ae654731f8e85ec41a77edbfad7ec0064497421803fbc5105ca8a935af57fd6e

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2023, 23:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

parsec-windows.exe
Size

2.7MB
MD5

b49af1859c41d9178c4af8b330d64741
SHA1

1272d1cd56010a813e05bcb32d8cf824e8a5e725
SHA256

ae654731f8e85ec41a77edbfad7ec0064497421803fbc5105ca8a935af57fd6e
SHA512

238add2b5db89886e31e281fa633ac4657580c853b5f6750a6e6816ffb85551466abbe7589fe60e19c0fe57989258c99a658331a4e039b48a991a5d2f8cc66cc
SSDEEP

49152:MmRtVNwyndBmOrH+e/xsQjhtmZZcoANnuR+pAfkdE2WX8zPmK:3vhQ1st7oMpA92fmK

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\parsecvusba.sys	DrvInst.exe

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4944	netsh.exe
1436	netsh.exe
2872	netsh.exe
3004	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 6 IoCs

pid	Process
4428	devcon.exe
4724	devcon.exe
2564	pservice.exe
3996	devcon.exe
2028	parsecd.exe
3724	parsecd.exe

Loads dropped DLL 6 IoCs

pid	Process
1344	parsec-windows.exe
1344	parsec-windows.exe
1344	parsec-windows.exe
2028	parsecd.exe
3724	parsecd.exe
3724	parsecd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parsec.App.0 = "C:\\Program Files\\Parsec\\parsecd.exe app_silent=1"	parsecd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	pservice.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3ba2d3c-0fc7-644f-8202-44054a5b34a4}\SETD874.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e3ba2d3c-0fc7-644f-8202-44054a5b34a4}\SETD875.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3ba2d3c-0fc7-644f-8202-44054a5b34a4}\parsecvusba.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.PNF	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3ba2d3c-0fc7-644f-8202-44054a5b34a4}\parsecvusba.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_4A9A0BBEBC0AA728CF9BFF068BE5A494	pservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	pservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_4A9A0BBEBC0AA728CF9BFF068BE5A494	pservice.exe
File created	C:\Windows\System32\DriverStore\Temp\{e3ba2d3c-0fc7-644f-8202-44054a5b34a4}\SETD874.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3ba2d3c-0fc7-644f-8202-44054a5b34a4}\parsecvusba.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3ba2d3c-0fc7-644f-8202-44054a5b34a4}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3ba2d3c-0fc7-644f-8202-44054a5b34a4}\SETD854.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e3ba2d3c-0fc7-644f-8202-44054a5b34a4}\SETD854.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e3ba2d3c-0fc7-644f-8202-44054a5b34a4}\SETD875.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Parsec\parsecd.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\firewall-add.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\parsecvusba.cat	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\mm.inf	parsec-windows.exe
File created	C:\Program Files\Parsec\teams.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\uninstall.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\devcon-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\parsecvusba.inf	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\mm.cat	parsec-windows.exe
File created	C:\Program Files\Parsec\skel\parsecd-150-86h.dll	parsec-windows.exe
File created	C:\Program Files\Parsec\skel\appdata.json	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\firewall-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-install.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\vdd-install.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\vdd-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\devcon.exe	parsec-windows.exe
File opened for modification	C:\Program Files\Parsec	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\devcon-install.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\mm.dll	parsec-windows.exe
File created	C:\Program Files\Parsec\pservice.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\parsecvusba.sys	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\devcon.exe	parsec-windows.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1580	sc.exe
4228	sc.exe
3784	sc.exe
3644	sc.exe
2692	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	parsecd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000087bcf9ccea5dd901	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	pservice.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\URL Protocol	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open\command\ = "\"C:\\Program Files\\Parsec\\parsecd.exe\" \"%1\""	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\URL Protocol	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open\command	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open\command\ = "\"C:\\Program Files\\Parsec\\parsecd.exe\" \"%1\""	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\ = "URL:parsec Protocol"	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\ = "URL:parsecd Protocol"	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open\command	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open	parsec-windows.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	parsecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3724	parsecd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2564	pservice.exe
2564	pservice.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3724	parsecd.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid
4

