| File name: | parsec-vdd-0.45.0.0.exe |
| Full analysis: | https://app.any.run/tasks/9043de3e-d4b4-4b55-82b0-62a04a1b3f01 |
| Verdict: | Malicious activity |
| Analysis date: | June 12, 2025, 17:39:25 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | 4B9A3048286692A865187013B70F44E8 |
| SHA1: | EEFE91D9702314341ACCCD828FE4EDB6EE570D7B |
| SHA256: | E23332448FDAF5AA017CB308DB5EF6855FAC526A7DED05D80C039404126D5362 |
| SSDEEP: | 24576:Rq1sg0R377IdjkRBLhBAtQdfiiWd9Ng5LCtuPhPYASZ13:Rq1sg0Rr7IdjkjLhBAtQdfiiWd9Ng5LI |
MALICIOUS
No malicious indicators.SUSPICIOUS
Uses WEVTUTIL.EXE to remove publishers and event logs from the manifest
- parsec-vdd-0.45.0.0.exe (PID: 516)
- wevtutil.exe (PID: 1520)
Executable content was dropped or overwritten
- parsec-vdd-0.45.0.0.exe (PID: 516)
- nefconw.exe (PID: 6936)
- drvinst.exe (PID: 984)
Malware-specific behavior (creating "System.dll" in Temp)
- parsec-vdd-0.45.0.0.exe (PID: 516)
Executing commands from a ".bat" file
- parsec-vdd-0.45.0.0.exe (PID: 516)
Starts CMD.EXE for commands execution
- parsec-vdd-0.45.0.0.exe (PID: 516)
Creates a software uninstall entry
- parsec-vdd-0.45.0.0.exe (PID: 516)
The process creates files with name similar to system file names
- parsec-vdd-0.45.0.0.exe (PID: 516)
Creates files in the driver directory
- drvinst.exe (PID: 984)
Creates or modifies Windows services
- drvinst.exe (PID: 1336)
Executes as Windows Service
- WUDFHost.exe (PID: 7076)
Uses WEVTUTIL.EXE to install publishers and event logs from the manifest
- wevtutil.exe (PID: 2188)
- parsec-vdd-0.45.0.0.exe (PID: 516)
INFO
Create files in a temporary directory
- parsec-vdd-0.45.0.0.exe (PID: 516)
- nefconw.exe (PID: 6936)
Checks supported languages
- parsec-vdd-0.45.0.0.exe (PID: 516)
- nefconw.exe (PID: 2512)
- nefconw.exe (PID: 6180)
- nefconw.exe (PID: 6936)
- drvinst.exe (PID: 984)
- drvinst.exe (PID: 1336)
The sample compiled with english language support
- parsec-vdd-0.45.0.0.exe (PID: 516)
- drvinst.exe (PID: 984)
- nefconw.exe (PID: 6936)
Reads the computer name
- parsec-vdd-0.45.0.0.exe (PID: 516)
- nefconw.exe (PID: 2512)
- nefconw.exe (PID: 6180)
- nefconw.exe (PID: 6936)
- drvinst.exe (PID: 984)
- drvinst.exe (PID: 1336)
Creates files in the program directory
- parsec-vdd-0.45.0.0.exe (PID: 516)
Reads the machine GUID from the registry
- drvinst.exe (PID: 984)
Reads the software policy settings
- drvinst.exe (PID: 984)
- slui.exe (PID: 1524)
Checks proxy server information
- slui.exe (PID: 1524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:09:25 21:57:46+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 27136 |
| InitializedDataSize: | 186880 |
| UninitializedDataSize: | 2048 |
| EntryPoint: | 0x352d |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.45.0.0 |
| ProductVersionNumber: | 0.45.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | Parsec Virtual Display Driver |
| CompanyName: | Parsec Cloud Inc. |
| FileDescription: | Parsec Virtual Display Driver |
| FileVersion: | 0.45.0.0 |
| LegalCopyright: | Parsec Cloud Inc. |
| ProductName: | Parsec Virtual Display Driver |
| ProductVersion: | 0.45.0.0 |
Total processes
154
Monitored processes
17
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 516 | "C:\Users\admin\Desktop\parsec-vdd-0.45.0.0.exe" | C:\Users\admin\Desktop\parsec-vdd-0.45.0.0.exe | explorer.exe | ||||||||||||
User: admin Company: Parsec Cloud Inc. Integrity Level: HIGH Description: Parsec Virtual Display Driver Exit code: 0 Version: 0.45.0.0 Modules
| |||||||||||||||
| 632 | "C:\Users\admin\Desktop\parsec-vdd-0.45.0.0.exe" | C:\Users\admin\Desktop\parsec-vdd-0.45.0.0.exe | — | explorer.exe | |||||||||||
