Windows Analysis Report
PSL5339.msi

Overview

General Information

Sample name: PSL5339.msi
Analysis ID: 1436492
MD5: 9c740333ad8fcfc9d6c5788431fff571
SHA1: 91be81a6b81a00b8033c88cbf799c40327ff1409
SHA256: 5d36dcb79c5400efb9758323858075bb5d6e3e55d6f32b6c5dc57d81fa0f6142
Infos:

Detection

Score: 33
Range: 0 - 100
Whitelisted: false
Confidence: 0%

Signatures

Contain functionality to detect virtual machines
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00145130 CryptAcquireContextW,GetLastError,CryptAcquireContextW,GetLastError, 3_2_00145130
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0014F270 GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,CryptReleaseContext,FreeLibrary,CryptReleaseContext,FreeLibrary,CryptReleaseContext,FreeLibrary,GetLastError, 3_2_0014F270
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0014C2D0 CryptGetUserKey,GetLastError,CryptGetUserKey,GetLastError,CryptGetKeyParam,GetLastError,CryptGetKeyParam,GetLastError,Concurrency::cancel_current_task, 3_2_0014C2D0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00147410 CryptAcquireContextW,GetLastError,CryptAcquireContextW,GetLastError, 3_2_00147410
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00167510 GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,CryptGetHashParam,GetLastError,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext, 3_2_00167510
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0014E520 GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,CryptReleaseContext,FreeLibrary,SimpleUString::operator=,CryptReleaseContext,FreeLibrary,GetLastError,FileTimeToLocalFileTime,GetLastError,FileTimeToSystemTime,GetLastError, 3_2_0014E520
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0014B580 CryptAcquireContextW,GetLastError, 3_2_0014B580
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0014B6E0 GetLastError,CryptSetProvParam,GetLastError,CryptReleaseContext,FreeLibrary, 3_2_0014B6E0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0011C7B0 CryptAcquireContextA,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,CryptGetHashParam,GetLastError,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext, 3_2_0011C7B0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00145810 CryptDestroyHash, 3_2_00145810
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00151870 CryptSignHashW,GetLastError,CryptDestroyHash,CryptSignHashW,GetLastError,CryptDestroyHash,CryptDestroyHash,GetLastError,GetLastError,GetLastError,GetLastError, 3_2_00151870
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00150860 CryptReleaseContext,FreeLibrary, 3_2_00150860
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00167890 CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA, 3_2_00167890
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001458B0 CryptSetProvParam,GetLastError, 3_2_001458B0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0017DB00 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 3_2_0017DB00
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00150C30 CryptSetProvParam,GetLastError, 3_2_00150C30
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0011CC70 CryptAcquireContextA,GetLastError,CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptGetHashParam,CryptGetHashParam,GetLastError,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext, 3_2_0011CC70
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00144DF0 CryptAcquireContextW,GetLastError,CryptCreateHash,CryptSetHashParam, 3_2_00144DF0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00145ED0 CryptSetProvParam,GetLastError, 3_2_00145ED0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0014DF00 CryptGetProvParam,GetLastError,CryptGetProvParam,GetLastError, 3_2_0014DF00
Source: unknown HTTPS traffic detected: 23.220.136.112:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.220.136.112:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\PulseExt.pdb source: PulseExt64.exe.1.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb= source: psalswitch.exe.1.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\PulseExt.pdb source: PulseExt.exe.1.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb source: psalswitch.exe.1.dr
Source: Binary string: C:\agent\_work\82\s\build\ship\x86\wixca.pdb source: PSL5339.msi, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psal.pdb source: PulseApplicationLauncher.exe, 00000003.00000000.1667154949.0000000000235000.00000002.00000001.01000000.00000003.sdmp, PulseApplicationLauncher.exe, 00000003.00000002.1757181714.0000000000235000.00000002.00000001.01000000.00000003.sdmp, PulseApplicationLauncher.exe.1.dr, PulseApplicationLauncher.exe1.1.dr
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\psal.pdb source: PulseApplicationLauncher.exe0.1.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001342E0 FindFirstFileA,FindClose,CreateFileA,GetFileInformationByHandle,GetLastError,SetFileInformationByHandle,GetLastError,DeleteFileA,GetLastError,CloseHandle,CreateFileA, 3_2_001342E0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00134580 FindFirstFileA,FindClose, 3_2_00134580
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00134770 FindFirstFileA,FindClose,FindClose, 3_2_00134770
