Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
8Static
static
3parsec-windows.exe
windows7-x64
3parsec-windows.exe
windows10-2004-x64
3$PLUGINSDI...ID.dll
windows7-x64
3$PLUGINSDI...ID.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3parsecd.exe
windows7-x64
1parsecd.exe
windows10-2004-x64
1pservice.exe
windows7-x64
1pservice.exe
windows10-2004-x64
1skel/parse...3b.dll
windows7-x64
1skel/parse...3b.dll
windows10-2004-x64
1teams.exe
windows7-x64
1teams.exe
windows10-2004-x64
1vdd/parsec-vdd.exe
windows7-x64
3vdd/parsec-vdd.exe
windows10-2004-x64
8$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3driver/mm.dll
windows10-2004-x64
1nefconw.exe
windows7-x64
1nefconw.exe
windows10-2004-x64
1vddinstall.bat
windows7-x64
5vddinstall.bat
windows10-2004-x64
8vdduninstall.bat
windows7-x64
1vdduninstall.bat
windows10-2004-x64
4vusb/parsec-vud.exe
windows7-x64
3Analysis
-
max time kernel
1792s -
max time network
1802s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
01/05/2024, 14:58
Static task
static1
Behavioral task
behavioral1
Sample
parsec-windows.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
parsec-windows.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ApplicationID.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ApplicationID.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
parsecd.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
parsecd.exe
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
pservice.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
pservice.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
skel/parsecd-150-93b.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
skel/parsecd-150-93b.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
teams.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
teams.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
vdd/parsec-vdd.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
vdd/parsec-vdd.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
driver/mm.dll
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
nefconw.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral27
Sample
nefconw.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
vddinstall.bat
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral29
Sample
vddinstall.bat
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
vdduninstall.bat
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral31
Sample
vdduninstall.bat
Resource
win10v2004-20240419-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
vusb/parsec-vud.exe
Resource
win7-20240221-en
windows7-x64
General
-
Target
vdd/parsec-vdd.exe
-
Size
505KB
-
MD5
4b9a3048286692a865187013b70f44e8
-
SHA1
eefe91d9702314341acccd828fe4edb6ee570d7b
-
SHA256
e23332448fdaf5aa017cb308db5ef6855fac526a7ded05d80c039404126d5362
-
SHA512
a38b9a0a1626d9f40ff2c718717a793108c7e773b25493cc53c595e6b9840cc4de66587549f43ce00569b368834327184a90d55da3c4ae0e269e1d0edef6238d
-
SSDEEP
12288:QbLQNEFqf6MouZQqdF9zuAkDjdCjXHSZz2AKhAOYYA:QbUNEFKXrZ6ZjdFZxKhAOYv
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\UMDF\mm.dll DrvInst.exe -
Drops file in System32 directory 16 IoCs
description ioc Process File created C:\Windows\System32\DriverStore\Temp\{7678af18-f5de-7547-89fc-a4c5a8382c9e}\SET2546.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{7678af18-f5de-7547-89fc-a4c5a8382c9e}\SET2547.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{7678af18-f5de-7547-89fc-a4c5a8382c9e}\mm.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{7678af18-f5de-7547-89fc-a4c5a8382c9e}\SET2548.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{7678af18-f5de-7547-89fc-a4c5a8382c9e}\SET2548.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{7678af18-f5de-7547-89fc-a4c5a8382c9e}\SET2546.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{7678af18-f5de-7547-89fc-a4c5a8382c9e}\mm.cat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{7678af18-f5de-7547-89fc-a4c5a8382c9e}\SET2547.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{7678af18-f5de-7547-89fc-a4c5a8382c9e}\mm.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{7678af18-f5de-7547-89fc-a4c5a8382c9e} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.cat DrvInst.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 8 IoCs
