e17c059a2ec3153241f4cddf8081f19e83af890cb9126f3e1528474c29610786

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

parsec-windows.exe
Size

2.7MB
MD5

86c3e34147f64ca7b0bcfe4564317706
SHA1

dffbf6d25bcfe675fc314968a4413ba9757b6c25
SHA256

e17c059a2ec3153241f4cddf8081f19e83af890cb9126f3e1528474c29610786
SHA512

8d5f2efa99de7c6275162927b77dc3b5d640fbd18d771cff71ee7bd3cb8009d87fa23b8f29113d15aaca17b7aaa33a440434ba1ac2db7c1998d14673d31d4e5c
SSDEEP

49152:P3myVbHOO2Q4gSrF32OL5OsrcnWYBR959Cenopym7r4bvwfIr+Z4NJU/EPM/Ob:PWyBH52oYZLTrcWYn959CeTIIr+eXUSf

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\parsecvusba.sys	DrvInst.exe

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2136	netsh.exe
4352	netsh.exe
2196	netsh.exe
3280	netsh.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Parsec.App.0 = "C:\\Program Files\\Parsec\\parsecd.exe app_silent=1"	parsecd.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	pservice.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b34a0af2-30a8-e24b-b6d4-e120bd2b3237}\SET876B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b34a0af2-30a8-e24b-b6d4-e120bd2b3237}\SET876B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b34a0af2-30a8-e24b-b6d4-e120bd2b3237}\SET877C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b34a0af2-30a8-e24b-b6d4-e120bd2b3237}\parsecvusba.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{b34a0af2-30a8-e24b-b6d4-e120bd2b3237}\SET878C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.PNF	devcon.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b34a0af2-30a8-e24b-b6d4-e120bd2b3237}\SET878C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b34a0af2-30a8-e24b-b6d4-e120bd2b3237}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	pservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_4A9A0BBEBC0AA728CF9BFF068BE5A494	pservice.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b34a0af2-30a8-e24b-b6d4-e120bd2b3237}\parsecvusba.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b34a0af2-30a8-e24b-b6d4-e120bd2b3237}\SET877C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{b34a0af2-30a8-e24b-b6d4-e120bd2b3237}\parsecvusba.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_4A9A0BBEBC0AA728CF9BFF068BE5A494	pservice.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Parsec\wscripts\vdd-install.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\parsecvusba.cat	parsec-windows.exe
File created	C:\Program Files\Parsec\skel\appdata.json	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\firewall-add.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\firewall-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\devcon.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\parsecvusba.sys	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\mm.cat	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\mm.dll	parsec-windows.exe
File created	C:\Program Files\Parsec\teams.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\devcon-install.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\devcon-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-install.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\vdd-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\devcon.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\mm.inf	parsec-windows.exe
File opened for modification	C:\Program Files\Parsec	parsec-windows.exe
File created	C:\Program Files\Parsec\pservice.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\skel\parsecd-150-87d.dll	parsec-windows.exe
File created	C:\Program Files\Parsec\parsecd.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\uninstall.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\parsecvusba.inf	parsec-windows.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 6 IoCs

pid	Process
3948	devcon.exe
4056	devcon.exe
2760	pservice.exe
4196	devcon.exe
4480	parsecd.exe
3684	parsecd.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1700	sc.exe
2104	sc.exe
3248	sc.exe
1788	sc.exe
4404	sc.exe

Loads dropped DLL 5 IoCs

pid	Process
3240	parsec-windows.exe
3240	parsec-windows.exe
3240	parsec-windows.exe
4480	parsecd.exe
3684	parsecd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	devcon.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	parsecd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000570d1446c1b5d901	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	parsecd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000e9d41246c1b5d901	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	parsecd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	pservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\ = "URL:parsec Protocol"	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open\command\ = "\"C:\\Program Files\\Parsec\\parsecd.exe\" \"%1\""	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open\command	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\URL Protocol	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open\command	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open\command\ = "\"C:\\Program Files\\Parsec\\parsecd.exe\" \"%1\""	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\ = "URL:parsecd Protocol"	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\URL Protocol	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell	parsec-windows.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	parsecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3684	parsecd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2760	pservice.exe
2760	pservice.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3684	parsecd.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid
4

