ae5b66322e5a7c26ad21ccc556bdc1618796166565d2939142c5aa3d76c38ace

Analysis

max time kernel
37s
max time network
38s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

parsec-windows.exe
Size

3.9MB
MD5

01ef58e7c144c701b2ea01cfc049dbe4
SHA1

2f572accb519096c9ea805812ba53703c16cceea
SHA256

ae5b66322e5a7c26ad21ccc556bdc1618796166565d2939142c5aa3d76c38ace
SHA512

434fd6d4eb49669617da3a15c2239a2cf524624cc4fcf9f09d8bb78a40ddf2dc5e70105e6708ce7643448f3176301edd64a9b71244c179a836119532d7dd69a6
SSDEEP

98304:QsSoMQnPLeMNCvYa59QKS7XnqSsAVlsX4pIDmjjcrhm2NGbUU:QsSByeMj04VlslQsm2NK

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2496	netsh.exe
852	netsh.exe
2752	netsh.exe
1500	netsh.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Parsec\parsecd.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\pservice.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\uninstall.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\firewall-add.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\firewall-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-install.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-remove.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\vusb\parsec-vud.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\skel\appdata.json	parsec-windows.exe
File created	C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs	parsec-windows.exe
File created	C:\Program Files\Parsec\teams.exe	parsec-windows.exe
File opened for modification	C:\Program Files\Parsec	parsec-windows.exe
File created	C:\Program Files\Parsec\vdd\parsec-vdd.exe	parsec-windows.exe
File created	C:\Program Files\Parsec\skel\parsecd-150-93b.dll	parsec-windows.exe

Executes dropped EXE 4 IoCs

pid	Process
480	Process not Found
2056	pservice.exe
1536	parsecd.exe
1260	Process not Found

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1732	sc.exe
948	sc.exe
2588	sc.exe
2556	sc.exe
3012	sc.exe

Loads dropped DLL 9 IoCs

pid	Process
1988	parsec-windows.exe
1988	parsec-windows.exe
1988	parsec-windows.exe
1988	parsec-windows.exe
480	Process not Found
1988	parsec-windows.exe
1536	parsecd.exe
1260	Process not Found
1260	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2704	taskkill.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\URL Protocol	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open\command	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\ = "URL:parsec Protocol"	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open\command	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\URL Protocol	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open\command\ = "\"C:\\Program Files\\Parsec\\parsecd.exe\" \"%1\""	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsec\shell\open\command\ = "\"C:\\Program Files\\Parsec\\parsecd.exe\" \"%1\""	parsec-windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\ = "URL:parsecd Protocol"	parsec-windows.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\parsecd\shell\open	parsec-windows.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	parsecd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	parsecd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2584	1988	parsec-windows.exe	28
PID 1988 wrote to memory of 2584	1988	parsec-windows.exe	28
PID 1988 wrote to memory of 2584	1988	parsec-windows.exe	28
PID 1988 wrote to memory of 2584	1988	parsec-windows.exe	28
PID 2584 wrote to memory of 2588	2584	wscript.exe	29
PID 2584 wrote to memory of 2588	2584	wscript.exe	29
PID 2584 wrote to memory of 2588	2584	wscript.exe	29
PID 2584 wrote to memory of 2588	2584	wscript.exe	29
PID 2584 wrote to memory of 2704	2584	wscript.exe	31
PID 2584 wrote to memory of 2704	2584	wscript.exe	31
PID 2584 wrote to memory of 2704	2584	wscript.exe	31
PID 2584 wrote to memory of 2704	2584	wscript.exe	31
PID 1988 wrote to memory of 2436	1988	parsec-windows.exe	34
PID 1988 wrote to memory of 2436	1988	parsec-windows.exe	34
PID 1988 wrote to memory of 2436	1988	parsec-windows.exe	34
PID 1988 wrote to memory of 2436	1988	parsec-windows.exe	34
PID 2436 wrote to memory of 2556	2436	wscript.exe	35
PID 2436 wrote to memory of 2556	2436	wscript.exe	35
PID 2436 wrote to memory of 2556	2436	wscript.exe	35
PID 2436 wrote to memory of 2556	2436	wscript.exe	35
PID 2436 wrote to memory of 3012	2436	wscript.exe	37
PID 2436 wrote to memory of 3012	2436	wscript.exe	37
PID 2436 wrote to memory of 3012	2436	wscript.exe	37
PID 2436 wrote to memory of 3012	2436	wscript.exe	37
PID 1988 wrote to memory of 2608	1988	parsec-windows.exe	39
PID 1988 wrote to memory of 2608	1988	parsec-windows.exe	39
PID 1988 wrote to memory of 2608	1988	parsec-windows.exe	39
PID 1988 wrote to memory of 2608	1988	parsec-windows.exe	39
PID 2608 wrote to memory of 2496	2608	wscript.exe	40
PID 2608 wrote to memory of 2496	2608	wscript.exe	40
PID 2608 wrote to memory of 2496	2608	wscript.exe	40
PID 2608 wrote to memory of 2496	2608	wscript.exe	40
PID 2608 wrote to memory of 852	2608	wscript.exe	42
PID 2608 wrote to memory of 852	2608	wscript.exe	42
PID 2608 wrote to memory of 852	2608	wscript.exe	42
PID 2608 wrote to memory of 852	2608	wscript.exe	42
PID 2608 wrote to memory of 2752	2608	wscript.exe	44
PID 2608 wrote to memory of 2752	2608	wscript.exe	44
PID 2608 wrote to memory of 2752	2608	wscript.exe	44
PID 2608 wrote to memory of 2752	2608	wscript.exe	44
PID 1988 wrote to memory of 2832	1988	parsec-windows.exe	46
PID 1988 wrote to memory of 2832	1988	parsec-windows.exe	46
PID 1988 wrote to memory of 2832	1988	parsec-windows.exe	46
PID 1988 wrote to memory of 2832	1988	parsec-windows.exe	46
PID 2832 wrote to memory of 2916	2832	wscript.exe	47
PID 2832 wrote to memory of 2916	2832	wscript.exe	47
PID 2832 wrote to memory of 2916	2832	wscript.exe	47
PID 2832 wrote to memory of 2916	2832	wscript.exe	47
PID 1988 wrote to memory of 2296	1988	parsec-windows.exe	49
PID 1988 wrote to memory of 2296	1988	parsec-windows.exe	49
PID 1988 wrote to memory of 2296	1988	parsec-windows.exe	49
PID 1988 wrote to memory of 2296	1988	parsec-windows.exe	49
PID 2296 wrote to memory of 1732	2296	wscript.exe	50
PID 2296 wrote to memory of 1732	2296	wscript.exe	50
PID 2296 wrote to memory of 1732	2296	wscript.exe	50
PID 2296 wrote to memory of 1732	2296	wscript.exe	50
PID 2296 wrote to memory of 948	2296	wscript.exe	52
PID 2296 wrote to memory of 948	2296	wscript.exe	52
PID 2296 wrote to memory of 948	2296	wscript.exe	52
PID 2296 wrote to memory of 948	2296	wscript.exe	52
PID 1988 wrote to memory of 784	1988	parsec-windows.exe	55
PID 1988 wrote to memory of 784	1988	parsec-windows.exe	55
PID 1988 wrote to memory of 784	1988	parsec-windows.exe	55
PID 1988 wrote to memory of 784	1988	parsec-windows.exe	55