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeAuditPrivilege	4484	svchost.exe
Token: SeSecurityPrivilege	4484	svchost.exe
Token: SeLoadDriverPrivilege	3996	devcon.exe
Token: SeRestorePrivilege	5044	DrvInst.exe
Token: SeBackupPrivilege	5044	DrvInst.exe
Token: SeLoadDriverPrivilege	5044	DrvInst.exe
Token: SeLoadDriverPrivilege	5044	DrvInst.exe
Token: SeLoadDriverPrivilege	5044	DrvInst.exe
Token: 33	4156	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4156	AUDIODG.EXE
Token: 33	3724	parsecd.exe
Token: SeIncBasePriorityPrivilege	3724	parsecd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3724	parsecd.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3724	parsecd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3724	parsecd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2188	1344	parsec-windows.exe	91
PID 1344 wrote to memory of 2188	1344	parsec-windows.exe	91
PID 1344 wrote to memory of 2188	1344	parsec-windows.exe	91
PID 2188 wrote to memory of 4228	2188	wscript.exe	92
PID 2188 wrote to memory of 4228	2188	wscript.exe	92
PID 2188 wrote to memory of 4228	2188	wscript.exe	92
PID 1344 wrote to memory of 4076	1344	parsec-windows.exe	96
PID 1344 wrote to memory of 4076	1344	parsec-windows.exe	96
PID 1344 wrote to memory of 4076	1344	parsec-windows.exe	96
PID 4076 wrote to memory of 4428	4076	wscript.exe	97
PID 4076 wrote to memory of 4428	4076	wscript.exe	97
PID 1344 wrote to memory of 3968	1344	parsec-windows.exe	99
PID 1344 wrote to memory of 3968	1344	parsec-windows.exe	99
PID 1344 wrote to memory of 3968	1344	parsec-windows.exe	99
PID 3968 wrote to memory of 4724	3968	wscript.exe	100
PID 3968 wrote to memory of 4724	3968	wscript.exe	100
PID 1344 wrote to memory of 4560	1344	parsec-windows.exe	102
PID 1344 wrote to memory of 4560	1344	parsec-windows.exe	102
PID 1344 wrote to memory of 4560	1344	parsec-windows.exe	102
PID 4560 wrote to memory of 3784	4560	wscript.exe	103
PID 4560 wrote to memory of 3784	4560	wscript.exe	103
PID 4560 wrote to memory of 3784	4560	wscript.exe	103
PID 4560 wrote to memory of 3644	4560	wscript.exe	105
PID 4560 wrote to memory of 3644	4560	wscript.exe	105
PID 4560 wrote to memory of 3644	4560	wscript.exe	105
PID 1344 wrote to memory of 4836	1344	parsec-windows.exe	107
PID 1344 wrote to memory of 4836	1344	parsec-windows.exe	107
PID 1344 wrote to memory of 4836	1344	parsec-windows.exe	107
PID 4836 wrote to memory of 4944	4836	wscript.exe	108
PID 4836 wrote to memory of 4944	4836	wscript.exe	108
PID 4836 wrote to memory of 4944	4836	wscript.exe	108
PID 4836 wrote to memory of 1436	4836	wscript.exe	110
PID 4836 wrote to memory of 1436	4836	wscript.exe	110
PID 4836 wrote to memory of 1436	4836	wscript.exe	110
PID 4836 wrote to memory of 2872	4836	wscript.exe	112
PID 4836 wrote to memory of 2872	4836	wscript.exe	112
PID 4836 wrote to memory of 2872	4836	wscript.exe	112
PID 1344 wrote to memory of 4416	1344	parsec-windows.exe	114
PID 1344 wrote to memory of 4416	1344	parsec-windows.exe	114
PID 1344 wrote to memory of 4416	1344	parsec-windows.exe	114
PID 4416 wrote to memory of 1520	4416	wscript.exe	115
PID 4416 wrote to memory of 1520	4416	wscript.exe	115
PID 4416 wrote to memory of 1520	4416	wscript.exe	115
PID 1344 wrote to memory of 5040	1344	parsec-windows.exe	117
PID 1344 wrote to memory of 5040	1344	parsec-windows.exe	117
PID 1344 wrote to memory of 5040	1344	parsec-windows.exe	117
PID 5040 wrote to memory of 2692	5040	wscript.exe	118
PID 5040 wrote to memory of 2692	5040	wscript.exe	118
PID 5040 wrote to memory of 2692	5040	wscript.exe	118
PID 5040 wrote to memory of 1580	5040	wscript.exe	120
PID 5040 wrote to memory of 1580	5040	wscript.exe	120
PID 5040 wrote to memory of 1580	5040	wscript.exe	120
PID 1344 wrote to memory of 1248	1344	parsec-windows.exe	123
PID 1344 wrote to memory of 1248	1344	parsec-windows.exe	123
PID 1344 wrote to memory of 1248	1344	parsec-windows.exe	123
PID 1248 wrote to memory of 3004	1248	wscript.exe	124
PID 1248 wrote to memory of 3004	1248	wscript.exe	124
PID 1248 wrote to memory of 3004	1248	wscript.exe	124
PID 1344 wrote to memory of 1112	1344	parsec-windows.exe	127
PID 1344 wrote to memory of 1112	1344	parsec-windows.exe	127
PID 1344 wrote to memory of 1112	1344	parsec-windows.exe	127
PID 1112 wrote to memory of 3996	1112	wscript.exe	128
PID 1112 wrote to memory of 3996	1112	wscript.exe	128
PID 4484 wrote to memory of 4560	4484	svchost.exe	131

