File name: keyconfig.exe

Full analysis: https://app.any.run/tasks/c323317e-f7b4-4df0-ac31-55cb5b6c68dd
Verdict: Malicious activity
Analysis date: May 19, 2024, 04:22:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: E7139C67C785E92CE7BC62E521EC44DF
SHA1: C76F7D321C5F5974EF7115E6A7346C42376E3FA9
SHA256: 97A541B761A262CA48FBD2A39A5F978C2A9EC071F1BD1951F5BAB77C212442BD
SSDEEP: 98304:UvkNrTjbA/HSVVi9EUz4riPvKL9yA3SEMcdRAn4TlZYHFLa:D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • keyconfig.exe (PID: 3976)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • keyconfig.exe (PID: 3976)
  • INFO
    • Checks supported languages
      • keyconfig.exe (PID: 3976)
    • Reads the computer name
      • keyconfig.exe (PID: 3976)
    • Creates files in a temporary directory
      • keyconfig.exe (PID: 3976)
    • Manual execution by a user
      • WINWORD.EXE (PID: 2040)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:01:04 17:47:34+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 541184
InitializedDataSize: 437248
UninitializedDataSize: -
EntryPoint: 0x63713
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 3.0.294.14
ProductVersionNumber: 3.0.294.14
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Process default
CharacterSet: Unicode
CompanyName: -
FileDescription: -
FileVersion: -
LegalCopyright: -
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → keyconfig.exe, winword.exe (no specs)

Process information

PID: 2040
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\systemsireland.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators: -
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules (images):
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll

PID: 3976
CMD: "C:\Users\admin\AppData\Local\Temp\keyconfig.exe"
Path: C:\Users\admin\AppData\Local\Temp\keyconfig.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\keyconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 6 369
Read events: 5 875
Write events: 180
Delete events: 314

Modification events

(PID) Process: (3976) keyconfig.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\DirectInput\KEYCONFIG.EXE63B5BBB6001B8F6C
Operation: write
Name: Name
Value: KEYCONFIG.EXE

(PID) Process: (3976) keyconfig.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\DirectInput\KEYCONFIG.EXE63B5BBB6001B8F6C
Operation: write
Name: UsesMapper
Value: 00000000

(PID) Process: (3976) keyconfig.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: Name
Value: KEYCONFIG.EXE

(PID) Process: (3976) keyconfig.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: Id
Value: KEYCONFIG.EXE63B5BBB6001B8F6C

(PID) Process: (3976) keyconfig.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: Version
Value: 00080000

(PID) Process: (3976) keyconfig.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: MostRecentStart
Value: D567912CA4A9DA01

(PID) Process: (2040) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: g<9
Value: 673C3900F8070000010000000000000000000000

(PID) Process: (2040) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value: Off

(PID) Process: (2040) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1041
Value: Off

(PID) Process: (2040) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1046
Value: Off
Executable files: 14
Suspicious files: 6
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR2037.tmp.cvr | -
  MD5: -
  SHA256: -
3976 | keyconfig.exe | C:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\kcpict.mfx | executable
  MD5: 0D53DDBF2FF0E14095AB0937CB5D8F37
  SHA256: 086F67DDCE4B4EEF249788453F0A0CD3C68D7A8866BB57A69A75B174AF3DF0F2
3976 | keyconfig.exe | C:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\Joystick2.mfx | executable
  MD5: 08260414D68ACD15D002047678CF4F78
  SHA256: E057B85BBB0064E4CCFE17BE3F2700D1F5D675290C57C4BC0ADFC7DA7E9D7C26
3976 | keyconfig.exe | C:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\kccombo.mfx | executable
  MD5: 8D4D15D53523929CAD87D54F1BC29CA8
  SHA256: E3CD2FCA88515C46F618D1AFA5F4607856BFAD4B40BE77AE401271102227C274
3976 | keyconfig.exe | C:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\kcini.mfx | executable
  MD5: 9B470F29FB1D571B63E517D822D295A0
  SHA256: C98A74E5B67FB292BBA29ADA9D9A9693B327046EF4AAA5F0ACE86908CD77C67F
3976 | keyconfig.exe | C:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\kcfile.mfx | executable
  MD5: EEBAEAADC1536E8A8FA22743E68D4339
  SHA256: 77EC3848B5490A9F3F1746144FE50AC3C5DB96F12A34B7F65DA036A943B6E03E
3976 | keyconfig.exe | C:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\ctrlx.mfx | executable
  MD5: CEB8B2E522D0AAAECDF69B3BCC89A530
  SHA256: 3407EB12F6BACEC5EBD4DF96FF3FD34741A3919FD46C2EC527364C5F1E753A65
3976 | keyconfig.exe | C:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\mmfs2.dll | executable
  MD5: 9BE48E032E099597FFAD68903F80BA8F
  SHA256: B101F784E3F11B1EA4304ADEE3C82C3010E566D268104DAD164487ECA642507A
3976 | keyconfig.exe | C:\Users\admin\AppData\Local\Temp\2c75d783-57cb-4bfe-a188-cded245471be.FusionApp\KcButton.mfx | executable
  MD5: A8190D2CE298A35B71F7892765C536C9
  SHA256: 8B6751DAE773F53A25BD5ABF202C0A19669D5C3D64580902DBA33257E3EFB84B
2040 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text
  MD5: 75F62BE52A1CF7334090894A4073B0FA
  SHA256: 00127BE2F470D718D348E194EB03824B55E2CA41437B50C47CF6164CA7732E27
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info