Malware analysis MacDrive 11.1.1.12 Setup.exe Malicious activity

Add for printing

File name:	MacDrive 11.1.1.12 Setup.exe
Full analysis:	https://app.any.run/tasks/dfd6a518-035e-4099-9c4b-9597f09ce9e9
Verdict:	Malicious activity
Analysis date:	August 08, 2024, 14:30:23
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	D3A10E695F66D69FA0D0EA1939B14B45
SHA1:	2DBC490484835B4F40B6482208274389DDF54FB9
SHA256:	6C732E418C6E1EF469A7FBA49ADD8105267050A0C640A44E9886F5B9C21F977B
SSDEEP:	98304:NZpyGRtVZLW4GYdRQ7SPfzJH+OzRavv208a8JoY9C4t9PKGkGq5FaCp2h+cdxwv7:s337clQDKY/tHx3Ov+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - MacDrive 11.1.1.12 Setup.exe (PID: 6992)
  - MacDrive 11.1.1.12 Setup.exe (PID: 7016)
  - msiexec.exe (PID: 1128)
  - MacDrive Disk Image.exe (PID: 640)
- Changes the autorun value in the registry
  - MacDrive Setup.exe (PID: 6976)
  - msiexec.exe (PID: 1128)
SUSPICIOUS
- Searches for installed software
  - MacDrive 11.1.1.12 Setup.exe (PID: 7016)
  - dllhost.exe (PID: 4540)
  - MacDrive Setup.exe (PID: 6976)
  - MSIF71E.tmp (PID: 7412)
- Executable content was dropped or overwritten
  - MacDrive 11.1.1.12 Setup.exe (PID: 6992)
  - MacDrive 11.1.1.12 Setup.exe (PID: 7016)
  - MacDrive Setup.exe (PID: 6976)
  - drvinst.exe (PID: 5588)
  - MacDrive Disk Image.exe (PID: 640)
  - wow64sup.exe (PID: 1120)
  - wow64sup.exe (PID: 4844)
  - MacDrive Service.exe (PID: 4844)
  - MacDrive.exe (PID: 6704)
- Reads the date of Windows installation
  - MacDrive 11.1.1.12 Setup.exe (PID: 7016)
- Reads security settings of Internet Explorer
  - MacDrive 11.1.1.12 Setup.exe (PID: 7016)
  - MacDrive Service.exe (PID: 4844)
- Starts itself from another location
  - MacDrive 11.1.1.12 Setup.exe (PID: 7016)
- Executes as Windows Service
  - VSSVC.exe (PID: 2456)
  - MacDrive Service.exe (PID: 4844)
  - vds.exe (PID: 5900)
  - OWCFSEventsService.exe (PID: 7256)
- Drops the executable file immediately after the start
  - MacDrive Setup.exe (PID: 6976)
  - drvinst.exe (PID: 5588)
  - wow64sup.exe (PID: 4844)
  - wow64sup.exe (PID: 1120)
  - MacDrive Service.exe (PID: 4844)
  - MacDrive.exe (PID: 6704)
- Creates a software uninstall entry
  - MacDrive Setup.exe (PID: 6976)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 1128)
  - drvinst.exe (PID: 5588)
  - MacDrive Service.exe (PID: 4844)
  - Activate MacDrive.exe (PID: 7344)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 1128)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 1128)
  - MacDrive Service.exe (PID: 4844)
  - MacDrive.exe (PID: 6704)
- Adds/modifies Windows certificates
  - MSIBDB7.tmp (PID: 5900)
  - MSIC162.tmp (PID: 6880)
- Drops a system driver (possible attempt to evade defenses)
  - msiexec.exe (PID: 1128)
  - drvinst.exe (PID: 5588)
  - MacDrive Disk Image.exe (PID: 640)
  - wow64sup.exe (PID: 1120)
  - wow64sup.exe (PID: 4844)
- The process creates files with name similar to system file names
  - msiexec.exe (PID: 1128)
- Creates files in the driver directory
  - msiexec.exe (PID: 1128)
  - drvinst.exe (PID: 5588)
  - msiexec.exe (PID: 5052)
  - wow64sup.exe (PID: 1120)
- Image mount has been detect
  - drvinst.exe (PID: 5140)
- Creates or modifies Windows services
  - drvinst.exe (PID: 5140)
  - wow64sup.exe (PID: 1120)
- Creates/Modifies COM task schedule object
  - msiexec.exe (PID: 1128)
  - msiexec.exe (PID: 2932)
  - msiexec.exe (PID: 5084)
  - msiexec.exe (PID: 5044)
- The process executes via Task Scheduler
  - PLUGScheduler.exe (PID: 4744)
INFO
- Create files in a temporary directory
  - MacDrive 11.1.1.12 Setup.exe (PID: 6992)
  - MacDrive 11.1.1.12 Setup.exe (PID: 7016)
  - MacDrive Setup.exe (PID: 6976)