C:\Users\Admin\AppData\Local\Temp\parsec-windows.exe
"C:\Users\Admin\AppData\Local\Temp\parsec-windows.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" control Parsec 200
    3⤵
    - Launches sc.exe
    PID:4228
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\devcon-remove.vbs" "C:\Program Files\Parsec\vusb\"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Program Files\Parsec\vusb\devcon.exe
    "C:\Program Files\Parsec\vusb\devcon.exe" remove Root\Parsec\VUSBA
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4428
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\vdd-remove.vbs" "C:\Program Files\Parsec\vdd\"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Program Files\Parsec\vdd\devcon.exe
    "C:\Program Files\Parsec\vdd\devcon.exe" remove Root\Parsec\VDA
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4724
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop Parsec
    3⤵
    - Launches sc.exe
    PID:3784
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" delete Parsec
    3⤵
    - Launches sc.exe
    PID:3644
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
    3⤵
    - Modifies Windows Firewall
    PID:4944
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
    3⤵
    - Modifies Windows Firewall
    PID:1436
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
    3⤵
    - Modifies Windows Firewall
    PID:2872
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
    3⤵
    PID:1520
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
    3⤵
    - Launches sc.exe
    PID:2692
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start Parsec
    3⤵
    - Launches sc.exe
    PID:1580
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
    3⤵
    - Modifies Windows Firewall
    PID:3004
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\devcon-install.vbs" "C:\Program Files\Parsec\vusb\"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Program Files\Parsec\vusb\devcon.exe
    "C:\Program Files\Parsec\vusb\devcon.exe" install "C:\Program Files\Parsec\vusb\parsecvusba.inf" Root\Parsec\VUSBA
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
- C:\Program Files\Parsec\parsecd.exe
  "C:\Program Files\Parsec\parsecd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  PID:2028

C:\Program Files\Parsec\pservice.exe
"C:\Program Files\Parsec\pservice.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2564
- C:\Program Files\Parsec\parsecd.exe
  "C:\Program Files\Parsec\parsecd.exe" SERVICE_LAUNCHED_V6
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{9acfa4c0-907c-9a4e-9cff-21655bd74ad4}\parsecvusba.inf" "9" "4419fa153" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files\parsec\vusb"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4560
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\USB\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce884b7ae9cce:parsecvusba_Device:0.1.1.0:root\parsec\vusba," "4419fa153" "0000000000000148"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:5044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x374 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Parsec\parsecd.exe

