1e988bb86ee59711a59da343178cfe2aca39c5f79
SHA512 8aa7a62e9380749855ceb126adb37f0f01aef537486fe39ac50e54ad56638d009338840e4b0e3a1198117d0181744c248a4949f6edec20b9a6ff137b184487df

C:\Windows\Installer\MSI9312.tmp

MD5 d9a9529176e4efa3dba832b33b06c973
SHA1 3cb38e60af954a72d3592e455d4a5389485ef339
SHA256 5b9e09603a4dab1d5d0b5b89ab6048226ab943979b7e5d99bb6357a61b1f5110
SHA512 df5fc26634eb352308e85d6a19df9b74bd9713ef254945719da9dbe9a4af6cdbe4be08731d6e8df3baaa690b26d865b0e6b335e71adfbc88c13440de5926610e

C:\Users\Public\Pulse Secure\Logging\debuglog.log

MD5 a5e27f7a5cce645eb8276ab6bde64232
SHA1 f682327e38da24720da36bddf1c5c57bac68db85
SHA256 3df4c9c009633e8c054edf0c4e74ffd8f0a3006b985c791da3162f747ac0e72b
SHA512 7d7f7baa3ff3312594f17321cb6e9e92b05781ed00a93f02944256be88a71d70d7b4d953f5253872277e158e0baa245fb69057b737d4ac8e6ad47ecd02cb2a56

C:\Windows\Installer\MSI9312.tmp

MD5 d9a9529176e4efa3dba832b33b06c973
SHA1 3cb38e60af954a72d3592e455d4a5389485ef339
SHA256 5b9e09603a4dab1d5d0b5b89ab6048226ab943979b7e5d99bb6357a61b1f5110
SHA512 df5fc26634eb352308e85d6a19df9b74bd9713ef254945719da9dbe9a4af6cdbe4be08731d6e8df3baaa690b26d865b0e6b335e71adfbc88c13440de5926610e

C:\Program Files (x86)\Common Files\Pulse Secure\PulseSAM\PulseSAM.sys

MD5 de563e8326794fe7b4c652869a5dba91
SHA1 a7490f7dbddb1403510283e9241620d4d016369b
SHA256 9942835f5c4182840401b90ef226a4d4496fd93d724594f772d9186aabb1c406
SHA512 ca2be1c4cd41e63d2e172c492c4dc3e729eaf0fcfcdb23593c03844c0dc16bbba0215b94bf4c4e96e1fe3729701540f6305431db4762c3fb087227c5772880fe

memory/1936-166-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI9370.tmp

MD5 72c7e3ef754d7b30d03f688556f49d0e
SHA1 899f9145368d2658636c5545414f2e84ccde41fd
SHA256 96cf36410228a543ca3f28005e2d55ac2435488d660a79b1a0b4d08253e3d1a9
SHA512 b799dc8bc8cc7f410e773fe4e91fae4e139f0fdc25fd83387cb3526e82a5138cefc0c227f5d475f4a970e9c8a84715d61b84d1a6fbd166f259590cd889afcebe

C:\Windows\Installer\MSI9370.tmp

MD5 72c7e3ef754d7b30d03f688556f49d0e
SHA1 899f9145368d2658636c5545414f2e84ccde41fd
SHA256 96cf36410228a543ca3f28005e2d55ac2435488d660a79b1a0b4d08253e3d1a9
SHA512 b799dc8bc8cc7f410e773fe4e91fae4e139f0fdc25fd83387cb3526e82a5138cefc0c227f5d475f4a970e9c8a84715d61b84d1a6fbd166f259590cd889afcebe

C:\Windows\Installer\MSIF70D.tmp

MD5 72c7e3ef754d7b30d03f688556f49d0e
SHA1 899f9145368d2658636c5545414f2e84ccde41fd
SHA256 96cf36410228a543ca3f28005e2d55ac2435488d660a79b1a0b4d08253e3d1a9
SHA512 b799dc8bc8cc7f410e773fe4e91fae4e139f0fdc25fd83387cb3526e82a5138cefc0c227f5d475f4a970e9c8a84715d61b84d1a6fbd166f259590cd889afcebe