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001348F0 FindFirstFileA,FindClose,FindClose, 3_2_001348F0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001338E0 CreateFileA,GetLastError,DeviceIoControl,GetLastError,CreateFileA,GetLastError,DeviceIoControl,CloseHandle,ConvertStringSecurityDescriptorToSecurityDescriptorA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,DeleteFileA,GetLastError,GetLastError,CreateFileA,CloseHandle,GetLastError,LocalFree,GetLastError,CloseHandle, 3_2_001338E0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00130CC0 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00130CC0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00128210 ExpandEnvironmentStringsA,FindFirstFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,Concurrency::cancel_current_task,__fassign, 3_2_00128210
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00134500 FindFirstFileA,FindClose, 3_2_00134500
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00185580 FindFirstFileA,FindClose, 3_2_00185580
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00134650 FindFirstFileA,FindClose, 3_2_00134650
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00134810 FindFirstFileA,FindClose,FindClose, 3_2_00134810
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00133CC0 ConvertStringSecurityDescriptorToSecurityDescriptorA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,DeleteFileA,GetLastError,GetLastError,CreateFileA,CloseHandle,GetLastError,LocalFree, 3_2_00133CC0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00185D00 FindFirstFileA,FindFirstFileA,Sleep,Sleep,FindFirstFileA,FindClose, 3_2_00185D00
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_1_00130CC0 FindFirstFileA, 3_1_00130CC0
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 23.220.136.112
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00168150 select,recv,WSAGetLastError,send,WSAGetLastError,WSAGetLastError, 3_2_00168150
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BZoCVwFWo7naPVk&MD=YSyY96gg HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=BZoCVwFWo7naPVk&MD=YSyY96gg HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: google.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: PSL5339.msi, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: PSL5339.msi, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: PSL5339.msi, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PSL5339.msi, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: PSL5339.msi, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: PSL5339.msi, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr String found in binary or memory: http://wixtoolset.org
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: PSL5339.msi, psalswitch.exe.1.dr, PulseApplicationLauncher.exe.1.dr, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr, PulseApplicationLauncher.exe1.1.dr, PulseExt.exe.1.dr, PulseExt64.exe.1.dr, PulseApplicationLauncher.exe0.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 23.220.136.112:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.220.136.112:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.4:49747 version: TLS 1.2
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001338E0: CreateFileA,GetLastError,DeviceIoControl,GetLastError,CreateFileA,GetLastError,DeviceIoControl,CloseHandle,ConvertStringSecurityDescriptorToSecurityDescriptorA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,DeleteFileA,GetLastError,GetLastError,CreateFileA,CloseHandle,GetLastError,LocalFree,GetLastError,CloseHandle, 3_2_001338E0
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00187150 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetLastError,DuplicateTokenEx,GetLastError,CloseHandle,GetProcAddress,GetProcAddress,GetLastError,GetLastError,GetLastError,GetProcAddress,GetLastError,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetLastError,GetLastError,CreateProcessAsUserA,CloseHandle,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,CloseHandle,FreeLibrary,CloseHandle,CloseHandle, 3_2_00187150
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0017CEEA GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,ExitWindowsEx,GetLastError,AdjustTokenPrivileges,CloseHandle, 3_2_0017CEEA
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5b6324.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI646C.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{A85F9180-F7FE-4E81-B67F-BB54A1BD2CDB} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI64FA.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5b6326.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\5b6326.msi Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI646C.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001C0003 3_2_001C0003
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001AB030 3_2_001AB030
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00148070 3_2_00148070
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001E50DE 3_2_001E50DE
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001520C0 3_2_001520C0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001D8100 3_2_001D8100
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00168150 3_2_00168150
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0014E160 3_2_0014E160
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0017A16F 3_2_0017A16F
