DisplaySwitch.exe

  • File Path: C:\windows\system32\DisplaySwitch.exe
  • Description: Display Switch

Hashes

Type Hash
MD5 179606714C1C3B2CDB842CBC861F70D2
SHA1 00244C64C8DABA611073657510BB8EA017A5A52F
SHA256 48D65601F501A99C4DBD6AC4501DEDCBA462E9E38507F089A10A5FEA45E512B4
SHA384 51F6852CA079EF8E6732998872A2C48BF1A55816A91979800D259F63080D9D1F6BCA5DEF6248CCADE48E1AAE0D746A1C
SHA512 F8938DF719D77A2E45735272533AC4C1875909C5800FB5DF0080E009AF75AA3887C8A08FA90B38622BEB9EFDF8337A01E1EBE2598D99419D3F61616A4A9A0E86
SSDEEP 3072:gRtOiZ6kTM/mxkMJ1yVXkathV1Ic5p2R1bB5j5cOqJ4MG7Jb+KuAPR11X:+wOattvaR77JAaPp

Signature

  • Status: Signature verified.
  • Serial: 330000004EA1D80770A9BBE94400000000004E
  • Thumbprint: DF3B9B7E5AEA1AA0B82EA25F542A6A00963AB890
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DisplaySwitch.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of DisplaySwitch.exe being misused. While DisplaySwitch.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe DisplaySwitch.exe *' DRL 1.0
atomic-red-team T1546.008.md * Display Switcher: C:\Windows\System32\DisplaySwitch.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.