File name: gifski_1.14.4_x64_en-US.msi

Full analysis: https://app.any.run/tasks/d32f5446-1530-4455-a7d6-7e4cb75d6a43
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 02, 2025, 19:29:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: generated-doc, loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: gifski, Author: gif, Keywords: Installer, Comments: This installer database contains the logic and data required to install gifski., Template: x64;0, Revision Number: {58B42AF4-0E2D-4410-9220-72638105900B}, Create Time/Date: Sat Feb 10 18:36:30 2024, Last Saved Time/Date: Sat Feb 10 18:36:30 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

FC8D75004695113ACEDB02FDF78F9891

SHA1:

1246132B8B90EBAD01F6AF69DED035BB751BC06C

SHA256:

CA8D260448A885CD238B36FB5B6A448FA734565A196FFA9CFDC8A7EDB22E4E55

SSDEEP:

98304:tZ98qnAQRUTFxueRj4WQRxuuPLW2cEP0G6RfgKheFTie8c4k7zsa3GNOdJA5JgTl:1WnXc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5184)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 2504)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 1948)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 7064)
    • Starts process via Powershell

      • powershell.exe (PID: 5184)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7064)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 7064)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 5184)
    • Manipulates environment variables

      • powershell.exe (PID: 5184)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 5184)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 5184)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 5184)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 2504)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5348)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5684)
      • MicrosoftEdgeUpdate.exe (PID: 4540)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2356)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
    • Application launched itself

      • setup.exe (PID: 6704)
  • INFO

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6460)
      • msiexec.exe (PID: 7064)
    • An automatically generated document

      • msiexec.exe (PID: 6460)
    • Manages system restore points

      • SrTasks.exe (PID: 3396)
    • Checks supported languages

      • msiexec.exe (PID: 4648)
      • msiexec.exe (PID: 7064)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdgeUpdate.exe (PID: 4540)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2356)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5348)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5684)
      • MicrosoftEdgeUpdate.exe (PID: 2464)
      • MicrosoftEdgeUpdate.exe (PID: 6312)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
      • setup.exe (PID: 6704)
      • setup.exe (PID: 2552)
    • Reads the computer name

      • msiexec.exe (PID: 7064)
      • msiexec.exe (PID: 4648)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdgeUpdate.exe (PID: 4540)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5348)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2356)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5684)
      • MicrosoftEdgeUpdate.exe (PID: 2464)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
      • MicrosoftEdgeUpdate.exe (PID: 6312)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
      • setup.exe (PID: 6704)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7064)
    • Disables trace logs

      • powershell.exe (PID: 5184)
    • Checks proxy server information

      • powershell.exe (PID: 5184)
      • MicrosoftEdgeUpdate.exe (PID: 2464)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
    • The sample compiled with english language support

      • powershell.exe (PID: 5184)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
      • setup.exe (PID: 6704)
      • setup.exe (PID: 2552)
    • Launching a file from a Registry key

      • MicrosoftEdgeUpdate.exe (PID: 2504)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 2464)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 2504)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 2464)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 4444)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: gifski
Author: gif
Keywords: Installer
Comments: This installer database contains the logic and data required to install gifski.
Template: x64;0
RevisionNumber: {58B42AF4-0E2D-4410-9220-72638105900B}
CreateDate: 2024:02:10 18:36:30
ModifyDate: 2024:02:10 18:36:30
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
Total processes: 161
Monitored processes: 21
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process nodes, in graph order (start → …; "no specs" is the report's marker for nodes without their own indicators):
  • msiexec.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe
  • conhost.exe (no specs)
  • microsoftedgewebview2setup.exe
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdate.exe
  • slui.exe (no specs)
  • microsoftedge_x64_138.0.3351.121.exe
  • setup.exe (no specs)
  • setup.exe (no specs)

Process information

PID: 1380
CMD: "C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
Path: C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update Setup
Version: 1.3.195.65
Modules (images):
  • c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\advapi32.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 1948
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\vssvc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 2356
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.65\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.65\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update COM Registration Helper
Exit code: 0
Version: 1.3.195.65
Modules (images):
  • c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.65\microsoftedgeupdatecomregistershell64.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\user32.dll

2464"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNjUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNjUiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7OEExNDgzQTktNzJCNy00N0Y5LUJCMDQtOTM1NEYwNEEwQkFDfSIgdXNlcmlkPSJ7QjAxNzk1OTEtMjFDMi00RUMxLUJGQUEtM0U2Q0I0QTExRTczfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFMjE5MDZGNS0zRThGLTQ5RDktQUY4NC04Q0JFNUMwN0EwNjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS42NSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTY1MTU5Njc1MjYiIGluc3RhbGxfdGltZV9tcz0iNDcyIi8-PC9hcHA-PC9yZXF1ZXN0PgC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.195.65
Modules (images):
  • c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\ole32.dll
  • c:\windows\syswow64\ucrtbase.dll

PID: 2504
CMD: C:\Users\admin\AppData\Local\Temp\EU2E69.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
Path: C:\Users\admin\AppData\Local\Temp\EU2E69.tmp\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeWebview2Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Version: 1.3.195.65
Modules (images):
  • c:\users\admin\appdata\local\temp\eu2e69.tmp\microsoftedgeupdate.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\ole32.dll
  • c:\windows\syswow64\ucrtbase.dll

