Edit tour

Windows Analysis Report
MSDisplay_MultiDev_v1.0.0.18.0.exe

Overview

General Information

Sample Name:	MSDisplay_MultiDev_v1.0.0.18.0.exe
Analysis ID:	838207
MD5:	f505cbcab0670a376c866de177a5c097
SHA1:	18ded789bc554fda5941aa2707df9a78de44c7c5
SHA256:	7be04791df7cc79fc8427098bf9e3c11206e54d2d613d470e4b4d5855451e816
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Changes security center settings (notifications, updates, antivirus, firewall)

Obfuscated command line found

Creates an undocumented autostart registry key

Uses 32bit PE files

Creates files inside the driver directory

Queries the volume information (name, serial number etc) of a device

Drops certificate files (DER)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Creates files inside the system directory

PE file contains sections with non-standard names

Stores files to the Windows start menu directory

Found dropped PE file which has not been started or loaded

Enables driver privileges

Adds / modifies Windows certificates

Drops PE files

Contains capabilities to detect virtual machines

Enables security privileges

Spawns drivers

Creates or modifies windows services

Queries disk information (often used to detect virtual machines)

Classification

Process Tree

System is w10x64_ra

svchost.exe (PID: 6596 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 9520A99E77D6196D0D09833146424113)

SgrmBroker.exe (PID: 6636 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: C51AA0BB954EA45E85572E6CC29BA6F4)

svchost.exe (PID: 6672 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: 9520A99E77D6196D0D09833146424113)

MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 6848 cmdline: C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe MD5: F505CBCAB0670A376C866DE177A5C097)

MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 6880 cmdline: "C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$40132,2556185,806912,C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe" MD5: 7EC9CFAB450831249D70152183B3E844)

devcon.exe (PID: 7148 cmdline: "C:\Program Files\MS USB Display\tool\x64\devcon.exe" dp_add "C:\Program Files\MS USB Display\lib_usb\MSUSBDisplay.inf" USB\VID_534D&PID_6021&MI_03 MD5: 8C7D36AD908F5F1A5E39F95AC92581F5)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

devcon.exe (PID: 1032 cmdline: "C:\Program Files\MS USB Display\tool\x64\devcon.exe" install "C:\Program Files\MS USB Display\idd\indirectdisplaybus\indirectdisplaybus.inf" root\IndirectDisplayBus MD5: 8C7D36AD908F5F1A5E39F95AC92581F5)

conhost.exe (PID: 4700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

devcon.exe (PID: 1868 cmdline: "C:\Program Files\MS USB Display\tool\x64\devcon.exe" update "C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\indirectdisplaydriver0.inf" MS\IddBus MD5: 8C7D36AD908F5F1A5E39F95AC92581F5)

conhost.exe (PID: 1984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

devcon.exe (PID: 6920 cmdline: "C:\Program Files\MS USB Display\tool\x64\devcon.exe" update "C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\indirectdisplaydriver1.inf" MS\IddBus1 MD5: 8C7D36AD908F5F1A5E39F95AC92581F5)

conhost.exe (PID: 1288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

devcon.exe (PID: 2568 cmdline: "C:\Program Files\MS USB Display\tool\x64\devcon.exe" update "C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\indirectdisplaydriver2.inf" MS\IddBus2 MD5: 8C7D36AD908F5F1A5E39F95AC92581F5)

conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

devcon.exe (PID: 6596 cmdline: "C:\Program Files\MS USB Display\tool\x64\devcon.exe" restart =display MD5: 8C7D36AD908F5F1A5E39F95AC92581F5)

conhost.exe (PID: 652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

svchost.exe (PID: 2508 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: 9520A99E77D6196D0D09833146424113)

drvinst.exe (PID: 6200 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\MSUSBDisplay.inf" "9" "410771dbb" "00000000000001B0" "WinSta0\Default" "00000000000001B4" "208" "C:\Program Files\MS USB Display\lib_usb" MD5: 100997A8B475B1D1B173BE8941DFE1A6)

rundll32.exe (PID: 2476 cmdline: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7e09768-3410-4444-b1d2-e0b7886720f1} Global\{f21d5126-d58b-9449-be56-9c74edde3b9c} C:\Windows\System32\DriverStore\Temp\{d4cea893-464e-c84d-a474-130257eafc14}\MSUSBDisplay.inf C:\Windows\System32\DriverStore\Temp\{d4cea893-464e-c84d-a474-130257eafc14}\MSUSBDisplay.cat MD5: F68AF942FD7CCC0E7BAB1A2335D2AD26)

