File name: MacDrive 11.1.4.26 Setup.exe

Full analysis: https://app.any.run/tasks/0bcfc7cb-af02-496a-8874-cab71d9321d3
Verdict: Malicious activity
Analysis date: January 28, 2026, 14:30:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: D57CD08E93B154AFDA35CA79025B54DD
SHA1: 89E2EC60975124C2AF0FB65B3F1B659FF6A90197
SHA256: 0A4B9C8B051E97BC21AF9131F6427F30A488116AD8A9B026C7741C28C4582142
SSDEEP: 98304:MZpyGRtVZL+w365Wdv3MR1JgD+GKftQN17rz+U8Bc9wL7u2Vy8qfrtz3/BDhLA1g:el97+klSIdtxv6m1eC5z3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • MacDrive 11.1.4.26 Setup.exe (PID: 5524)
      • MacDrive Setup.exe (PID: 2352)
      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
      • Activate MacDrive.exe (PID: 2268)
    • Changes the autorun value in the registry

      • MacDrive Setup.exe (PID: 2352)
      • msiexec.exe (PID: 4816)
    • Changes settings of System certificates

      • MSI907F.tmp (PID: 4544)
      • MSI935E.tmp (PID: 1456)
  • SUSPICIOUS

    • Starts itself from another location

      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
    • Searches for installed software

      • MacDrive Setup.exe (PID: 2352)
      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
      • dllhost.exe (PID: 8660)
      • MSIC6D8.tmp (PID: 8968)
    • Executable content was dropped or overwritten

      • MacDrive 11.1.4.26 Setup.exe (PID: 5524)
      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
      • MacDrive Setup.exe (PID: 2352)
      • MacDrive Disk Image.exe (PID: 6304)
      • wow64sup.exe (PID: 8572)
      • wow64sup.exe (PID: 4604)
      • MacDrive Service.exe (PID: 272)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4288)
      • MacDrive Service.exe (PID: 272)
      • vds.exe (PID: 2860)
      • OWCFSEventsService.exe (PID: 5628)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4816)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 4816)
      • MacDrive Service.exe (PID: 272)
    • Drops a system driver (possible attempt to evade defenses)

      • drvinst.exe (PID: 9080)
      • msiexec.exe (PID: 4816)
      • MacDrive Disk Image.exe (PID: 6304)
      • wow64sup.exe (PID: 8572)
      • wow64sup.exe (PID: 4604)
    • Creates files in the driver directory

      • msiexec.exe (PID: 8428)
      • msiexec.exe (PID: 4816)
      • wow64sup.exe (PID: 8572)
    • Image mount has been detected

      • drvinst.exe (PID: 6236)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 4816)
    • Adds/modifies Windows certificates

      • MSI907F.tmp (PID: 4544)
      • MSI935E.tmp (PID: 1456)
    • Creates/Modifies COM task schedule object

      • msiexec.exe (PID: 4816)
      • msiexec.exe (PID: 5496)
      • msiexec.exe (PID: 3464)
      • msiexec.exe (PID: 908)
    • Application launched itself

      • msiexec.exe (PID: 4816)
    • Creates or modifies Windows services

      • wow64sup.exe (PID: 8572)
  • INFO

    • The sample compiled with English language support

      • MacDrive 11.1.4.26 Setup.exe (PID: 5524)
      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
      • MacDrive Setup.exe (PID: 2352)
      • msiexec.exe (PID: 4816)
      • drvinst.exe (PID: 9080)
      • wow64sup.exe (PID: 8572)
      • MacDrive Disk Image.exe (PID: 6304)
      • wow64sup.exe (PID: 4604)
    • Creates files in a temporary directory

      • MacDrive Setup.exe (PID: 2352)
      • MacDrive 11.1.4.26 Setup.exe (PID: 5524)
      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
      • MacDrive Disk Image.exe (PID: 6304)
      • wow64sup.exe (PID: 8572)
      • wow64sup.exe (PID: 4604)
    • Checks supported languages