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeAuditPrivilege	1892	svchost.exe
Token: SeSecurityPrivilege	1892	svchost.exe
Token: SeLoadDriverPrivilege	4196	devcon.exe
Token: SeRestorePrivilege	1436	DrvInst.exe
Token: SeBackupPrivilege	1436	DrvInst.exe
Token: SeLoadDriverPrivilege	1436	DrvInst.exe
Token: SeLoadDriverPrivilege	1436	DrvInst.exe
Token: SeLoadDriverPrivilege	1436	DrvInst.exe
Token: 33	1288	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1288	AUDIODG.EXE
Token: 33	3684	parsecd.exe
Token: SeIncBasePriorityPrivilege	3684	parsecd.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3684	parsecd.exe
3684	parsecd.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3684	parsecd.exe
3684	parsecd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3684	parsecd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3688	3240	parsec-windows.exe	95
PID 3240 wrote to memory of 3688	3240	parsec-windows.exe	95
PID 3240 wrote to memory of 3688	3240	parsec-windows.exe	95
PID 3688 wrote to memory of 1788	3688	wscript.exe	96
PID 3688 wrote to memory of 1788	3688	wscript.exe	96
PID 3688 wrote to memory of 1788	3688	wscript.exe	96
PID 3240 wrote to memory of 5056	3240	parsec-windows.exe	98
PID 3240 wrote to memory of 5056	3240	parsec-windows.exe	98
PID 3240 wrote to memory of 5056	3240	parsec-windows.exe	98
PID 5056 wrote to memory of 3948	5056	wscript.exe	100
PID 5056 wrote to memory of 3948	5056	wscript.exe	100
PID 3240 wrote to memory of 1892	3240	parsec-windows.exe	102
PID 3240 wrote to memory of 1892	3240	parsec-windows.exe	102
PID 3240 wrote to memory of 1892	3240	parsec-windows.exe	102
PID 1892 wrote to memory of 4056	1892	wscript.exe	103
PID 1892 wrote to memory of 4056	1892	wscript.exe	103
PID 3240 wrote to memory of 4440	3240	parsec-windows.exe	105
PID 3240 wrote to memory of 4440	3240	parsec-windows.exe	105
PID 3240 wrote to memory of 4440	3240	parsec-windows.exe	105
PID 4440 wrote to memory of 4404	4440	wscript.exe	106
PID 4440 wrote to memory of 4404	4440	wscript.exe	106
PID 4440 wrote to memory of 4404	4440	wscript.exe	106
PID 4440 wrote to memory of 1700	4440	wscript.exe	108
PID 4440 wrote to memory of 1700	4440	wscript.exe	108
PID 4440 wrote to memory of 1700	4440	wscript.exe	108
PID 3240 wrote to memory of 2860	3240	parsec-windows.exe	110
PID 3240 wrote to memory of 2860	3240	parsec-windows.exe	110
PID 3240 wrote to memory of 2860	3240	parsec-windows.exe	110
PID 2860 wrote to memory of 2136	2860	wscript.exe	111
PID 2860 wrote to memory of 2136	2860	wscript.exe	111
PID 2860 wrote to memory of 2136	2860	wscript.exe	111
PID 2860 wrote to memory of 4352	2860	wscript.exe	113
PID 2860 wrote to memory of 4352	2860	wscript.exe	113
PID 2860 wrote to memory of 4352	2860	wscript.exe	113
PID 2860 wrote to memory of 2196	2860	wscript.exe	115
PID 2860 wrote to memory of 2196	2860	wscript.exe	115
PID 2860 wrote to memory of 2196	2860	wscript.exe	115
PID 3240 wrote to memory of 844	3240	parsec-windows.exe	117
PID 3240 wrote to memory of 844	3240	parsec-windows.exe	117
PID 3240 wrote to memory of 844	3240	parsec-windows.exe	117
PID 844 wrote to memory of 1996	844	wscript.exe	118
PID 844 wrote to memory of 1996	844	wscript.exe	118
PID 844 wrote to memory of 1996	844	wscript.exe	118
PID 3240 wrote to memory of 4984	3240	parsec-windows.exe	120
PID 3240 wrote to memory of 4984	3240	parsec-windows.exe	120
PID 3240 wrote to memory of 4984	3240	parsec-windows.exe	120
PID 4984 wrote to memory of 2104	4984	wscript.exe	122
PID 4984 wrote to memory of 2104	4984	wscript.exe	122
PID 4984 wrote to memory of 2104	4984	wscript.exe	122
PID 4984 wrote to memory of 3248	4984	wscript.exe	123
PID 4984 wrote to memory of 3248	4984	wscript.exe	123
PID 4984 wrote to memory of 3248	4984	wscript.exe	123
PID 3240 wrote to memory of 3720	3240	parsec-windows.exe	126
PID 3240 wrote to memory of 3720	3240	parsec-windows.exe	126
PID 3240 wrote to memory of 3720	3240	parsec-windows.exe	126
PID 3720 wrote to memory of 3280	3720	wscript.exe	127
PID 3720 wrote to memory of 3280	3720	wscript.exe	127
PID 3720 wrote to memory of 3280	3720	wscript.exe	127
PID 3240 wrote to memory of 5020	3240	parsec-windows.exe	129
PID 3240 wrote to memory of 5020	3240	parsec-windows.exe	129
PID 3240 wrote to memory of 5020	3240	parsec-windows.exe	129
PID 5020 wrote to memory of 4196	5020	wscript.exe	130
PID 5020 wrote to memory of 4196	5020	wscript.exe	130
PID 1892 wrote to memory of 3792	1892	svchost.exe	134