drvinst.exe (PID: 5372 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{4f28a4ee-4f02-fd4b-b4ab-c641fe84e6a5}\indirectdisplaybus.inf" "9" "45a813563" "000000000000019C" "WinSta0\Default" "00000000000001AC" "208" "c:\program files\ms usb display\idd\indirectdisplaybus" MD5: 100997A8B475B1D1B173BE8941DFE1A6)

drvinst.exe (PID: 6656 cmdline: DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem7.inf" "indirectdisplaybus.inf:c14ce884432a57a1:IndirectDisplayBus_Device:10.49.31.666:root\indirectdisplaybus," "45a813563" "000000000000019C" MD5: 100997A8B475B1D1B173BE8941DFE1A6)

IndirectDisplayBus.sys (PID: 4 cmdline: MD5: AB54EBBCB994C461CCD00DF6012C979B)

svchost.exe (PID: 5844 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: 9520A99E77D6196D0D09833146424113)

cleanup

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7e09768-3410-4444-b1d2-e0b7886720f1} Global\{f21d5126-d58b-9449-be56-9c74edde3b9c} C:\Windows\System32\DriverStore\Temp\{d4cea893-464e-c84d-a474-130257eafc14}\MSUSBDisplay.inf C:\Windows\System32\DriverStore\Temp\{d4cea893-464e-c84d-a474-130257eafc14}\MSUSBDisplay.cat

Source: C:\Windows\System32\drvinst.exe	Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4700:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:652:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4700:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1288:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1288:120:WilError_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:652:304:WilStaging_02

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp

File created: C:\Program Files\MS USB Display

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{509DC88F-BC75-4AED-B511-9892EAD1AE48}}_is1

Source: MSDisplay_MultiDev_v1.0.0.18.0.exe

Static file information: File size 3275933 > 1048576

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\is-CPSEL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\is-M8EPE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\is-K5OOJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\is-UFQ2L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\is-RDLS7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\is-BCJ08.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\is-I379N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\is-HU23B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\is-C6QMJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\is-GQQN7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\tool
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\tool\arm64
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\tool\arm64\is-NFRRI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\tool\x64
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\tool\x64\is-SNENH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\tool\x64\is-23N2J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\tool\x86
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\tool\x86\is-I7QM3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\tool\x86\is-72M4S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\video_driver
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\video_driver\is-ETMH0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\video_driver\is-HMJOS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\video_driver\x64
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\video_driver\x64\is-3VMOJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\video_driver\x64\is-2C1GB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\video_driver\x86
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\video_driver\x86\is-I5A5F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\video_driver\x86\is-DJS68.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\displayproxy
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\displayproxy\is-7CVUF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\displayproxy\is-SOASQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\displayproxy\x64
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\displayproxy\x64\is-V32EN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\displayproxy\x64\is-VL4BF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\displayproxy\x64\is-E8IBG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\displayproxy\x86
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\displayproxy\x86\is-AVMSV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\displayproxy\x86\is-0QEAF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\lib_usb
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\lib_usb\is-81ET8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\lib_usb\is-T2J7E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\lib_usb\amd64
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\lib_usb\amd64\is-CINNI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\lib_usb\amd64\is-PT0QG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\lib_usb\x86
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\lib_usb\x86\is-4AJ4C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\lib_usb\x86\is-JKEU0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaybus
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaybus\is-KK37C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaybus\is-6AV4H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x64
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x64\is-7F2TI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x86
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x86\is-BBMUU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\is-VF8R4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\is-U4EIA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x64
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x64\is-KHGPI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x86
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x86\is-2TVU1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\is-AS7LJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\is-3S2HL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x64
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x64\is-LKLT5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x86
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x86\is-MLVJ0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\is-E04DG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\is-IQAK7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x64
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x64\is-GCO13.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x86
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Directory created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x86\is-D9APK.tmp

Source: MSDisplay_MultiDev_v1.0.0.18.0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Obfuscated command line found

Source: C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp "C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$40132,2556185,806912,C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe"
Source: C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp "C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$40132,2556185,806912,C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe"