      • MacDrive Setup.exe (PID: 2352)
      • MacDrive 11.1.4.26 Setup.exe (PID: 5524)
      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
      • msiexec.exe (PID: 4816)
      • MSI8EB8.tmp (PID: 8968)
      • MSI8F55.tmp (PID: 4404)
      • MSI907F.tmp (PID: 4544)
      • msiexec.exe (PID: 9196)
      • MSI938E.tmp (PID: 8468)
      • msiexec.exe (PID: 8428)
      • drvinst.exe (PID: 9080)
      • drvinst.exe (PID: 6236)
      • MSI935E.tmp (PID: 1456)
      • MacDrive Disk Image.exe (PID: 6304)
      • wow64sup.exe (PID: 8572)
      • wow64sup.exe (PID: 4604)
      • MacDrive Service.exe (PID: 272)
      • Activate MacDrive.exe (PID: 2268)
      • OWCFSEventsService.exe (PID: 5628)
      • MSIC6D8.tmp (PID: 8968)
      • MSIC7E4.tmp (PID: 6300)
      • OWC Product Updates Helper.exe (PID: 2688)
    • Reads the computer name

      • MacDrive Setup.exe (PID: 2352)
      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
      • msiexec.exe (PID: 4816)
      • MSI8F55.tmp (PID: 4404)
      • msiexec.exe (PID: 9196)
      • msiexec.exe (PID: 8428)
      • drvinst.exe (PID: 9080)
      • drvinst.exe (PID: 6236)
      • MacDrive Disk Image.exe (PID: 6304)
      • wow64sup.exe (PID: 4604)
      • wow64sup.exe (PID: 8572)
      • MacDrive Service.exe (PID: 272)
      • OWCFSEventsService.exe (PID: 5628)
      • Activate MacDrive.exe (PID: 2268)
      • OWC Product Updates Helper.exe (PID: 2688)
      • MSIC6D8.tmp (PID: 8968)
    • Process checks computer location settings

      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
    • Reads security settings of Internet Explorer

      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
      • MacDrive Service.exe (PID: 272)
    • There is functionality for taking screenshot (YARA)

      • MacDrive 11.1.4.26 Setup.exe (PID: 5408)
      • MacDrive 11.1.4.26 Setup.exe (PID: 5524)
    • Creates a software uninstall entry

      • MacDrive Setup.exe (PID: 2352)
      • msiexec.exe (PID: 4816)
    • Manages system restore points

      • SrTasks.exe (PID: 8300)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 4816)
      • MacDrive Setup.exe (PID: 2352)
      • drvinst.exe (PID: 9080)
      • MacDrive Disk Image.exe (PID: 6304)
      • OWCFSEventsService.exe (PID: 5628)
      • MacDrive Service.exe (PID: 272)
      • Activate MacDrive.exe (PID: 2268)
      • OWC Product Updates Helper.exe (PID: 2688)
      • MSIC6D8.tmp (PID: 8968)
    • Launching a file from a Registry key

      • MacDrive Setup.exe (PID: 2352)
      • msiexec.exe (PID: 4816)
    • Creates files in the program directory

      • MacDrive Setup.exe (PID: 2352)
      • MacDrive Service.exe (PID: 272)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 4816)
    • The sample compiled with Czech language support

      • msiexec.exe (PID: 4816)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4816)
    • Reads Environment values

      • msiexec.exe (PID: 4816)
      • MacDrive Service.exe (PID: 272)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 4816)
    • Creates or modifies Windows services

      • msiexec.exe (PID: 4816)
    • Checks proxy server information

      • MacDrive Service.exe (PID: 272)
    • Reads Windows Product ID

      • MacDrive Service.exe (PID: 272)
      • Activate MacDrive.exe (PID: 2268)
    • Reads CPU info

      • MacDrive Service.exe (PID: 272)
      • Activate MacDrive.exe (PID: 2268)
    • Disables trace logs

      • MacDrive Service.exe (PID: 272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:13 22:48:00+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.37
CodeSize: 442880
InitializedDataSize: 326656
UninitializedDataSize: -
EntryPoint: 0x46a70
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.1.4.26
ProductVersionNumber: 11.1.4.26
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: ASCII
CompanyName: OWC
FileDescription: MacDrive 11
FileVersion: 11.1.4.26
InternalName: burn
OriginalFileName: MacDrive Setup.exe
ProductName: MacDrive 11
ProductVersion: 11.1.4.26
LegalCopyright: Copyright © 2023 Other World Computing
No data.
All screenshots are available in the full report
Total processes: 191
Monitored processes: 34
Malicious processes: 6
Suspicious processes: 2