C:\Users\Admin\AppData\Local\Temp\parsec-windows.exe
"C:\Users\Admin\AppData\Local\Temp\parsec-windows.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" control Parsec 200
    3⤵
    - Launches sc.exe
    PID:1788
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\devcon-remove.vbs" "C:\Program Files\Parsec\vusb\"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Program Files\Parsec\vusb\devcon.exe
    "C:\Program Files\Parsec\vusb\devcon.exe" remove Root\Parsec\VUSBA
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:3948
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\vdd-remove.vbs" "C:\Program Files\Parsec\vdd\"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Program Files\Parsec\vdd\devcon.exe
    "C:\Program Files\Parsec\vdd\devcon.exe" remove Root\Parsec\VDA
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:4056
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop Parsec
    3⤵
    - Launches sc.exe
    PID:4404
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" delete Parsec
    3⤵
    - Launches sc.exe
    PID:1700
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
    3⤵
    - Modifies Windows Firewall
    PID:2136
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
    3⤵
    - Modifies Windows Firewall
    PID:4352
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
    3⤵
    - Modifies Windows Firewall
    PID:2196
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
    3⤵
    PID:1996
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
    3⤵
    - Launches sc.exe
    PID:2104
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start Parsec
    3⤵
    - Launches sc.exe
    PID:3248
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
    3⤵
    - Modifies Windows Firewall
    PID:3280
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\devcon-install.vbs" "C:\Program Files\Parsec\vusb\"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Program Files\Parsec\vusb\devcon.exe
    "C:\Program Files\Parsec\vusb\devcon.exe" install "C:\Program Files\Parsec\vusb\parsecvusba.inf" Root\Parsec\VUSBA
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
- C:\Program Files\Parsec\parsecd.exe
  "C:\Program Files\Parsec\parsecd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  PID:4480

C:\Program Files\Parsec\pservice.exe
"C:\Program Files\Parsec\pservice.exe"
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2760
- C:\Program Files\Parsec\parsecd.exe
  "C:\Program Files\Parsec\parsecd.exe" SERVICE_LAUNCHED_V7
  2⤵
  - Adds Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{97803e52-0372-194d-978b-e25580e9eed8}\parsecvusba.inf" "9" "4419fa153" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files\parsec\vusb"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3792
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\USB\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:c14ce884b7ae9cce:parsecvusba_Device:0.1.1.0:root\parsec\vusba," "4419fa153" "0000000000000148"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x448
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Parsec\parsecd.exe

