File name:

parsec-windows.exe

Full analysis: https://app.any.run/tasks/057d373e-5975-422b-8a10-4c0d1fee3699
Verdict: Malicious activity
Analysis date: July 09, 2024, 12:10:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

01EF58E7C144C701B2EA01CFC049DBE4

SHA1:

2F572ACCB519096C9EA805812BA53703C16CCEEA

SHA256:

AE5B66322E5A7C26AD21CCC556BDC1618796166565D2939142C5AA3D76C38ACE

SSDEEP:

98304:3PgwkW/21bBYyUc4DJj3iWLhOtvwWprCD7DpCQJzZFmRrQQSrLhdtjB2MzxuPhzC:3/c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • parsec-windows.exe (PID: 5240)
      • parsec-vud.exe (PID: 992)
      • nefconw.exe (PID: 3624)
      • drvinst.exe (PID: 5952)
      • nefconw.exe (PID: 4216)
      • drvinst.exe (PID: 1856)
      • parsec-vdd.exe (PID: 7164)
      • nefconw.exe (PID: 6468)
      • drvinst.exe (PID: 6628)
      • parsecd.exe (PID: 7044)
      • parsecd.exe (PID: 4720)

    • Creates a writable file in the system directory

      • drvinst.exe (PID: 5952)
      • drvinst.exe (PID: 1856)
      • drvinst.exe (PID: 6628)
      • pservice.exe (PID: 3976)

    • Changes the autorun value in the registry

      • nefconw.exe (PID: 4216)
      • parsecd.exe (PID: 4720)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • parsec-windows.exe (PID: 5240)
      • parsec-vud.exe (PID: 992)
      • parsec-vdd.exe (PID: 7164)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • parsec-windows.exe (PID: 5240)
      • parsec-vud.exe (PID: 992)
      • parsec-vdd.exe (PID: 7164)

    • The process executes VB scripts

      • parsec-windows.exe (PID: 5240)

    • Executable content was dropped or overwritten

      • parsec-windows.exe (PID: 5240)
      • parsec-vud.exe (PID: 992)
      • nefconw.exe (PID: 3624)
      • drvinst.exe (PID: 5952)
      • nefconw.exe (PID: 4216)
      • drvinst.exe (PID: 1856)
      • parsec-vdd.exe (PID: 7164)
      • nefconw.exe (PID: 6468)
      • drvinst.exe (PID: 6628)
      • parsecd.exe (PID: 7044)
      • parsecd.exe (PID: 4720)

    • Uses TASKKILL.EXE to kill process

      • wscript.exe (PID: 5236)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5236)
      • wscript.exe (PID: 476)
      • wscript.exe (PID: 4084)
      • wscript.exe (PID: 1832)
      • wscript.exe (PID: 2632)
      • wscript.exe (PID: 2364)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 4084)
      • wscript.exe (PID: 2632)
      • wscript.exe (PID: 2364)

    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • wscript.exe (PID: 4084)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 5004)

    • Creates a software uninstall entry

      • parsec-windows.exe (PID: 5240)
      • parsec-vud.exe (PID: 992)
      • parsec-vdd.exe (PID: 7164)

    • Executes as Windows Service

      • pservice.exe (PID: 3976)
      • WUDFHost.exe (PID: 5896)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • wscript.exe (PID: 2364)

    • Starts CMD.EXE for commands execution

      • parsec-windows.exe (PID: 5240)
      • parsec-vud.exe (PID: 992)
      • parsec-vdd.exe (PID: 7164)

    • Drops a system driver (possible attempt to evade defenses)

      • parsec-vud.exe (PID: 992)
      • drvinst.exe (PID: 5952)
      • nefconw.exe (PID: 3624)
      • nefconw.exe (PID: 4216)
      • drvinst.exe (PID: 1856)

    • Creates files in the driver directory

      • drvinst.exe (PID: 5952)
      • drvinst.exe (PID: 1856)
      • drvinst.exe (PID: 6628)

