DisplaySwitch.exe

  • File Path: C:\WINDOWS\system32\DisplaySwitch.exe
  • Description: Display Switch

Hashes

Type Hash
MD5 312D71D22C13B095678A5C26D73B6824
SHA1 42EECB89DF977B859FCD4BE91AC4CD642D920A55
SHA256 8E1484A283EBC8ED5F28970AB2EA5B488C5DCA50B93C1209E5B2098552D294B9
SHA384 2333451BB0BAEC90CE644B4D761B69DDCCBD3063E0F6F6F6A1ADBB0AE146B603F9A66B0D27F048E396FBDF7DDE3D2797
SHA512 E985F2EE680B2D5933281EE5883E6828EAAD61BD9884EBEA613EF6A29E098434FCD44E807EC37883BCE5FB834BAAE59E2E86D96BAB2DD702CB9370CC3A40226E
SSDEEP 3072:1fp3NHIF5Ni1dZpbS57m0KZkxj3O4LvkJ20/mSLTWVXrSY6t:t3WNiHS57m0KIj3NL+/JDt

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DisplaySwitch.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of DisplaySwitch.exe being misused. While DisplaySwitch.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_install_reg_debugger_backdoor.yml | `- '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'` | DRL 1.0 |
| sigma | sysmon_stickykey_like_backdoor.yml | `- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'` | DRL 1.0 |
| sigma | sysmon_stickykey_like_backdoor.yml | `- '*cmd.exe DisplaySwitch.exe *'` | DRL 1.0 |
| atomic-red-team | T1546.008.md | `* Display Switcher: C:\Windows\System32\DisplaySwitch.exe` | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | `\| parent_list \| Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” \| String \| osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe\|` | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.