Process information
PID: 272
CMD: "C:\Program Files\OWC\MacDrive 11\MacDrive Service.exe"
Path: C:\Program Files\OWC\MacDrive 11\MacDrive Service.exe
Parent process: services.exe
User: SYSTEM
Company: OWC
Integrity Level: SYSTEM
Description: MacDriveService
Version: 11.1.4.26
Modules
Images
c:\program files\owc\macdrive 11\macdrive service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 908
CMD: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\OWC\MacDrive 11\MDShell.dll"
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1456
CMD: "C:\WINDOWS\Installer\MSI935E.tmp"
Path: C:\Windows\Installer\MSI935E.tmp
Parent process: msiexec.exe
User: admin
Company: Other World Computing, Inc.
Integrity Level: HIGH
Description: InstallEldosCertificate
Exit code: 0
Version: 11.1.4.26
Modules
Images
c:\windows\installer\msi935e.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2268
CMD: "C:\Program Files\OWC\MacDrive 11\Activate MacDrive.exe" /initialize
Path: C:\Program Files\OWC\MacDrive 11\Activate MacDrive.exe
Parent process: msiexec.exe
User: admin
Company: Other World Computing, Inc.
Integrity Level: HIGH
Description: Activate MacDrive
Exit code: 0
Version: 11.1.4.26
Modules
Images
c:\program files\owc\macdrive 11\activate macdrive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2352
CMD: "C:\Users\admin\AppData\Local\Temp\{87560837-0D56-455B-AFA1-46F842D0C527}\.be\MacDrive Setup.exe" -q -burn.elevated BurnPipe.{1885F880-2CA7-4D5F-9529-AB51999BFA28} {79B54E1F-D96A-4E49-8A22-9504387A7D11} 5408
Path: C:\Users\admin\AppData\Local\Temp\{87560837-0D56-455B-AFA1-46F842D0C527}\.be\MacDrive Setup.exe
Parent process: MacDrive 11.1.4.26 Setup.exe
User: admin
Company: OWC
Integrity Level: HIGH
Description: MacDrive 11
Exit code: 1073807364
Version: 11.1.4.26
Modules
Images
c:\users\admin\appdata\local\temp\{87560837-0d56-455b-afa1-46f842d0c527}\.be\macdrive setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2688
CMD: "C:\Program Files\OWC Product Updates\OWC Product Updates Helper.exe"
Path: C:\Program Files\OWC Product Updates\OWC Product Updates Helper.exe
Parent process: msiexec.exe
User: admin
Company: Other World Computing
Integrity Level: HIGH
Description: OWC Product Updates Helper
Exit code: 1073807364
Version: 2.4.0.12
Modules
Images
c:\program files\owc product updates\owc product updates helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2860
CMD: C:\WINDOWS\System32\vds.exe
Path: C:\Windows\System32\vds.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Virtual Disk Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vds.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3464
CMD: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\OWC\MacDrive 11\M4HTEXT.OCX"
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 4288
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4404
CMD: "C:\WINDOWS\Installer\MSI8F55.tmp"
Path: C:\Windows\Installer\MSI8F55.tmp
Parent process: msiexec.exe
User: admin
Integrity Level: HIGH
Description: KillServiceProcess11Before11_1_4
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\windows\installer\msi8f55.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 13 131
Read events: 12 683
Write events: 428
Delete events: 20

Modification events

PID 8660 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Enter)
Value: 4800000000000000FC91F4AE6290DC01D421000050070000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 8660 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGatherWriterMetadata (Enter)
Value: 4800000000000000F4EF53AF6290DC01D421000050070000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 8660 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher | Operation: write | Name: IDENTIFY (Enter)
Value: 4800000000000000505256AF6290DC01D4210000F4190000E80300000100000000000000000000009A2562BDB27A20448BB64D68388C299A00000000000000000000000000000000

