msconfig.exe

  • File Path: C:\WINDOWS\system32\msconfig.exe
  • Description: System Configuration Utility

Screenshot (image): msconfig.exe

Hashes

Type Hash
MD5 E0213D06E94F975FBEC1AE40C3A022AC
SHA1 E331499D3ABCD669DD96907EB5526128E640AB71
SHA256 3DE8B511F44473F772E2F4EA12EA7D44101CA8B5C0436188AAA70DA9E8D70D14
SHA384 4B2810052B409498C8074A79295ECE52B705748368C6F0C2F05EEC4D00B00ED97A5F10B5DA767432ED62C0FDD1A8CCDD
SHA512 3679307B342D6754062594D4D4FAE7353AF3B5342C1AA837D366715188519DBF19A5125F088275571F2DD84F77C5188B5A16B0453D13FB786853166017CF5AB8
SSDEEP 6144:/EOrQ0qs3qMjcLjfq0ivnaHvvaZZvUdSGJRW:Bms3qM4XWaHvvarUd
IMP 4DDD0D0DB14FF662619FDC5ED12FBC62
PESHA1 988723DEF12261D014786540B818BBE07325A27D
PE256 DF80BB0E7779BA12009AE77A0B0FD8FD9867EDC7E2E252BE3964E0081B813462

Runtime Data

Window Title:

System Configuration

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\MFC42u.dll.mui File
(R-D) C:\Windows\System32\en-US\msconfig.exe.mui File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_6b887e04d8b70b4e\comctl32.dll.mui File
(RW-) C:\Windows\System32 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_6b887e04d8b70b4e File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\System32\ADVAPI32.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\system32\msconfig.exe
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\sechost.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: msconfig.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/3de8b511f44473f772e2f4ea12ea7d44101ca8b5c0436188aaa70da9e8d70d14/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\msconfig.exe 33
C:\windows\system32\msconfig.exe 33
C:\Windows\system32\msconfig.exe 36
C:\Windows\system32\msconfig.exe 33
C:\WINDOWS\system32\msconfig.exe 38
C:\Windows\system32\msconfig.exe 41

Possible Misuse

The following table contains possible examples of msconfig.exe being misused. While msconfig.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_msconfig_gui.yml title: UAC Bypass Using MSConfig Token Modification - File DRL 1.0
sigma file_event_win_uac_bypass_msconfig_gui.yml description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) DRL 1.0
sigma proc_creation_win_uac_bypass_msconfig_gui.yml title: UAC Bypass Using MSConfig Token Modification - Process DRL 1.0
sigma proc_creation_win_uac_bypass_msconfig_gui.yml description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) DRL 1.0
sigma proc_creation_win_uac_bypass_msconfig_gui.yml CommandLine: '"C:\Windows\system32\msconfig.exe" -5' DRL 1.0
LOLBAS Msconfig.yml Name: Msconfig.exe  
LOLBAS Msconfig.yml Description: MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows  
LOLBAS Msconfig.yml - Command: Msconfig.exe -5  
LOLBAS Msconfig.yml Usecase: Code execution using Msconfig.exe  
LOLBAS Msconfig.yml - Path: C:\Windows\System32\msconfig.exe  
malware-ioc nukesped_lazarus .msconfig.exe © ESET 2014-2018
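As an added example (not part of the Strontic page, the Sigma rules, or the LOLBAS entry), the following Python sketch applies the process-creation indicator the table cites, the command line "C:\Windows\system32\msconfig.exe" -5, to a handful of constructed Sysmon-style events. The field names (Image, CommandLine, ParentImage, IntegrityLevel) follow Sigma's process_creation model; the sample events are invented, not real telemetry. The second rule, which flags a High/System-integrity process whose parent is msconfig.exe, is an added heuristic and not from the cited rules: it will also fire when a user legitimately launches a tool from the elevated System Configuration window, so treat it as a candidate for tuning rather than an alert.

```python
"""Added detection sketch for the msconfig.exe -5 pattern (not from the page)."""
import ntpath
import re
from typing import Dict, List

# Constructed sample events shaped like Sysmon Event ID 1 / Sigma
# process_creation records. None of these come from a real host.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # ordinary desktop session start
        "Image": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\Windows\Explorer.EXE",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
        "IntegrityLevel": "Medium",
    },
    {  # interactive user opened System Configuration from the Start menu
        "Image": r"C:\Windows\System32\msconfig.exe",
        "CommandLine": '"C:\\Windows\\system32\\msconfig.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "IntegrityLevel": "High",
    },
    {  # the command line quoted by the Sigma rule on this page
        "Image": r"C:\Windows\System32\msconfig.exe",
        "CommandLine": '"C:\\Windows\\system32\\msconfig.exe" -5',
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
        "IntegrityLevel": "High",
    },
    {  # a process started from the elevated msconfig window
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
        "ParentImage": r"C:\Windows\System32\msconfig.exe",
        "IntegrityLevel": "High",
    },
]

# Case-insensitive match for the documented indicator: the msconfig.exe image
# token (quoted or not) followed by the bare "-5" switch, and nothing fused
# to it ("-50" must not match).
_MSCONFIG_DASH5 = re.compile(r'msconfig\.exe"?\s+-5(\s|$)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def is_msconfig_dash5(event: Dict[str, str]) -> bool:
    """Rule taken from the page's Sigma/LOLBAS entries: msconfig.exe run with -5."""
    if basename(event.get("Image", "")) != "msconfig.exe":
        return False
    return bool(_MSCONFIG_DASH5.search(event.get("CommandLine", "")))


def is_elevated_child_of_msconfig(event: Dict[str, str]) -> bool:
    """Added heuristic (assumption, not from the cited rules): an elevated
    process whose parent is msconfig.exe. Fires on legitimate use of the
    Tools tab as well, so it needs tuning before it becomes an alert."""
    if basename(event.get("ParentImage", "")) != "msconfig.exe":
        return False
    return event.get("IntegrityLevel", "") in ("High", "System")


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run both rules over a list of events; return one hit per rule match."""
    hits: List[Dict[str, object]] = []
    for index, event in enumerate(events):
        if is_msconfig_dash5(event):
            hits.append({"index": index, "rule": "msconfig_dash5",
                         "CommandLine": event.get("CommandLine", "")})
        if is_elevated_child_of_msconfig(event):
            hits.append({"index": index, "rule": "elevated_child_of_msconfig",
                         "Image": event.get("Image", "")})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone, the script reports two hits: the -5 invocation (event index 2) and the cmd.exe spawned under msconfig.exe (index 3); the plain interactive launch at index 1 is not flagged. To use it against real data, feed Sysmon EID 1 or Security 4688 records mapped onto the same four fields. The -5 match is low-volume and maps directly onto the cited Sigma rule; the parent-process heuristic is the part that needs baselining in an environment where help-desk staff open the Tools tab.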

MIT License. Copyright (c) 2020-2021 Strontic.