File name: lockoutstatus.msi
Full analysis: https://app.any.run/tasks/104faebb-6367-4774-b382-a20d07ce34d3
Verdict: Malicious activity
Analysis date: November 07, 2023, 13:26:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Code page: 1252, Last Printed: Tue Aug 5 23:07:09 2003, Create Time/Date: Tue Aug 5 23:07:09 2003, Name of Creating Application: Windows Installer, Title: Account Lockout Status, Subject: Account Lockout Status, Author: Microsoft Corporation, Keywords: Install,MSI, Comments: This installer database contains the logic and data required to install lockoutstatus.exe, Template: Intel;1033, Last Saved By: v-smgum, Revision Number: {9F07C480-365C-4413-9CEE-090C495C045A}, Last Saved Time/Date: Tue Sep 23 23:56:29 2003, Number of Pages: 150, Number of Words: 0, Security: 0
MD5: D4287D92721A5376D358085F198642EE
SHA1: B23AC1FE1301E38B21C508DA25C60C6918BE38E9
SHA256: 41EEFFD543430788404E3AE099C197CB45D426CFE7C7FF6A2942DC5AAAA1E0BC
SSDEEP: 6144:6KXDeXvO1F5f/EqrGybxFVQmkRrvjJb/c3ix+DWMH:6K5xFVQmS/Jb/1w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • msiexec.exe (PID: 3484)
  • SUSPICIOUS
    • Executes as Windows Service
      • VSSVC.exe (PID: 3496)
    • Checks Windows Trust Settings
      • msiexec.exe (PID: 3484)
    • Creates FileSystem object to access computer's file system (SCRIPT)
      • msiexec.exe (PID: 3744)
    • Checks whether a specific file exists (SCRIPT)
      • msiexec.exe (PID: 3744)
    • Process drops legitimate Windows executable
      • msiexec.exe (PID: 3484)
  • INFO
    • Reads the machine GUID from the registry
      • msiexec.exe (PID: 3484)
      • msiexec.exe (PID: 3744)
    • Reads security settings of Internet Explorer
      • msiexec.exe (PID: 3440)
    • Checks supported languages
      • msiexec.exe (PID: 3484)
      • msiexec.exe (PID: 3744)
    • Reads the computer name
      • msiexec.exe (PID: 3484)
      • msiexec.exe (PID: 3744)
    • Application launched itself
      • msiexec.exe (PID: 3484)
    • Creates files in a temporary directory
      • msiexec.exe (PID: 3484)
    • Reads environment values
      • msiexec.exe (PID: 3744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (86)
.mst | Windows SDK Setup Transform Script (9.7)
.doc | Microsoft Word document (old ver.) (2.9)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
LastPrinted: 2003:08:05 22:07:09
CreateDate: 2003:08:05 22:07:09
Software: Windows Installer
Title: Account Lockout Status
Subject: Account Lockout Status
Author: Microsoft Corporation
Keywords: Install,MSI
Comments: This installer database contains the logic and data required to install lockoutstatus.exe
Template: Intel;1033
LastModifiedBy: v-smgum
RevisionNumber: {9F07C480-365C-4413-9CEE-090C495C045A}
ModifyDate: 2003:09:23 22:56:29
Pages: 150
Words: -
Security: None
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph

The interactive graph is available in the full report. Nodes: start, msiexec.exe, msiexec.exe, vssvc.exe, msiexec.exe (no specs attached to any node).

Process information

PID: 3440
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\lockoutstatus.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 3484
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 3496
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\vssvc.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 3744
CMD: C:\Windows\system32\MsiExec.exe -Embedding 00E1A5C129B7DCDCF18524CA31D08149
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll
Total events: 8 657
Read events: 8 606
Write events: 40
Delete events: 11

Modification events

(PID) Process: (3440) msiexec.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E | Operation: write | Name: LanguageList
Value: en-US

(PID) Process: (3484) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter)
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3484) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | Operation: write | Name: SppCreate (Enter)
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3484) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | Operation: write | Name: LastIndex
Value: 72

(PID) Process: (3484) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | Operation: write | Name: SppGatherWriterMetadata (Enter)
Value: 40000000000000008C62D6BA16B0D901C80700002C0A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3484) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | Operation: write | Name: SppGatherWriterMetadata (Leave)
Value: 400000000000000064514ABC16B0D901C80700002C0A0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3484) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | Operation: write | Name: SppAddInterestingComponents (Enter)
Value: 400000000000000064514ABC16B0D901C80700002C0A0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3484) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | Operation: write | Name: SppAddInterestingComponents (Leave)
Value: 400000000000000034645DBC16B0D901C80700002C0A0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3484) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | Operation: write | Name: SppCreate (Leave)
Value: 4000000000000000781D5ABD16B0D901C80700002C0A0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3484) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Leave)
Value: 4000000000000000781D5ABD16B0D901C80700002C0A0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 3
Suspicious files: 9
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3484 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | (type not recorded)
MD5: (not recorded)
SHA256: (not recorded)

3484 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary
MD5: C53B7E8ADB4F86E25FEE6831C5261B5F
SHA256: F90B89590B8411BCD45CA03D290DDE8B821F119095FF7594248442A1EA9F846C

3484 | msiexec.exe | C:\Windows\Installer\16accf.msi | executable
MD5: D4287D92721A5376D358085F198642EE
SHA256: 41EEFFD543430788404E3AE099C197CB45D426CFE7C7FF6A2942DC5AAAA1E0BC

3484 | msiexec.exe | C:\Program Files\Windows Resource Kits\Tools\lockoutstatus.exe | executable
MD5: 7D1F8EB96344261B225E80AC241EF10B
SHA256: D09E1034999356BE721A11F260330DC444C0FC643736F54263D79D2D1B487542

3484 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFFC7B4A863C0CA53C.TMP | binary
MD5: 85BBD665EE73D1E41F4337DAED7B06A6
SHA256: 0C665A7040D3503324F6702A7E0950E208BCBA5089676B6DD692A9117A0722C9

3484 | msiexec.exe | C:\Config.Msi\16acd1.rbs | binary
MD5: FD489F7A67FF1B31B451E6DDE056CE40
SHA256: 682125E4EF42C1FE4A498A8F6B91D218BEF0A417BC4E13995638BCC375EEAC5C

3484 | msiexec.exe | C:\Windows\Installer\16acd0.ipi | binary
MD5: 0F96BB7D3E47E47161FA86D029620ABE
SHA256: 920BDA67F2E80FF5409DE6C7AE4FF2E0FB9F6E65213926A44E5480B7D11862DC

3484 | msiexec.exe | C:\Windows\Installer\SourceHash{226A2297-C599-47D6-B991-9350172DBD10} | binary
MD5: BF09D6B1DA8894E6D90EB5951819D1DD
SHA256: CD2F875A692A0B5F2833FB8D5A8AA31922CDB9F984176A760502DDEC8655E99E

3484 | msiexec.exe | C:\Windows\Installer\16acd2.msi | executable
MD5: D4287D92721A5376D358085F198642EE
SHA256: 41EEFFD543430788404E3AE099C197CB45D426CFE7C7FF6A2942DC5AAAA1E0BC

3484 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFADB023ABB46A0283.TMP | binary
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info