C:\Users\Admin\AppData\Local\Temp\parsec-windows.exe
"C:\Users\Admin\AppData\Local\Temp\parsec-windows.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" control Parsec 200
    3⤵
    - Launches sc.exe
    PID:2588
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" stop Parsec
    3⤵
    - Launches sc.exe
    PID:2556
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" delete Parsec
    3⤵
    - Launches sc.exe
    PID:3012
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2496
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:852
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2752
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
    3⤵
    PID:2916
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
    3⤵
    - Launches sc.exe
    PID:1732
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start Parsec
    3⤵
    - Launches sc.exe
    PID:948
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
  2⤵
  PID:784
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1500
- C:\Program Files\Parsec\parsecd.exe
  "C:\Program Files\Parsec\parsecd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  PID:1536

C:\Program Files\Parsec\pservice.exe
"C:\Program Files\Parsec\pservice.exe"
1⤵
- Executes dropped EXE
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Parsec\skel\appdata.json

Filesize
155B

MD5
2c669af7ee4adeddf72fa0102aa0378d

SHA1
5fcdf2480946eef8f55daa2df5522508e45deccd

SHA256
cd5d52066766b7f0fd7222e551a96c539f17c72debd32f8da9f76df4627a6dd5

SHA512
553caece520111cab22bb8e92099a2976acd7f2dc8c8766227f8d64259cc9e3104adf1b10019b25edb3a05b92a64afe5466c661f88bf33f2ecacda4fe6edc32f

Download Submit
C:\Program Files\Parsec\skel\parsecd-150-93b.dll

Filesize
3.3MB

MD5
1ff3e1349edd37a206a97943731045c4

SHA1
6d1cfc0c0b26191385cb27149433e743b74d479a

SHA256
b43debe8105cfd4e2c8f81599497ad4ad38640f19a64f9e530e7d2f64662bf6d

SHA512
80f91692c22587e76e26c7ca38b267493d4598bce75e284b3fef4ef03c64ef8ba91d67bb7be2bddd9624e4aa52a67bdeb4b5eac3a86a31529bb18c44f5824fe6

Download Submit
C:\Program Files\Parsec\wscripts\firewall-add.vbs

Filesize
307B

MD5
882374285898f16b5f9ff44afc1ae701

SHA1
31c9445557c9b8ecda1f0a6d5ff666e01dd1c3ca

SHA256
0be5aa5cc6395a86878f56b131e13db4908e48f06e892ff8f8cf9e2d3b6c8abb

SHA512
3b05158b03b57a4d2cbfee9cef6adfe973d080264a88e5cdeb85c59b567529cd1cd2a3b5d8538cb8637d140fd8691dc8826388ab669b7bfb2d5c1c4174069243