    • Checks Windows Trust Settings

      • drvinst.exe (PID: 5952)
      • drvinst.exe (PID: 1856)
      • drvinst.exe (PID: 6628)
      • parsecd.exe (PID: 7044)
      • pservice.exe (PID: 3976)
      • parsecd.exe (PID: 4720)
      • parsecd.exe (PID: 3232)

    • Executing commands from a ".bat" file

      • parsec-vud.exe (PID: 992)
      • parsec-vdd.exe (PID: 7164)

    • Creates or modifies Windows services

      • drvinst.exe (PID: 1048)
      • drvinst.exe (PID: 3944)
      • drvinst.exe (PID: 6984)
      • drvinst.exe (PID: 6604)

    • Uses WEVTUTIL.EXE to remove publishers and event logs from the manifest

      • parsec-vdd.exe (PID: 7164)
      • wevtutil.exe (PID: 4720)

    • Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

      • wevtutil.exe (PID: 420)
      • parsec-vdd.exe (PID: 7164)

    • Reads security settings of Internet Explorer

      • parsecd.exe (PID: 7044)

    • Uses RUNDLL32.EXE to load library

      • parsecd.exe (PID: 3232)

  • INFO

    • Create files in a temporary directory

      • parsec-windows.exe (PID: 5240)
      • parsec-vud.exe (PID: 992)
      • nefconw.exe (PID: 3624)
      • nefconw.exe (PID: 4216)
      • parsec-vdd.exe (PID: 7164)
      • nefconw.exe (PID: 6468)

    • Reads the computer name

      • parsec-windows.exe (PID: 5240)
      • pservice.exe (PID: 3976)
      • nefconw.exe (PID: 4196)
      • nefconw.exe (PID: 3624)
      • drvinst.exe (PID: 5952)
      • drvinst.exe (PID: 1048)
      • nefconw.exe (PID: 4216)
      • drvinst.exe (PID: 1856)
      • drvinst.exe (PID: 3944)
      • drvinst.exe (PID: 6984)
      • nefconw.exe (PID: 2896)
      • nefconw.exe (PID: 6704)
      • nefconw.exe (PID: 6468)
      • drvinst.exe (PID: 6628)
      • drvinst.exe (PID: 6604)
      • parsecd.exe (PID: 7044)
      • parsecd.exe (PID: 3232)
      • identity_helper.exe (PID: 8180)
      • parsecd.exe (PID: 4720)

    • Creates files in the program directory

      • parsec-windows.exe (PID: 5240)
      • parsec-vud.exe (PID: 992)
      • parsec-vdd.exe (PID: 7164)
      • parsecd.exe (PID: 3232)

    • Checks supported languages

      • parsec-windows.exe (PID: 5240)
      • pservice.exe (PID: 3976)
      • parsec-vud.exe (PID: 992)
      • nefconc.exe (PID: 6036)
      • nefconw.exe (PID: 3624)
      • drvinst.exe (PID: 5952)
      • nefconw.exe (PID: 4196)
      • drvinst.exe (PID: 1048)
      • nefconw.exe (PID: 4216)
      • drvinst.exe (PID: 1856)
      • drvinst.exe (PID: 6984)
      • parsec-vdd.exe (PID: 7164)
      • drvinst.exe (PID: 3944)
      • nefconw.exe (PID: 2896)
      • nefconw.exe (PID: 6704)
      • nefconw.exe (PID: 6468)
      • drvinst.exe (PID: 6628)
      • drvinst.exe (PID: 6604)
      • parsecd.exe (PID: 4720)
      • parsecd.exe (PID: 7044)
      • parsecd.exe (PID: 3232)
      • identity_helper.exe (PID: 8180)

    • Reads the machine GUID from the registry

      • drvinst.exe (PID: 5952)
      • drvinst.exe (PID: 1856)
      • drvinst.exe (PID: 6628)
      • parsecd.exe (PID: 7044)
      • pservice.exe (PID: 3976)
      • parsecd.exe (PID: 4720)
      • parsecd.exe (PID: 3232)