C:\Windows\Installer\MSIF70D.tmp

MD5 72c7e3ef754d7b30d03f688556f49d0e
SHA1 899f9145368d2658636c5545414f2e84ccde41fd
SHA256 96cf36410228a543ca3f28005e2d55ac2435488d660a79b1a0b4d08253e3d1a9
SHA512 b799dc8bc8cc7f410e773fe4e91fae4e139f0fdc25fd83387cb3526e82a5138cefc0c227f5d475f4a970e9c8a84715d61b84d1a6fbd166f259590cd889afcebe

C:\Windows\Installer\MSIF74D.tmp

MD5 72c7e3ef754d7b30d03f688556f49d0e
SHA1 899f9145368d2658636c5545414f2e84ccde41fd
SHA256 96cf36410228a543ca3f28005e2d55ac2435488d660a79b1a0b4d08253e3d1a9
SHA512 b799dc8bc8cc7f410e773fe4e91fae4e139f0fdc25fd83387cb3526e82a5138cefc0c227f5d475f4a970e9c8a84715d61b84d1a6fbd166f259590cd889afcebe

C:\Windows\Installer\MSIF74D.tmp

MD5 72c7e3ef754d7b30d03f688556f49d0e
SHA1 899f9145368d2658636c5545414f2e84ccde41fd
SHA256 96cf36410228a543ca3f28005e2d55ac2435488d660a79b1a0b4d08253e3d1a9
SHA512 b799dc8bc8cc7f410e773fe4e91fae4e139f0fdc25fd83387cb3526e82a5138cefc0c227f5d475f4a970e9c8a84715d61b84d1a6fbd166f259590cd889afcebe

C:\Windows\Installer\MSIF838.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Windows\Installer\MSIF838.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.inf

MD5 59f3bffb290ea8c28da403fc633de069
SHA1 6c7646767e20fdb9c200f265b91f4bcd15c68cec
SHA256 4865617857833229e4e42c861abc2b616d0c2b12b080880936762232df469a4b
SHA512 36c3928fda949a75c4fe9ed9f81ac816985d1948a0d3df319dc2252434088c1b4c97eab225c22f65022ee4f9a29b1813be27d3c8267da66b3d2b54e4c8f435bb

C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.cat

MD5 10a4f5e080cc472035f4fe44f671f381
SHA1 260c6334d987c71b41ec39304ce4ae75d6794e54
SHA256 a011a0f7907469b473801f7bfa24501d24fbd2a62f61c83a0c46e4c0a6b70911
SHA512 c441d0c81f8dce9bbf6ec705ff3cea080bb365df3fb62233ef4324073454ed711ab6e8bfc89d58b614c9d569c14400725186b74448d6f10b5f407b97b8442e7d

C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprns\jnprns.sys

MD5 6d15d02704d1947a3bbb9638d0001593
SHA1 d60de16e970a363653f4a7b1eb2b5db13bd18383
SHA256 fcfdc26b2fc5dbe1e56cd8d707f3ab1655df1f1c43511ec48d6d563146cb5dc0
SHA512 a46a52c8ec5376643df8a227f18427c385b63f5504d629188afdb2d216d8305b94ef3cee5351235386de68ecd450a656db5c9687f670bb5bb28dfff31a2848ff

memory/4336-178-0x0000000000000000-mapping.dmp

C:\Windows\system32\DRVSTORE\jnprns_260C6334D987C71B41EC39304CE4AE75D6794E54\jnprns.inf

MD5 59f3bffb290ea8c28da403fc633de069
SHA1 6c7646767e20fdb9c200f265b91f4bcd15c68cec
SHA256 4865617857833229e4e42c861abc2b616d0c2b12b080880936762232df469a4b
SHA512 36c3928fda949a75c4fe9ed9f81ac816985d1948a0d3df319dc2252434088c1b4c97eab225c22f65022ee4f9a29b1813be27d3c8267da66b3d2b54e4c8f435bb

C:\Windows\system32\DRVSTORE\JNPRNS~1\jnprns.cat

MD5 10a4f5e080cc472035f4fe44f671f381
SHA1 260c6334d987c71b41ec39304ce4ae75d6794e54
SHA256 a011a0f7907469b473801f7bfa24501d24fbd2a62f61c83a0c46e4c0a6b70911
SHA512 c441d0c81f8dce9bbf6ec705ff3cea080bb365df3fb62233ef4324073454ed711ab6e8bfc89d58b614c9d569c14400725186b74448d6f10b5f407b97b8442e7d

