DisplaySwitch.exe

  • File Path: C:\windows\SysWOW64\DisplaySwitch.exe
  • Description: Display Switch

Hashes

Type Hash
MD5 94CCF6030081F088DA5068DF780755AC
SHA1 10EBDF557889E2902C49EC203FC98C913F3F90E9
SHA256 1D5CBA061142691DF9D99380139653FAE326FF15FD12D8CC1B91EAD79194AA9D
SHA384 41AE687C61BE6977B7F8C2850AA08FECE5ABC055721DDCF2BEBF4630EF6A2DFFDE96C289AEF464882BE0A5C839D45A0F
SHA512 31EC8DC1882D163C6D1EABBBDAAC832FE6D39F823AEE1F3B618FC82E2C4FCD31EAF24C4DD0CE002B85BA76E617D56787BE55B895377D9990CB733C2A08900468
SSDEEP 3072:BXDJI17xZ5sp0pCJz+qHZuFFF3AfyGUpCvzHmcReMsY+kc:BNIF5s6GzXuX3PG/vzLbG

Signature

  • Status: Signature verified.
  • Serial: 330000004EA1D80770A9BBE94400000000004E
  • Thumbprint: DF3B9B7E5AEA1AA0B82EA25F542A6A00963AB890
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DisplaySwitch.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of DisplaySwitch.exe being misused. While DisplaySwitch.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | win_install_reg_debugger_backdoor.yml | `- '*\CurrentVersion\Image File Execution Options\displayswitch.exe*'` | DRL 1.0 |
| sigma | sysmon_stickykey_like_backdoor.yml | `- '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'` | DRL 1.0 |
| sigma | sysmon_stickykey_like_backdoor.yml | `- '*cmd.exe DisplaySwitch.exe *'` | DRL 1.0 |
| atomic-red-team | T1546.008.md | `* Display Switcher: C:\Windows\System32\DisplaySwitch.exe` | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | `\| parent_list \| Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” \| String \| osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe\|` | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.