c1ec9ff1824ba53874ab1cb0f1e64c86ab84cfebc09434e33adaeea065211de1

Analysis

max time kernel
148s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
17/05/2023, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RMLLauncher (1).exe
Size

507KB
MD5

a1887288be1d739385b74a9b1e4ec776
SHA1

b4f9f7569b4eb9c01a964ea3e7bd58d4c2e3c5a1
SHA256

c1ec9ff1824ba53874ab1cb0f1e64c86ab84cfebc09434e33adaeea065211de1
SHA512

72a74af82bd764521d1c117145640d1e9974190350377e5776acb5797a8d4ab37263c8f8621af76899a50f4d7d586f75e47a7194cf43e93b30d0400ae2dab36b
SSDEEP

6144:9ZiiMGbeHPZKpGtpuW4gvbRuaBqwzGIWEj9O3whKqWeuW4gvbeuaBXVBE56w93we:7/gZpGW4SRuUqwtRwAhWW4SeuUjP

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\parsecvusba.sys	DrvInst.exe

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1868	netsh.exe
4620	netsh.exe
3320	netsh.exe
380	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 7 IoCs

pid	Process
1756	parsec-windows.exe
3912	devcon.exe
4152	devcon.exe
4744	pservice.exe
2756	devcon.exe
5180	parsecd.exe
5468	parsecd.exe

Loads dropped DLL 5 IoCs

pid	Process
1756	parsec-windows.exe
1756	parsec-windows.exe
1756	parsec-windows.exe
5180	parsecd.exe
5468	parsecd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{48c0e3b7-b15b-4845-bf5d-bddc9581b3c0}\SET4660.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{48c0e3b7-b15b-4845-bf5d-bddc9581b3c0}\parsecvusba.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{48c0e3b7-b15b-4845-bf5d-bddc9581b3c0}\parsecvusba.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{48c0e3b7-b15b-4845-bf5d-bddc9581b3c0}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_4A9A0BBEBC0AA728CF9BFF068BE5A494	pservice.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{48c0e3b7-b15b-4845-bf5d-bddc9581b3c0}\SET4650.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{48c0e3b7-b15b-4845-bf5d-bddc9581b3c0}\SET4660.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{48c0e3b7-b15b-4845-bf5d-bddc9581b3c0}\SET4661.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{48c0e3b7-b15b-4845-bf5d-bddc9581b3c0}\SET4661.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{48c0e3b7-b15b-4845-bf5d-bddc9581b3c0}\SET4650.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{48c0e3b7-b15b-4845-bf5d-bddc9581b3c0}\parsecvusba.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.PNF	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	pservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	pservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_4A9A0BBEBC0AA728CF9BFF068BE5A494	pservice.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.PNF	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.sys	DrvInst.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\Parsec\vusb\devcon.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\parsecvusba.sys	parsec-windows.exe
File created	C:\Program Files\Parsec\skel\parsecd-150-87d.dll	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\devcon-install.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-install.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs	parsec-windows.exe
File opened for modification	C:\Program Files\Parsec	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\devcon.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\parsecvusba.cat	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\parsecvusba.inf	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\mm.inf	parsec-windows.exe
File created	C:\Program Files\Parsec\skel\appdata.json	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\firewall-add.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\firewall-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\vdd-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\mm.cat	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\mm.dll	parsec-windows.exe
File created	C:\Program Files\Parsec\teams.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\parsecd.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\devcon-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\vdd-install.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\pservice.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\uninstall.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\setup.json	parsec-windows.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem3.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2112	sc.exe
3564	sc.exe
4272	sc.exe
3444	sc.exe
1868	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\URL Protocol	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\URL Protocol	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\ = "URL:parsec Protocol"	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open\command	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open\command\ = "\"C:\\Program Files\\Parsec\\parsecd.exe\" \"%1\""	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\ = "URL:parsecd Protocol"	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open\command	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open\command\ = "\"C:\\Program Files\\Parsec\\parsecd.exe\" \"%1\""	parsec-windows.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5468	parsecd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe
4744	pservice.exe
4744	pservice.exe
5448	chrome.exe
5448	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1756	parsec-windows.exe
5468	parsecd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	RMLLauncher (1).exe
Token: SeDebugPrivilege	2548	firefox.exe
Token: SeDebugPrivilege	2548	firefox.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeAuditPrivilege	380	svchost.exe
Token: SeSecurityPrivilege	380	svchost.exe
Token: SeShutdownPrivilege	4448	chrome.exe
Token: SeCreatePagefilePrivilege	4448	chrome.exe
Token: SeLoadDriverPrivilege	2756	devcon.exe
Token: SeRestorePrivilege	1292	DrvInst.exe
Token: SeBackupPrivilege	1292	DrvInst.exe
Token: SeLoadDriverPrivilege	1292	DrvInst.exe
Token: SeLoadDriverPrivilege	1292	DrvInst.exe
Token: SeLoadDriverPrivilege	1292	DrvInst.exe
Token: SeShutdownPrivilege	4448	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
5468	parsecd.exe
5468	parsecd.exe
4448	chrome.exe
5468	parsecd.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
2548	firefox.exe
2548	firefox.exe
2548	firefox.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
4448	chrome.exe
5468	parsecd.exe
5468	parsecd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2548	firefox.exe
5468	parsecd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2244 wrote to memory of 2548	2244	firefox.exe	68
PID 2548 wrote to memory of 3892	2548	firefox.exe	69
PID 2548 wrote to memory of 3892	2548	firefox.exe	69
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 1496	2548	firefox.exe	70
PID 2548 wrote to memory of 3484	2548	firefox.exe	71
PID 2548 wrote to memory of 3484	2548	firefox.exe	71
PID 2548 wrote to memory of 3484	2548	firefox.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.0.1044859840\1121951494" -parentBuildID 20221007134813 -prefsHandle 1624 -prefMapHandle 1612 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c495a9f3-bbdb-4c43-b9e3-505e89c6c66a} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 1716 20a7f90e858 gpu
    3⤵
    PID:3892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.1.2108777933\1698030394" -parentBuildID 20221007134813 -prefsHandle 2052 -prefMapHandle 2044 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79524dcf-e2a8-4802-b190-3cced45ee4be} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 2064 20a7eefa258 socket
    3⤵
    - Checks processor information in registry
    PID:1496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.2.1738703366\888677820" -childID 1 -isForBrowser -prefsHandle 2884 -prefMapHandle 2744 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a945445-0a11-401e-8d5c-bb3d1e30a578} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 2736 20a03268558 tab
    3⤵
    PID:3484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.3.954730845\612926855" -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 3532 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e51bcb03-c2e2-40e7-99af-ed5fa704d60b} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 3548 20a0434f358 tab
    3⤵
    PID:3152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.4.979580830\1094520650" -childID 3 -isForBrowser -prefsHandle 4336 -prefMapHandle 3536 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e18c217-f850-47aa-bfc5-e7c6caae989d} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 4344 20a0469c558 tab
    3⤵
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.6.916879089\1774585259" -childID 5 -isForBrowser -prefsHandle 4900 -prefMapHandle 4904 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {103f7e89-556c-4c62-9b21-37a69b93bc5f} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 4760 20a0600cd58 tab
    3⤵
    PID:5112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.5.560878714\837071439" -childID 4 -isForBrowser -prefsHandle 4728 -prefMapHandle 4744 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbfc8fc3-85ec-4059-8f23-dbc771a52b96} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 4720 20a0469b958 tab
    3⤵
    PID:1616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2548.7.757048208\2026548359" -childID 6 -isForBrowser -prefsHandle 5092 -prefMapHandle 5096 -prefsLen 26781 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71e2b5c7-667f-4288-95ae-99e9cccf7196} 2548 "\\.\pipe\gecko-crash-server-pipe.2548" 5080 20a0600e858 tab
    3⤵
    PID:5092