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001751B0 3_2_001751B0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001671D0 3_2_001671D0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001181E0 3_2_001181E0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001C1216 3_2_001C1216
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0017A3B4 3_2_0017A3B4
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001C0476 3_2_001C0476
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001C1473 3_2_001C1473
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0014E520 3_2_0014E520
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0014A620 3_2_0014A620
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0013E650 3_2_0013E650
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00201666 3_2_00201666
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001106B0 3_2_001106B0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001C06A8 3_2_001C06A8
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001566D0 3_2_001566D0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00201786 3_2_00201786
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001607F0 3_2_001607F0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0012B830 3_2_0012B830
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00151870 3_2_00151870
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001C193C 3_2_001C193C
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00179A7C 3_2_00179A7C
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00139A80 3_2_00139A80
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00142AA0 3_2_00142AA0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001C0B1B 3_2_001C0B1B
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00179B43 3_2_00179B43
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0013ABA0 3_2_0013ABA0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00137C10 3_2_00137C10
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00183D6E 3_2_00183D6E
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00117D80 3_2_00117D80
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0013BE40 3_2_0013BE40
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00124E4C 3_2_00124E4C
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001FDE7C 3_2_001FDE7C
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00187EE0 3_2_00187EE0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_1_001181E0 3_1_001181E0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_1_001106B0 3_1_001106B0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_1_0012B830 3_1_0012B830
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_1_00117D80 3_1_00117D80
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_1_00124E4C 3_1_00124E4C
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: String function: 00125A20 appears 1380 times
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: String function: 0018BC50 appears 42 times
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: String function: 0017F790 appears 59 times
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: String function: 001A9B00 appears 42 times
Sample file is different than original file name gathered from version info
Source: PSL5339.msi Binary or memory string: OriginalFilenamewixca.dll\ vs PSL5339.msi
Source: classification engine Classification label: sus33.evad.winMSI@25/41@4/3
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00105153 __EH_prolog3_GS,FormatMessageA,_strlen,GetLastError,LocalFree, 3_2_00105153
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0017CEEA GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,GetLastError,GetLastError,ExitWindowsEx,GetLastError,AdjustTokenPrivileges,CloseHandle, 3_2_0017CEEA
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00104B69 __EH_prolog3_GS,GetTickCount,GetSystemTimeAsFileTime,GetDiskFreeSpaceExA,UuidCreate, 3_2_00104B69
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0011B090 CreateToolhelp32Snapshot,Process32Next,Process32Next,CloseHandle, 3_2_0011B090
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00121380 GetModuleHandleA,GetModuleFileNameA,GetLastError,PathRemoveFileSpecA,GetModuleFileNameW,GetLastError,PathRemoveFileSpecW,CoInitialize,CoCreateInstance, 3_2_00121380
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML6576.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\PulseSecure.LogService.Settings.Mutex.v2
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Mutant created: NULL
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF799DDD98B2193694.TMP Jump to behavior
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: PSL5339.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: PulseApplicationLauncher.exe String found in binary or memory: Missing a component and needs to be re-installed. Component: Resource Catalog
Source: PulseApplicationLauncher.exe String found in binary or memory: Missing a component and needs to be re-installed.Component: Resource Catalog
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PSL5339.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 940058BE92977F245B44AFFE26674F7A
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1824,i,13947100179998375561,13646205961899372581,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 940058BE92977F245B44AFFE26674F7A Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1824,i,13947100179998375561,13646205961899372581,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File written: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\Version.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: PSL5339.msi Static file information: File size 3284992 > 1048576
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\PulseExt.pdb source: PulseExt64.exe.1.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb= source: psalswitch.exe.1.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\PulseExt.pdb source: PulseExt.exe.1.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psalswitch.pdb source: psalswitch.exe.1.dr
Source: Binary string: C:\agent\_work\82\s\build\ship\x86\wixca.pdb source: PSL5339.msi, 5b6324.msi.1.dr, MSI646C.tmp.1.dr, 5b6326.msi.1.dr
Source: Binary string: s:\ive\out\bin\winnt-x86-Release\psal.pdb source: PulseApplicationLauncher.exe, 00000003.00000000.1667154949.0000000000235000.00000002.00000001.01000000.00000003.sdmp, PulseApplicationLauncher.exe, 00000003.00000002.1757181714.0000000000235000.00000002.00000001.01000000.00000003.sdmp, PulseApplicationLauncher.exe.1.dr, PulseApplicationLauncher.exe1.1.dr
Source: Binary string: s:\ive\out\bin\winnt-x64-Release\psal.pdb source: PulseApplicationLauncher.exe0.1.dr
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00133680 _strrchr,LoadLibraryA,GetProcAddress,GetSecurityDescriptorSacl,GetLastError,GetLastError,GetProcAddress,GetLastError,SetNamedSecurityInfoA,LocalFree,FreeLibrary, 3_2_00133680
PE file contains sections with non-standard names
Source: PulseApplicationLauncher.exe0.1.dr Static PE information: section name: _RDATA
Source: PulseExt64.exe.1.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0018B71D push ecx; ret 3_2_0018B730
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI646C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI646C.tmp Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00120900 GetPrivateProfileStringA, 3_2_00120900
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Process information set: NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contain functionality to detect virtual machines
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: vmwarevdi VMware Desktop 3_2_0010B7C0
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI646C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\psalswitch.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x64\PulseApplicationLauncher.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseExt64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\x86\PulseApplicationLauncher.exe Jump to dropped file
Found evaded block containing many API calls
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Evaded block: after key decision
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe API coverage: 6.5 %
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001342E0 FindFirstFileA,FindClose,CreateFileA,GetFileInformationByHandle,GetLastError,SetFileInformationByHandle,GetLastError,DeleteFileA,GetLastError,CloseHandle,CreateFileA, 3_2_001342E0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00134580 FindFirstFileA,FindClose, 3_2_00134580
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00134770 FindFirstFileA,FindClose,FindClose, 3_2_00134770
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001348F0 FindFirstFileA,FindClose,FindClose, 3_2_001348F0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001338E0 CreateFileA,GetLastError,DeviceIoControl,GetLastError,CreateFileA,GetLastError,DeviceIoControl,CloseHandle,ConvertStringSecurityDescriptorToSecurityDescriptorA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,DeleteFileA,GetLastError,GetLastError,CreateFileA,CloseHandle,GetLastError,LocalFree,GetLastError,CloseHandle, 3_2_001338E0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00130CC0 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00130CC0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00128210 ExpandEnvironmentStringsA,FindFirstFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,Concurrency::cancel_current_task,__fassign, 3_2_00128210
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00134500 FindFirstFileA,FindClose, 3_2_00134500
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00185580 FindFirstFileA,FindClose, 3_2_00185580
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00134650 FindFirstFileA,FindClose, 3_2_00134650
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00134810 FindFirstFileA,FindClose,FindClose, 3_2_00134810
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00133CC0 ConvertStringSecurityDescriptorToSecurityDescriptorA,FindFirstFileA,FindClose,FindFirstFileA,FindClose,DeleteFileA,GetLastError,GetLastError,CreateFileA,CloseHandle,GetLastError,LocalFree, 3_2_00133CC0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00185D00 FindFirstFileA,FindFirstFileA,Sleep,Sleep,FindFirstFileA,FindClose, 3_2_00185D00
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_1_00130CC0 FindFirstFileA, 3_1_00130CC0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0017E73E GetModuleHandleA,GetProcAddress,GetSystemInfo,GetSystemInfo, 3_2_0017E73E