description ioc Process File created C:\Program Files\Parsec Virtual Display Driver\nefconw.exe parsec-vdd.exe File created C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat parsec-vdd.exe File created C:\Program Files\Parsec Virtual Display Driver\vdduninstall.bat parsec-vdd.exe File created C:\Program Files\Parsec Virtual Display Driver\driver\mm.cat parsec-vdd.exe File created C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll parsec-vdd.exe File created C:\Program Files\Parsec Virtual Display Driver\driver\mm.inf parsec-vdd.exe File created C:\Program Files\Parsec Virtual Display Driver\mm.man parsec-vdd.exe File created C:\Program Files\Parsec Virtual Display Driver\uninstall.exe parsec-vdd.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\INF\c_display.PNF nefconw.exe File opened for modification C:\Windows\INF\setupapi.dev.log nefconw.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Executes dropped EXE 3 IoCs
pid Process 5048 nefconw.exe 3984 nefconw.exe 3744 nefconw.exe -
Loads dropped DLL 15 IoCs
pid Process 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe 3700 parsec-vdd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom nefconw.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs nefconw.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service DrvInst.exe -
Modifies data under HKEY_USERS 41 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid 4 -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeSecurityPrivilege 4284 wevtutil.exe Token: SeBackupPrivilege 4284 wevtutil.exe Token: SeSecurityPrivilege 3236 wevtutil.exe Token: SeBackupPrivilege 3236 wevtutil.exe Token: SeAuditPrivilege 4056 svchost.exe Token: SeSecurityPrivilege 4056 svchost.exe Token: SeLoadDriverPrivilege 3744 nefconw.exe Token: SeRestorePrivilege 4948 DrvInst.exe Token: SeBackupPrivilege 4948 DrvInst.exe Token: SeLoadDriverPrivilege 4948 DrvInst.exe Token: SeLoadDriverPrivilege 4948 DrvInst.exe Token: SeLoadDriverPrivilege 4948 DrvInst.exe Token: SeSecurityPrivilege 4252 wevtutil.exe Token: SeBackupPrivilege 4252 wevtutil.exe Token: SeSecurityPrivilege 2440 wevtutil.exe Token: SeBackupPrivilege 2440 wevtutil.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 3700 wrote to memory of 4284 3700 parsec-vdd.exe 92 PID 3700 wrote to memory of 4284 3700 parsec-vdd.exe 92 PID 3700 wrote to memory of 4284 3700 parsec-vdd.exe 92 PID 4284 wrote to memory of 3236 4284 wevtutil.exe 94 PID 4284 wrote to memory of 3236 4284 wevtutil.exe 94 PID 3700 wrote to memory of 1396 3700 parsec-vdd.exe 95 PID 3700 wrote to memory of 1396 3700 parsec-vdd.exe 95 PID 3700 wrote to memory of 1396 3700 parsec-vdd.exe 95 PID 1396 wrote to memory of 5048 1396 cmd.exe 97 PID 1396 wrote to memory of 5048 1396 cmd.exe 97 PID 1396 wrote to memory of 3984 1396 cmd.exe 98 PID 1396 wrote to memory of 3984 1396 cmd.exe 98 PID 1396 wrote to memory of 3744 1396 cmd.exe 99 PID 1396 wrote to memory of 3744 1396 cmd.exe 99 PID 4056 wrote to memory of 1700 4056 svchost.exe 101 PID 4056 wrote to memory of 1700 4056 svchost.exe 101 PID 4056 wrote to memory of 4948 4056 svchost.exe 102 PID 4056 wrote to memory of 4948 4056 svchost.exe 102 PID 3700 wrote to memory of 4252 3700 parsec-vdd.exe 103 PID 3700 wrote to memory of 4252 3700 parsec-vdd.exe 103 PID 3700 wrote to memory of 4252 3700 parsec-vdd.exe 103 PID 4252 wrote to memory of 2440 4252 wevtutil.exe 105 PID 4252 wrote to memory of 2440 4252 wevtutil.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\vdd\parsec-vdd.exe"C:\Users\Admin\AppData\Local\Temp\vdd\parsec-vdd.exe"1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\wevtutil.exewevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\System32\wevtutil.exewevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow643⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Program Files\Parsec Virtual Display Driver\nefconw.exe.\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"3⤵