Filesize
450KB

MD5
ce98489ae22d6e345e91949bacddb4c0

SHA1
646c002e53a2e406d3ba9ba26d8ad7d514110b32

SHA256
6d2029d705bb5baa38f0cfa2d767ebb7e9565323328aca286255bd690e9987db

SHA512
cb3e9da4c1f9c0f66aa9768525d6b39ca40c2b42780009b1c8276d43801cb76938bad4b92b0fb65da9847428826d5ef4eaec17bfd6e82cc0e71efe785232028c

Download Submit
C:\Program Files\Parsec\parsecd.exe

Filesize
450KB

MD5
ce98489ae22d6e345e91949bacddb4c0

SHA1
646c002e53a2e406d3ba9ba26d8ad7d514110b32

SHA256
6d2029d705bb5baa38f0cfa2d767ebb7e9565323328aca286255bd690e9987db

SHA512
cb3e9da4c1f9c0f66aa9768525d6b39ca40c2b42780009b1c8276d43801cb76938bad4b92b0fb65da9847428826d5ef4eaec17bfd6e82cc0e71efe785232028c

Download Submit
C:\Program Files\Parsec\parsecd.exe

Filesize
450KB

MD5
ce98489ae22d6e345e91949bacddb4c0

SHA1
646c002e53a2e406d3ba9ba26d8ad7d514110b32

SHA256
6d2029d705bb5baa38f0cfa2d767ebb7e9565323328aca286255bd690e9987db

SHA512
cb3e9da4c1f9c0f66aa9768525d6b39ca40c2b42780009b1c8276d43801cb76938bad4b92b0fb65da9847428826d5ef4eaec17bfd6e82cc0e71efe785232028c

Download Submit
C:\Program Files\Parsec\parsecd.exe

Filesize
450KB

MD5
ce98489ae22d6e345e91949bacddb4c0

SHA1
646c002e53a2e406d3ba9ba26d8ad7d514110b32

SHA256
6d2029d705bb5baa38f0cfa2d767ebb7e9565323328aca286255bd690e9987db

SHA512
cb3e9da4c1f9c0f66aa9768525d6b39ca40c2b42780009b1c8276d43801cb76938bad4b92b0fb65da9847428826d5ef4eaec17bfd6e82cc0e71efe785232028c

Download Submit
C:\Program Files\Parsec\pservice.exe

Filesize
406KB

MD5
e2c143ea07596857aefe2499f22ad400

SHA1
0dcc27100be26c6a43590aa9a1be1d21f266cd3a

SHA256
4c875900211b3e5de2438e5df94421bf56c256628b255bbbf37f8c919bae1936

SHA512
baa49cbaf976a1dcb7059390eed65f70db73d2e883a09e46291a26873df9b0809ba50c407554c79d1215e57b6446cf1e0853e5d367467871d008d6b53e92f160

Download Submit
C:\Program Files\Parsec\pservice.exe

Filesize
406KB

MD5
e2c143ea07596857aefe2499f22ad400

SHA1
0dcc27100be26c6a43590aa9a1be1d21f266cd3a

SHA256
4c875900211b3e5de2438e5df94421bf56c256628b255bbbf37f8c919bae1936

SHA512
baa49cbaf976a1dcb7059390eed65f70db73d2e883a09e46291a26873df9b0809ba50c407554c79d1215e57b6446cf1e0853e5d367467871d008d6b53e92f160

Download Submit
C:\Program Files\Parsec\skel\appdata.json

Filesize
155B

MD5
650dea764c7bd8bb96dcb8bdbb7c7de9

SHA1
776daa3c2923d52c86fc167a2b9e6944ee087178

SHA256
66bc1fc3a8df99b1b8691d22f7165fcb6293bc6c84d7b525215321c1b5d06e81

SHA512
54bb8b1ea9189e21017054acd0ba70f7e11e0d22dfca5c22e7a8026c3890edecead6505e2d4a9a1a3d447db06351607c204b43964bbd78702d08e28b5ada2c29

