Analysis
max time kernel: 37s
max time network: 38s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 03/07/2024, 04:39
Static task static1
Behavioral task behavioral1: parsec-windows.exe (resource win7-20231129-en)
Behavioral task behavioral2: parsec-windows.exe (resource win10v2004-20240611-en)
Behavioral task behavioral3: $PLUGINSDIR/ApplicationID.dll (resource win7-20240508-en)
Behavioral task behavioral4: $PLUGINSDIR/ApplicationID.dll (resource win10v2004-20240611-en)
Behavioral task behavioral5: $PLUGINSDIR/System.dll (resource win7-20240611-en)
Behavioral task behavioral6: $PLUGINSDIR/System.dll (resource win10v2004-20240508-en)
Behavioral task behavioral7: $PLUGINSDIR/nsDialogs.dll (resource win7-20240419-en)
Behavioral task behavioral8: $PLUGINSDIR/nsDialogs.dll (resource win10v2004-20240508-en)
Behavioral task behavioral9: $PLUGINSDIR/nsExec.dll (resource win7-20240221-en)
Behavioral task behavioral10: $PLUGINSDIR/nsExec.dll (resource win10v2004-20240611-en)
Behavioral task behavioral11: parsecd.exe (resource win7-20240508-en)
Behavioral task behavioral12: parsecd.exe (resource win10v2004-20240508-en)
Behavioral task behavioral13: pservice.exe (resource win7-20231129-en)
Behavioral task behavioral14: pservice.exe (resource win10v2004-20240508-en)
Behavioral task behavioral15: skel/parsecd-150-93b.dll (resource win7-20240611-en)
Behavioral task behavioral16: skel/parsecd-150-93b.dll (resource win10v2004-20240611-en)
Behavioral task behavioral17: teams.exe (resource win7-20240220-en)
Behavioral task behavioral18: teams.exe (resource win10v2004-20240508-en)
Behavioral task behavioral19: vusb/parsec-vud.exe (resource win7-20240611-en)
Behavioral task behavioral20: vusb/parsec-vud.exe (resource win10v2004-20240611-en)
Behavioral task behavioral21: wscripts/firewall-add.vbs (resource win7-20240221-en)
Behavioral task behavioral22: wscripts/firewall-add.vbs (resource win10v2004-20240508-en)
Behavioral task behavioral23: wscripts/firewall-remove.vbs (resource win7-20240419-en)
Behavioral task behavioral24: wscripts/firewall-remove.vbs (resource win10v2004-20240508-en)
Behavioral task behavioral25: wscripts/legacy-cleanup.vbs (resource win7-20240508-en)
Behavioral task behavioral26: wscripts/legacy-cleanup.vbs (resource win10v2004-20240611-en)
Behavioral task behavioral27: wscripts/service-install.vbs (resource win7-20240220-en)
Behavioral task behavioral28: wscripts/service-install.vbs (resource win10v2004-20240508-en)
Behavioral task behavioral29: wscripts/service-kill-parsec.vbs (resource win7-20240508-en)
Behavioral task behavioral30: wscripts/service-kill-parsec.vbs (resource win10v2004-20240611-en)
Behavioral task behavioral31: wscripts/service-remove.vbs (resource win7-20240221-en)
General
Target: parsec-windows.exe
Size: 3.9MB
MD5: 01ef58e7c144c701b2ea01cfc049dbe4
SHA1: 2f572accb519096c9ea805812ba53703c16cceea
SHA256: ae5b66322e5a7c26ad21ccc556bdc1618796166565d2939142c5aa3d76c38ace
SHA512: 434fd6d4eb49669617da3a15c2239a2cf524624cc4fcf9f09d8bb78a40ddf2dc5e70105e6708ce7643448f3176301edd64a9b71244c179a836119532d7dd69a6
SSDEEP: 98304:QsSoMQnPLeMNCvYa59QKS7XnqSsAVlsX4pIDmjjcrhm2NGbUU:QsSByeMj04VlslQsm2NK
Malware Config
Signatures
Creates new service(s) (2 TTPs)
Modifies Windows Firewall (2 TTPs, 4 IoCs)
  pid | Process
  2496 | netsh.exe
  852 | netsh.exe
  2752 | netsh.exe
  1500 | netsh.exe
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (15 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Parsec\parsecd.exe | parsec-windows.exe
  File created | C:\Program Files\Parsec\pservice.exe | parsec-windows.exe
  File created | C:\Program Files\Parsec\uninstall.exe | parsec-windows.exe
  File created | C:\Program Files\Parsec\wscripts\firewall-add.vbs | parsec-windows.exe
  File created | C:\Program Files\Parsec\wscripts\firewall-remove.vbs | parsec-windows.exe
  File created | C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs | parsec-windows.exe
  File created | C:\Program Files\Parsec\wscripts\service-install.vbs | parsec-windows.exe
  File created | C:\Program Files\Parsec\wscripts\service-remove.vbs | parsec-windows.exe
  File created | C:\Program Files\Parsec\vusb\parsec-vud.exe | parsec-windows.exe
  File created | C:\Program Files\Parsec\skel\appdata.json | parsec-windows.exe
  File created | C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs | parsec-windows.exe
  File created | C:\Program Files\Parsec\teams.exe | parsec-windows.exe
  File opened for modification | C:\Program Files\Parsec | parsec-windows.exe
  File created | C:\Program Files\Parsec\vdd\parsec-vdd.exe | parsec-windows.exe
  File created | C:\Program Files\Parsec\skel\parsecd-150-93b.dll | parsec-windows.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  480 | Process not Found
  2056 | pservice.exe
  1536 | parsecd.exe