User: admin Company: Parsec Cloud Inc. Integrity Level: MEDIUM Description: Parsec Virtual Display Driver Exit code: 3221226540 Version: 0.45.0.0 Modules
| |||||||||||||||
| 984 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{a4efb3d0-9a06-754b-aecb-c1705cab387e}\mm.inf" "9" "484386e17" "00000000000001CC" "WinSta0\Default" "00000000000001DC" "208" "C:\Program Files\Parsec Virtual Display Driver\driver" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1336 | DrvInst.exe "2" "201" "ROOT\DISPLAY\0000" "C:\WINDOWS\System32\DriverStore\FileRepository\mm.inf_amd64_615d17457058f652\mm.inf" "oem1.inf:*:*:0.45.0.0:Root\Parsec\VDA," "484386e17" "00000000000001CC" | C:\Windows\System32\drvinst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1520 | wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" | C:\Windows\SysWOW64\wevtutil.exe | — | parsec-vdd-0.45.0.0.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Eventing Command Line Utility Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1524 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2148 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2188 | wevtutil im "C:\Program Files\Parsec Virtual Display Driver\mm.man" | C:\Windows\SysWOW64\wevtutil.exe | — | parsec-vdd-0.45.0.0.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Eventing Command Line Utility Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2512 | .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" | C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | — | cmd.exe | |||||||||||
User: admin Company: Nefarius Software Solutions e.U. Integrity Level: HIGH Description: Nefarius' Device Console Utility Exit code: 6 Version: 1.10.0.0 Modules
| |||||||||||||||
| 2648 | wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow64 | C:\Windows\System32\wevtutil.exe | — | wevtutil.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Eventing Command Line Utility Exit code: 2147942403 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
7 213
Read events
7 147
Write events
60
Delete events
6
Modification events
| (PID) Process: | (516) parsec-vdd-0.45.0.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVDD |
| Operation: | write | Name: | Comments |
Value: Parsec Virtual Display Driver | |||
| (PID) Process: | (516) parsec-vdd-0.45.0.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVDD |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files\Parsec Virtual Display Driver\uninstall.exe | |||
| (PID) Process: | (516) parsec-vdd-0.45.0.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVDD |
| Operation: | write | Name: | DisplayName |
Value: Parsec Virtual Display Driver | |||
| (PID) Process: | (516) parsec-vdd-0.45.0.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVDD |
| Operation: | write | Name: | DisplayVersion |
Value: 0.45.0.0 | |||
| (PID) Process: | (516) parsec-vdd-0.45.0.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVDD |
| Operation: | write | Name: | EstimatedSize |
Value: 851 | |||
| (PID) Process: | (516) parsec-vdd-0.45.0.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVDD |
| Operation: | write | Name: | HelpLink |
Value: https://support.parsec.app | |||
| (PID) Process: | (516) parsec-vdd-0.45.0.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVDD |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\Parsec Virtual Display Driver | |||
| (PID) Process: | (516) parsec-vdd-0.45.0.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVDD |
| Operation: | write | Name: | NoModify |
Value: 1 | |||