Download Submit
C:\Program Files\Parsec\skel\parsecd-150-87d.dll

Filesize
3.1MB

MD5
1c76bee252aa9fb75e6d0108a5a84261

SHA1
dc02ad5234182e4f35b0aeaedf379273c61ff437

SHA256
8eff81ca6932d5a69604f9546a8133e48730852dfbc234e6df3d0f33cc746e6a

SHA512
da1481a3ca4563e7d27ad066547738aa94799f004b334b317f8acb499642ddb8b7bc0bad1e89bf0a26f4ae7e65bce7d1c72099929faef9db7ddabb5df73542e1

Download Submit
C:\Program Files\Parsec\vdd\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vdd\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\devcon.exe

Filesize
80KB

MD5
a9b2b49cc4457ad9d63b10c4fd6c9748

SHA1
358179dc6acaca3101c3b6f8af4d471267576d63

SHA256
270836795917367e22d843df92a535004143515e9ea9bbdeb056a27c82ad6daa

SHA512
8b958943667d73d479e3943f752248bdf13f3c7f242d2ca7ac13ca81a7318e737b78e3172a726c7de040c9ae442ee9fb53245153f6f3d965562070c6f097f34a

Download Submit
C:\Program Files\Parsec\vusb\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Program Files\Parsec\wscripts\devcon-install.vbs

Filesize
339B

MD5
f3c6b9f1b6d0e119ff69945d34e5ebbe

SHA1
a1887ec6ce36d1b3546471f66c8862e0893ebaf7

SHA256
5ceb23a270bd473507e76a722212b47ffee3891870781c41d96e749e7534f24f

SHA512
20ab95ce40f49c64bee471d51110812f5789f5d7bba05bacf29c58f4549c972e8217e0e6971a60e63b798386720297ad97bf3021c5e755c711a1f350a57f5114

Download Submit
C:\Program Files\Parsec\wscripts\devcon-remove.vbs

Filesize
306B

MD5
aa7ef5a944cc8488c9655d933610e1ba

SHA1
a100ddb0441701ef63f8b5fc2fdb4094ccbc55e1

SHA256
9e2531fdc309bfe88c6646e5883b36302480536e171540ce601fc4b10704e03f

SHA512
122dd1f6d6645f9f5844dd8c9498d1c1b3f0087938a65e23ffc9c2ed59c223fa00caeaea30a56a783a5844aa17baf05defa72976e7e8c5aec4bc056a7fe89c93

Download Submit
C:\Program Files\Parsec\wscripts\firewall-add.vbs

Filesize
307B

MD5
882374285898f16b5f9ff44afc1ae701

SHA1
31c9445557c9b8ecda1f0a6d5ff666e01dd1c3ca

SHA256
0be5aa5cc6395a86878f56b131e13db4908e48f06e892ff8f8cf9e2d3b6c8abb

SHA512
3b05158b03b57a4d2cbfee9cef6adfe973d080264a88e5cdeb85c59b567529cd1cd2a3b5d8538cb8637d140fd8691dc8826388ab669b7bfb2d5c1c4174069243

Download Submit
C:\Program Files\Parsec\wscripts\firewall-remove.vbs

Filesize
367B

MD5
5d4d70cdf36fcdaa292da1da9133320c

SHA1
92dc18d3d1128d43f482ab56804136c687b00713

SHA256
75f1dece4fda689a907f6d74b513adb0c1771c1b79ea71160179542c9c4ab2f0

SHA512
b54c92fbecb10ddf66d1b7ad950ffbc13f504c71081a8bd56c28c5689a2bf19bd81b467e0697c38f140c72a273eb9eb837105e738c6f1ac4f43344e2ab521778

Download Submit
C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs

Filesize
115B

MD5
c78520c3162c1962f3164714b37eb4d0

SHA1
67c19b8aea7ad99465976dbcd3efcfdd7d62e3fe

SHA256
dea38bd553abe93c689de42d0220add18f9be3e3d2fa53f97eb8649f586df4f3

SHA512
cfbfc2c7dd8019f98b77e8881680ef9d0135a210fb9b0136a4992c236d971e247aa1641cd2eafdc5f6f5bb61002b30ea14b226127c4cef04f3b3d6be3a941fcc