Filesize
451KB

MD5
adf970bb295346b0a6c53f88a1df50e4

SHA1
c3025efc68b330d0f95e9fed17f243f289e77636

SHA256
af30926b8bd58a9871d2c987d6c1647caf28f776315a6a82b1b12d04511f1efc

SHA512
4ae4207e9585a53667ee06cfca7dffab11668bde2d6bfbb62b664f0686ec5ea29c43eefff333672e45ba54602721c171f2524fc25a4f3c78ebfd83d03dad9951

Download Submit
C:\Program Files\Parsec\parsecd.exe

Filesize
451KB

MD5
adf970bb295346b0a6c53f88a1df50e4

SHA1
c3025efc68b330d0f95e9fed17f243f289e77636

SHA256
af30926b8bd58a9871d2c987d6c1647caf28f776315a6a82b1b12d04511f1efc

SHA512
4ae4207e9585a53667ee06cfca7dffab11668bde2d6bfbb62b664f0686ec5ea29c43eefff333672e45ba54602721c171f2524fc25a4f3c78ebfd83d03dad9951

Download Submit
C:\Program Files\Parsec\parsecd.exe

Filesize
451KB

MD5
adf970bb295346b0a6c53f88a1df50e4

SHA1
c3025efc68b330d0f95e9fed17f243f289e77636

SHA256
af30926b8bd58a9871d2c987d6c1647caf28f776315a6a82b1b12d04511f1efc

SHA512
4ae4207e9585a53667ee06cfca7dffab11668bde2d6bfbb62b664f0686ec5ea29c43eefff333672e45ba54602721c171f2524fc25a4f3c78ebfd83d03dad9951

Download Submit
C:\Program Files\Parsec\parsecd.exe

Filesize
451KB

MD5
adf970bb295346b0a6c53f88a1df50e4

SHA1
c3025efc68b330d0f95e9fed17f243f289e77636

SHA256
af30926b8bd58a9871d2c987d6c1647caf28f776315a6a82b1b12d04511f1efc

SHA512
4ae4207e9585a53667ee06cfca7dffab11668bde2d6bfbb62b664f0686ec5ea29c43eefff333672e45ba54602721c171f2524fc25a4f3c78ebfd83d03dad9951

Download Submit
C:\Program Files\Parsec\pservice.exe

Filesize
414KB

MD5
4c828bfc7282b9faac68dcffa04748ec

SHA1
5f7cc414c79ec029accc1974d77ac1121ab065a9

SHA256
858395062d04854410abb29ba7e89b9c9d3a5afcb19713c76a3131057f9af0e2

SHA512
269ef798b53b3f75c951c7ed1af4377c8e6a319db79e26f60ee36419c7147ed0208ecd08862d701e3990d270c007f12328ff181125082bb9059aad586abd5377

Download Submit
C:\Program Files\Parsec\pservice.exe

Filesize
414KB

MD5
4c828bfc7282b9faac68dcffa04748ec

SHA1
5f7cc414c79ec029accc1974d77ac1121ab065a9

SHA256
858395062d04854410abb29ba7e89b9c9d3a5afcb19713c76a3131057f9af0e2

SHA512
269ef798b53b3f75c951c7ed1af4377c8e6a319db79e26f60ee36419c7147ed0208ecd08862d701e3990d270c007f12328ff181125082bb9059aad586abd5377

Download Submit
C:\Program Files\Parsec\skel\appdata.json

Filesize
155B

MD5
402a61c961006a551518f9174c4bdefc

SHA1
2ce0fb21a2a7aa057d4bcc934e9a2d1e95211f70

SHA256
6a4b62597d69a1d490fdbced9d0076551ce512b3d29ae018df4e9835f739aedb

SHA512
1ad72563de25d5c04d7d3267287d20a57f89a41d07b984fabb85f2b0c68ca2be8f8aa36d5d52b22819fe110a7fc99e961a53ebaa0d18296142d3d1b9f354f99c