C:\Users\Admin\AppData\Local\Temp\RMLLauncher (1).exe
"C:\Users\Admin\AppData\Local\Temp\RMLLauncher (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd60829758,0x7ffd60829768,0x7ffd60829778
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1668 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:2
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2948 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4284 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4512 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4600 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4440 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4660 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5064 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5696 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4616 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5472 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6000 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:8
  2⤵
  PID:4160
- C:\Users\Admin\Downloads\parsec-windows.exe
  "C:\Users\Admin\Downloads\parsec-windows.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1756
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
    3⤵
    PID:1536
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" control Parsec 200
      4⤵
      Launches sc.exe
      PID:2112
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\devcon-remove.vbs" "C:\Program Files\Parsec\vusb\"
    3⤵
    PID:4908
  - - C:\Program Files\Parsec\vusb\devcon.exe
      "C:\Program Files\Parsec\vusb\devcon.exe" remove Root\Parsec\VUSBA
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:3912
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\vdd-remove.vbs" "C:\Program Files\Parsec\vdd\"
    3⤵
    PID:2544
  - - C:\Program Files\Parsec\vdd\devcon.exe
      "C:\Program Files\Parsec\vdd\devcon.exe" remove Root\Parsec\VDA
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:4152
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4748
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
    3⤵
    PID:5060
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" stop Parsec
      4⤵
      Launches sc.exe
      PID:3564
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" delete Parsec
      4⤵
      Launches sc.exe
      PID:4272
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
    3⤵
    PID:3988
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
      4⤵
      Modifies Windows Firewall
      PID:1868
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2544
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
      4⤵
      Modifies Windows Firewall
      PID:4620
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
      4⤵
      Modifies Windows Firewall
      PID:3320
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
      4⤵
      PID:4616
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
    3⤵
    PID:3448
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
      4⤵
      Launches sc.exe
      PID:3444
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start Parsec
      4⤵
      Launches sc.exe
      PID:1868
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2204
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
    3⤵
    PID:1760
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
      4⤵
      Modifies Windows Firewall
      PID:380
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\devcon-install.vbs" "C:\Program Files\Parsec\vusb\"
    3⤵
    PID:4620
  - - C:\Program Files\Parsec\vusb\devcon.exe
      "C:\Program Files\Parsec\vusb\devcon.exe" install "C:\Program Files\Parsec\vusb\parsecvusba.inf" Root\Parsec\VUSBA
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      PID:2756
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3988
- - C:\Program Files\Parsec\parsecd.exe
    "C:\Program Files\Parsec\parsecd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    PID:5180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3036 --field-trial-handle=1740,i,12488450463469576569,12037228273046518852,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5448