Download Submit
C:\Program Files\Parsec\wscripts\service-install.vbs

Filesize
412B

MD5
971e2a344a6e17347a81eeb21ada7ba7

SHA1
37e034c29adda9b118b75bfdc7c6f41aac71e257

SHA256
01f62a12de3307b375dff3ebcd6961d76ffcbc24f70682c7875655a811ce76a1

SHA512
5ea0750dc07ff1a0eb1807043b48fb9ed54f6dcb96ce03cb543b0ea36d326779814b6cb87091373574911662a35d75b576e35c5b8d781db36fe1503f8287c65d

Download Submit
C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs

Filesize
105B

MD5
5a9e6b7ea8911aafca7d5299283795b9

SHA1
7b7c863302e2d5ff8b8f298be9eb2409292077cb

SHA256
f0a62d83920cf2cc4a5d5d3ac46b9a7d99b9835b58a6e63bca868941d08c5c9a

SHA512
c5611c99e139253abf9f6b60b1ffa4de438fa475901bfba24d18af82b523eb1bb79a83a89a09c253cacf4d9a50ed743d8e7acc12ecd9c59d488ade2af866ea66

Download Submit
C:\Program Files\Parsec\wscripts\service-remove.vbs

Filesize
150B

MD5
b90e75dd7903cb2d6328bb3714865c7a

SHA1
2d32868deb198726ed5feb80b66542bad7fbacee

SHA256
970b3c2a9ea1906a177810990478932e3517f47aba267cf2ab9e4ba65e7b475f

SHA512
3d4bfb86ec98fd85843ae5b63dcf5f475c6500380f02bb4d0dee15a5f7e2334abdbbcd9420b8ac05b5beb8a63b9ea16abcd70ae01c04b87a423fc288ff4dca0a

Download Submit
C:\Program Files\Parsec\wscripts\vdd-remove.vbs

Filesize
304B

MD5
7414c331d58788784f820f0b2cc7b5b0

SHA1
72301126d7a8cd2e21d5cd1a64844b08d0f4bebc

SHA256
300f15c94dae513508bd87e28b632a9342ebf3ca059050af5f54d3cb0ee5a9ff

SHA512
140258d6adb99a23af0f7b61605e5928dbd04d8295617773486f8c2dac7a7d29899b65b0bbb9558d5da3026de30569ca152f237df3d53597c68ecdec9bd86824

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz293F.tmp\ApplicationID.dll

Filesize
196KB

MD5
a858c1a57e32485505b1977cf0a125be

SHA1
25d86c4b51f7cc10fc70e3a0493a39c4460cc350

SHA256
1462a072345e86318b981089b08b613a34027ddf527bfb66606c683f218fc3b4

SHA512
32b597fc2412a9407fd12ac77c556ff9740f1dd0d2055426d11a7baf21b09c536a84cfb97865b4e94168656514e7ce71eb2bc4122aa340100f4ce483bad1722d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz293F.tmp\ApplicationID.dll

Filesize
196KB

MD5
a858c1a57e32485505b1977cf0a125be

SHA1
25d86c4b51f7cc10fc70e3a0493a39c4460cc350

SHA256
1462a072345e86318b981089b08b613a34027ddf527bfb66606c683f218fc3b4

SHA512
32b597fc2412a9407fd12ac77c556ff9740f1dd0d2055426d11a7baf21b09c536a84cfb97865b4e94168656514e7ce71eb2bc4122aa340100f4ce483bad1722d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz293F.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz293F.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\{97803e52-0372-194d-978b-e25580e9eed8}\parsecvusba.cat

Filesize
11KB

MD5
49c8afa6763b5d017975c9972326c3df

SHA1
4dcf8012645ed1bdea60f8a9ee6d51f067417d08

SHA256
636dae8dcb26083bf2714578660b47ebc85ef09da6325f27b08a26714b887481

SHA512
7dbe4f10ecd670b6c62ae73a5b6ecf08dbba2fa52a3dec8250e415602ba15f38301d4f87fa32c557a48623c5e67522b8f8ffb49f778672e87cc9b68283718894