PID: 2552
CMD: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{E82645FF-1D6C-40F8-B808-C469178867FB}\EDGEMITMP_55D57.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=138.0.7204.184 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{E82645FF-1D6C-40F8-B808-C469178867FB}\EDGEMITMP_55D57.tmp\setup.exe --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=138.0.3351.121 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7970df4c8,0x7ff7970df4d4,0x7ff7970df4e0
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{E82645FF-1D6C-40F8-B808-C469178867FB}\EDGEMITMP_55D57.tmp\setup.exe
Parent process: setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Installer
Version: 138.0.3351.121
Modules (images):
  • c:\users\admin\appdata\local\microsoft\edgeupdate\install\{e82645ff-1d6c-40f8-b808-c469178867fb}\edgemitmp_55d57.tmp\setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\bcryptprimitives.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll

PID: 3396
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\srtasks.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 4444
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Version: 1.3.195.65
Modules (images):
  • c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\ole32.dll
  • c:\windows\syswow64\ucrtbase.dll

PID: 4540
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.195.65
Modules (images):
  • c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\ole32.dll
  • c:\windows\syswow64\ucrtbase.dll

PID: 4648
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding E78C6DB602A2D02BFDE053D916317E7D C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\msiexec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\aclayers.dll

Total events: 15 287
Read events: 13 998
Write events: 1 233
Delete events: 56

Modification events

(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
480000000000000024B75CBCE303DC01981B0000480A0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000B91A5FBCE303DC01981B0000F4150000E8030000010000000000000000000000D367ACFFD79F6F47853650D50EF2D07700000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000022EF6BBE303DC01981B0000480A0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000022EF6BBE303DC01981B0000480A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000C17610BCE303DC01981B0000480A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000C17610BCE303DC01981B0000480A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
48000000000000003ADA12BCE303DC01981B0000480A0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000279517BCE303DC01981B0000480A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7064) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 11
(PID) Process: (1948) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: write
Name: Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
Executable files: 205
Suspicious files: 16
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7064 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | - (MD5/SHA256 not recorded)
7064 | msiexec.exe | C:\Windows\Installer\1915b1.msi | - (MD5/SHA256 not recorded)
7064 | msiexec.exe | C:\Windows\Installer\1915b3.msi | - (MD5/SHA256 not recorded)
7064 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary
MD5:E4AD65323995A68CCAB588CBF80E9481
SHA256:81609660EB1D240D4D867071111CE7FE320F4FA5DC2E40663705E828C7F98914
7064 | msiexec.exe | C:\Windows\Temp\~DFF9AD1E9643805F27.TMP | binary
MD5:62073669DB051ACF4DB545E3AB7605ED
SHA256:A1BC04F4FFAF2B3560741FFA0E442BA5CB0E7F2C3B34CFC125DF057C87C3ED2C
7064 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{ffac67d3-9fd7-476f-8536-50d50ef2d077}_OnDiskSnapshotProp | binary
MD5:E4AD65323995A68CCAB588CBF80E9481
SHA256:81609660EB1D240D4D867071111CE7FE320F4FA5DC2E40663705E828C7F98914
7064 | msiexec.exe | C:\Windows\Installer\{46DD93B8-DC02-469D-BD31-1DA22A03DEB9}\ProductIcon | image
MD5:5B864D5D301126C69131EAF71ABD6C20
SHA256:836685D7404BBA609F0E0DC2A4373F303668BC083B759A3672C75CAC432D89B5
7064 | msiexec.exe | C:\Program Files\gifski\gifski.exe | executable
MD5:764ABCD604F7A4B908D22329CA3360C4
SHA256:4BC4A0734B459C39F430EA5E0679DF5313134C048C207EE8E3108D5685CE2002
7064 | msiexec.exe | C:\Program Files\gifski\Uninstall gifski.lnk | binary
MD5:9AE57854530E19F12E43078CBB5DF63B
SHA256:CE9CB6EED39C3F51BD816E507E96CD45BAE6C71132BF33FD77C0228456BBBD0C
5184 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gxwiwhnp.jg3.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 7
TCP/UDP connections: 33
DNS requests: 19
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
7104 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.26:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7008 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7008 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1156 | svchost.exe | GET | 200 | 208.89.74.21:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/209bcf22-db22-4369-9d01-e5c1a213341e?P1=1754767780&P2=404&P3=2&P4=E9zgKucYIq%2fZnBKp8GdyNGopnmq5ptoIK5oBZ3lq2SGEVqGOStaBoJq6CRbc1RQzHzvSj6Yj2CQ9a%2bc5AlXwNA%3d%3d | unknown | whitelisted
1156 | svchost.exe | HEAD | 200 | 208.89.74.21:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/209bcf22-db22-4369-9d01-e5c1a213341e?P1=1754767780&P2=404&P3=2&P4=E9zgKucYIq%2fZnBKp8GdyNGopnmq5ptoIK5oBZ3lq2SGEVqGOStaBoJq6CRbc1RQzHzvSj6Yj2CQ9a%2bc5AlXwNA%3d%3d | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5968 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7104 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7104 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 23.216.77.26:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.78
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.160.66
  • 20.190.160.132
  • 40.126.32.134
  • 40.126.32.76
  • 20.190.160.130
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 23.216.77.26
  • 23.216.77.27
  • 23.216.77.16
  • 23.216.77.20
  • 23.216.77.15
  • 23.216.77.21
  • 23.216.77.18
  • 23.216.77.22
  • 23.216.77.19
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
go.microsoft.com
  • 95.100.186.9
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 23.50.131.88
  • 23.50.131.87
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted

Threats

PID | Process | Class | Message
1156 | svchost.exe | Misc activity | ET INFO Packed Executable Download

No debug info