C:\Windows\system32\DRVSTORE\JNPRNS~1\jnprns.sys

MD5 6d15d02704d1947a3bbb9638d0001593
SHA1 d60de16e970a363653f4a7b1eb2b5db13bd18383
SHA256 fcfdc26b2fc5dbe1e56cd8d707f3ab1655df1f1c43511ec48d6d563146cb5dc0
SHA512 a46a52c8ec5376643df8a227f18427c385b63f5504d629188afdb2d216d8305b94ef3cee5351235386de68ecd450a656db5c9687f670bb5bb28dfff31a2848ff

C:\Windows\System32\DriverStore\FileRepository\jnprns.inf_amd64_9fc29f3268c7ae2e\jnprns.inf

MD5 59f3bffb290ea8c28da403fc633de069
SHA1 6c7646767e20fdb9c200f265b91f4bcd15c68cec
SHA256 4865617857833229e4e42c861abc2b616d0c2b12b080880936762232df469a4b
SHA512 36c3928fda949a75c4fe9ed9f81ac816985d1948a0d3df319dc2252434088c1b4c97eab225c22f65022ee4f9a29b1813be27d3c8267da66b3d2b54e4c8f435bb

C:\Windows\INF\oem2.inf

MD5 59f3bffb290ea8c28da403fc633de069
SHA1 6c7646767e20fdb9c200f265b91f4bcd15c68cec
SHA256 4865617857833229e4e42c861abc2b616d0c2b12b080880936762232df469a4b
SHA512 36c3928fda949a75c4fe9ed9f81ac816985d1948a0d3df319dc2252434088c1b4c97eab225c22f65022ee4f9a29b1813be27d3c8267da66b3d2b54e4c8f435bb

C:\Windows\Installer\MSI307.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Windows\Installer\MSI307.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprva\jnprva.inf

MD5 7e92b226a1ff75f5b3f8523df2dd0b1b
SHA1 5d204e9eb26c7857b75cb837006a9b4eb901b79b
SHA256 5c59527c9ee43cd201282edba90ecce3af28653962800a4d6d2cf40dfd5b295a
SHA512 fa06819c5c122bca5fc78d1609359e2e3bda5b23648975993c00bbb995fddf235993dec3c2f7e5c71e258a63076ab67aa2517e8da088dd4d76fa7b92512222f8

memory/2180-187-0x0000000000000000-mapping.dmp

C:\PROGRA~2\COMMON~1\JUNIPE~1\JNPRNA\Drivers\jnprva\jnprva.sys

MD5 6af27b10861e98fa0addd6ed5d10f8c5
SHA1 f8293d562fbf7a560d533d1e18f0ac56405d41e7
SHA256 aeea7c1c2a06a8d739651b073b26007da7c352260585e109028fffaaf3c34de0
SHA512 720bcfe5e28511ade7bc4fc0dacefa1290a401bbbf7399d097dc3d03ae62e6ab56dd8f72068ae0a934993c049f48dd1b80fabb792b87434e51c5e93c368643db

C:\PROGRA~2\COMMON~1\JUNIPE~1\JNPRNA\Drivers\jnprva\jnprva.cat

MD5 1fdfdd5815f595b8d97ba80eb6473c91
SHA1 abebdbe347fe8817f8a9631c19d38f123ed37592
SHA256 0d797ee30e07cc0ed90e92df2aa451c3edcb6dbf1179e013feae67cc5d70343e
SHA512 9364539a9055490fd8889ad687c05491baa3ddabf370d93889c5978b5ba3d6a4e38a1e534eb94f083d4d22fc421f0cafc70e755c188737bdab7f469b7c4c9a89

C:\Windows\System32\CatRoot2\dberr.txt

MD5 9801855699abaab75e43e8984d4ac233
SHA1 236f9b8fb5d077476e68ed1bcac6441ed7feae98
SHA256 359fcc825cd1ee2f579fae922669d2f90862f9cc8dff9ce26549cc4047685eb2
SHA512 73d202860c6c42ff0f5bc1f1580238c9acf1dbe3e6025ebf6c756962ad943cc76ce71adb11ec97cbc5ecec22695cc825575d6f1e3604227a0bcff980898ea370

