msconfig.exe

  • File Path: C:\Windows\system32\msconfig.exe
  • Description: System Configuration Utility

Screenshot

msconfig.exe

Hashes

Type Hash
MD5 39009536CAFE30C6EF2501FE46C9DF5E
SHA1 6FF7B4D30F31186DE899665C704A105227704B72
SHA256 93D2604F7FDF7F014AC5BEF63AB177B6107F3CFC26DA6CBD9A7AB50C96564A04
SHA384 6D986C02F542F6CCD0BF894856474F14291809CD0AF95911D885F559777B4AA49C9A232801466C65B21CC8F9F084993F
SHA512 95C9A8BC61C79108634F5578825544323E3D980AE97A105A325C58BC0E44B1D500637459969602F08D6D23D346BAEC6ACD07D8351803981000C797190D48F03A
SSDEEP 3072:8BwZsm+TLNr4gR2oiQC0oBXrJZu0rIAfUd0/HlGJRA15:ZZs5FhRdiQC0AXrHuOUdSGJRW
IMP 48D24FD6767DEDAF3D3F9B0CAA18321E
PESHA1 AA7B92AFC96B2F7C10EFFEA7385268DACC6B4F00
PE256 C069BE7136E283742E415BE1D8AA52CEE89F7CE027DE181610722FE91F8A3E40

Runtime Data

Window Title:

System Configuration

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\MFC42u.dll.mui File
(R-D) C:\Windows\System32\en-US\msconfig.exe.mui File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\Windows\Theme449731986 Section
\Windows\Theme1396518710 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\msconfig.exe
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: msconfig.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04/detection

File Similarity (ssdeep match)

File Score
C:\windows\system32\msconfig.exe 44
C:\Windows\system32\msconfig.exe 41
C:\WINDOWS\system32\msconfig.exe 33
C:\Windows\system32\msconfig.exe 44
C:\WINDOWS\system32\msconfig.exe 47
C:\Windows\system32\msconfig.exe 41

Possible Misuse

The following table contains possible examples of msconfig.exe being misused. While msconfig.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_msconfig_gui.yml title: UAC Bypass Using MSConfig Token Modification - File DRL 1.0
sigma file_event_win_uac_bypass_msconfig_gui.yml description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) DRL 1.0
sigma proc_creation_win_uac_bypass_msconfig_gui.yml title: UAC Bypass Using MSConfig Token Modification - Process DRL 1.0
sigma proc_creation_win_uac_bypass_msconfig_gui.yml description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) DRL 1.0
sigma proc_creation_win_uac_bypass_msconfig_gui.yml CommandLine: '"C:\Windows\system32\msconfig.exe" -5' DRL 1.0
LOLBAS Msconfig.yml Name: Msconfig.exe  
LOLBAS Msconfig.yml Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows  
LOLBAS Msconfig.yml - Command: Msconfig.exe -5  
LOLBAS Msconfig.yml Usecase: Code execution using Msconfig.exe  
LOLBAS Msconfig.yml - Path: C:\Windows\System32\msconfig.exe  
malware-ioc nukesped_lazarus .msconfig.exe``{:.highlight .language-cmhg} © ESET 2014-2018

MIT License. Copyright (c) 2020-2021 Strontic.