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec
1⤵
PID:4396

C:\Program Files\Parsec\pservice.exe
"C:\Program Files\Parsec\pservice.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4744
- C:\Program Files\Parsec\parsecd.exe
  "C:\Program Files\Parsec\parsecd.exe" SERVICE_LAUNCHED_V7
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5468

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:380
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{da150d3c-079e-da44-bd47-730c3b08ffc2}\parsecvusba.inf" "9" "4419fa153" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "c:\program files\parsec\vusb"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:4880
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\USB\0000" "C:\Windows\INF\oem3.inf" "parsecvusba.inf:c14ce884b7ae9cce:parsecvusba_Device:0.1.1.0:root\parsec\vusba," "4419fa153" "0000000000000178"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Parsec\parsecd.exe

Filesize
450KB

MD5
ce98489ae22d6e345e91949bacddb4c0

SHA1
646c002e53a2e406d3ba9ba26d8ad7d514110b32

SHA256
6d2029d705bb5baa38f0cfa2d767ebb7e9565323328aca286255bd690e9987db

SHA512
cb3e9da4c1f9c0f66aa9768525d6b39ca40c2b42780009b1c8276d43801cb76938bad4b92b0fb65da9847428826d5ef4eaec17bfd6e82cc0e71efe785232028c

Download Submit
C:\Program Files\Parsec\parsecd.exe

Filesize
450KB

MD5
ce98489ae22d6e345e91949bacddb4c0

SHA1
646c002e53a2e406d3ba9ba26d8ad7d514110b32

SHA256
6d2029d705bb5baa38f0cfa2d767ebb7e9565323328aca286255bd690e9987db

SHA512
cb3e9da4c1f9c0f66aa9768525d6b39ca40c2b42780009b1c8276d43801cb76938bad4b92b0fb65da9847428826d5ef4eaec17bfd6e82cc0e71efe785232028c

Download Submit
C:\Program Files\Parsec\parsecd.exe

Filesize
450KB

MD5
ce98489ae22d6e345e91949bacddb4c0

SHA1
646c002e53a2e406d3ba9ba26d8ad7d514110b32

SHA256
6d2029d705bb5baa38f0cfa2d767ebb7e9565323328aca286255bd690e9987db

SHA512
cb3e9da4c1f9c0f66aa9768525d6b39ca40c2b42780009b1c8276d43801cb76938bad4b92b0fb65da9847428826d5ef4eaec17bfd6e82cc0e71efe785232028c

Download Submit
C:\Program Files\Parsec\parsecd.exe

Filesize
450KB

MD5
ce98489ae22d6e345e91949bacddb4c0

SHA1
646c002e53a2e406d3ba9ba26d8ad7d514110b32

SHA256
6d2029d705bb5baa38f0cfa2d767ebb7e9565323328aca286255bd690e9987db

SHA512
cb3e9da4c1f9c0f66aa9768525d6b39ca40c2b42780009b1c8276d43801cb76938bad4b92b0fb65da9847428826d5ef4eaec17bfd6e82cc0e71efe785232028c

Download Submit
C:\Program Files\Parsec\pservice.exe

Filesize
406KB

MD5
e2c143ea07596857aefe2499f22ad400

SHA1
0dcc27100be26c6a43590aa9a1be1d21f266cd3a

SHA256
4c875900211b3e5de2438e5df94421bf56c256628b255bbbf37f8c919bae1936

SHA512
baa49cbaf976a1dcb7059390eed65f70db73d2e883a09e46291a26873df9b0809ba50c407554c79d1215e57b6446cf1e0853e5d367467871d008d6b53e92f160

Download Submit
C:\Program Files\Parsec\pservice.exe

Filesize
406KB

MD5
e2c143ea07596857aefe2499f22ad400

SHA1
0dcc27100be26c6a43590aa9a1be1d21f266cd3a

SHA256
4c875900211b3e5de2438e5df94421bf56c256628b255bbbf37f8c919bae1936

SHA512
baa49cbaf976a1dcb7059390eed65f70db73d2e883a09e46291a26873df9b0809ba50c407554c79d1215e57b6446cf1e0853e5d367467871d008d6b53e92f160

Download Submit
C:\Program Files\Parsec\setup.json

Filesize
28B

MD5
f4993c1cb73612115a9393e7f895a543

SHA1
550341774c8c36ff1ebd6194df8448013ebb9b80

SHA256
878dc7a5b708cbc7e9ab2465587c5a76f70b7e8bcbea871dde7583da6246940d

SHA512
d73633e88f3cf504733b856b89a151a38d02f75a02b31684075b76344d72947353b0f70a14ebda03586a952fd6902a5d7734b0cd69382078e7bd85af6b9d6d0c