PID 2352 MacDrive Setup.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter)
Value: 4000000000000000FC91F4AE6290DC013009000008090000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

PID 8660 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Leave)
Value: 480000000000000078183CAF6290DC01D421000050070000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 8660 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Enter)
Value: 480000000000000078183CAF6290DC01D421000050070000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 8660 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Leave)
Value: 480000000000000078183CAF6290DC01D421000050070000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

PID 8660 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppCreate (Enter)
Value: 4800000000000000DC7A3EAF6290DC01D421000050070000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 8660 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | Operation: write | Name: LastIndex
Value: 15

PID 4288 VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | Operation: write | Name: IDENTIFY (Enter)
Value: 480000000000000074795DAF6290DC01C0100000300B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 195
Suspicious files: 104
Text files: 21
Unknown types: 0

Dropped files

PID 8660 dllhost.exe
Filename: C:\System Volume Information\SPP\metadata-2

PID 5408 MacDrive 11.1.4.26 Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{87560837-0D56-455B-AFA1-46F842D0C527}\MacDrive_11_Setup.msi

PID 2352 MacDrive Setup.exe
Filename: C:\ProgramData\Package Cache\.unverified\MacDrive_11_Setup.msi

PID 2352 MacDrive Setup.exe
Filename: C:\ProgramData\Package Cache\{81CDC47D-042F-4C73-A8BF-83FB19BCC743}v11.1.4.26\MacDrive 11 Setup.msi

PID 4816 msiexec.exe
Filename: C:\Windows\Installer\1b8876.msi

PID 8660 dllhost.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: 17C1D155E8566C9355E171C54FB0F464
SHA256: A6E6F3703057FFEA1E69486888FB3747A68E7D68B3C166C2DFD8490BBBA1A961

PID 5408 MacDrive 11.1.4.26 Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{87560837-0D56-455B-AFA1-46F842D0C527}\.ba\wixstdba.dll
Type: executable
MD5: 55211ABFF95D198E76F5A4700E7759B6
SHA256: F1F8918F38CBC20D2DDC4E2CDDA06BA565A65DC3EA7CD1825092CD183A58740E

PID 5408 MacDrive 11.1.4.26 Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\{87560837-0D56-455B-AFA1-46F842D0C527}\.ba\logo.png
Type: image
MD5: 3B4EC9DEE18D094979A17D84B3A5F422
SHA256: FF73C622088167E64CDA034E5FD6FB463D378DDF6FEC1737B2163B37AC5A04FA

PID 4816 msiexec.exe
Filename: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
Type: text
MD5: 306AD684D62B62AE7AE748B5EE4DF3B3
SHA256: 073390CD1430FD1DDD586912D705F2C61C2DA22D04D1DBE8B35E19AECED5D88D

PID 4816 msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3EC49180A59F0C351C30F112AD97CFA5_AC469B1D769F5860AA4D54671A5C64B0
Type: binary
MD5: DA4E63CA1CA3B5FECB56DD39B5A3ABC2
SHA256: ADAC5C09F3A5407DFAF148143DF2B21FA2F0B57EFFFB6DD7FCA24AA3334C808F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 37
TCP/UDP connections: 42
DNS requests: 23
Threats: 1

HTTP requests

PID 6768 MoUsoCoreWorker.exe | GET 304 | 20.73.194.208:443 | CN: US | whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop

PID 8240 svchost.exe | GET 304 | 20.73.194.208:443 | CN: US | whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2

PID 6768 MoUsoCoreWorker.exe | GET 304 | 20.73.194.208:443 | CN: US | whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/WaaS/FeatureManagement?IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&CurrentBranch=vb_release&AccountFirstChar=&ActivationChannel=Retail&OEMModel=DELL&FlightRing=Retail&AttrDataVer=186&InstallLanguage=en-US&OSUILocale=en-US&WebExperience=1&FlightingBranchName=&ChassisTypeId=1&OSSkuId=48&App=CDM&InstallDate=1661339444&AppVer=&OSArchitecture=AMD64&DefaultUserRegion=244&TelemetryLevel=1&OSVersion=10.0.19045.4046&DeviceFamily=Windows.Desktop

