| File name: | MacDrive Pro v11.0.9.0 CE.exe |
| Full analysis: | https://app.any.run/tasks/007f9994-e698-48f5-bd7d-f9ac4684fcdc |
| Verdict: | Malicious activity |
| Analysis date: | September 13, 2024, 18:01:59 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 035C2D4A28875F63573A7810A56EBC3B |
| SHA1: | 13245FB65CED9280A115FFA3C93953B7815D21FB |
| SHA256: | 439BB191A8C0305CF420C1693D14D777D2E636229AE7E44AF3417B72BD81DDF3 |
| SSDEEP: | 98304:r+QqZ8fPt+mF3nEgfMIjHLeaBunQS+E9wlAMcsfalNUjPmDAmaYoe5nZ1HAERgsX:avyfLmMj0ejWSK |
MALICIOUS
Changes the autorun value in the registry
- msiexec.exe (PID: 5220)
SUSPICIOUS
Executable content was dropped or overwritten
- MacDrive Pro v11.0.9.0 CE.exe (PID: 5852)
- MacDrive Pro v11.0.9.0 CE.exe (PID: 2576)
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 320)
- drvinst.exe (PID: 6876)
- MacDrive Disk Image.exe (PID: 5900)
- wow64sup.exe (PID: 6724)
- wow64sup.exe (PID: 7080)
- MacDrive Service.exe (PID: 5000)
- MacDrive.exe (PID: 8176)
Reads security settings of Internet Explorer
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 4392)
- MacDrive Service.exe (PID: 5000)
- MacDrive.exe (PID: 8176)
- MDDiskManager.exe (PID: 7764)
Reads the Windows owner or organization settings
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 320)
- msiexec.exe (PID: 5220)
Drops a system driver (possible attempt to evade defenses)
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 320)
- msiexec.exe (PID: 5220)
- drvinst.exe (PID: 6876)
- MacDrive Disk Image.exe (PID: 5900)
- wow64sup.exe (PID: 6724)
- wow64sup.exe (PID: 7080)
Executes as Windows Service
- VSSVC.exe (PID: 5516)
- MacDrive Service.exe (PID: 5000)
- vds.exe (PID: 1528)
Adds/modifies Windows certificates
- MSI17E9.tmp (PID: 6364)
- MSI1BD2.tmp (PID: 4944)
The process creates files with name similar to system file names
- msiexec.exe (PID: 5220)
Creates files in the driver directory
- msiexec.exe (PID: 5220)
- drvinst.exe (PID: 6876)
- msiexec.exe (PID: 3708)
- wow64sup.exe (PID: 7080)
Checks Windows Trust Settings
- drvinst.exe (PID: 6876)
- MacDrive Service.exe (PID: 5000)
- MacDrive.exe (PID: 8176)
- MDDiskManager.exe (PID: 7764)
Image mount has been detect
- drvinst.exe (PID: 2036)
Creates/Modifies COM task schedule object
- msiexec.exe (PID: 5220)
- msiexec.exe (PID: 6016)
- msiexec.exe (PID: 1172)
- msiexec.exe (PID: 7080)
Creates or modifies Windows services
- drvinst.exe (PID: 2036)
- wow64sup.exe (PID: 7080)
Uses REG/REGEDIT.EXE to modify registry
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 320)
Reads the date of Windows installation
- MacDrive.exe (PID: 8176)
INFO
Checks supported languages
- MacDrive Pro v11.0.9.0 CE.exe (PID: 5852)
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 4392)
- MacDrive Pro v11.0.9.0 CE.exe (PID: 2576)
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 320)
- msiexec.exe (PID: 5220)
- msiexec.exe (PID: 32)
- MSI174C.tmp (PID: 4644)
- MSI17E9.tmp (PID: 6364)
- MSI1BD2.tmp (PID: 4944)
- msiexec.exe (PID: 3708)
- MSI1BF3.tmp (PID: 368)
- drvinst.exe (PID: 6876)
- msiexec.exe (PID: 6216)
- drvinst.exe (PID: 2036)
- wow64sup.exe (PID: 6724)
- wow64sup.exe (PID: 7080)
- MacDrive Service.exe (PID: 5000)
- MacDrive Disk Image.exe (PID: 5900)
- Activate MacDrive.exe (PID: 7540)
- MSI47BB.tmp (PID: 7624)
- OWC Product Updates Helper.exe (PID: 7688)
- MSI48F5.tmp (PID: 7732)
- MacDrive.exe (PID: 8176)
- MDDiskManager.exe (PID: 7764)
Process checks computer location settings
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 4392)
- MacDrive.exe (PID: 8176)
Reads the computer name
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 4392)
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 320)
- msiexec.exe (PID: 5220)
- msiexec.exe (PID: 6216)
- msiexec.exe (PID: 32)
- msiexec.exe (PID: 3708)
- drvinst.exe (PID: 6876)
- drvinst.exe (PID: 2036)
- wow64sup.exe (PID: 6724)
- wow64sup.exe (PID: 7080)
- MacDrive Disk Image.exe (PID: 5900)
- MacDrive Service.exe (PID: 5000)
- Activate MacDrive.exe (PID: 7540)
- MSI47BB.tmp (PID: 7624)
- OWC Product Updates Helper.exe (PID: 7688)
- MacDrive.exe (PID: 8176)
- MDDiskManager.exe (PID: 7764)
Create files in a temporary directory
- MacDrive Pro v11.0.9.0 CE.exe (PID: 2576)
- MacDrive Pro v11.0.9.0 CE.exe (PID: 5852)
- MacDrive Pro v11.0.9.0 CE.tmp (PID: 320)
- MacDrive Disk Image.exe (PID: 5900)
- wow64sup.exe (PID: 6724)
- wow64sup.exe (PID: 7080)
- MacDrive.exe (PID: 8176)
Executable content was dropped or overwritten
- msiexec.exe (PID: 6520)
- msiexec.exe (PID: 5220)
Application launched itself
- msiexec.exe (PID: 5220)
Starts application with an unusual extension
- msiexec.exe (PID: 5220)
Reads the machine GUID from the registry
- drvinst.exe (PID: 6876)
- MacDrive Disk Image.exe (PID: 5900)
- MacDrive Service.exe (PID: 5000)
- Activate MacDrive.exe (PID: 7540)
- MSI47BB.tmp (PID: 7624)
- OWC Product Updates Helper.exe (PID: 7688)
- MacDrive.exe (PID: 8176)
- MDDiskManager.exe (PID: 7764)
Reads the software policy settings
- drvinst.exe (PID: 6876)
- MacDrive Service.exe (PID: 5000)
- MacDrive.exe (PID: 8176)
- MDDiskManager.exe (PID: 7764)
- slui.exe (PID: 6552)
- slui.exe (PID: 7792)
Creates or modifies Windows services
- msiexec.exe (PID: 5220)
Reads CPU info
- MacDrive Service.exe (PID: 5000)
- Activate MacDrive.exe (PID: 7540)
- MacDrive.exe (PID: 8176)
- MDDiskManager.exe (PID: 7764)
Creates files in the program directory
- MacDrive Service.exe (PID: 5000)
- Activate MacDrive.exe (PID: 7540)
- MDDiskManager.exe (PID: 7764)
- MacDrive.exe (PID: 8176)
Reads Windows Product ID
- MacDrive Service.exe (PID: 5000)
- Activate MacDrive.exe (PID: 7540)
- MacDrive.exe (PID: 8176)
- MDDiskManager.exe (PID: 7764)
The process uses the downloaded file
- MacDrive Service.exe (PID: 5000)
- MacDrive.exe (PID: 8176)
Reads Environment values
- MacDrive Service.exe (PID: 5000)
- MacDrive.exe (PID: 8176)
Sends debugging messages
- MacDrive Service.exe (PID: 5000)
Checks proxy server information
- MacDrive Service.exe (PID: 5000)
- MacDrive.exe (PID: 8176)
- slui.exe (PID: 7792)
Creates a software uninstall entry
- msiexec.exe (PID: 5220)
Disables trace logs
- MacDrive Service.exe (PID: 5000)
- MacDrive.exe (PID: 8176)
Manual execution by a user
- MacDrive.exe (PID: 8176)
Creates files or folders in the user directory
- MacDrive.exe (PID: 8176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (67.7) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
| .exe | | | Win32 Executable (generic) (2.7) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:06:05 15:54:43+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741376 |
| InitializedDataSize: | 142336 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6.1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 11.0.9.0 |
| ProductVersionNumber: | 11.0.9.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Other World Computing |
| FileDescription: | MacDrive Pro 11.0.9.0 |
| FileVersion: | 11.0.9.0 |
| LegalCopyright: | © 1996-2022, MediaFour; 2017-2023 Other World Computing, Inc. |
| OriginalFileName: | |
| ProductName: | MacDrive Pro 11.0.9.0 |
| ProductVersion: | 11.0.9.0 |
Total processes
189
Monitored processes
45
Malicious processes
9
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 32 | C:\Windows\System32\MsiExec.exe -Embedding CEF456D60D1775D251A1EAD981E0BC6F | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 320 | "C:\Users\admin\AppData\Local\Temp\is-CJKCG.tmp\MacDrive Pro v11.0.9.0 CE.tmp" /SL5="$D02B2,8284567,884736,C:\Users\admin\AppData\Local\Temp\MacDrive Pro v11.0.9.0 CE.exe" /SPAWNWND=$7039A /NOTIFYWND=$B028C | C:\Users\admin\AppData\Local\Temp\is-CJKCG.tmp\MacDrive Pro v11.0.9.0 CE.tmp | MacDrive Pro v11.0.9.0 CE.exe | ||||||||||||
User: admin Company: Other World Computing Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 368 | "C:\WINDOWS\Installer\MSI1BF3.tmp" /install "C:\Program Files\Common Files\OWC\Drivers\OWCVirtualDisk2\OWCVirtualDisk.inf" "Root\OWCVirtualDisk2" | C:\Windows\Installer\MSI1BF3.tmp | — | msiexec.exe | |||||||||||
User: admin Company: Other World Computing Integrity Level: HIGH Description: SoftRaidDriverInstaller.exe Exit code: 0 Version: 4.0.0.64 Modules
| |||||||||||||||
| 752 | C:\WINDOWS\System32\vdsldr.exe -Embedding | C:\Windows\System32\vdsldr.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Virtual Disk Service Loader Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1172 | "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\OWC\MacDrive 11\MDShell.dll" | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1492 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1528 | C:\WINDOWS\System32\vds.exe | C:\Windows\System32\vds.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Virtual Disk Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1680 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2036 | DrvInst.exe "2" "211" "ROOT\SCSIADAPTER\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:57de7b8f3742476c:OWCVirtualDisk_Device:9.38.21.501:root\owcvirtualdisk2," "4ab4d401f" "000000000000018C" | C:\Windows\System32\drvinst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2056 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | wow64sup.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
78 585
Read events
65 346
Write events
13 203
Delete events
36
Modification events
| (PID) Process: | (320) MacDrive Pro v11.0.9.0 CE.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Mediafour\Common\Logging\M4LIC2.DLL |
| Operation: | write | Name: | EnabledLevels |
Value: 0 | |||
| (PID) Process: | (320) MacDrive Pro v11.0.9.0 CE.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Mediafour\Common\Logging\MacDrive.exe |
| Operation: | write | Name: | EnabledLevels |
Value: 0 | |||
| (PID) Process: | (320) MacDrive Pro v11.0.9.0 CE.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Mediafour\Common\Logging\License.x64.dll |
| Operation: | write | Name: | EnabledLevels |
Value: 0 | |||
| (PID) Process: | (5220) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4800000000000000BCCA15120706DB01641400009C1B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5220) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 4800000000000000BCCA15120706DB01641400009C1B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5220) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 4800000000000000C4515D120706DB01641400009C1B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5220) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 4800000000000000C4515D120706DB01641400009C1B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5220) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000AAB65F120706DB01641400009C1B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5220) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000948064120706DB01641400009C1B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5220) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
Executable files
369
Suspicious files
109
Text files
26
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 320 | MacDrive Pro v11.0.9.0 CE.tmp | C:\Users\admin\AppData\Local\Temp\is-2QG8G.tmp\CFiles64\OWC\Drivers\OWCVirtualDisk2\is-25T0K.tmp | binary | |
MD5:1C8DAC4A8F6D563405CD252F7B321B55 | SHA256:F7865B9CEB5E8F2E337E6A227D3F5DEA3691C2D39E4C6A454A108FB27EC5B02D | |||
| 320 | MacDrive Pro v11.0.9.0 CE.tmp | C:\Users\admin\AppData\Local\Temp\is-2QG8G.tmp\CFiles64\OWC\Drivers\OWCVirtualDisk2\OWCVirtualDisk.cat | binary | |
MD5:1C8DAC4A8F6D563405CD252F7B321B55 | SHA256:F7865B9CEB5E8F2E337E6A227D3F5DEA3691C2D39E4C6A454A108FB27EC5B02D | |||
| 320 | MacDrive Pro v11.0.9.0 CE.tmp | C:\Users\admin\AppData\Local\Temp\is-2QG8G.tmp\is-MPR4G.tmp | executable | |
MD5:4F8FEC2835A902F32D3C2B548AC6B285 | SHA256:1DED74186E0DCB9AA8D586EF6787ADAA44032C6D2D4FFC379C67E538334778A8 | |||
| 320 | MacDrive Pro v11.0.9.0 CE.tmp | C:\Users\admin\AppData\Local\Temp\is-2QG8G.tmp\CommApp\Microsoft\Event Viewer\Views\OWC\is-LP4KT.tmp | text | |
MD5:C09F98DEEF483ECFBDDDD5AE76A9F6BF | SHA256:8B7CABDFA26EDA62B818349A2D2CF1024811CEFBBE59F2C0815C4F94DB2C4574 | |||
| 320 | MacDrive Pro v11.0.9.0 CE.tmp | C:\Users\admin\AppData\Local\Temp\is-2QG8G.tmp\_isetup\_iscrypt.dll | executable | |
MD5:A69559718AB506675E907FE49DEB71E9 | SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC | |||