Download Submit
C:\Users\Admin\AppData\Local\Temp\{97803e52-0372-194d-978b-e25580e9eed8}\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{97803e52-0372-194d-978b-e25580e9eed8}\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{97803e52-0372-194d-978b-e25580e9eed8}\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{97803~1\parsecvusba.cat

Filesize
11KB

MD5
49c8afa6763b5d017975c9972326c3df

SHA1
4dcf8012645ed1bdea60f8a9ee6d51f067417d08

SHA256
636dae8dcb26083bf2714578660b47ebc85ef09da6325f27b08a26714b887481

SHA512
7dbe4f10ecd670b6c62ae73a5b6ecf08dbba2fa52a3dec8250e415602ba15f38301d4f87fa32c557a48623c5e67522b8f8ffb49f778672e87cc9b68283718894

Download Submit
C:\Users\Admin\AppData\Local\Temp\{97803~1\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\appdata.json

Filesize
155B

MD5
650dea764c7bd8bb96dcb8bdbb7c7de9

SHA1
776daa3c2923d52c86fc167a2b9e6944ee087178

SHA256
66bc1fc3a8df99b1b8691d22f7165fcb6293bc6c84d7b525215321c1b5d06e81

SHA512
54bb8b1ea9189e21017054acd0ba70f7e11e0d22dfca5c22e7a8026c3890edecead6505e2d4a9a1a3d447db06351607c204b43964bbd78702d08e28b5ada2c29

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\appdata.json

Filesize
155B

MD5
650dea764c7bd8bb96dcb8bdbb7c7de9

SHA1
776daa3c2923d52c86fc167a2b9e6944ee087178

SHA256
66bc1fc3a8df99b1b8691d22f7165fcb6293bc6c84d7b525215321c1b5d06e81

SHA512
54bb8b1ea9189e21017054acd0ba70f7e11e0d22dfca5c22e7a8026c3890edecead6505e2d4a9a1a3d447db06351607c204b43964bbd78702d08e28b5ada2c29

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\parsecd-150-87d.dll

Filesize
3.1MB

MD5
1c76bee252aa9fb75e6d0108a5a84261

SHA1
dc02ad5234182e4f35b0aeaedf379273c61ff437

SHA256
8eff81ca6932d5a69604f9546a8133e48730852dfbc234e6df3d0f33cc746e6a

SHA512
da1481a3ca4563e7d27ad066547738aa94799f004b334b317f8acb499642ddb8b7bc0bad1e89bf0a26f4ae7e65bce7d1c72099929faef9db7ddabb5df73542e1

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\parsecd-150-87d.dll

Filesize
3.1MB

MD5
1c76bee252aa9fb75e6d0108a5a84261

SHA1
dc02ad5234182e4f35b0aeaedf379273c61ff437

SHA256
8eff81ca6932d5a69604f9546a8133e48730852dfbc234e6df3d0f33cc746e6a

SHA512
da1481a3ca4563e7d27ad066547738aa94799f004b334b317f8acb499642ddb8b7bc0bad1e89bf0a26f4ae7e65bce7d1c72099929faef9db7ddabb5df73542e1

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\parsecd-150-87d.dll

Filesize
3.1MB

MD5
1c76bee252aa9fb75e6d0108a5a84261

SHA1
dc02ad5234182e4f35b0aeaedf379273c61ff437

SHA256
8eff81ca6932d5a69604f9546a8133e48730852dfbc234e6df3d0f33cc746e6a

SHA512
da1481a3ca4563e7d27ad066547738aa94799f004b334b317f8acb499642ddb8b7bc0bad1e89bf0a26f4ae7e65bce7d1c72099929faef9db7ddabb5df73542e1

Download Submit
C:\Users\Admin\AppData\Roaming\Parsec\parsecd-150-87d.dll

Filesize
3.1MB

MD5
1c76bee252aa9fb75e6d0108a5a84261

SHA1
dc02ad5234182e4f35b0aeaedf379273c61ff437

SHA256
8eff81ca6932d5a69604f9546a8133e48730852dfbc234e6df3d0f33cc746e6a

SHA512
da1481a3ca4563e7d27ad066547738aa94799f004b334b317f8acb499642ddb8b7bc0bad1e89bf0a26f4ae7e65bce7d1c72099929faef9db7ddabb5df73542e1