Source: MSDisplay_MultiDev_v1.0.0.18.0.exe

Static PE information: section name: .didata

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\video_driver\x86\is-I5A5F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyKmd.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\tool\x86\is-I7QM3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x64\is-7F2TI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\WinUsbDisplay.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\displayproxy\x86\DisplayProxyKmd.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x86\indirectdisplaydriver0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x64\IndirectDisplayDriver1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x86\IndirectDisplayBus.sys (copy)	Jump to dropped file
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	File created: C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\x86\libusb0_x86.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x86\IndirectDisplayDriver2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x64\is-GCO13.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\lib_usb\x86\is-4AJ4C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x86\is-MLVJ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\libyuv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x86\IndirectDisplayDriver1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\video_driver\x64\is-3VMOJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x64\IndirectDisplayBus.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\is-I379N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\tool\x64\is-SNENH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\displayproxy\x64\is-E8IBG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\tool\arm64\is-NFRRI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\tool\x64\is-23N2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\is-UFQ2L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\is-RDLS7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\libVMonitor.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x64\is-LKLT5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\tool\x64\devcon.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x86\is-BBMUU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x64\indirectdisplaydriver0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Users\user\AppData\Local\Temp\is-P1C7O.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	File created: C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\amd64\SETCCB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\libusb0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyUmd32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x86\is-D9APK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\video_driver\x64\dfmirage.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\video_driver\x86\dfmirage.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\lib_usb\x86\libusb0.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\lib_usb\amd64\is-PT0QG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\tool\arm64\devcon.exe (copy)	Jump to dropped file
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	File created: C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\amd64\libusb0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\tool\x86\dpinst.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\video_driver\x86\is-DJS68.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\lib_usb\amd64\libusb0.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\tool\x86\devcon.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\is-CPSEL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\is-M8EPE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x64\is-KHGPI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\msvcr120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\video_driver\x64\is-2C1GB.tmp	Jump to dropped file
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	File created: C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\x86\SETD6B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\is-BCJ08.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\displayproxy\x64\is-VL4BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\displayproxy\x86\is-AVMSV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\tool\x86\is-72M4S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\video_driver\x64\dfmirage.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\video_driver\x86\dfmirage.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\displayproxy\x64\is-V32EN.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe	File created: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x86\is-2TVU1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\tool\x64\dpinst.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\displayproxy\x86\DisplayProxyUmd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\displayproxy\x86\is-0QEAF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyUmd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x64\IndirectDisplayDriver2.dll (copy)	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\dfmirage\DEVICE0 Attach.ToDesktop

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MS USB Display
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MS USB Display\MS USB Display.lnk
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MS USB Display\Uninstall MS USB Display.lnk

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\dfmirage\DEVICE0

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Usb Display
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Usb Display

Source: C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\video_driver\x86\is-I5A5F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyKmd.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x64\is-7F2TI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\tool\x86\is-I7QM3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\WinUsbDisplay.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\displayproxy\x86\DisplayProxyKmd.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x86\indirectdisplaydriver0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x64\IndirectDisplayDriver1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x86\IndirectDisplayBus.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x86\IndirectDisplayDriver2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x64\is-GCO13.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\lib_usb\x86\is-4AJ4C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x86\is-MLVJ0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\libyuv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x86\IndirectDisplayDriver1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\video_driver\x64\is-3VMOJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x64\IndirectDisplayBus.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\is-I379N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\displayproxy\x64\is-E8IBG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\tool\arm64\is-NFRRI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\tool\x64\is-23N2J.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\is-UFQ2L.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\is-RDLS7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\libVMonitor.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x64\is-LKLT5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaybus\x86\is-BBMUU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x64\indirectdisplaydriver0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P1C7O.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\amd64\SETCCB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyUmd32.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x86\is-D9APK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\video_driver\x64\dfmirage.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\video_driver\x86\dfmirage.sys (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\lib_usb\amd64\is-PT0QG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\tool\arm64\devcon.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\tool\x86\dpinst.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\video_driver\x86\is-DJS68.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\tool\x86\devcon.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\is-CPSEL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\is-M8EPE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x64\is-KHGPI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\msvcr120.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\video_driver\x64\is-2C1GB.tmp	Jump to dropped file
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\x86\SETD6B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\is-BCJ08.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\displayproxy\x64\is-VL4BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\displayproxy\x86\is-AVMSV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\tool\x86\is-72M4S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\video_driver\x64\dfmirage.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\video_driver\x86\dfmirage.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\displayproxy\x64\is-V32EN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x86\is-2TVU1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\tool\x64\dpinst.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\displayproxy\x86\DisplayProxyUmd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x64\IndirectDisplayDriver2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyUmd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Dropped PE file which has not been started: C:\Program Files\MS USB Display\displayproxy\x86\is-0QEAF.tmp	Jump to dropped file

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp

Process information queried: ProcessInformation

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation

Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{c7e09768-3410-4444-b1d2-e0b7886720f1} global\{f21d5126-d58b-9449-be56-9c74edde3b9c} c:\windows\system32\driverstore\temp\{d4cea893-464e-c84d-a474-130257eafc14}\msusbdisplay.inf c:\windows\system32\driverstore\temp\{d4cea893-464e-c84d-a474-130257eafc14}\msusbdisplay.cat
Source: unknown	Process created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{4f28a4ee-4f02-fd4b-b4ab-c641fe84e6a5}\indirectdisplaybus.inf" "9" "45a813563" "000000000000019c" "winsta0\default" "00000000000001ac" "208" "c:\program files\ms usb display\idd\indirectdisplaybus"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{4f28a4ee-4f02-fd4b-b4ab-c641fe84e6a5}\indirectdisplaybus.inf" "9" "45a813563" "000000000000019c" "winsta0\default" "00000000000001ac" "208" "c:\program files\ms usb display\idd\indirectdisplaybus"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe c:\windows\system32\pnpui.dll,installsecuritypromptrundllw 20 global\{c7e09768-3410-4444-b1d2-e0b7886720f1} global\{f21d5126-d58b-9449-be56-9c74edde3b9c} c:\windows\system32\driverstore\temp\{d4cea893-464e-c84d-a474-130257eafc14}\msusbdisplay.inf c:\windows\system32\driverstore\temp\{d4cea893-464e-c84d-a474-130257eafc14}\msusbdisplay.cat

Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{d4cea893-464e-c84d-a474-130257eafc14}\MSUSBDisplay.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{d4cea893-464e-c84d-a474-130257eafc14}\MSUSBDisplay.cat VolumeInformation
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Queries volume information: C:\Program Files\MS USB Display\idd\indirectdisplaybus\indirectdisplaybus.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{89a7b30b-5d54-3847-bfe2-75606a79c7b8}\IndirectDisplayBus.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Source: C:\Windows\System32\svchost.exe	WMI Queries: AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"

Source: C:\Windows\System32\drvinst.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	11 Windows Service	11 Windows Service	23 Masquerading	OS Credential Dumping	13 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	11 Command and Scripting Interpreter	111 Registry Run Keys / Startup Folder	1 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	2 LSASS Driver	111 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	2 LSASS Driver	1 Process Injection	NTDS	2 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Rundll32	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
MSDisplay_MultiDev_v1.0.0.18.0.exe	2%	ReversingLabs
MSDisplay_MultiDev_v1.0.0.18.0.exe	4%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	7%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	7%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\is-P1C7O.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-P1C7O.tmp\_isetup\_setup64.tmp	0%	Virustotal	Browse
C:\Program Files\MS USB Display\WinUsbDisplay.exe (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\WinUsbDisplay.exe (copy)	3%	Virustotal	Browse
C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyKmd.sys (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyKmd.sys (copy)	0%	Virustotal	Browse
C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyUmd.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyUmd.dll (copy)	0%	Virustotal	Browse
C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyUmd32.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyUmd32.dll (copy)	0%	Virustotal	Browse
C:\Program Files\MS USB Display\displayproxy\x86\DisplayProxyKmd.sys (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\displayproxy\x86\DisplayProxyUmd.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\idd\indirectdisplaybus\x64\IndirectDisplayBus.sys (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\idd\indirectdisplaybus\x86\IndirectDisplayBus.sys (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x64\indirectdisplaydriver0.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x86\indirectdisplaydriver0.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x64\IndirectDisplayDriver1.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\x86\IndirectDisplayDriver1.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x64\IndirectDisplayDriver2.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\x86\IndirectDisplayDriver2.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\is-BCJ08.tmp	0%	ReversingLabs
C:\Program Files\MS USB Display\is-CPSEL.tmp	5%	ReversingLabs
C:\Program Files\MS USB Display\is-I379N.tmp	2%	ReversingLabs
C:\Program Files\MS USB Display\is-RDLS7.tmp	0%	ReversingLabs
C:\Program Files\MS USB Display\is-UFQ2L.tmp	0%	ReversingLabs
C:\Program Files\MS USB Display\lib_usb\amd64\is-PT0QG.tmp	0%	ReversingLabs
C:\Program Files\MS USB Display\lib_usb\x86\is-4AJ4C.tmp	0%	ReversingLabs
C:\Program Files\MS USB Display\tool\arm64\devcon.exe (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\tool\x64\devcon.exe (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\tool\x64\dpinst.exe (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\tool\x86\devcon.exe (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\tool\x86\dpinst.exe (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\video_driver\x64\dfmirage.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\video_driver\x64\dfmirage.sys (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\video_driver\x86\dfmirage.dll (copy)	0%	ReversingLabs
C:\Program Files\MS USB Display\video_driver\x86\dfmirage.sys (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\amd64\SETCCB.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\x86\SETD6B.tmp	0%	ReversingLabs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.109.8.45	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
52.109.88.191	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	838207
Start date and time:	2023-03-30 17:12:31 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	1
Number of existing processes analysed:	1
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample file name:	MSDisplay_MultiDev_v1.0.0.18.0.exe
Detection:	MAL
Classification:	mal60.evad.winEXE@34/119@0/13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.126.32.140, 20.190.160.14, 40.126.32.133, 20.190.160.20, 40.126.32.72, 40.126.32.68, 40.126.32.74, 20.190.160.17, 40.126.32.76, 40.126.32.138, 20.190.160.22
Excluded domains from analysis (whitelisted): prdv6a.aadg.msidentity.com, slscr.update.microsoft.com, login.live.com, www.tm.lg.prod.aadmsa.akadns.net, www.tm.v6.a.prd.aadg.trafficmanager.net, www.tm.v6.a.prd.aadg.akadns.net, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: C:\Program Files\MS USB Display\displayproxy\x86\DisplayProxyKmd.sys (copy)

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757

Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.8.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.88.191
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.88.191
Source: unknown	TCP traffic detected without corresponding DNS query: 52.109.8.45
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95