  - MacDrive Disk Image.exe (PID: 640)
  - wow64sup.exe (PID: 4844)
  - wow64sup.exe (PID: 1120)
- Checks supported languages
  - MacDrive 11.1.1.12 Setup.exe (PID: 6992)
  - MacDrive 11.1.1.12 Setup.exe (PID: 7016)
  - MacDrive Setup.exe (PID: 6976)
  - msiexec.exe (PID: 1128)
  - msiexec.exe (PID: 2720)
  - MSIBD0A.tmp (PID: 7120)
  - MSIC162.tmp (PID: 6880)
  - MSIC182.tmp (PID: 5400)
  - msiexec.exe (PID: 5052)
  - MSIBDB7.tmp (PID: 5900)
  - drvinst.exe (PID: 5588)
  - drvinst.exe (PID: 5140)
  - MacDrive Disk Image.exe (PID: 640)
  - wow64sup.exe (PID: 4844)
  - wow64sup.exe (PID: 1120)
  - MacDrive Service.exe (PID: 4844)
  - OWCFSEventsService.exe (PID: 7256)
  - Activate MacDrive.exe (PID: 7344)
  - MSIF71E.tmp (PID: 7412)
  - OWC Product Updates Helper.exe (PID: 7460)
  - MSIF848.tmp (PID: 7504)
- Reads the computer name
  - MacDrive 11.1.1.12 Setup.exe (PID: 7016)
  - MacDrive Setup.exe (PID: 6976)
  - msiexec.exe (PID: 1128)
  - msiexec.exe (PID: 2720)
  - msiexec.exe (PID: 5052)
  - drvinst.exe (PID: 5588)
  - drvinst.exe (PID: 5140)
  - MacDrive Disk Image.exe (PID: 640)
  - wow64sup.exe (PID: 1120)
  - MacDrive Service.exe (PID: 4844)
  - wow64sup.exe (PID: 4844)
  - OWCFSEventsService.exe (PID: 7256)
  - Activate MacDrive.exe (PID: 7344)
  - MSIF71E.tmp (PID: 7412)
  - OWC Product Updates Helper.exe (PID: 7460)
- Process checks computer location settings
  - MacDrive 11.1.1.12 Setup.exe (PID: 7016)
- Creates files in the program directory
  - MacDrive Setup.exe (PID: 6976)
  - MacDrive Service.exe (PID: 4844)
- Application launched itself
  - msiexec.exe (PID: 1128)
- Reads the machine GUID from the registry
  - MacDrive Setup.exe (PID: 6976)
  - msiexec.exe (PID: 1128)
  - drvinst.exe (PID: 5588)
  - MacDrive Disk Image.exe (PID: 640)
  - MacDrive Service.exe (PID: 4844)
  - OWCFSEventsService.exe (PID: 7256)
  - Activate MacDrive.exe (PID: 7344)
  - OWC Product Updates Helper.exe (PID: 7460)
  - MSIF71E.tmp (PID: 7412)
- Reads the software policy settings
  - msiexec.exe (PID: 1128)
  - drvinst.exe (PID: 5588)
  - MacDrive Service.exe (PID: 4844)
  - Activate MacDrive.exe (PID: 7344)
- Creates files or folders in the user directory
  - msiexec.exe (PID: 1128)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 1128)
- Reads Environment values
  - msiexec.exe (PID: 1128)
  - MacDrive Service.exe (PID: 4844)
- Starts application with an unusual extension
  - msiexec.exe (PID: 1128)
- Creates or modifies Windows services
  - msiexec.exe (PID: 1128)
- Reads CPU info
  - MacDrive Service.exe (PID: 4844)
  - Activate MacDrive.exe (PID: 7344)
- Reads Windows Product ID
  - MacDrive Service.exe (PID: 4844)
  - Activate MacDrive.exe (PID: 7344)
- Creates a software uninstall entry
  - msiexec.exe (PID: 1128)
- Checks proxy server information
  - MacDrive Service.exe (PID: 4844)
- Manual execution by a user
  - MacDrive.exe (PID: 6704)
  - MacDrive Helper.exe (PID: 7164)
  - OWC Product Updates Helper.exe (PID: 5892)
- Disables trace logs
  - MacDrive Service.exe (PID: 4844)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:11:13 22:48:00+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.37
CodeSize:	442880
InitializedDataSize:	326656
UninitializedDataSize:	-
EntryPoint:	0x46a70
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.1.1.12
ProductVersionNumber:	11.1.1.12
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
CompanyName:	OWC
FileDescription:	MacDrive 11
FileVersion:	11.1.1.12
InternalName:	burn
OriginalFileName:	MacDrive Setup.exe
ProductName:	MacDrive 11
ProductVersion:	11.1.1.12
LegalCopyright:	Copyright © 2023 Other World Computing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