  1260 | Process not Found
Launches sc.exe (5 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  1732 | sc.exe
  948 | sc.exe
  2588 | sc.exe
  2556 | sc.exe
  3012 | sc.exe
Loads dropped DLL (9 IoCs)
  pid | Process
  1988 | parsec-windows.exe
  1988 | parsec-windows.exe
  1988 | parsec-windows.exe
  1988 | parsec-windows.exe
  480 | Process not Found
  1988 | parsec-windows.exe
  1536 | parsecd.exe
  1260 | Process not Found
  1260 | Process not Found
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 12 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Kills process with taskkill (1 IoCs)
  pid | Process
  2704 | taskkill.exe
Modifies registry class (14 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\parsec\URL Protocol | parsec-windows.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open\command | parsec-windows.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\parsec\ = "URL:parsec Protocol" | parsec-windows.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell | parsec-windows.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open\command | parsec-windows.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell | parsec-windows.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\parsecd | parsec-windows.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\URL Protocol | parsec-windows.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open\command\ = "\"C:\\Program Files\\Parsec\\parsecd.exe\" \"%1\"" | parsec-windows.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\parsec | parsec-windows.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open | parsec-windows.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open\command\ = "\"C:\\Program Files\\Parsec\\parsecd.exe\" \"%1\"" | parsec-windows.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\ = "URL:parsecd Protocol" | parsec-windows.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open | parsec-windows.exe
Modifies system certificate store (2 IoCs)
  The stored blob is a DER-encoded root certificate whose subject reads "DigiCert Assured ID Root CA", written under the AuthRoot cache by parsecd.exe.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | parsecd.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob | parsecd.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2704 | taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 1988 wrote to memory of 2584 | 1988 | parsec-windows.exe | 28
  PID 1988 wrote to memory of 2584 | 1988 | parsec-windows.exe | 28
  PID 1988 wrote to memory of 2584 | 1988 | parsec-windows.exe | 28
  PID 1988 wrote to memory of 2584 | 1988 | parsec-windows.exe | 28
  PID 2584 wrote to memory of 2588 | 2584 | wscript.exe | 29
  PID 2584 wrote to memory of 2588 | 2584 | wscript.exe | 29
  PID 2584 wrote to memory of 2588 | 2584 | wscript.exe | 29
  PID 2584 wrote to memory of 2588 | 2584 | wscript.exe | 29
  PID 2584 wrote to memory of 2704 | 2584 | wscript.exe | 31
  PID 2584 wrote to memory of 2704 | 2584 | wscript.exe | 31
  PID 2584 wrote to memory of 2704 | 2584 | wscript.exe | 31
  PID 2584 wrote to memory of 2704 | 2584 | wscript.exe | 31
  PID 1988 wrote to memory of 2436 | 1988 | parsec-windows.exe | 34
  PID 1988 wrote to memory of 2436 | 1988 | parsec-windows.exe | 34
  PID 1988 wrote to memory of 2436 | 1988 | parsec-windows.exe | 34
  PID 1988 wrote to memory of 2436 | 1988 | parsec-windows.exe | 34
  PID 2436 wrote to memory of 2556 | 2436 | wscript.exe | 35
  PID 2436 wrote to memory of 2556 | 2436 | wscript.exe | 35
  PID 2436 wrote to memory of 2556 | 2436 | wscript.exe | 35
  PID 2436 wrote to memory of 2556 | 2436 | wscript.exe | 35
  PID 2436 wrote to memory of 3012 | 2436 | wscript.exe | 37
  PID 2436 wrote to memory of 3012 | 2436 | wscript.exe | 37
  PID 2436 wrote to memory of 3012 | 2436 | wscript.exe | 37
  PID 2436 wrote to memory of 3012 | 2436 | wscript.exe | 37
  PID 1988 wrote to memory of 2608 | 1988 | parsec-windows.exe | 39
  PID 1988 wrote to memory of 2608 | 1988 | parsec-windows.exe | 39
  PID 1988 wrote to memory of 2608 | 1988 | parsec-windows.exe | 39
  PID 1988 wrote to memory of 2608 | 1988 | parsec-windows.exe | 39
  PID 2608 wrote to memory of 2496 | 2608 | wscript.exe | 40
  PID 2608 wrote to memory of 2496 | 2608 | wscript.exe | 40
  PID 2608 wrote to memory of 2496 | 2608 | wscript.exe | 40
  PID 2608 wrote to memory of 2496 | 2608 | wscript.exe | 40
  PID 2608 wrote to memory of 852 | 2608 | wscript.exe | 42
  PID 2608 wrote to memory of 852 | 2608 | wscript.exe | 42
  PID 2608 wrote to memory of 852 | 2608 | wscript.exe | 42
  PID 2608 wrote to memory of 852 | 2608 | wscript.exe | 42
  PID 2608 wrote to memory of 2752 | 2608 | wscript.exe | 44
  PID 2608 wrote to memory of 2752 | 2608 | wscript.exe | 44