- Executes dropped EXE
PID:5048
-
-
C:\Program Files\Parsec Virtual Display Driver\nefconw.exe.\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA3⤵
- Drops file in Windows directory
- Executes dropped EXE
PID:3984
-
-
C:\Program Files\Parsec Virtual Display Driver\nefconw.exe.\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"3⤵
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3744
-
-
-
C:\Windows\SysWOW64\wevtutil.exewevtutil im "C:\Program Files\Parsec Virtual Display Driver\mm.man"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\System32\wevtutil.exewevtutil im "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow643⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{a02f1a9b-3584-9343-8b28-cfced7b3294d}\mm.inf" "9" "484386e17" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Parsec Virtual Display Driver\driver"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1700
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "201" "ROOT\DISPLAY\0000" "C:\Windows\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.inf" "oem3.inf:*:*:0.45.0.0:Root\Parsec\VDA," "484386e17" "0000000000000178"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3768 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:81⤵PID:2100
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4268 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:81⤵PID:2620
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD51fe1fc7cc73fb17e995d65835d51ca94
SHA1249acf0a3a362b2163127bd76f6d4d6aa463297d
SHA256136e64ac07dce5a3b4935d5a9c5cfe03983c0b3065f46a30a45536d5b1681d5c
SHA51231fe1bdcb5f243a6eecc40006fc70793bc5aea9d95ffe449117cb67366f0f120c393716ffe93b65a73c8b2dfe02917f1d0dcf4ca62aa302fe685513b8cc80bdc
-
Filesize
169KB
MD5f09967cc8cc9bf03612ddecb6bf86daa
SHA1166f8e3000b6a1e2b13b46e85b7559b9837b9aa7
SHA25696db6ae2f950b56e52be3e68f92893afa94645eae09fea2abd5dd1985758150a
SHA512190d2edea81c42a2d7a5bc69cb98f03368e702a5fcb3fc1dcd4e9c387687bab542e4b0e5de67292e8b8a7efed7fd9e30d1efdd35bcdfea28417de71db0e13864
-
Filesize
4KB
MD5d8030afe09a2f984be00389b31f7039b
SHA1ab7a55fa6641cc31b0b7e70c8680bbbd553fc8a1
SHA25634da9ff45c13577631f67e33d11b8a26e3d22ca685d00c388b6122a795800588
SHA5120787e9e95369686b20bcbddb9ff984111c4ed53a064fc8f198691db5c124dfbe1b1f4d434dbfd81482545b723c01325ed9bcc626f461191b3ae4095222df10a6
-
Filesize
6KB
MD5481369808b1b657547bcd92a897c58c0
SHA1847723989cf3c9c98b64549090e8260c922d9201
SHA256e6a9944ca554b25d67b47b4d0dfbada6ea5ae7cb208b9ec09cfe6132bab4600f
SHA51242e6e7332dc0a6b14b308a4f04f1afdfcf950c6fcaa6609dd1730bd0a7aa6d764f56be05a45e94877b6d4028e0a312029baa7fa67f49d280f05a6ffe069d9e77
-
Filesize
574KB
MD5e9f2bc8c82ac755f47c7f89d1530f1a1
SHA17ce5938c4b8a3eb4de49f7a7e34972f5f2acfcb5
SHA256cf746d1b0bbb713993d4a90dccd774c78d9fff8c2ba5a054b6c8f56c77e1eee1
SHA51286ed0a391d22631da9bdc7eb9cb096ba4de4c6619c6c4326030cb03d196b63e5aa156bac264a48d5b4cda7401844a3b5050259b41859d32e0c4d39b96913c2ce
-
Filesize
420B
MD5ee1bfb5ccbb3949e3258155e141a68a5
SHA1b79dd1e75e3e7acd8d21d7b17c86673a6c6383d9
SHA2561e7c35eb6c296f96aee5ae4bbbd40395e8019bde95ef9bef91260dd8ef03c6d1
SHA512b37d680f5dab52536926c718eb1b4c1f0e78552c061756f998e3a3ccb2dc4fbea15dd1a4b181646a68a2987a22ce225c185c2ef2bb1d10a70c780ada8cf9f9aa
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
Filesize
7KB
MD5675c4948e1efc929edcabfe67148eddd
SHA1f5bdd2c4329ed2732ecfe3423c3cc482606eb28e
SHA2561076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906
SHA51261737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683