| (PID) Process: | (516) parsec-vdd-0.45.0.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVDD |
| Operation: | write | Name: | NoRepair |
Value: 1 | |||
| (PID) Process: | (516) parsec-vdd-0.45.0.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVDD |
| Operation: | write | Name: | Publisher |
Value: Parsec Cloud Inc. | |||
Executable files
9
Suspicious files
0
Text files
5
Unknown types
11
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 516 | parsec-vdd-0.45.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsh6E6A.tmp\nsExec.dll | executable | |
MD5:675C4948E1EFC929EDCABFE67148EDDD | SHA256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906 | |||
| 516 | parsec-vdd-0.45.0.0.exe | C:\Program Files\Parsec Virtual Display Driver\driver\mm.inf | txt | |
MD5:D8030AFE09A2F984BE00389B31F7039B | SHA256:34DA9FF45C13577631F67E33D11B8A26E3D22CA685D00C388B6122A795800588 | |||
| 516 | parsec-vdd-0.45.0.0.exe | C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | executable | |
MD5:E9F2BC8C82AC755F47C7F89D1530F1A1 | SHA256:CF746D1B0BBB713993D4A90DCCD774C78D9FFF8C2BA5A054B6C8F56C77E1EEE1 | |||
| 516 | parsec-vdd-0.45.0.0.exe | C:\Users\admin\AppData\Local\Temp\nsh6E6A.tmp\System.dll | executable | |
MD5:CFF85C549D536F651D4FB8387F1976F2 | SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8 | |||
| 6936 | nefconw.exe | C:\Users\admin\AppData\Local\Temp\{a4efb3d0-9a06-754b-aecb-c1705cab387e}\SET707F.tmp | txt | |
MD5:D8030AFE09A2F984BE00389B31F7039B | SHA256:34DA9FF45C13577631F67E33D11B8A26E3D22CA685D00C388B6122A795800588 | |||
| 516 | parsec-vdd-0.45.0.0.exe | C:\Program Files\Parsec Virtual Display Driver\uninstall.exe | executable | |
MD5:A8482B15BD93524520814369536FECFA | SHA256:1E30A0C0FB30C1B09007ABE48909FE05EFB055DBC0A917F4F29D37635319F243 | |||
| 6936 | nefconw.exe | C:\Windows\INF\setupapi.dev.log | ini | |
MD5:FD9DBD8DCC4FCB2ADBDDE0DC30D33770 | SHA256:BC54CC167A236AAC1FE1E6A9FBF60BD1B3DF5D32DD36E32845B85854E00E2235 | |||
| 6936 | nefconw.exe | C:\Users\admin\AppData\Local\Temp\{a4efb3d0-9a06-754b-aecb-c1705cab387e}\SET707D.tmp | cat | |
MD5:1FE1FC7CC73FB17E995D65835D51CA94 | SHA256:136E64AC07DCE5A3B4935D5A9C5CFE03983C0B3065F46A30A45536D5B1681D5C | |||
| 6936 | nefconw.exe | C:\Users\admin\AppData\Local\Temp\{a4efb3d0-9a06-754b-aecb-c1705cab387e}\mm.cat | cat | |
MD5:1FE1FC7CC73FB17E995D65835D51CA94 | SHA256:136E64AC07DCE5A3B4935D5A9C5CFE03983C0B3065F46A30A45536D5B1681D5C | |||
| 6936 | nefconw.exe | C:\Users\admin\AppData\Local\Temp\{a4efb3d0-9a06-754b-aecb-c1705cab387e}\SET707E.tmp | executable | |
MD5:F09967CC8CC9BF03612DDECB6BF86DAA | SHA256:96DB6AE2F950B56E52BE3E68F92893AFA94645EAE09FEA2ABD5DD1985758150A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
43
DNS requests
18
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2028 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2028 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 403 | 95.101.149.131:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | unknown | html | 384 b | whitelisted |
— | — | POST | 403 | 95.101.149.131:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | unknown | html | 384 b | whitelisted |
— | — | POST | 403 | 95.101.149.131:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | unknown | html | 384 b | whitelisted |
— | — | POST | 403 | 95.101.149.131:443 | https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409 | unknown | html | 384 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2028 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2028 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
2028 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |