DisplaySwitch.exe

  • File Path: C:\Windows\system32\DisplaySwitch.exe
  • Description: Display Switch

Hashes

Type Hash
MD5 B1C084BEDCFF3D4AB356687698B1BA82
SHA1 96128150CF6F9EB6E9AE43D4BEE43B2552ED70DE
SHA256 94CD03DFB938F5F0A999C77CA7FCC2320F6A8C570AC0F01A99A6DC9440C980D8
SHA384 D743933CF1E1544A789D5CCC44C0D501DD7E36121CA97C927F38CC2C223BEB4138E6F4754A02A9F418AF0F6575EC68FA
SHA512 B37FE0F7078591824792E9D9D78BB2322EAB626BA053EDB0C1C7812533E8BAEE4DE723B979546113734C33598108267FC4ABE267FC4B3429B390F939857FD0FD
SSDEEP 3072:XUG9few5ZOAQuZpxQo4/j5AwR9wqhZsEvkQ86AyLa7eygpPIHl:XUaGw5ZGuxQo4/j5NwqhZLDsqM

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DisplaySwitch.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of DisplaySwitch.exe being misused. While DisplaySwitch.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_install_reg_debugger_backdoor.yml - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger' DRL 1.0
sigma sysmon_stickykey_like_backdoor.yml - '*cmd.exe DisplaySwitch.exe *' DRL 1.0
atomic-red-team T1546.008.md * Display Switcher: C:\Windows\System32\DisplaySwitch.exe MIT License. © 2018 Red Canary
atomic-red-team T1546.008.md | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: “osk.exe” | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.