PID 8692 SIHClient.exe | GET 304 | 74.178.76.128:443 | CN: US | whitelisted
URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL

PID 8692 SIHClient.exe | GET 200 | 20.3.187.198:443 | CN: US | whitelisted
URL: https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping

PID 8692 SIHClient.exe | GET 200 | 74.178.76.128:443 | CN: US | whitelisted
URL: https://slscr.update.microsoft.com/sls/ping

PID 8692 SIHClient.exe | GET 304 | 74.178.76.128:443 | CN: US | whitelisted
URL: https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL

PID 8240 svchost.exe | GET 200 | 51.104.136.2:443 | CN: US | Type: text | Size: 5.63 Kb | whitelisted
URL: https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2

PID 4280 svchost.exe | GET 200 | 162.159.142.9:80 | CN: US | Type: binary | Size: 471 b | whitelisted
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D

PID 9092 svchost.exe | POST 403 | 88.221.169.205:443 | CN: US | Type: html | Size: 386 b | whitelisted
URL: https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409

Connections

PID 4 System | 192.168.100.255:137 | Not routed | whitelisted
PID 8240 svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 6788 RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 6768 MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 5568 SearchApp.exe | 2.16.204.156:443 | www.bing.com | ASN: AKAMAI-ASN1 | CN: NL | whitelisted
PID 4 System | 192.168.100.255:138 | Not routed | whitelisted
PID 4280 svchost.exe | 20.190.160.132:443 | login.live.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 4280 svchost.exe | 162.159.142.9:80 | ocsp.digicert.com | ASN: CLOUDFLARENET | CN: US | whitelisted
PID 3412 svchost.exe | 172.211.123.248:443 | client.wns.windows.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted
PID 8240 svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.bing.com
  • 2.16.204.156
  • 2.16.204.152
  • 2.16.204.145
  • 2.16.204.147
  • 2.16.204.155
  • 2.16.204.149
  • 2.16.204.150
  • 2.16.204.153
  • 2.16.204.148
  • 2.16.241.204
  • 2.16.241.206
  • 2.16.241.200
  • 2.16.241.205
  • 2.16.241.207
  • 2.16.241.223
  • 2.16.241.203
  • 2.16.241.197
  • 2.16.241.208
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.74
  • 20.190.160.17
  • 20.190.160.4
  • 20.190.160.67
  • 20.190.160.14
  • 40.126.32.134
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 162.159.142.9
  • 172.66.2.5
  • 184.30.131.245
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
crl.microsoft.com
  • 2.16.164.32
  • 2.16.164.89
  • 2.16.164.99
  • 2.16.164.122
  • 2.16.164.88
  • 2.16.164.42
  • 2.16.164.73
  • 2.16.164.81
whitelisted
go.microsoft.com
  • 88.221.169.205
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

Class: Unknown Traffic
Message: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)

MacDrive Service.exe: Mount detected: \\?\STORAGE#Volume#{69e3323f-9524-11f0-b4f5-806e6f6e6963}#000000001F500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe: Mount detected: \\?\STORAGE#Volume#{69e3323f-9524-11f0-b4f5-806e6f6e6963}#0000003FCB800000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe: Mount detected: \\?\STORAGE#Volume#{69e3323f-9524-11f0-b4f5-806e6f6e6963}#0000003FAAF00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe: Mount detected: \\?\STORAGE#Volume#{69e3323f-9524-11f0-b4f5-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe: Mount detected: \\?\STORAGE#Volume#{69e3323f-9524-11f0-b4f5-806e6f6e6963}#000000001F500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe: Mount detected: \\?\STORAGE#Volume#{69e3323f-9524-11f0-b4f5-806e6f6e6963}#0000003FCB800000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe: Mount detected: \\?\STORAGE#Volume#{69e3323f-9524-11f0-b4f5-806e6f6e6963}#0000003FAAF00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe: Mount detected: \\?\STORAGE#Volume#{69e3323f-9524-11f0-b4f5-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
OWCFSEventsService.exe: OWCFSEventsService.exe Information: 0 :
OWCFSEventsService.exe: Service Started