| 320 | MacDrive Pro v11.0.9.0 CE.tmp | C:\Users\admin\AppData\Local\Temp\is-2QG8G.tmp\CFiles64\OWC\Drivers\OWCVirtualDisk2\OWCVirtualDisk.inf | binary | |
MD5:780DE531987F3C0845331D6A79D60443 | SHA256:EAC79155E175C78101615FE7B467225E8491689A252F1CD6E436150230B01D25 | |||
| 320 | MacDrive Pro v11.0.9.0 CE.tmp | C:\Users\admin\AppData\Local\Temp\is-2QG8G.tmp\CFiles64\OWC\Drivers\OWCVirtualDisk2\is-077UH.tmp | binary | |
MD5:780DE531987F3C0845331D6A79D60443 | SHA256:EAC79155E175C78101615FE7B467225E8491689A252F1CD6E436150230B01D25 | |||
| 320 | MacDrive Pro v11.0.9.0 CE.tmp | C:\Users\admin\AppData\Local\Temp\is-2QG8G.tmp\CFiles64\OWC\Drivers\OWCVirtualDisk2\is-N0EAD.tmp | executable | |
MD5:9D6BFAC947CDA8E421064BC4FFE2BBE1 | SHA256:CD80E1684A07B5DD0B05C9D2D31B5F762A77065D6474E4BC05BD865F18C23FBF | |||
| 320 | MacDrive Pro v11.0.9.0 CE.tmp | C:\Users\admin\AppData\Local\Temp\is-2QG8G.tmp\CFiles64\OWC\Drivers\OWCVirtualDisk2\OWCVirtualDisk.sys | executable | |
MD5:9D6BFAC947CDA8E421064BC4FFE2BBE1 | SHA256:CD80E1684A07B5DD0B05C9D2D31B5F762A77065D6474E4BC05BD865F18C23FBF | |||
| 5852 | MacDrive Pro v11.0.9.0 CE.exe | C:\Users\admin\AppData\Local\Temp\is-CJKCG.tmp\MacDrive Pro v11.0.9.0 CE.tmp | executable | |
MD5:A48FF766EFB08AB7DBD3827D697C2288 | SHA256:CFE058D442BFC0216D5037E7F9E5206820DB3EBDD6A0444524E9D537C256543F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
68
DNS requests
27
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted |
7056 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted |
1448 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted |
6968 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted |
6980 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | US | binary | 471 b | whitelisted |
6968 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 407 b | whitelisted |
8176 | MacDrive.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D | US | binary | 471 b | whitelisted |
8176 | MacDrive.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAlqBBrQW6zsTUgEPZQwzoI%3D | US | binary | 471 b | whitelisted |
5000 | MacDrive Service.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA9iL28hwv9dUh9yOh1H1i0%3D | US | binary | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
7056 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6552 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7056 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7056 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5336 | SearchApp.exe | 184.86.251.5:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
5336 | SearchApp.exe | 184.86.251.30:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
5336 | SearchApp.exe | 184.86.251.20:443 | th.bing.com | Akamai International B.V. | DE | whitelisted |
5336 | SearchApp.exe | 52.182.143.211:443 | browser.pipe.aria.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
r.bing.com |
| whitelisted |
th.bing.com |
| whitelisted |
browser.pipe.aria.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
Threats
Process | Message |
|---|---|
MacDrive Service.exe | Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#000000001F500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
|
MacDrive Service.exe | Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000003FCB800000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
|
MacDrive Service.exe | Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000003FAAF00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
|
MacDrive Service.exe | Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
|
MacDrive Service.exe | Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#000000001F500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
|
MacDrive Service.exe | Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000003FCB800000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
|
MacDrive Service.exe | Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000003FAAF00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
|
MacDrive Service.exe | Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
|