Download Submit
C:\Program Files\Parsec\wscripts\firewall-remove.vbs

Filesize
367B

MD5
5d4d70cdf36fcdaa292da1da9133320c

SHA1
92dc18d3d1128d43f482ab56804136c687b00713

SHA256
75f1dece4fda689a907f6d74b513adb0c1771c1b79ea71160179542c9c4ab2f0

SHA512
b54c92fbecb10ddf66d1b7ad950ffbc13f504c71081a8bd56c28c5689a2bf19bd81b467e0697c38f140c72a273eb9eb837105e738c6f1ac4f43344e2ab521778

Download Submit
C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs

Filesize
115B

MD5
c78520c3162c1962f3164714b37eb4d0

SHA1
67c19b8aea7ad99465976dbcd3efcfdd7d62e3fe

SHA256
dea38bd553abe93c689de42d0220add18f9be3e3d2fa53f97eb8649f586df4f3

SHA512
cfbfc2c7dd8019f98b77e8881680ef9d0135a210fb9b0136a4992c236d971e247aa1641cd2eafdc5f6f5bb61002b30ea14b226127c4cef04f3b3d6be3a941fcc

Download Submit
C:\Program Files\Parsec\wscripts\service-install.vbs

Filesize
412B

MD5
971e2a344a6e17347a81eeb21ada7ba7

SHA1
37e034c29adda9b118b75bfdc7c6f41aac71e257

SHA256
01f62a12de3307b375dff3ebcd6961d76ffcbc24f70682c7875655a811ce76a1

SHA512
5ea0750dc07ff1a0eb1807043b48fb9ed54f6dcb96ce03cb543b0ea36d326779814b6cb87091373574911662a35d75b576e35c5b8d781db36fe1503f8287c65d

Download Submit
C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs

Filesize
164B

MD5
f7b0c63e7aea5cbd96f7bf1021b28b73

SHA1
fc5b11a6bf022740de3ba15455b06ad3f061366b

SHA256
71f9cc28497b959377439f6611615ef582745dd5b9cca02b5c4b24bb1fc3dfb8

SHA512
c957b7b45b188af0b6e6698507e94564e8e5ccc8dbf5f0237827df373878291095887422584f7f3b7833cbcdd682531fa75c974ba1137031b32bf2ffba268191

Download Submit
C:\Program Files\Parsec\wscripts\service-remove.vbs

Filesize
150B

MD5
b90e75dd7903cb2d6328bb3714865c7a

SHA1
2d32868deb198726ed5feb80b66542bad7fbacee

SHA256
970b3c2a9ea1906a177810990478932e3517f47aba267cf2ab9e4ba65e7b475f

SHA512
3d4bfb86ec98fd85843ae5b63dcf5f475c6500380f02bb4d0dee15a5f7e2334abdbbcd9420b8ac05b5beb8a63b9ea16abcd70ae01c04b87a423fc288ff4dca0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
\Program Files\Parsec\parsecd.exe

Filesize
454KB

MD5
62beb668110b4c5ddad09bb20d921cb6

SHA1
f3706372c01d1e607ff8c605307de6ef2c26c1a4

SHA256
6f1be9e26e403a885cc3b1ff0e4dbecbc96c0821119d25990c3e211564f215d5

SHA512
8994c3f1c78b0a816ecf30e463af8d6ddfd0a0ce7b962cbf13e9bbd360d37a024b8ee69c76745f4c332a4786dbfb9216667b1d03c32c60a7c06e85359a2186ee

Download Submit
\Program Files\Parsec\pservice.exe

Filesize
408KB

MD5
46cd3fc327af9109bd143ba7f16df397

SHA1
53d2a6bcf0d21168050b852e287c2ef62f52f909

SHA256
5a699a165838c739e449ac19a52e0a05b841bcee1a27f7d348f0dd04c8e277a3

SHA512
d6e35f0dd4f6ef259dd7040d80cd469f27eb460836a4c767d40678ce82b46ce4c38b329c0cf3b41236cea2f0333f94669cfbef05ef484d91035f52ad4c1a5ca3

Download Submit
\Users\Admin\AppData\Local\Temp\nst73CA.tmp\ApplicationID.dll

Filesize
196KB

MD5
a858c1a57e32485505b1977cf0a125be

SHA1
25d86c4b51f7cc10fc70e3a0493a39c4460cc350

SHA256
1462a072345e86318b981089b08b613a34027ddf527bfb66606c683f218fc3b4

SHA512
32b597fc2412a9407fd12ac77c556ff9740f1dd0d2055426d11a7baf21b09c536a84cfb97865b4e94168656514e7ce71eb2bc4122aa340100f4ce483bad1722d

Download Submit
\Users\Admin\AppData\Local\Temp\nst73CA.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nst73CA.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads