File name: gifski_1.14.4_x64_en-US.msi

Full analysis: https://app.any.run/tasks/d32f5446-1530-4455-a7d6-7e4cb75d6a43
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 02, 2025, 19:29:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: gifski, Author: gif, Keywords: Installer, Comments: This installer database contains the logic and data required to install gifski., Template: x64;0, Revision Number: {58B42AF4-0E2D-4410-9220-72638105900B}, Create Time/Date: Sat Feb 10 18:36:30 2024, Last Saved Time/Date: Sat Feb 10 18:36:30 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: FC8D75004695113ACEDB02FDF78F9891
SHA1: 1246132B8B90EBAD01F6AF69DED035BB751BC06C
SHA256: CA8D260448A885CD238B36FB5B6A448FA734565A196FFA9CFDC8A7EDB22E4E55
SSDEEP: 98304:tZ98qnAQRUTFxueRj4WQRxuuPLW2cEP0G6RfgKheFTie8c4k7zsa3GNOdJA5JgTl:1WnXc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5184)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 2504)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 1948)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 7064)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 5184)
    • Starts process via Powershell

      • powershell.exe (PID: 5184)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 7064)
    • Manipulates environment variables

      • powershell.exe (PID: 5184)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7064)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 5184)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 5184)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
    • Process drops legitimate windows executable

      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • powershell.exe (PID: 5184)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5348)
      • MicrosoftEdgeUpdate.exe (PID: 4540)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2356)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5684)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 2504)
    • Application launched itself

      • setup.exe (PID: 6704)
  • INFO

    • An automatically generated document

      • msiexec.exe (PID: 6460)
    • Checks supported languages

      • msiexec.exe (PID: 4648)
      • msiexec.exe (PID: 7064)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5348)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2356)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5684)
      • MicrosoftEdgeUpdate.exe (PID: 2464)
      • MicrosoftEdgeUpdate.exe (PID: 4540)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
      • setup.exe (PID: 6704)
      • MicrosoftEdgeUpdate.exe (PID: 6312)
      • setup.exe (PID: 2552)
    • Manages system restore points

      • SrTasks.exe (PID: 3396)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6460)
      • msiexec.exe (PID: 7064)
    • Reads the computer name

      • msiexec.exe (PID: 7064)
      • msiexec.exe (PID: 4648)
      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdgeUpdate.exe (PID: 4540)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5348)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 2356)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 5684)
      • MicrosoftEdgeUpdate.exe (PID: 2464)
      • MicrosoftEdgeUpdate.exe (PID: 6312)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
      • setup.exe (PID: 6704)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7064)
    • Checks proxy server information

      • powershell.exe (PID: 5184)
      • MicrosoftEdgeUpdate.exe (PID: 2464)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
    • Disables trace logs

      • powershell.exe (PID: 5184)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
    • The sample compiled with english language support

      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
      • powershell.exe (PID: 5184)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 1380)
    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 2504)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
      • MicrosoftEdge_X64_138.0.3351.121.exe (PID: 7076)
      • setup.exe (PID: 2552)
      • setup.exe (PID: 6704)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 2464)
    • Launching a file from a Registry key

      • MicrosoftEdgeUpdate.exe (PID: 2504)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 2504)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 2464)
      • MicrosoftEdgeUpdate.exe (PID: 4444)
    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 4444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: gifski
Author: gif
Keywords: Installer
Comments: This installer database contains the logic and data required to install gifski.
Template: x64;0
RevisionNumber: {58B42AF4-0E2D-4410-9220-72638105900B}
CreateDate: 2024:02:10 18:36:30
ModifyDate: 2024:02:10 18:36:30
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes: 161
Monitored processes: 21
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes in the graph (in order): msiexec.exe, msiexec.exe, msiexec.exe (no specs), vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), microsoftedgewebview2setup.exe, microsoftedgeupdate.exe, microsoftedgeupdate.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), microsoftedgeupdatecomregistershell64.exe (no specs), microsoftedgeupdate.exe, microsoftedgeupdate.exe (no specs), microsoftedgeupdate.exe, slui.exe (no specs), microsoftedge_x64_138.0.3351.121.exe, setup.exe (no specs), setup.exe (no specs)

Process information

Each entry lists PID, CMD, Path, Indicators and Parent process, followed by process details and loaded modules.

PID: 1380
CMD: "C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
Path: C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update Setup
Version: 1.3.195.65
Modules (images):
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 1948
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2356
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.65\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.65\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update COM Registration Helper
Exit code: 0
Version: 1.3.195.65
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.65\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
2464"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNjUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNjUiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7OEExNDgzQTktNzJCNy00N0Y5LUJCMDQtOTM1NEYwNEEwQkFDfSIgdXNlcmlkPSJ7QjAxNzk1OTEtMjFDMi00RUMxLUJGQUEtM0U2Q0I0QTExRTczfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFMjE5MDZGNS0zRThGLTQ5RDktQUY4NC04Q0JFNUMwN0EwNjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS42NSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTY1MTU5Njc1MjYiIGluc3RhbGxfdGltZV9tcz0iNDcyIi8-PC9hcHA-PC9yZXF1ZXN0PgC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.195.65
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 2504
CMD: C:\Users\admin\AppData\Local\Temp\EU2E69.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
Path: C:\Users\admin\AppData\Local\Temp\EU2E69.tmp\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeWebview2Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Version: 1.3.195.65
Modules (images):
c:\users\admin\appdata\local\temp\eu2e69.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 2552
CMD: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{E82645FF-1D6C-40F8-B808-C469178867FB}\EDGEMITMP_55D57.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=138.0.7204.184 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{E82645FF-1D6C-40F8-B808-C469178867FB}\EDGEMITMP_55D57.tmp\setup.exe --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=138.0.3351.121 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7970df4c8,0x7ff7970df4d4,0x7ff7970df4e0
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{E82645FF-1D6C-40F8-B808-C469178867FB}\EDGEMITMP_55D57.tmp\setup.exe
Parent process: setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Installer
Version: 138.0.3351.121
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{e82645ff-1d6c-40f8-b808-c469178867fb}\edgemitmp_55d57.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 3396
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4444
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Version: 1.3.195.65
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 4540
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge Update
Exit code: 0
Version: 1.3.195.65
Modules (images):
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 4648
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding E78C6DB602A2D02BFDE053D916317E7D C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

Total events: 15 287
Read events: 13 998
Write events: 1 233
Delete events: 56

Modification events

(PID 7064) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGatherWriterMetadata (Enter) | Value: binary
(PID 7064) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher | Operation: write | Name: IDENTIFY (Enter) | Value: binary
(PID 7064) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter) | Value: binary
(PID 7064) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Enter) | Value: binary
(PID 7064) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Leave) | Value: binary
(PID 7064) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Enter) | Value: binary
(PID 7064) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Leave) | Value: binary
(PID 7064) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppCreate (Enter) | Value: binary
(PID 7064) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | Operation: write | Name: LastIndex | Value: 11
(PID 1948) VSSVC.exe | Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 | Operation: write | Name: Element | Value: binary

Executable files: 205
Suspicious files: 16
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type (with hashes where recorded)

7064 | msiexec.exe | C:\System Volume Information\SPP\metadata-2
7064 | msiexec.exe | C:\Windows\Installer\1915b1.msi
7064 | msiexec.exe | C:\Windows\Installer\1915b3.msi
7064 | msiexec.exe | C:\Program Files\gifski\gifski.exe | executable
  MD5: 764ABCD604F7A4B908D22329CA3360C4
  SHA256: 4BC4A0734B459C39F430EA5E0679DF5313134C048C207EE8E3108D5685CE2002
7064 | msiexec.exe | C:\Windows\Installer\{46DD93B8-DC02-469D-BD31-1DA22A03DEB9}\ProductIcon | image
  MD5: 5B864D5D301126C69131EAF71ABD6C20
  SHA256: 836685D7404BBA609F0E0DC2A4373F303668BC083B759A3672C75CAC432D89B5
7064 | msiexec.exe | C:\Windows\Installer\inprogressinstallinfo.ipi | binary
  MD5: 62073669DB051ACF4DB545E3AB7605ED
  SHA256: A1BC04F4FFAF2B3560741FFA0E442BA5CB0E7F2C3B34CFC125DF057C87C3ED2C
7064 | msiexec.exe | C:\Windows\Temp\~DF15F4B67AE08EFFBE.TMP | binary
  MD5: BF619EAC0CDF3F68D496EA9344137E8B
  SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
7064 | msiexec.exe | C:\Windows\Installer\MSI1831.tmp | binary
  MD5: 1E9E5C58E28EFA1E544EEB81982C1576
  SHA256: 08FCB0C01AD5B0141F5C5D9681C2ABDC3E0B43D5A5CEF036524FC7C54D77B721
7064 | msiexec.exe | C:\Windows\Temp\~DFF9AD1E9643805F27.TMP | binary
  MD5: 62073669DB051ACF4DB545E3AB7605ED
  SHA256: A1BC04F4FFAF2B3560741FFA0E442BA5CB0E7F2C3B34CFC125DF057C87C3ED2C
7064 | msiexec.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\gifski\gifski.lnk | binary
  MD5: F920C582CD0719D70938256D9FD9D2B0
  SHA256: 50C461A4E7286AEE2826CEDF42619BE0765ECF23AD9F7F44B9883D1DB1819A41

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 7
TCP/UDP connections: 33
DNS requests: 19
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation

7104 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.26:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1156 | svchost.exe | GET | 200 | 208.89.74.21:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/209bcf22-db22-4369-9d01-e5c1a213341e?P1=1754767780&P2=404&P3=2&P4=E9zgKucYIq%2fZnBKp8GdyNGopnmq5ptoIK5oBZ3lq2SGEVqGOStaBoJq6CRbc1RQzHzvSj6Yj2CQ9a%2bc5AlXwNA%3d%3d | unknown | whitelisted
7008 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1156 | svchost.exe | HEAD | 200 | 208.89.74.21:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/209bcf22-db22-4369-9d01-e5c1a213341e?P1=1754767780&P2=404&P3=2&P4=E9zgKucYIq%2fZnBKp8GdyNGopnmq5ptoIK5oBZ3lq2SGEVqGOStaBoJq6CRbc1RQzHzvSj6Yj2CQ9a%2bc5AlXwNA%3d%3d | unknown | whitelisted
7008 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5968 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
7104 | svchost.exe | 40.126.32.133:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7104 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 23.216.77.26:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.78
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.138
  • 40.126.32.74
  • 20.190.160.66
  • 20.190.160.132
  • 40.126.32.134
  • 40.126.32.76
  • 20.190.160.130
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 23.216.77.26
  • 23.216.77.27
  • 23.216.77.16
  • 23.216.77.20
  • 23.216.77.15
  • 23.216.77.21
  • 23.216.77.18
  • 23.216.77.22
  • 23.216.77.19
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
go.microsoft.com
  • 95.100.186.9
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 23.50.131.88
  • 23.50.131.87
whitelisted
config.edge.skype.com
  • 150.171.22.17
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted

Threats

PID | Process | Class | Message

| | Misc activity | ET INFO Packed Executable Download
No debug info