Download Submit
C:\Program Files\Parsec\skel\parsecd-150-86h.dll

Filesize
3.2MB

MD5
864f36082ae99b72597e64fdd3420250

SHA1
73fa06def6cb66271778edc46b95e13f1149e843

SHA256
917e9c68ac5a6d9c22c3ce20382679caed91d81cd51a4545a7515331db0cd2b8

SHA512
9cc2b57196deb61f9390b171e9ca803afe814dcb424c149d5e8675cdd4d2f12003aa3fcb27a61e8d9c5268fb3150bac9cc34b8306ccd7c57c9fe32b71a43a220

Download Submit
C:\Program Files\Parsec\vdd\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vdd\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Program Files\Parsec\wscripts\devcon-install.vbs

Filesize
339B

MD5
f3c6b9f1b6d0e119ff69945d34e5ebbe

SHA1
a1887ec6ce36d1b3546471f66c8862e0893ebaf7

SHA256
5ceb23a270bd473507e76a722212b47ffee3891870781c41d96e749e7534f24f

SHA512
20ab95ce40f49c64bee471d51110812f5789f5d7bba05bacf29c58f4549c972e8217e0e6971a60e63b798386720297ad97bf3021c5e755c711a1f350a57f5114

Download Submit
C:\Program Files\Parsec\wscripts\devcon-remove.vbs

Filesize
306B

MD5
aa7ef5a944cc8488c9655d933610e1ba

SHA1
a100ddb0441701ef63f8b5fc2fdb4094ccbc55e1

SHA256
9e2531fdc309bfe88c6646e5883b36302480536e171540ce601fc4b10704e03f

SHA512
122dd1f6d6645f9f5844dd8c9498d1c1b3f0087938a65e23ffc9c2ed59c223fa00caeaea30a56a783a5844aa17baf05defa72976e7e8c5aec4bc056a7fe89c93

Download Submit
C:\Program Files\Parsec\wscripts\firewall-add.vbs

Filesize
307B

MD5
882374285898f16b5f9ff44afc1ae701

SHA1
31c9445557c9b8ecda1f0a6d5ff666e01dd1c3ca

SHA256
0be5aa5cc6395a86878f56b131e13db4908e48f06e892ff8f8cf9e2d3b6c8abb

SHA512
3b05158b03b57a4d2cbfee9cef6adfe973d080264a88e5cdeb85c59b567529cd1cd2a3b5d8538cb8637d140fd8691dc8826388ab669b7bfb2d5c1c4174069243

Download Submit
C:\Program Files\Parsec\wscripts\firewall-remove.vbs

Filesize
367B

MD5
5d4d70cdf36fcdaa292da1da9133320c

SHA1
92dc18d3d1128d43f482ab56804136c687b00713

SHA256
75f1dece4fda689a907f6d74b513adb0c1771c1b79ea71160179542c9c4ab2f0

SHA512
b54c92fbecb10ddf66d1b7ad950ffbc13f504c71081a8bd56c28c5689a2bf19bd81b467e0697c38f140c72a273eb9eb837105e738c6f1ac4f43344e2ab521778

Download Submit
C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs

Filesize
115B

MD5
c78520c3162c1962f3164714b37eb4d0

SHA1
67c19b8aea7ad99465976dbcd3efcfdd7d62e3fe

SHA256
dea38bd553abe93c689de42d0220add18f9be3e3d2fa53f97eb8649f586df4f3

SHA512
cfbfc2c7dd8019f98b77e8881680ef9d0135a210fb9b0136a4992c236d971e247aa1641cd2eafdc5f6f5bb61002b30ea14b226127c4cef04f3b3d6be3a941fcc

Download Submit
C:\Program Files\Parsec\wscripts\service-install.vbs

Filesize
412B

MD5
971e2a344a6e17347a81eeb21ada7ba7

SHA1
37e034c29adda9b118b75bfdc7c6f41aac71e257

SHA256
01f62a12de3307b375dff3ebcd6961d76ffcbc24f70682c7875655a811ce76a1

SHA512
5ea0750dc07ff1a0eb1807043b48fb9ed54f6dcb96ce03cb543b0ea36d326779814b6cb87091373574911662a35d75b576e35c5b8d781db36fe1503f8287c65d