Download Submit
C:\Program Files\Parsec\skel\appdata.json

Filesize
155B

MD5
650dea764c7bd8bb96dcb8bdbb7c7de9

SHA1
776daa3c2923d52c86fc167a2b9e6944ee087178

SHA256
66bc1fc3a8df99b1b8691d22f7165fcb6293bc6c84d7b525215321c1b5d06e81

SHA512
54bb8b1ea9189e21017054acd0ba70f7e11e0d22dfca5c22e7a8026c3890edecead6505e2d4a9a1a3d447db06351607c204b43964bbd78702d08e28b5ada2c29

Download Submit
C:\Program Files\Parsec\skel\parsecd-150-87d.dll

Filesize
3.1MB

MD5
1c76bee252aa9fb75e6d0108a5a84261

SHA1
dc02ad5234182e4f35b0aeaedf379273c61ff437

SHA256
8eff81ca6932d5a69604f9546a8133e48730852dfbc234e6df3d0f33cc746e6a

SHA512
da1481a3ca4563e7d27ad066547738aa94799f004b334b317f8acb499642ddb8b7bc0bad1e89bf0a26f4ae7e65bce7d1c72099929faef9db7ddabb5df73542e1

Download Submit
C:\Program Files\Parsec\vdd\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vdd\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Program Files\Parsec\wscripts\devcon-install.vbs

Filesize
339B

MD5
f3c6b9f1b6d0e119ff69945d34e5ebbe

SHA1
a1887ec6ce36d1b3546471f66c8862e0893ebaf7

SHA256
5ceb23a270bd473507e76a722212b47ffee3891870781c41d96e749e7534f24f

SHA512
20ab95ce40f49c64bee471d51110812f5789f5d7bba05bacf29c58f4549c972e8217e0e6971a60e63b798386720297ad97bf3021c5e755c711a1f350a57f5114

Download Submit
C:\Program Files\Parsec\wscripts\devcon-remove.vbs

Filesize
306B

MD5
aa7ef5a944cc8488c9655d933610e1ba

SHA1
a100ddb0441701ef63f8b5fc2fdb4094ccbc55e1

SHA256
9e2531fdc309bfe88c6646e5883b36302480536e171540ce601fc4b10704e03f

SHA512
122dd1f6d6645f9f5844dd8c9498d1c1b3f0087938a65e23ffc9c2ed59c223fa00caeaea30a56a783a5844aa17baf05defa72976e7e8c5aec4bc056a7fe89c93

Download Submit
C:\Program Files\Parsec\wscripts\firewall-add.vbs

Filesize
307B

MD5
882374285898f16b5f9ff44afc1ae701

SHA1
31c9445557c9b8ecda1f0a6d5ff666e01dd1c3ca

SHA256
0be5aa5cc6395a86878f56b131e13db4908e48f06e892ff8f8cf9e2d3b6c8abb

SHA512
3b05158b03b57a4d2cbfee9cef6adfe973d080264a88e5cdeb85c59b567529cd1cd2a3b5d8538cb8637d140fd8691dc8826388ab669b7bfb2d5c1c4174069243

Download Submit
C:\Program Files\Parsec\wscripts\firewall-remove.vbs

Filesize
367B

MD5
5d4d70cdf36fcdaa292da1da9133320c

SHA1
92dc18d3d1128d43f482ab56804136c687b00713

SHA256
75f1dece4fda689a907f6d74b513adb0c1771c1b79ea71160179542c9c4ab2f0

SHA512
b54c92fbecb10ddf66d1b7ad950ffbc13f504c71081a8bd56c28c5689a2bf19bd81b467e0697c38f140c72a273eb9eb837105e738c6f1ac4f43344e2ab521778

Download Submit
C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs

Filesize
115B

MD5
c78520c3162c1962f3164714b37eb4d0

SHA1
67c19b8aea7ad99465976dbcd3efcfdd7d62e3fe

SHA256
dea38bd553abe93c689de42d0220add18f9be3e3d2fa53f97eb8649f586df4f3

SHA512
cfbfc2c7dd8019f98b77e8881680ef9d0135a210fb9b0136a4992c236d971e247aa1641cd2eafdc5f6f5bb61002b30ea14b226127c4cef04f3b3d6be3a941fcc

Download Submit
C:\Program Files\Parsec\wscripts\service-install.vbs

Filesize
412B

MD5
971e2a344a6e17347a81eeb21ada7ba7

SHA1
37e034c29adda9b118b75bfdc7c6f41aac71e257

SHA256
01f62a12de3307b375dff3ebcd6961d76ffcbc24f70682c7875655a811ce76a1

SHA512
5ea0750dc07ff1a0eb1807043b48fb9ed54f6dcb96ce03cb543b0ea36d326779814b6cb87091373574911662a35d75b576e35c5b8d781db36fe1503f8287c65d