    • Reads the software policy settings

      • drvinst.exe (PID: 5952)
      • drvinst.exe (PID: 1856)
      • drvinst.exe (PID: 6628)
      • parsecd.exe (PID: 7044)
      • pservice.exe (PID: 3976)
      • parsecd.exe (PID: 3232)
      • parsecd.exe (PID: 4720)

    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 6528)
      • rundll32.exe (PID: 5248)

    • Reads the time zone

      • runonce.exe (PID: 6528)

    • Creates files or folders in the user directory

      • parsecd.exe (PID: 7044)
      • parsecd.exe (PID: 4720)
      • parsecd.exe (PID: 3232)

    • Checks proxy server information

      • parsecd.exe (PID: 7044)

    • Reads Microsoft Office registry keys

      • rundll32.exe (PID: 5248)
      • msedge.exe (PID: 7136)

    • Application launched itself

      • msedge.exe (PID: 7136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 150.93.2.0
ProductVersionNumber: 150.93.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Parsec
FileVersion: 150.93.2.0
ProductName: Parsec
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
242
Monitored processes
98
Malicious processes
15
Suspicious processes
8

Behavior graph

Click at the process to see the details
start parsec-windows.exe wscript.exe no specs sc.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs wscript.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs wscript.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs wscript.exe no specs schtasks.exe no specs conhost.exe no specs wscript.exe no specs sc.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs pservice.exe wscript.exe no specs netsh.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs parsec-vud.exe cmd.exe no specs conhost.exe no specs nefconc.exe no specs cmd.exe no specs conhost.exe no specs nefconw.exe no specs nefconw.exe drvinst.exe drvinst.exe no specs nefconw.exe drvinst.exe drvinst.exe no specs runonce.exe no specs grpconv.exe no specs drvinst.exe no specs cmd.exe no specs conhost.exe no specs parsec-vdd.exe wevtutil.exe no specs conhost.exe no specs wevtutil.exe no specs cmd.exe no specs conhost.exe no specs nefconw.exe no specs nefconw.exe no specs nefconw.exe drvinst.exe drvinst.exe no specs wudfhost.exe no specs wevtutil.exe no specs conhost.exe no specs wevtutil.exe no specs parsecd.exe parsecd.exe parsecd.exe sppextcomobj.exe no specs slui.exe no specs rundll32.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs parsec-windows.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
244\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exewevtutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
420wevtutil im "C:\Program Files\Parsec Virtual Display Driver\mm.man"C:\Windows\SysWOW64\wevtutil.exeparsec-vdd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Eventing Command Line Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcp_win.dll
444"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2616 --field-trial-handle=2432,i,18192458963900716163,13435066415303771696,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
476"C:\Users\admin\AppData\Local\Temp\parsec-windows.exe" C:\Users\admin\AppData\Local\Temp\parsec-windows.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Parsec
Exit code:
3221226540
Version:
150.93.2.0
Modules
Images
c:\users\admin\appdata\local\temp\parsec-windows.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
476"C:\WINDOWS\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"C:\Windows\SysWOW64\wscript.exeparsec-windows.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
884\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exesc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
992"C:\Program Files\Parsec\vusb\parsec-vud.exe" /SC:\Program Files\Parsec\vusb\parsec-vud.exe
cmd.exe
User:
admin
Company:
Parsec Cloud Inc.
Integrity Level:
HIGH
Description:
Parsec Virtual USB Adapter Driver
Exit code:
0
Version:
0.2.8.0
Modules
Images
c:\program files\parsec\vusb\parsec-vud.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1048DrvInst.exe "2" "201" "ROOT\USB\0000" "C:\WINDOWS\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9\parsecvusba.inf" "oem1.inf:*:*:0.2.8.0:Root\Parsec\VUSBA," "464910f03" "00000000000001E0"C:\Windows\System32\drvinst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
1048C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat""C:\Windows\SysWOW64\cmd.exeparsec-vdd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1068"C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exeC:\Windows\SysWOW64\netsh.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events
49 663
Read events
49 366
Write events
259
Delete events
38