C:\Windows\System32\DriverStore\FileRepository\jnprva.inf_amd64_2d3776125086d638\jnprva.inf

MD5 7e92b226a1ff75f5b3f8523df2dd0b1b
SHA1 5d204e9eb26c7857b75cb837006a9b4eb901b79b
SHA256 5c59527c9ee43cd201282edba90ecce3af28653962800a4d6d2cf40dfd5b295a
SHA512 fa06819c5c122bca5fc78d1609359e2e3bda5b23648975993c00bbb995fddf235993dec3c2f7e5c71e258a63076ab67aa2517e8da088dd4d76fa7b92512222f8

C:\Windows\System32\CatRoot2\dberr.txt

MD5 140b88c3e77b6c4306cc25dcd2b722b6
SHA1 4a74cb46868dee87b8ee6ffb6674e799ae9a3dd7
SHA256 01af27ef2157fba5fef0e3487f736b729404e619e80960cd53d3762e60dcafcd
SHA512 2842f0ee2d3badcf37c49e6ef63f6e032354ab9036bffe8a01610577d661854c27f07970ab92e3d7dbb44f1cfe6b9e1846756087720b7955a9247e5b483db22c

C:\Windows\System32\DriverStore\FileRepository\jnprva.inf_amd64_2d3776125086d638\jnprva.cat

MD5 1fdfdd5815f595b8d97ba80eb6473c91
SHA1 abebdbe347fe8817f8a9631c19d38f123ed37592
SHA256 0d797ee30e07cc0ed90e92df2aa451c3edcb6dbf1179e013feae67cc5d70343e
SHA512 9364539a9055490fd8889ad687c05491baa3ddabf370d93889c5978b5ba3d6a4e38a1e534eb94f083d4d22fc421f0cafc70e755c188737bdab7f469b7c4c9a89

C:\Windows\Installer\MSI615.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Windows\Installer\MSI615.tmp

MD5 8deb7d2f91c7392925718b3ba0aade22
SHA1 fc8e9b10c83e16eb0af1b6f10128f5c37b389682
SHA256 cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4
SHA512 37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

C:\Program Files (x86)\Common Files\Juniper Networks\JNPRNA\Drivers\jnprvamgr\jnprvamgr.inf

MD5 cdce8d87e76ab195443a08252d3fc807
SHA1 1329dcf816971d26b0496276b3fdd4b4141da255
SHA256 74dcf667f9f9fb6fcdfbe02f3e678769f0addb5da004734e79c04e94c1ca421c
SHA512 abe16681810a025669942a4d8ac47e00ba4c77724862b1d2bc0fd92bfbb2b7589b7e388627b51770386e358c31970fbf554f0731adedd93c9089e4d6763760a2

memory/4888-197-0x0000000000000000-mapping.dmp

memory/4316-198-0x0000000000000000-mapping.dmp

memory/2400-199-0x0000000000000000-mapping.dmp

memory/2304-200-0x0000000000000000-mapping.dmp

memory/2040-201-0x0000000000000000-mapping.dmp

memory/2196-202-0x0000000000000000-mapping.dmp

memory/4588-203-0x0000000000000000-mapping.dmp

memory/2148-204-0x0000000000000000-mapping.dmp

memory/4104-205-0x0000000000000000-mapping.dmp

memory/4864-206-0x0000000000000000-mapping.dmp

memory/3832-207-0x0000000000000000-mapping.dmp

memory/2416-208-0x0000000000000000-mapping.dmp

memory/344-209-0x0000000000000000-mapping.dmp

memory/4876-210-0x0000000000000000-mapping.dmp

memory/4872-211-0x0000000000000000-mapping.dmp

memory/4564-212-0x0000000000000000-mapping.dmp

memory/4384-213-0x0000000000000000-mapping.dmp

memory/932-214-0x0000000000000000-mapping.dmp

memory/2284-215-0x0000000000000000-mapping.dmp

memory/2712-216-0x0000000000000000-mapping.dmp

memory/460-217-0x0000000000000000-mapping.dmp

memory/2392-218-0x0000000000000000-mapping.dmp

memory/3136-219-0x0000000000000000-mapping.dmp

memory/4728-220-0x0000000000000000-mapping.dmp

memory/3656-221-0x0000000000000000-mapping.dmp

memory/744-222-0x0000000000000000-mapping.dmp