Download Submit
C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs

Filesize
105B

MD5
5a9e6b7ea8911aafca7d5299283795b9

SHA1
7b7c863302e2d5ff8b8f298be9eb2409292077cb

SHA256
f0a62d83920cf2cc4a5d5d3ac46b9a7d99b9835b58a6e63bca868941d08c5c9a

SHA512
c5611c99e139253abf9f6b60b1ffa4de438fa475901bfba24d18af82b523eb1bb79a83a89a09c253cacf4d9a50ed743d8e7acc12ecd9c59d488ade2af866ea66

Download Submit
C:\Program Files\Parsec\wscripts\service-remove.vbs

Filesize
150B

MD5
b90e75dd7903cb2d6328bb3714865c7a

SHA1
2d32868deb198726ed5feb80b66542bad7fbacee

SHA256
970b3c2a9ea1906a177810990478932e3517f47aba267cf2ab9e4ba65e7b475f

SHA512
3d4bfb86ec98fd85843ae5b63dcf5f475c6500380f02bb4d0dee15a5f7e2334abdbbcd9420b8ac05b5beb8a63b9ea16abcd70ae01c04b87a423fc288ff4dca0a

Download Submit
C:\Program Files\Parsec\wscripts\vdd-remove.vbs

Filesize
304B

MD5
7414c331d58788784f820f0b2cc7b5b0

SHA1
72301126d7a8cd2e21d5cd1a64844b08d0f4bebc

SHA256
300f15c94dae513508bd87e28b632a9342ebf3ca059050af5f54d3cb0ee5a9ff

SHA512
140258d6adb99a23af0f7b61605e5928dbd04d8295617773486f8c2dac7a7d29899b65b0bbb9558d5da3026de30569ca152f237df3d53597c68ecdec9bd86824

Download Submit
C:\ProgramData\Parsec\appdata.json

Filesize
155B

MD5
650dea764c7bd8bb96dcb8bdbb7c7de9

SHA1
776daa3c2923d52c86fc167a2b9e6944ee087178

SHA256
66bc1fc3a8df99b1b8691d22f7165fcb6293bc6c84d7b525215321c1b5d06e81

SHA512
54bb8b1ea9189e21017054acd0ba70f7e11e0d22dfca5c22e7a8026c3890edecead6505e2d4a9a1a3d447db06351607c204b43964bbd78702d08e28b5ada2c29

Download Submit
C:\ProgramData\Parsec\appdata.json

Filesize
155B

MD5
650dea764c7bd8bb96dcb8bdbb7c7de9

SHA1
776daa3c2923d52c86fc167a2b9e6944ee087178

SHA256
66bc1fc3a8df99b1b8691d22f7165fcb6293bc6c84d7b525215321c1b5d06e81

SHA512
54bb8b1ea9189e21017054acd0ba70f7e11e0d22dfca5c22e7a8026c3890edecead6505e2d4a9a1a3d447db06351607c204b43964bbd78702d08e28b5ada2c29

Download Submit
C:\ProgramData\Parsec\config.txt

Filesize
522B

MD5
8dc4ca6bcb63a9ad7b14e88ab773a753

SHA1
9e1c05e4afe04b33cb3d2a16a0c5418062f98af3

SHA256
bc5af91b882b29312ffcc063db2f09d5be72ea6be51cfad426175f2be3261f21

SHA512
c5f5b09a1e955e20c9e3e58855f21122d9276d508a1b1cf0af6c859fc7ed220d87b4c093260c0d21f70d116280e6abbb78f0398ff88829d0ffa278e3bae25dd5

Download Submit
C:\ProgramData\Parsec\parsecd-150-87d.dll

Filesize
3.1MB

MD5
1c76bee252aa9fb75e6d0108a5a84261

SHA1
dc02ad5234182e4f35b0aeaedf379273c61ff437

SHA256
8eff81ca6932d5a69604f9546a8133e48730852dfbc234e6df3d0f33cc746e6a

SHA512
da1481a3ca4563e7d27ad066547738aa94799f004b334b317f8acb499642ddb8b7bc0bad1e89bf0a26f4ae7e65bce7d1c72099929faef9db7ddabb5df73542e1

Download Submit
C:\ProgramData\Parsec\parsecd-150-87d.dll

Filesize
3.1MB

MD5
1c76bee252aa9fb75e6d0108a5a84261

SHA1
dc02ad5234182e4f35b0aeaedf379273c61ff437

SHA256
8eff81ca6932d5a69604f9546a8133e48730852dfbc234e6df3d0f33cc746e6a

SHA512
da1481a3ca4563e7d27ad066547738aa94799f004b334b317f8acb499642ddb8b7bc0bad1e89bf0a26f4ae7e65bce7d1c72099929faef9db7ddabb5df73542e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
87cdaff94fa51c02a60ee0d3d817be57