Download Submit
C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs

Filesize
105B

MD5
5a9e6b7ea8911aafca7d5299283795b9

SHA1
7b7c863302e2d5ff8b8f298be9eb2409292077cb

SHA256
f0a62d83920cf2cc4a5d5d3ac46b9a7d99b9835b58a6e63bca868941d08c5c9a

SHA512
c5611c99e139253abf9f6b60b1ffa4de438fa475901bfba24d18af82b523eb1bb79a83a89a09c253cacf4d9a50ed743d8e7acc12ecd9c59d488ade2af866ea66

Download Submit
C:\Program Files\Parsec\wscripts\service-remove.vbs

Filesize
150B

MD5
b90e75dd7903cb2d6328bb3714865c7a

SHA1
2d32868deb198726ed5feb80b66542bad7fbacee

SHA256
970b3c2a9ea1906a177810990478932e3517f47aba267cf2ab9e4ba65e7b475f

SHA512
3d4bfb86ec98fd85843ae5b63dcf5f475c6500380f02bb4d0dee15a5f7e2334abdbbcd9420b8ac05b5beb8a63b9ea16abcd70ae01c04b87a423fc288ff4dca0a

Download Submit
C:\Program Files\Parsec\wscripts\vdd-remove.vbs

Filesize
304B

MD5
7414c331d58788784f820f0b2cc7b5b0

SHA1
72301126d7a8cd2e21d5cd1a64844b08d0f4bebc

SHA256
300f15c94dae513508bd87e28b632a9342ebf3ca059050af5f54d3cb0ee5a9ff

SHA512
140258d6adb99a23af0f7b61605e5928dbd04d8295617773486f8c2dac7a7d29899b65b0bbb9558d5da3026de30569ca152f237df3d53597c68ecdec9bd86824

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk94E3.tmp\ApplicationID.dll

Filesize
196KB

MD5
a858c1a57e32485505b1977cf0a125be

SHA1
25d86c4b51f7cc10fc70e3a0493a39c4460cc350

SHA256
1462a072345e86318b981089b08b613a34027ddf527bfb66606c683f218fc3b4

SHA512
32b597fc2412a9407fd12ac77c556ff9740f1dd0d2055426d11a7baf21b09c536a84cfb97865b4e94168656514e7ce71eb2bc4122aa340100f4ce483bad1722d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk94E3.tmp\ApplicationID.dll

Filesize
196KB

MD5
a858c1a57e32485505b1977cf0a125be

SHA1
25d86c4b51f7cc10fc70e3a0493a39c4460cc350

SHA256
1462a072345e86318b981089b08b613a34027ddf527bfb66606c683f218fc3b4

SHA512
32b597fc2412a9407fd12ac77c556ff9740f1dd0d2055426d11a7baf21b09c536a84cfb97865b4e94168656514e7ce71eb2bc4122aa340100f4ce483bad1722d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk94E3.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk94E3.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9ACFA~1\parsecvusba.cat

Filesize
11KB

MD5
49c8afa6763b5d017975c9972326c3df

SHA1
4dcf8012645ed1bdea60f8a9ee6d51f067417d08

SHA256
636dae8dcb26083bf2714578660b47ebc85ef09da6325f27b08a26714b887481

SHA512
7dbe4f10ecd670b6c62ae73a5b6ecf08dbba2fa52a3dec8250e415602ba15f38301d4f87fa32c557a48623c5e67522b8f8ffb49f778672e87cc9b68283718894

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9ACFA~1\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9acfa4c0-907c-9a4e-9cff-21655bd74ad4}\parsecvusba.cat

Filesize
11KB

MD5
49c8afa6763b5d017975c9972326c3df

SHA1
4dcf8012645ed1bdea60f8a9ee6d51f067417d08

SHA256
636dae8dcb26083bf2714578660b47ebc85ef09da6325f27b08a26714b887481

SHA512
7dbe4f10ecd670b6c62ae73a5b6ecf08dbba2fa52a3dec8250e415602ba15f38301d4f87fa32c557a48623c5e67522b8f8ffb49f778672e87cc9b68283718894

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9acfa4c0-907c-9a4e-9cff-21655bd74ad4}\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9acfa4c0-907c-9a4e-9cff-21655bd74ad4}\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9acfa4c0-907c-9a4e-9cff-21655bd74ad4}\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\appdata.json

Filesize
155B

MD5
402a61c961006a551518f9174c4bdefc

SHA1
2ce0fb21a2a7aa057d4bcc934e9a2d1e95211f70

SHA256
6a4b62597d69a1d490fdbced9d0076551ce512b3d29ae018df4e9835f739aedb

SHA512
1ad72563de25d5c04d7d3267287d20a57f89a41d07b984fabb85f2b0c68ca2be8f8aa36d5d52b22819fe110a7fc99e961a53ebaa0d18296142d3d1b9f354f99c

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\appdata.json

Filesize
155B

MD5
402a61c961006a551518f9174c4bdefc

SHA1
2ce0fb21a2a7aa057d4bcc934e9a2d1e95211f70

SHA256
6a4b62597d69a1d490fdbced9d0076551ce512b3d29ae018df4e9835f739aedb

SHA512
1ad72563de25d5c04d7d3267287d20a57f89a41d07b984fabb85f2b0c68ca2be8f8aa36d5d52b22819fe110a7fc99e961a53ebaa0d18296142d3d1b9f354f99c

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\appdata.json

Filesize
132B

MD5
0ab8318ac6958dfef2c5f2708954017c

SHA1
88fe823f91ba7d0a2ddd8230518b1947f060e716

SHA256
f58b6995fd73abc1213bfcc4a7ce15f73503fef85f00f45515b6a80e16000849

SHA512
d4dbdf0785b3d845d3619a675170c1eb5562065c571ba79a757eb822f50c7543bfcca8bd849ab388d22d486b864682d35c34e277ca8e136880f85140b4725cd9

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\parsecd-150-86h.dll

Filesize
3.2MB

MD5
864f36082ae99b72597e64fdd3420250

SHA1
73fa06def6cb66271778edc46b95e13f1149e843

SHA256
917e9c68ac5a6d9c22c3ce20382679caed91d81cd51a4545a7515331db0cd2b8

SHA512
9cc2b57196deb61f9390b171e9ca803afe814dcb424c149d5e8675cdd4d2f12003aa3fcb27a61e8d9c5268fb3150bac9cc34b8306ccd7c57c9fe32b71a43a220

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\parsecd-150-86h.dll

Filesize
3.2MB

MD5
864f36082ae99b72597e64fdd3420250

SHA1
73fa06def6cb66271778edc46b95e13f1149e843

SHA256
917e9c68ac5a6d9c22c3ce20382679caed91d81cd51a4545a7515331db0cd2b8

SHA512
9cc2b57196deb61f9390b171e9ca803afe814dcb424c149d5e8675cdd4d2f12003aa3fcb27a61e8d9c5268fb3150bac9cc34b8306ccd7c57c9fe32b71a43a220

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\parsecd-150-86h.dll

Filesize
3.2MB

MD5
864f36082ae99b72597e64fdd3420250

SHA1
73fa06def6cb66271778edc46b95e13f1149e843

SHA256
917e9c68ac5a6d9c22c3ce20382679caed91d81cd51a4545a7515331db0cd2b8

SHA512
9cc2b57196deb61f9390b171e9ca803afe814dcb424c149d5e8675cdd4d2f12003aa3fcb27a61e8d9c5268fb3150bac9cc34b8306ccd7c57c9fe32b71a43a220

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\parsecd-150-86h.dll

Filesize
3.2MB

MD5
864f36082ae99b72597e64fdd3420250

SHA1
73fa06def6cb66271778edc46b95e13f1149e843

SHA256
917e9c68ac5a6d9c22c3ce20382679caed91d81cd51a4545a7515331db0cd2b8

SHA512
9cc2b57196deb61f9390b171e9ca803afe814dcb424c149d5e8675cdd4d2f12003aa3fcb27a61e8d9c5268fb3150bac9cc34b8306ccd7c57c9fe32b71a43a220