295

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

640

"C:\Program Files\OWC\MacDrive 11\MacDrive Disk Image.exe" /installdriver

C:\Program Files\OWC\MacDrive 11\MacDrive Disk Image.exe

msiexec.exe

User:

admin

Company:

OWC

Integrity Level:

HIGH

Description:

MacDrive Disk Image

Exit code:

Version:

1.0.0.0

Modules

Images
c:\program files\owc\macdrive 11\macdrive disk image.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

1120

"C:\Users\admin\AppData\Local\Temp\cbdD231.tmp\x64\wow64sup.exe"

C:\Users\admin\AppData\Local\Temp\cbdD231.tmp\x64\wow64sup.exe

MacDrive Disk Image.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\cbdd231.tmp\x64\wow64sup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1128

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1564

"C:\Program Files\OWC\MacDrive 11\MDDiskManager.exe"

C:\Program Files\OWC\MacDrive 11\MDDiskManager.exe

—

MacDrive.exe

User:

admin

Company:

Other World Computing, Inc.

Integrity Level:

MEDIUM

Description:

MacDrive Disk Manager

Exit code:

3221226540

Version:

11.1.1.9

2456

C:\WINDOWS\system32\vssvc.exe

C:\Windows\System32\VSSVC.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2720

C:\Windows\System32\MsiExec.exe -Embedding 3160412A95123537209EA6994898D459

C:\Windows\System32\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2932

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\OWC\MacDrive 11\MDShell.dll"

C:\Windows\System32\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2932

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

wow64sup.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4540

C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

4644

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

wow64sup.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

36 464

Read events

35 142

Write events

1 269

Delete events

Modification events


(PID) Process:	(7016) MacDrive 11.1.1.12 Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7016) MacDrive 11.1.1.12 Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7016) MacDrive 11.1.1.12 Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7016) MacDrive 11.1.1.12 Setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4540) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000000999558B9FE9DA01BC110000E81A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6976) MacDrive Setup.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 40000000000000000999558B9FE9DA01401B000074190000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4540) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 48000000000000003D93938B9FE9DA01BC110000E81A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4540) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 48000000000000003D93938B9FE9DA01BC110000E81A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4540) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000EC5A988B9FE9DA01BC110000E81A0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(4540) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 48000000000000000BBE9A8B9FE9DA01BC110000E81A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

