File name:

keyconfig.exe

Full analysis: https://app.any.run/tasks/c323317e-f7b4-4df0-ac31-55cb5b6c68dd
Verdict: Malicious activity
Analysis date: May 19, 2024, 04:22:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

E7139C67C785E92CE7BC62E521EC44DF

SHA1:

C76F7D321C5F5974EF7115E6A7346C42376E3FA9

SHA256:

97A541B761A262CA48FBD2A39A5F978C2A9EC071F1BD1951F5BAB77C212442BD

SSDEEP:

98304:UvkNrTjbA/HSVVi9EUz4riPvKL9yA3SEMcdRAn4TlZYHFLa:D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • keyconfig.exe (PID: 3976)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • keyconfig.exe (PID: 3976)

  • INFO

    • Create files in a temporary directory

      • keyconfig.exe (PID: 3976)

    • Checks supported languages

      • keyconfig.exe (PID: 3976)

    • Reads the computer name

      • keyconfig.exe (PID: 3976)

    • Manual execution by a user

      • WINWORD.EXE (PID: 2040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:01:04 17:47:34+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 541184
InitializedDataSize: 437248
UninitializedDataSize: -
EntryPoint: 0x63713
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.0.294.14
ProductVersionNumber: 3.0.294.14
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Process default
CharacterSet: Unicode
CompanyName: -
FileDescription: -
FileVersion: -
LegalCopyright: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start keyconfig.exe winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2040"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\systemsireland.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
3976"C:\Users\admin\AppData\Local\Temp\keyconfig.exe" C:\Users\admin\AppData\Local\Temp\keyconfig.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\keyconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
6 369
Read events
5 875
Write events
180
Delete events
314

Modification events

(PID) Process:(3976) keyconfig.exeKey:HKEY_CURRENT_USER\Software\Microsoft\DirectInput\KEYCONFIG.EXE63B5BBB6001B8F6C
Operation:writeName:Name
Value:
KEYCONFIG.EXE
(PID) Process:(3976) keyconfig.exeKey:HKEY_CURRENT_USER\Software\Microsoft\DirectInput\KEYCONFIG.EXE63B5BBB6001B8F6C
Operation:writeName:UsesMapper
Value:
00000000
(PID) Process:(3976) keyconfig.exeKey:HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:Name
Value:
KEYCONFIG.EXE
(PID) Process:(3976) keyconfig.exeKey:HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:Id
Value:
KEYCONFIG.EXE63B5BBB6001B8F6C
(PID) Process:(3976) keyconfig.exeKey:HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:Version
Value:
00080000
(PID) Process:(3976) keyconfig.exeKey:HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication
Operation:writeName:MostRecentStart
Value:
D567912CA4A9DA01
(PID) Process:(2040) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:g<9
Value:
673C3900F8070000010000000000000000000000
(PID) Process:(2040) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(2040) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(2040) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
Executable files
14
Suspicious files
6
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2040WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR2037.tmp.cvr
MD5:
SHA256:
3976keyconfig.exeC:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\kcwctrl.mfxexecutable
MD5:425AE02CF4DCCA251D82CDA80661E520
SHA256:A48287F514771F44411F154606643645F25DFDE5E4F21E1DBDA0C520387100A4
3976keyconfig.exeC:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\KcButton.mfxexecutable
MD5:A8190D2CE298A35B71F7892765C536C9
SHA256:8B6751DAE773F53A25BD5ABF202C0A19669D5C3D64580902DBA33257E3EFB84B
3976keyconfig.exeC:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\kcpict.mfxexecutable
MD5:0D53DDBF2FF0E14095AB0937CB5D8F37
SHA256:086F67DDCE4B4EEF249788453F0A0CD3C68D7A8866BB57A69A75B174AF3DF0F2
3976keyconfig.exeC:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\mmfs2.dllexecutable
MD5:9BE48E032E099597FFAD68903F80BA8F
SHA256:B101F784E3F11B1EA4304ADEE3C82C3010E566D268104DAD164487ECA642507A
3976keyconfig.exeC:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\kccombo.mfxexecutable
MD5:8D4D15D53523929CAD87D54F1BC29CA8
SHA256:E3CD2FCA88515C46F618D1AFA5F4607856BFAD4B40BE77AE401271102227C274
3976keyconfig.exeC:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\ToolTip.mfxexecutable
MD5:75461906DCFD9D69DE7A1C117A747C05
SHA256:4433790016E32B806C9BF80D0BC8D9BA5711FD4F50414212FF38D0F32B247356
3976keyconfig.exeC:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\ctrlx.mfxexecutable
MD5:CEB8B2E522D0AAAECDF69B3BCC89A530
SHA256:3407EB12F6BACEC5EBD4DF96FF3FD34741A3919FD46C2EC527364C5F1E753A65
3976keyconfig.exeC:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\pngflt.iftexecutable
MD5:D57365CA275388910BE7B09D95EE65B9
SHA256:DF948630FDB53DDAD68D66994F5D2B18A67DF32478B6B8B3720C28F40BDE7B1F
3976keyconfig.exeC:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\waveflt.sftexecutable
MD5:57EA61DD14314EF155E80C6A0BE8A664
SHA256:92A5053CF5973A6AA228C738D55387F12F1DFA8A837D7B938C60F05B6B56B3AD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
keyconfig.exe