SHA1
6ddd992ee9e208ad0a00a038830fc538609b7b18

SHA256
6326f4a52f93e6d7301bc4ed7c98dc07c273e46fcfaafff72434d26544a8cb1f

SHA512
52e5dfaab807831fa04b588d3f780709a2b176dd44a8604c9dc119248d7bdde16ae066e9834e4e59e3e092c83a2dc6b436efb5f39d3936ffdfb615cbfb62a8a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6af2b90fe6a3ff7be1d7f8fc75795a72

SHA1
2e85f112240cfa36804935316a9c57dbfdde05ca

SHA256
d3d712f3b049b9fe9b60ed66c141915867ccd627ae7c220025b6fa77331fc25a

SHA512
238ae515f18f775ed0b7249a154bb95882502afa969b9ae2fce83d151aaa2b0317c4dcfba0887c2389eb27dadf4e78cd85ef1eba77a56f9a3b0d20033950f9d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
a46bb7df28b33b2e050d653750573e86

SHA1
665b5f2e5ea7595b059f405d539b8a4db0bf75de

SHA256
a124eaccdd5b35f62cc1ada9ff88a2d5bbc9a3fb3f6c6dd5d91abe45006b50c7

SHA512
10a782f72bdd187d33d291aed1b2f84efb4e864db106b5f5ac3a5a3f2819f1003d21c5c81b2ad2c91bba4c4c67bafc8db8d7c2f17eee2a1b61b7bb058a5fa39e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\4a40cb59-8ccf-4fd7-8de3-51b78d98f8c6.tmp

Filesize
3KB

MD5
a042fa4ba48fdb868ccc1757ba6ac95f

SHA1
3127e0e06bfa1f5f890d70978f8a622ace82729f

SHA256
24670cdd9543bc50300633571a2f71ae3f3591045c9257e4ff17c99c2fd9e517

SHA512
13bcb1419820c80a35bf1852e5bcf0fca160a5b1f398e91ff08d533c0a9be9361235b84a74a74b1b5872c5e838e8b07e052df32716eba4c7d87f9bf46bd8b9d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
9e0f13b5c8e7d456fd8371e0ae7cbe34

SHA1
6cc395e6d5a33372ab1a8b415967d42fc02028d0

SHA256
03395dbf1a6e590cf89fb1ff9badac9842d2f4c07c2de7b3bfe6c809e37e13b9

SHA512
a6c3f5fc416796383b423614ae586d49d97e1bddd141de23fcfc94b8408553acb87576962365b91c7a31bd6d5e627bfcbb8d27c9f5187465e491646e90bc2a3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c5bd539f-501c-466a-aa73-5f0bb83c4f1d.tmp

Filesize
6KB

MD5
0758c4e5cd332a2f917bde43d74f03d4

SHA1
680ccfe85ee67b41fdbd01abb76188e4c4fd6474

SHA256
5c36b8d87fea16e35d0f4d87bec4e943b10e530bd9132d1f9d9579be00349a51

SHA512
b7a07ec01bae3409f879e1c7e45fa27c09d6d3d39f63f78ea99587c7af322d0ce3344ffd34b0d2f255d8f58826517f02dec08b29b607c17ccf91032da65b687c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
56f6d64e910488116039def6d0db54b4

SHA1
ef7965df7d1896ac8eaf07d9008c9d762aba801b

SHA256
931df8be2470ff29443ee3b26df3a9576a7a85340b0831e5b6afa8bf248e8ba4

SHA512
1787a9986c7d32e699d85f298445445c570882b82a6eb4edb10d4764f21a979979c98a7d888c3c5fe139e0327cb5b88094c5df26851bf38c2ab8c9e47f818aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3d11e72cbf3a1ad0b6613ee6753ff2c8

SHA1
a3246c5eed51c4610ea9bacc35bd664e70ab3c45

SHA256
ad9e166d25005c11d2103f659f85fa25ba41e3fe8384881f6db1f4c37f927905

SHA512
ba8a718ad85b033d3aba3c1d1c5b36362a1e8149acaa7dbc584c0340f39afbe77efcb00505c994db3821756d8a882459009d3aec8b6fa3796ce7a651af3eab01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ed7d8f55a582b97e193f6991fe84945b

SHA1
2bc0682da6bef17d08425f0f0372ace98d35a424

SHA256
0ec9f9788fe0fac4c58896248b3c68bb3c816c334788088c2eb3d29bd58a994d

SHA512
f901d4f8e42b1896c5217f3fde9c7a8cb6f8a67ea175ba3df70062791678fbac3b747f821d65969f3b984f566a5f4f7bab35887b6d8bb7b683847cf789ce5b94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
0de05067146f89bb9bcda705307c46dc

SHA1
ba60e9bff5ae976378107ddc30ee462b46e0baa4

SHA256
aa44b1d2e37c00e227ad12cfb44aa381ce561e03254f8d233b263628433828c0

SHA512
d105002d7d96387e6411ab97a7aff0c7fd83f789459d6e53c9fa98f48d8d0f30a144d532db4a7865c7236fae20e7442047052c03c9ff2f9369a188abe2ebb7e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
e9e023ca26b73ca85469dea9b5df1734