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\parsecd-150-87c.dll

Filesize
3.1MB

MD5
572bae1c94eef2115b21fa7b0d659e54

SHA1
e2c2003bdacc595c4767a1e9ba5cc549c3989379

SHA256
641e9989c6a32ae486dbbc4bc7f9f32c1333e7b9f00341f8b80261cb8b6979b8

SHA512
c246b04800ea2bdac6eec2f1de8e17fbc50d486761b9cbf5c2002fc35e2c4669e56854389cd09d406920eafc015f5c70ad3cfc0d28c9584bc54ae5f33a5dab7c

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\parsecd-150-87c.dll

Filesize
3.1MB

MD5
572bae1c94eef2115b21fa7b0d659e54

SHA1
e2c2003bdacc595c4767a1e9ba5cc549c3989379

SHA256
641e9989c6a32ae486dbbc4bc7f9f32c1333e7b9f00341f8b80261cb8b6979b8

SHA512
c246b04800ea2bdac6eec2f1de8e17fbc50d486761b9cbf5c2002fc35e2c4669e56854389cd09d406920eafc015f5c70ad3cfc0d28c9584bc54ae5f33a5dab7c

Download Submit
C:\Windows\INF\oem3.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Windows\System32\DriverStore\FileRepository\PARSEC~1.INF\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
88bdbcd4b3459b8d64300776ac32ae89

SHA1
36db5f85b7ebc796b193c95a9d85609c3a9a3c37

SHA256
7a8623cb830aa50457814a61dd20e79358b295ee64db4046bc38b553d0c6c8de

SHA512
1256c5e16a3290b01775e1662a60e4f59baf7c13b9e33d2b7fd719b247b4747e70dd4b5bfdff0f79235914e04c7a7712974e0ae59629bafc2bc1d6f501a7749e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_4A9A0BBEBC0AA728CF9BFF068BE5A494

Filesize
471B

MD5
b9742aa1c700d8ac3f4246f06bf5192e

SHA1
664c3740ee48817e7919f668c27aee9142bd8841

SHA256
a7a661f411616049e58238d0e7a809fc7ca49ab4cfbc5658d37334a7dc610c43

SHA512
4cfd8f05d4931b11cacf96b12bd71098f50aa59008fa341fc9406426f343d90d14d1f898e42c4f8f94ddfdd65b3607e15f6c368b6f243a09390d8f5bf02107ca

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
426B

MD5
b1a674dfcaf40adb8a262b96c6795bc6

SHA1
1c4627ff8f9e2a170c9f887c84c36ad83e58f724

SHA256
14068ca05260ff1995b663785cd003a31eb65d003987c57a56e00d949e0276e5

SHA512
0911f7b192bd5da2471bc10e38ef39e4481ddd8487f6acb80c50dea076a60540de8d7497f21fb8df5a94e11884740868693cc7aaf25144f3b57275c4e254c9ed

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_4A9A0BBEBC0AA728CF9BFF068BE5A494

Filesize
420B

MD5
15a76e5263c0818255884ec4f2c2fbdd

SHA1
8f5d162c548b8032f8561acd08d5f7abc5b96bc3

SHA256
b8938d48825149eb5f89ccc40ae2b63db763d32864f8040f4c73297eb90d081f

SHA512
caa6e437f54f832a6740419b2e912ecc8d1a094a72d6baac6f2e6826ab8bc1138e08d95d8b8ff08f7aa9507990cca2e856488ef83232869821e374e9a005c78a

Download Submit
\??\c:\PROGRA~1\parsec\vusb\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
\??\c:\program files\parsec\vusb\parsecvusba.cat

Filesize
11KB

MD5
49c8afa6763b5d017975c9972326c3df

SHA1
4dcf8012645ed1bdea60f8a9ee6d51f067417d08

SHA256
636dae8dcb26083bf2714578660b47ebc85ef09da6325f27b08a26714b887481

SHA512
7dbe4f10ecd670b6c62ae73a5b6ecf08dbba2fa52a3dec8250e415602ba15f38301d4f87fa32c557a48623c5e67522b8f8ffb49f778672e87cc9b68283718894

Download Submit