  PID 2608 wrote to memory of 2752 | 2608 | wscript.exe | 44
  PID 2608 wrote to memory of 2752 | 2608 | wscript.exe | 44
  PID 1988 wrote to memory of 2832 | 1988 | parsec-windows.exe | 46
  PID 1988 wrote to memory of 2832 | 1988 | parsec-windows.exe | 46
  PID 1988 wrote to memory of 2832 | 1988 | parsec-windows.exe | 46
  PID 1988 wrote to memory of 2832 | 1988 | parsec-windows.exe | 46
  PID 2832 wrote to memory of 2916 | 2832 | wscript.exe | 47
  PID 2832 wrote to memory of 2916 | 2832 | wscript.exe | 47
  PID 2832 wrote to memory of 2916 | 2832 | wscript.exe | 47
  PID 2832 wrote to memory of 2916 | 2832 | wscript.exe | 47
  PID 1988 wrote to memory of 2296 | 1988 | parsec-windows.exe | 49
  PID 1988 wrote to memory of 2296 | 1988 | parsec-windows.exe | 49
  PID 1988 wrote to memory of 2296 | 1988 | parsec-windows.exe | 49
  PID 1988 wrote to memory of 2296 | 1988 | parsec-windows.exe | 49
  PID 2296 wrote to memory of 1732 | 2296 | wscript.exe | 50
  PID 2296 wrote to memory of 1732 | 2296 | wscript.exe | 50
  PID 2296 wrote to memory of 1732 | 2296 | wscript.exe | 50
  PID 2296 wrote to memory of 1732 | 2296 | wscript.exe | 50
  PID 2296 wrote to memory of 948 | 2296 | wscript.exe | 52
  PID 2296 wrote to memory of 948 | 2296 | wscript.exe | 52
  PID 2296 wrote to memory of 948 | 2296 | wscript.exe | 52
  PID 2296 wrote to memory of 948 | 2296 | wscript.exe | 52
  PID 1988 wrote to memory of 784 | 1988 | parsec-windows.exe | 55
  PID 1988 wrote to memory of 784 | 1988 | parsec-windows.exe | 55
  PID 1988 wrote to memory of 784 | 1988 | parsec-windows.exe | 55
  PID 1988 wrote to memory of 784 | 1988 | parsec-windows.exe | 55
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\parsec-windows.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\parsec-windows.exe"
  PID: 1988
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\wscript.exe
      command line: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
      PID: 2584
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\sc.exe
          command line: "C:\Windows\System32\sc.exe" control Parsec 200
          PID: 2588
          - Launches sc.exe
        C:\Windows\SysWOW64\taskkill.exe
          command line: "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
          PID: 2704
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\wscript.exe
      command line: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
      PID: 2436
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\sc.exe
          command line: "C:\Windows\System32\sc.exe" stop Parsec
          PID: 2556
          - Launches sc.exe
        C:\Windows\SysWOW64\sc.exe
          command line: "C:\Windows\System32\sc.exe" delete Parsec
          PID: 3012
          - Launches sc.exe
    C:\Windows\SysWOW64\wscript.exe
      command line: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
      PID: 2608
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe
          command line: "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
          PID: 2496
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
        C:\Windows\SysWOW64\netsh.exe
          command line: "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
          PID: 852
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
        C:\Windows\SysWOW64\netsh.exe
          command line: "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
          PID: 2752
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
    C:\Windows\SysWOW64\wscript.exe
      command line: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
      PID: 2832
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
          PID: 2916
    C:\Windows\SysWOW64\wscript.exe
      command line: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
      PID: 2296
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\sc.exe
          command line: "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
          PID: 1732
          - Launches sc.exe
        C:\Windows\SysWOW64\sc.exe
          command line: "C:\Windows\System32\sc.exe" start Parsec
          PID: 948
          - Launches sc.exe
    C:\Windows\SysWOW64\wscript.exe
      command line: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
      PID: 784
        C:\Windows\SysWOW64\netsh.exe
          command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
          PID: 1500
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
    C:\Program Files\Parsec\parsecd.exe
      command line: "C:\Program Files\Parsec\parsecd.exe"
      PID: 1536
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system certificate store
C:\Program Files\Parsec\pservice.exe
  command line: "C:\Program Files\Parsec\pservice.exe"
  PID: 2056
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Downloads