SHA1
21382d5e7d1b4b88f7eb389812830e2fab63aa53

SHA256
6f68e18d913097afbe4672a206328d6673ba2d119e8ab8b2bb8ff6414d7bd2b6

SHA512
e6a249c9c255212146d9d49a5e8487420c6c7fbd8489012cef71475b196eb416dc355d216e2b1a8d19c1e1e08fc2cf9d4cbd58a3d20ccc07e5fc16285725d796

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p4wuoroe.default-release\activity-stream.discovery_stream.json.tmp

Filesize
154KB

MD5
7e6619062542b843fce40b913e188550

SHA1
e840cbc3c23b9cb786e0fd1a05dd5259a3ab0a5c

SHA256
f3e72ed36f98bb76c8cfea0d926d651b249cd4cf34900a27464f72cd50336de0

SHA512
efe56e3bb9165d555fae7158c8c4e8b6bae6e1cbbd77850e79f5d8fb0caef68da56af6d323f37e557f70b948570edf1b4fc551d57a9b3bc5939ed96036a5c931

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1DCA.tmp\ApplicationID.dll

Filesize
196KB

MD5
a858c1a57e32485505b1977cf0a125be

SHA1
25d86c4b51f7cc10fc70e3a0493a39c4460cc350

SHA256
1462a072345e86318b981089b08b613a34027ddf527bfb66606c683f218fc3b4

SHA512
32b597fc2412a9407fd12ac77c556ff9740f1dd0d2055426d11a7baf21b09c536a84cfb97865b4e94168656514e7ce71eb2bc4122aa340100f4ce483bad1722d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA150~1\parsecvusba.cat

Filesize
11KB

MD5
49c8afa6763b5d017975c9972326c3df

SHA1
4dcf8012645ed1bdea60f8a9ee6d51f067417d08

SHA256
636dae8dcb26083bf2714578660b47ebc85ef09da6325f27b08a26714b887481

SHA512
7dbe4f10ecd670b6c62ae73a5b6ecf08dbba2fa52a3dec8250e415602ba15f38301d4f87fa32c557a48623c5e67522b8f8ffb49f778672e87cc9b68283718894

Download Submit
C:\Users\Admin\AppData\Local\Temp\{DA150~1\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{da150d3c-079e-da44-bd47-730c3b08ffc2}\parsecvusba.cat

Filesize
11KB

MD5
49c8afa6763b5d017975c9972326c3df

SHA1
4dcf8012645ed1bdea60f8a9ee6d51f067417d08

SHA256
636dae8dcb26083bf2714578660b47ebc85ef09da6325f27b08a26714b887481

SHA512
7dbe4f10ecd670b6c62ae73a5b6ecf08dbba2fa52a3dec8250e415602ba15f38301d4f87fa32c557a48623c5e67522b8f8ffb49f778672e87cc9b68283718894

Download Submit
C:\Users\Admin\AppData\Local\Temp\{da150d3c-079e-da44-bd47-730c3b08ffc2}\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{da150d3c-079e-da44-bd47-730c3b08ffc2}\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{da150d3c-079e-da44-bd47-730c3b08ffc2}\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\prefs.js

Filesize
6KB

MD5
fc03769491e92557713bff75b3dcae44

SHA1
a4f4687575dba8a950a014c93d8f9f086a2b68d6

SHA256
3e943e423e8dd73d3afd2444234e9c1ca4eebd430da878f5bcc15e2141da7375

SHA512
8e2266f0af8f7833397b36b31482a43a4bd798693e069f8aeb823d12b767bcdac3aed772ce10b8907fca777436e4efc39ecb5172e81d2672f1165a2427b709b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\sessionstore.jsonlz4

Filesize
965B

MD5
da63664ff7f0eadde560aa1d081d45e9

SHA1
1815d4e6c26f3f0a98940db6a1f9348d03b00e75

SHA256
0c7382fb7892f97e87015b7a3b532e2a283e6998be5f9863b5bb15e04a8d807b

SHA512
3c9a4b0646a809d7ef3a0582ec3d9aae7807f11d28d81a4954a840a053985c6691d525e935a6e1a9871df47360145645a9ad1678477a83a608baf00a9b42dd5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p4wuoroe.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
2868ade33b3fc157edc3d0e6b6b88d96

SHA1
2fbc5d21e4b5b51b85aa242c5f1094b78b42f06f

SHA256
463716a72dce3b7c34a12818ca051fc044627890946b4437b6998bcc24a20534

SHA512
0756622f5ab9deb31b5cb909c570b236b58fd594d9ff52b92a670761f1b447a1f15f9032a50dce0bbd9b176a761fe7a5f2095938c1642bfe04b93ba83147ee0d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 103170.crdownload