Source: PulseApplicationLauncher.exe0.1.dr Binary or memory string: AppIdAppActionLaunchParamsURLServerTokensHostSrvCertMd5LocaleServerVersionTimeStampPSALSwitchTruehcHost CheckerepoacOdyssey Access ClientepjamctsPulse Secure Citrix Services ClientwtsPulse Terminal Services ClientpulseNetwork ConnectsamSecure Application ManagercitrixvdiCitrix Xen DesktopvmwarevdiVMware DesktopPulse CollaborationLog UploadjsamhobautowtsWindows Terminal ServicesInvalid parameterPsal::CmdParsers:\ive\setup\psal\common\psalcmd.cppKey = %sxxxxKey = %s, Value = %sUnknown key. IgnoringFirefoxEdgeChromeStopUninstallSetHCCookieInvalid 'AppAction' present in the input = %s'AppId' is not present in the inputInvalid 'AppId' present in the input'AppId' conatins unexpected character'AppAction' is not present in the inputInvalid 'AppAction' present in the input'AppAction' conatins unexpected characterpsalparams.cgiwelcome.cgimtgpleasewait.cgirdremediate.cgi'LaunchParamsURL' is not present in the inputInvalid 'LaunchParamsURL' present in the input.cgiInvalid 'LaunchParamsURL'. NO Qmark and No Cgi in LaunchURLInvalid 'LaunchParamsURL'. NO slash in LaunchURLInvalid 'LaunchParamsURL' Invalid start positionIndex of ? = %dIndex of slash = %dstrCGIFile = %s'Host' is not present in the inputInvalid 'Host' present in the input'ServerTokens' is not present in the inputInvalid 'ServerTokens' present in the input'SrvCertMd5' is not present in the inputInvalid 'SrvCertMd5' present in the input'SrvCertMd5' conatins unexpected character'UserAgent' is not present in the inputInvalid 'UserAgent' present in the input'Locale' is not present in the inputInvalid 'Locale' present in the input'Locale' conatins unexpected character'ServerVersion' is not present in the inputInvalid 'ServerVersion' present in the input'ServerVersion' conatins unexpected character'Timestamp' is not present in the inputInvalid 'Timestamp' present in the input'Timestamp' conatins unexpected characterlist too longXW
Source: PulseApplicationLauncher.exe0.1.dr Binary or memory string: vmwarevdi
Source: PulseApplicationLauncher.exe0.1.dr Binary or memory string: VMware Desktop
Source: PulseApplicationLauncher.exe1.1.dr Binary or memory string: @AppIdAppActionLaunchParamsURLServerTokensSrvCertMd5LocaleServerVersionTimeStampPSALSwitchTruehcHost CheckerepoacOdyssey Access ClientepjamPulse SecurectsPulse Secure Citrix Services ClientwtsPulse Terminal Services ClientpulsencNetwork ConnectsamSecure Application ManagercitrixvdiCitrix Xen DesktopvmwarevdiVMware DesktopPulse CollaborationLog UploadjsamhobautowtsWindows Terminal ServicesInvalid parameterPsal::CmdParsers:\ive\setup\psal\common\psalcmd.cppKey = %sKey = %s, Value = %sUnknown key. IgnoringFirefoxfirefoxEdgeChromechromeStartStopUninstallSetHCCookieInvalid 'AppAction' present in the input = %s'AppId' is not present in the inputInvalid 'AppId' present in the input'AppId' conatins unexpected character'AppAction' is not present in the inputInvalid 'AppAction' present in the input'AppAction' conatins unexpected characterpsalparams.cgiwelcome.cgimtgpleasewait.cgirdremediate.cgi'LaunchParamsURL' is not present in the inputInvalid 'LaunchParamsURL' present in the input.cgiInvalid 'LaunchParamsURL'. NO Qmark and No Cgi in LaunchURLInvalid 'LaunchParamsURL'. NO slash in LaunchURLInvalid 'LaunchParamsURL' Invalid start positionIndex of ? = %dIndex of slash = %dstrCGIFile = %s'Host' is not present in the inputInvalid 'Host' present in the input'ServerTokens' is not present in the inputInvalid 'ServerTokens' present in the input'SrvCertMd5' is not present in the inputInvalid 'SrvCertMd5' present in the input'SrvCertMd5' conatins unexpected character'UserAgent' is not present in the inputInvalid 'UserAgent' present in the input'Locale' is not present in the inputInvalid 'Locale' present in the input'Locale' conatins unexpected character'ServerVersion' is not present in the inputInvalid 'ServerVersion' present in the input'ServerVersion' conatins unexpected character'Timestamp' is not present in the inputInvalid 'Timestamp' present in the input'Timestamp' conatins unexpected characterlist too long
Source: PulseApplicationLauncher.exe, 00000003.00000002.1757514525.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: PulseApplicationLauncher.exe, 00000003.00000002.1757181714.0000000000235000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: AppIdAppActionLaunchParamsURLServerTokensSrvCertMd5LocaleServerVersionTimeStampPSALSwitchTruehcHost CheckerepoacOdyssey Access ClientepjamPulse SecurectsPulse Secure Citrix Services ClientwtsPulse Terminal Services ClientpulsencNetwork ConnectsamSecure Application ManagercitrixvdiCitrix Xen DesktopvmwarevdiVMware DesktopPulse CollaborationLog UploadjsamhobautowtsWindows Terminal ServicesInvalid parameterPsal::CmdParsers:\ive\setup\psal\common\psalcmd.cppKey = %sKey = %s, Value = %sUnknown key. IgnoringFirefoxfirefoxEdgeChromechromeStartStopUninstallSetHCCookieInvalid 'AppAction' present in the input = %s'AppId' is not present in the inputInvalid 'AppId' present in the input'AppId' conatins unexpected character'AppAction' is not present in the inputInvalid 'AppAction' present in the input'AppAction' conatins unexpected characterpsalparams.cgiwelcome.cgimtgpleasewait.cgirdremediate.cgi'LaunchParamsURL' is not present in the inputInvalid 'LaunchParamsURL' present in the input.cgiInvalid 'LaunchParamsURL'. NO Qmark and No Cgi in LaunchURLInvalid 'LaunchParamsURL'. NO slash in LaunchURLInvalid 'LaunchParamsURL' Invalid start positionIndex of ? = %dIndex of slash = %dstrCGIFile = %s'Host' is not present in the inputInvalid 'Host' present in the input'ServerTokens' is not present in the inputInvalid 'ServerTokens' present in the input'SrvCertMd5' is not present in the inputInvalid 'SrvCertMd5' present in the input'SrvCertMd5' conatins unexpected character'UserAgent' is not present in the inputInvalid 'UserAgent' present in the input'Locale' is not present in the inputInvalid 'Locale' present in the input'Locale' conatins unexpected character'ServerVersion' is not present in the inputInvalid 'ServerVersion' present in the input'ServerVersion' conatins unexpected character'Timestamp' is not present in the inputInvalid 'Timestamp' present in the input'Timestamp' conatins unexpected characterlist too long
