DisplaySwitch.exe

  • File Path: C:\Windows\SysWOW64\DisplaySwitch.exe
  • Description: Display Switch

Hashes

Type Hash
MD5 2E5E1B653778DE0E51ADD0BBE788B30A
SHA1 341F9A52A68E66B183C2E3262DC1E010B29612C0
SHA256 47BB2F510EFD927D4BDDF8F13503DDF077B1F0ED8427F64605DC9F60BD935B06
SHA384 28F29A661BE91D427207B5AE410BDEA7DFC821A4A7FC61B391D2B0A065F1D3F6296841443CEF4B0977FC45BA9019EB93
SHA512 E11C92D628C0D7CC1A9843C71360088B39FC3F84D6C7B87F26B7ABBD126599310239E6AEF0953C3F999C3C16AD2D2676ABF12A711A82A3BBDA3780806E7FA671
SSDEEP 3072:tfvk88Rh3rWekHas1C3UeVk27Ea1mm+9QnJRehnZ9T3UWi108J5wYPwR8U:FDshpwa6d6/t+9scCvjU

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DisplaySwitch.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following entries are possible examples of DisplaySwitch.exe being misused. While DisplaySwitch.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
    Source File: win_install_reg_debugger_backdoor.yml
    Example: - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'
    License: DRL 1.0

  • Source: sigma
    Source File: sysmon_stickykey_like_backdoor.yml
    Example: - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
    License: DRL 1.0

  • Source: sigma
    Source File: sysmon_stickykey_like_backdoor.yml
    Example: - '*cmd.exe DisplaySwitch.exe *'
    License: DRL 1.0

  • Source: atomic-red-team
    Source File: T1546.008.md
    Example: * Display Switcher: C:\Windows\System32\DisplaySwitch.exe
    License: MIT License. © 2018 Red Canary

  • Source: atomic-red-team
    Source File: T1546.008.md
    Example: | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe|
    License: MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.