Modification events

(PID) Process:(5236) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5236) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5236) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5236) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(476) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(476) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(476) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(476) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4084) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4084) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
40
Suspicious files
117
Text files
58
Unknown types
11

Dropped files

PID
Process
Filename
Type
5240parsec-windows.exeC:\Users\admin\AppData\Local\Temp\nsyAE1.tmp\System.dllexecutable
MD5:CFF85C549D536F651D4FB8387F1976F2
SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
5240parsec-windows.exeC:\Program Files\Parsec\uninstall.exeexecutable
MD5:FD4427B781E0DCB86E2FBC84BF000B36
SHA256:99864EAE2AD9B58075D0F4B2B3CF5B68BC35FE9E187B8695791F041C1335D5F1
5240parsec-windows.exeC:\Program Files\Parsec\skel\parsecd-150-93b.dllexecutable
MD5:1FF3E1349EDD37A206A97943731045C4
SHA256:B43DEBE8105CFD4E2C8F81599497AD4AD38640F19A64F9E530E7D2F64662BF6D
5240parsec-windows.exeC:\Users\admin\AppData\Local\Temp\nsyAE1.tmp\ApplicationID.dllexecutable
MD5:A858C1A57E32485505B1977CF0A125BE
SHA256:1462A072345E86318B981089B08B613A34027DDF527BFB66606C683F218FC3B4
5240parsec-windows.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Parsec\Parsec.lnklnk
MD5:FE30A18CC1AB9C7901B2E306D7203754
SHA256:D8B8ECCB950025F8C918F7B9FBB1B024B6012E17FE788F529EF7C73A89F2D5F6
5240parsec-windows.exeC:\Program Files\Parsec\pservice.exeexecutable
MD5:46CD3FC327AF9109BD143BA7F16DF397
SHA256:5A699A165838C739E449AC19A52E0A05B841BCEE1A27F7D348F0DD04C8E277A3
5240parsec-windows.exeC:\Program Files\Parsec\wscripts\firewall-remove.vbstext
MD5:5D4D70CDF36FCDAA292DA1DA9133320C
SHA256:75F1DECE4FDA689A907F6D74B513ADB0C1771C1B79EA71160179542C9C4AB2F0
5240parsec-windows.exeC:\Users\admin\AppData\Local\Temp\nsyAE1.tmp\nsExec.dllexecutable
MD5:675C4948E1EFC929EDCABFE67148EDDD
SHA256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
5240parsec-windows.exeC:\Program Files\Parsec\wscripts\service-remove.vbstext
MD5:B90E75DD7903CB2D6328BB3714865C7A
SHA256:970B3C2A9EA1906A177810990478932E3517F47ABA267CF2AB9E4BA65E7B475F
5240parsec-windows.exeC:\Program Files\Parsec\wscripts\firewall-add.vbstext
MD5:882374285898F16B5F9FF44AFC1AE701
SHA256:0BE5AA5CC6395A86878F56B131E13DB4908E48F06E892FF8F8CF9E2D3B6C8ABB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
119
DNS requests
88
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1888
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1888
svchost.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
6068
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
7044
parsecd.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
unknown
7044
parsecd.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
unknown
7044
parsecd.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAloEugzUPGt9OnVZ%2FPPgls%3D
unknown
unknown
3976
pservice.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
unknown
3976
pservice.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
unknown
3976
pservice.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAloEugzUPGt9OnVZ%2FPPgls%3D
unknown
unknown
4264
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3516
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1776
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
1888
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1888
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1888
svchost.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
1888
svchost.exe
104.119.109.218:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
unknown
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.9
  • 2.16.164.106
whitelisted
www.microsoft.com
  • 104.119.109.218
  • 88.221.169.152
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
login.live.com
  • 20.190.159.0
  • 20.190.159.2
  • 40.126.31.67
  • 40.126.31.71
  • 40.126.31.69
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.71
whitelisted
builds.parsec.app
  • 104.18.0.181
  • 104.18.1.181
unknown
client.wns.windows.com
  • 40.113.110.67
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
arc.msn.com
  • 20.103.156.88
  • 20.74.19.45
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
parsec-windows.exe