Download Submit
C:\Windows\INF\oem3.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Windows\System32\DriverStore\FileRepository\PARSEC~1.INF\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_ee9c44e2bc310c6a\parsecvusba.inf

Filesize
2KB

MD5
83184628923227e514afa09b18adc463

SHA1
f5b18c8034dc3164efff6f685e330c096e51e5e4

SHA256
32a2e842576629cea6bd3b4041df08c8b74ce1e87f260af61b27c1b941b96bfc

SHA512
153fa5aa375fda2a9a735262027cae456875650614c6e8f958f6824af93cf43fc084c16b77873a8e8413129151c802803531b4c14b5997dd20759feb5f589da7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
1a7172ae553f9810a01d5f373a45c412

SHA1
6557718f165fba18dea798559859b9e46b210176

SHA256
7184001f93d4b53c86457fa647b6fb88d1346641643cdbe6767e02e4719549aa

SHA512
db8ffa3b8465f7951156bc7f334df5994f16373790d6364f264cd828794646951b727c77ea5bb52ae6446f6aeb82547c6b4bda9d7c0e08614bc5fe7286abd426

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_4A9A0BBEBC0AA728CF9BFF068BE5A494

Filesize
471B

MD5
4922f5291a10c6e1f1ea19898becfa6b

SHA1
8287df1cbeeb339e964cfc0fea020ddcd96daace

SHA256
3108841b83c0fd1ad58e12b9b6e6cba80995c1e4b9ac6fcfa2fde04d6acca347

SHA512
e5e66c85991f0c0744d0235391ca7fd2053218b52cc7a333fafe75cbe4b21834954276ec83bc6b487260c1039783e30bbcc6c3dfa920cdcab07cc71008e92595

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
a6ac848db4e774d453ac4a45d6344dcb

SHA1
49ea606d0b4bf0b602a834e63a7d388c890e78ce

SHA256
696c4c762f0864773e0959163b46df8baa05dae84f40246facb9c3df4800034a

SHA512
42c6d5ee95569971d7d575d518beae5d4f8ffa8ddedb0f1a7098026bb1dea5a36a621fcb4396c674b7181674b551775e8e5e237aa75733b17d004517b4fc6c29

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_4A9A0BBEBC0AA728CF9BFF068BE5A494

Filesize
420B

MD5
ce2497594e562505b2cc8c307358665a

SHA1
df7a34005fd47108e2864d2de2b38d639e9ece4a

SHA256
7d5f885a83a6afc74eff698b92d4dd22d93e8d452b9371934b928530142fc743

SHA512
b9d32446c5987c5bc607be706e50880a24bbad3f410c5048928af557955ee145328f524d6ad5e063c64ca4ea30cb75542971ae590d711a7960b6db88ce66b682

Download Submit
\??\c:\PROGRA~1\parsec\vusb\parsecvusba.sys

Filesize
250KB

MD5
abb460f37f439fce944476bf9b793ccc

SHA1
95022753eff69926ccf1673f76fad516843f3592

SHA256
92411ce987e52951e39f3454fb0579188b225f613394b2b566f2247f3964876e

SHA512
9456d6cd809d0697cc9e2ad053cbe36222458023400a2862c9e9c14a0bef037b66c858414796f02741c5dcd6824c27dc0a7f3ab73ef4c1da64f02dcbb38898ba

Download Submit
\??\c:\program files\parsec\vusb\parsecvusba.cat

Filesize
11KB

MD5
49c8afa6763b5d017975c9972326c3df

SHA1
4dcf8012645ed1bdea60f8a9ee6d51f067417d08

SHA256
636dae8dcb26083bf2714578660b47ebc85ef09da6325f27b08a26714b887481

SHA512
7dbe4f10ecd670b6c62ae73a5b6ecf08dbba2fa52a3dec8250e415602ba15f38301d4f87fa32c557a48623c5e67522b8f8ffb49f778672e87cc9b68283718894

Download Submit