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001B6152 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_001B6152
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00133680 _strrchr,LoadLibraryA,GetProcAddress,GetSecurityDescriptorSacl,GetLastError,GetLastError,GetProcAddress,GetLastError,SetNamedSecurityInfoA,LocalFree,FreeLibrary, 3_2_00133680
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001F1750 mov eax, dword ptr fs:[00000030h] 3_2_001F1750
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001CDB62 mov eax, dword ptr fs:[00000030h] 3_2_001CDB62
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0012E170 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,___std_exception_destroy, 3_2_0012E170
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe "C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe" PSALInstallFinished Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0012D230 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegQueryValueExA,RegQueryValueExA,RegCloseKey,_strncpy,GetLastError,_strncpy,_strncpy,PathRemoveExtensionA,GetCurrentProcessId,SetUnhandledExceptionFilter, 3_2_0012D230
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_001B6152 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_001B6152
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0018B3E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0018B3E7
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00132D40 CoCreateInstance,SetUnhandledExceptionFilter, 3_2_00132D40
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00188B00 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 3_2_00188B00
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: GetLocaleInfoW, 3_2_001EC391
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetUserDefaultUILanguage,__Init_thread_footer, 3_2_00186510
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: EnumSystemLocalesW, 3_2_001F96FC
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: EnumSystemLocalesW, 3_2_001F9765
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: EnumSystemLocalesW, 3_2_001F9800
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_001F9C04
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_001F9DD9
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Queries volume information: C:\Users\Public\Pulse Secure\Logging\PulseClient.log VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_00131FE0 ConvertStringSecurityDescriptorToSecurityDescriptorA,GetLastError,_strrchr,GetLocalTime,CreateFileA,GetLastError,LocalFree, 3_2_00131FE0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0012C5C0 GetCurrentProcessId,GetCurrentProcessId,ProcessIdToSessionId,GetCurrentProcessId,GetLastError,GetCurrentProcessId,WaitForSingleObject,GetCurrentProcessId,CloseHandle,GetCurrentProcessId,ReleaseMutex,CloseHandle,GetCurrentProcessId,CreateMutexA,GetLastError,ReleaseMutex,GetUserNameA,_strncpy,CreateEventA,GetLastError, 3_2_0012C5C0
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0017E49C GetVersionExA,GetVersionExA,GetVersionExA,GetLastError, 3_2_0017E49C
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe Code function: 3_2_0016C290 WSAGetLastError,htons,htons,htons,socket,bind,closesocket,WSAGetLastError,WSAGetLastError,closesocket,connect,WSAGetLastError,WSAGetLastError,WSAGetLastError,closesocket,WSAGetLastError,getsockname,htons,getsockname,htons, 3_2_0016C290
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1436492 Sample: PSL5339.msi Startdate: 05/05/2024 Architecture: WINDOWS Score: 33 37 Contain functionality to detect virtual machines 2->37 6 msiexec.exe 101 63 2->6         started        9 chrome.exe 1 2->9         started        12 msiexec.exe 3 2->12         started        process3 dnsIp4 21 C:\Users\...\PulseApplicationLauncher.exe, PE32 6->21 dropped 23 C:\Windows\Installer\MSI646C.tmp, PE32 6->23 dropped 25 C:\Users\...\PulseApplicationLauncher.exe, PE32 6->25 dropped 27 4 other files (none is malicious) 6->27 dropped 14 PulseApplicationLauncher.exe 3 6->14         started        16 msiexec.exe 6->16         started        33 192.168.2.4, 138, 443, 49378 unknown unknown 9->33 35 239.255.255.250 unknown Reserved 9->35 18 chrome.exe 9->18         started        file5 process6 dnsIp7 29 www.google.com 172.253.63.99, 443, 49738, 49749 GOOGLEUS United States 18->29 31 google.com 18->31
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
239.255.255.250
 unknown Reserved
unknown unknown false
172.253.63.99
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.4

Contacted Domains

Name IP Active
google.com 172.253.115.139 true
www.google.com 172.253.63.99 true