212

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4540	dllhost.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
7016	MacDrive 11.1.1.12 Setup.exe	C:\Users\admin\AppData\Local\Temp\{60686764-176D-4A98-A406-FD53A8278A9A}\MacDrive_11_Setup.msi		—
		MD5:—	SHA256:—
6976	MacDrive Setup.exe	C:\ProgramData\Package Cache\.unverified\MacDrive_11_Setup.msi		—
		MD5:—	SHA256:—
6976	MacDrive Setup.exe	C:\ProgramData\Package Cache\{8AE8E93D-AE53-4B31-A9D0-753446556303}v11.1.1.12\MacDrive 11 Setup.msi		—
		MD5:—	SHA256:—
1128	msiexec.exe	C:\Windows\Installer\eb67a.msi		—
		MD5:—	SHA256:—
7016	MacDrive 11.1.1.12 Setup.exe	C:\Users\admin\AppData\Local\Temp\{60686764-176D-4A98-A406-FD53A8278A9A}\.ba\BootstrapperApplicationData.xml		xml
		MD5:47C2549DA030B51E768B2C89EE34D9AB	SHA256:F814313883A962534D94EC7B6B106C6F0C12E2AF5CB5DA131B4666A8F3021C59
7016	MacDrive 11.1.1.12 Setup.exe	C:\Users\admin\AppData\Local\Temp\{60686764-176D-4A98-A406-FD53A8278A9A}\.ba\wixstdba.dll		executable
		MD5:F315D536600502E58E492C6CD5BF0A50	SHA256:BFAF2854ECC398A07387F82F3F09209BB79AA36D5B2E376B962AE9A303CFB432
7016	MacDrive 11.1.1.12 Setup.exe	C:\Users\admin\AppData\Local\Temp\{60686764-176D-4A98-A406-FD53A8278A9A}\.ba\BundleExtensionData.xml		xml
		MD5:A35990570AFAA7D023FD2EBBE229AFB8	SHA256:9B696AD0EC3B37BAC11DA76BCD51AD907D31EE9638DAD7BB8FDD5AEF919EF621
7016	MacDrive 11.1.1.12 Setup.exe	C:\Users\admin\AppData\Local\Temp\{60686764-176D-4A98-A406-FD53A8278A9A}\.ba\thm.wxl		text
		MD5:F65ABBBE0C427FB3BF79B893F02E5AD9	SHA256:3A4FBB839544C4B4E80827FCB3AA91648BB73A1E84359F207264EC4BD468EE4F
7016	MacDrive 11.1.1.12 Setup.exe	C:\Users\admin\AppData\Local\Temp\{60686764-176D-4A98-A406-FD53A8278A9A}\.ba\1033\thm.wxl		xml
		MD5:87BC9DFD2F51F2EC4C5FCB0E6AE0A5A2	SHA256:50B5AA1FBDF058F74541E93069396105D38A250C765B384EFBC3DCAC77166A9C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1128	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
6604	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6640	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
1128	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
1128	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAGSP%2BlOMe6fksOUnAEg0Hk%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSY%2BQAyqcBl6zxPqFEOTI24pxAWAwQUpbTW6zbE52um38RkCwEqIAS4ZiMCEAUt4kVdGjAmIrKgctrDbWQ%3D	unknown	—	—	whitelisted
4844	MacDrive Service.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA9iL28hwv9dUh9yOh1H1i0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2680	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5336	SearchApp.exe	2.23.209.149:443	www.bing.com	Akamai International B.V.	GB	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	40.126.31.69:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3068	svchost.exe	40.126.31.69:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	142.250.186.110	whitelisted
www.bing.com	2.23.209.149 2.23.209.150 2.23.209.158 2.23.209.141 2.23.209.176 2.23.209.156 2.23.209.154 2.23.209.144 2.23.209.160 2.23.209.179 2.23.209.182 2.23.209.185 2.23.209.183 2.23.209.187 2.23.209.181 2.23.209.130 2.23.209.189 2.23.209.177 184.86.251.16 184.86.251.23 184.86.251.24 184.86.251.14 184.86.251.21 184.86.251.26 184.86.251.11 184.86.251.19 184.86.251.17	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.69 20.190.159.0 20.190.159.73 20.190.159.64 20.190.159.4 20.190.159.68 20.190.159.75 20.190.159.2 40.126.31.73 40.126.31.67 40.126.31.71	whitelisted
client.wns.windows.com	40.115.3.253 40.113.103.199 40.113.110.67	whitelisted
fd.api.iris.microsoft.com	20.74.47.205	whitelisted
th.bing.com	2.23.209.187 2.23.209.181 2.23.209.179 2.23.209.182 2.23.209.183 2.23.209.189 2.23.209.177 2.23.209.130 2.23.209.185 184.86.251.11 184.86.251.19 184.86.251.17 184.86.251.16 184.86.251.23 184.86.251.24 184.86.251.14 184.86.251.21 184.86.251.26	whitelisted
arc.msn.com	20.96.153.111	whitelisted
go.microsoft.com	184.28.89.167 23.213.166.81	whitelisted

Threats

No threats detected

Add for printing

Process	Message
MacDrive Service.exe	Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#000000001F500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe	Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000003FCB800000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe	Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000003FAAF00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe	Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe	Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#000000001F500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe	Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000003FCB800000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe	Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000003FAAF00000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
MacDrive Service.exe	Mount detected: \\?\STORAGE#Volume#{90cf3dd6-0af7-11ec-b480-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
OWCFSEventsService.exe	OWCFSEventsService.exe Information: 0 :
OWCFSEventsService.exe	Service Started

General Info

MacDrive 11.1.1.12 Setup.exe

D3A10E695F66D69FA0D0EA1939B14B45

2DBC490484835B4F40B6482208274389DDF54FB9

6C732E418C6E1EF469A7FBA49ADD8105267050A0C640A44E9886F5B9C21F977B

98304:NZpyGRtVZLW4GYdRQ7SPfzJH+OzRavv208a8JoY9C4t9PKGkGq5FaCp2h+cdxwv7:s337clQDKY/tHx3Ov+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

SUSPICIOUS

Searches for installed software

Executable content was dropped or overwritten

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts itself from another location

Executes as Windows Service

Drops the executable file immediately after the start

Creates a software uninstall entry

Checks Windows Trust Settings

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Adds/modifies Windows certificates

Drops a system driver (possible attempt to evade defenses)

The process creates files with name similar to system file names

Creates files in the driver directory

Image mount has been detect

Creates or modifies Windows services

Creates/Modifies COM task schedule object

The process executes via Task Scheduler

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Application launched itself

Reads the machine GUID from the registry

Reads the software policy settings

Creates files or folders in the user directory

Executable content was dropped or overwritten

Reads Environment values

Starts application with an unusual extension

Creates or modifies Windows services

Reads CPU info

Reads Windows Product ID

Creates a software uninstall entry

Checks proxy server information

Manual execution by a user

Disables trace logs

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information