Filesize
2.7MB

MD5
86c3e34147f64ca7b0bcfe4564317706

SHA1
dffbf6d25bcfe675fc314968a4413ba9757b6c25

SHA256
e17c059a2ec3153241f4cddf8081f19e83af890cb9126f3e1528474c29610786

SHA512
8d5f2efa99de7c6275162927b77dc3b5d640fbd18d771cff71ee7bd3cb8009d87fa23b8f29113d15aaca17b7aaa33a440434ba1ac2db7c1998d14673d31d4e5c

Download Submit
C:\Users\Admin\Downloads\parsec-windows.exe

Filesize
2.7MB

MD5
86c3e34147f64ca7b0bcfe4564317706

SHA1
dffbf6d25bcfe675fc314968a4413ba9757b6c25

SHA256
e17c059a2ec3153241f4cddf8081f19e83af890cb9126f3e1528474c29610786

SHA512
8d5f2efa99de7c6275162927b77dc3b5d640fbd18d771cff71ee7bd3cb8009d87fa23b8f29113d15aaca17b7aaa33a440434ba1ac2db7c1998d14673d31d4e5c

Download Submit
C:\Users\Admin\Downloads\parsec-windows.exe

Filesize
2.7MB

MD5
86c3e34147f64ca7b0bcfe4564317706

SHA1
dffbf6d25bcfe675fc314968a4413ba9757b6c25

SHA256
e17c059a2ec3153241f4cddf8081f19e83af890cb9126f3e1528474c29610786

SHA512
8d5f2efa99de7c6275162927b77dc3b5d640fbd18d771cff71ee7bd3cb8009d87fa23b8f29113d15aaca17b7aaa33a440434ba1ac2db7c1998d14673d31d4e5c

Download Submit
C:\Windows\INF\oem3.PNF

Filesize
9KB

MD5
8a19322ab1da6cf0173cfb5c069cdf99

SHA1
cb67711943eab7b0964d4fc4e92ecb5e783e6224

SHA256
0798f753d5934edbc7cf307274101c0e8e84f338f32d6d8c500900c3ff7c0b20

SHA512
01b244aa2a40619c4c8f45d547eb6739ba0a09126627666a2a37341e111214c48aad3c471616e7e21d8f04f89180324f05caecf5d472449c4fda79c71c4126d3

Download Submit
C:\Windows\INF\oem3.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\PARSEC~1.INF\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.cat

Filesize
11KB

MD5
49c8afa6763b5d017975c9972326c3df

SHA1
4dcf8012645ed1bdea60f8a9ee6d51f067417d08

SHA256
636dae8dcb26083bf2714578660b47ebc85ef09da6325f27b08a26714b887481

SHA512
7dbe4f10ecd670b6c62ae73a5b6ecf08dbba2fa52a3dec8250e415602ba15f38301d4f87fa32c557a48623c5e67522b8f8ffb49f778672e87cc9b68283718894

Download Submit
C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
\??\c:\PROGRA~1\parsec\vusb\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
\??\c:\program files\parsec\vusb\parsecvusba.cat

Filesize
11KB

MD5
49c8afa6763b5d017975c9972326c3df

SHA1
4dcf8012645ed1bdea60f8a9ee6d51f067417d08

SHA256
636dae8dcb26083bf2714578660b47ebc85ef09da6325f27b08a26714b887481

SHA512
7dbe4f10ecd670b6c62ae73a5b6ecf08dbba2fa52a3dec8250e415602ba15f38301d4f87fa32c557a48623c5e67522b8f8ffb49f778672e87cc9b68283718894

Download Submit
\ProgramData\Parsec\parsecd-150-87d.dll

Filesize
3.1MB

MD5
1c76bee252aa9fb75e6d0108a5a84261

SHA1
dc02ad5234182e4f35b0aeaedf379273c61ff437

SHA256
8eff81ca6932d5a69604f9546a8133e48730852dfbc234e6df3d0f33cc746e6a

SHA512
da1481a3ca4563e7d27ad066547738aa94799f004b334b317f8acb499642ddb8b7bc0bad1e89bf0a26f4ae7e65bce7d1c72099929faef9db7ddabb5df73542e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1DCA.tmp\ApplicationID.dll

Filesize
196KB

MD5
a858c1a57e32485505b1977cf0a125be

SHA1
25d86c4b51f7cc10fc70e3a0493a39c4460cc350

SHA256
1462a072345e86318b981089b08b613a34027ddf527bfb66606c683f218fc3b4

SHA512
32b597fc2412a9407fd12ac77c556ff9740f1dd0d2055426d11a7baf21b09c536a84cfb97865b4e94168656514e7ce71eb2bc4122aa340100f4ce483bad1722d

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1DCA.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1DCA.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
memory/2240-169-0x0000000008910000-0x000000000894E000-memory.dmp

Filesize
248KB

Download
memory/2240-167-0x00000000088B0000-0x00000000088C2000-memory.dmp

Filesize
72KB

Download
memory/2240-168-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/2240-121-0x0000000000370000-0x00000000003F4000-memory.dmp

Filesize
528KB

Download
memory/2240-133-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/2240-130-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/2240-124-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/2240-123-0x00000000051E0000-0x00000000056DE000-memory.dmp

Filesize
5.0MB

Download