Source: unknown	Process created: C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe
Source: C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp "C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$40132,2556185,806912,C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe"
Source: C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp "C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$40132,2556185,806912,C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" dp_add "C:\Program Files\MS USB Display\lib_usb\MSUSBDisplay.inf" USB\VID_534D&PID_6021&MI_03
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\MSUSBDisplay.inf" "9" "410771dbb" "00000000000001B0" "WinSta0\Default" "00000000000001B4" "208" "C:\Program Files\MS USB Display\lib_usb"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7e09768-3410-4444-b1d2-e0b7886720f1} Global\{f21d5126-d58b-9449-be56-9c74edde3b9c} C:\Windows\System32\DriverStore\Temp\{d4cea893-464e-c84d-a474-130257eafc14}\MSUSBDisplay.inf C:\Windows\System32\DriverStore\Temp\{d4cea893-464e-c84d-a474-130257eafc14}\MSUSBDisplay.cat
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" dp_add "C:\Program Files\MS USB Display\lib_usb\MSUSBDisplay.inf" USB\VID_534D&PID_6021&MI_03
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" install "C:\Program Files\MS USB Display\idd\indirectdisplaybus\indirectdisplaybus.inf" root\IndirectDisplayBus
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{4f28a4ee-4f02-fd4b-b4ab-c641fe84e6a5}\indirectdisplaybus.inf" "9" "45a813563" "000000000000019C" "WinSta0\Default" "00000000000001AC" "208" "c:\program files\ms usb display\idd\indirectdisplaybus"
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem7.inf" "indirectdisplaybus.inf:c14ce884432a57a1:IndirectDisplayBus_Device:10.49.31.666:root\indirectdisplaybus," "45a813563" "000000000000019C"
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" update "C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\indirectdisplaydriver0.inf" MS\IddBus
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" update "C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\indirectdisplaydriver1.inf" MS\IddBus1
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" update "C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\indirectdisplaydriver2.inf" MS\IddBus2
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" restart =display
Source: C:\Program Files\MS USB Display\tool\x64\devcon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" install "C:\Program Files\MS USB Display\idd\indirectdisplaybus\indirectdisplaybus.inf" root\IndirectDisplayBus
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" update "C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\indirectdisplaydriver0.inf" MS\IddBus
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" update "C:\Program Files\MS USB Display\idd\indirectdisplaydriver1\indirectdisplaydriver1.inf" MS\IddBus1
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" update "C:\Program Files\MS USB Display\idd\indirectdisplaydriver2\indirectdisplaydriver2.inf" MS\IddBus2
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{8117b47f-4301-c348-a35a-e6484dccdb3c}\MSUSBDisplay.inf" "9" "410771dbb" "00000000000001B0" "WinSta0\Default" "00000000000001B4" "208" "C:\Program Files\MS USB Display\lib_usb"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{4f28a4ee-4f02-fd4b-b4ab-c641fe84e6a5}\indirectdisplaybus.inf" "9" "45a813563" "000000000000019C" "WinSta0\Default" "00000000000001AC" "208" "c:\program files\ms usb display\idd\indirectdisplaybus"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem7.inf" "indirectdisplaybus.inf:c14ce884432a57a1:IndirectDisplayBus_Device:10.49.31.666:root\indirectdisplaybus," "45a813563" "000000000000019C"
Source: C:\Windows\System32\drvinst.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c7e09768-3410-4444-b1d2-e0b7886720f1} Global\{f21d5126-d58b-9449-be56-9c74edde3b9c} C:\Windows\System32\DriverStore\Temp\{d4cea893-464e-c84d-a474-130257eafc14}\MSUSBDisplay.inf C:\Windows\System32\DriverStore\Temp\{d4cea893-464e-c84d-a474-130257eafc14}\MSUSBDisplay.cat
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Process created: C:\Program Files\MS USB Display\tool\x64\devcon.exe "C:\Program Files\MS USB Display\tool\x64\devcon.exe" restart =display

Source: C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Process:	C:\Users\user\AppData\Local\Temp\is-3SGKS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	298
Entropy (8bit):	4.709089164337212
Encrypted:	false
SSDEEP:
MD5:	7F4207EA1304993E8533B7A58F3A51B0
SHA1:	4BEB49C0869F6BA1E86033C5372A2F3DB3CC36C0
SHA-256:	EE8078A7D68D5F9B702C1F5E322D67227A6512E75247D9E950D497E753C62565
SHA-512:	63ACE6218308612522E86D4B925D51B4D3E7BD1E34D38662BD7C29F488AAF64EBE8B23D90A56235BE06FDB5E6D4151EAA86A2D617CCFCEA07414BF893AB75290
Malicious:	false
Reputation:	low
Preview:	If there is an exception in the program, feedback the file of WinUsbDisplay.log to technical support department .....1.The default location of this file is "C:\Users\xxx\AppData\Roaming\WinUsbDisplay\WinUsbDisplay.log"....2. you can also find the file of WinUsbDisplay.log by running logpath.bat...

Process:	C:\Users\user\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2633728
Entropy (8bit):	6.411321473236685
Encrypted:	false
SSDEEP:
MD5:	7EC9CFAB450831249D70152183B3E844
SHA1:	C98CF7641E799F17B784D74811DAC7600C4D4219
SHA-256:	664938FC6169E37700C45C0242006EDE97219AA0B873CC26C8DAF19647DBAA77
SHA-512:	DAC664E238B2251169E02C7BB939EC77E109B1CC211DF8B35ED3CB13A17339D1ACCBF7F9CC9E2450E8DA2800F4D1547BCF9B8525F953318AD31E5C542FCF4B4F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 7% Antivirus: Virustotal, Detection: 7%, Browse
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...L..\..................$..@........%.......%...@...........................)...........@......@...................@&.......%."6...p&.8....................................................`&.....................X.%.T....0&......................text.....$.......$................. ..`.itext...'....$..(....$............. ..`.data...T[....%..\....$.............@....bss.....u...p%..........................idata.."6....%..8...L%.............@....didata......0&.......%.............@....edata.......@&.......%.............@..@.tls....D....P&..........................rdata..]....`&.......%.............@..@.rsrc...8....p&.......%.............@..@..............'.......&.............@..@........................................................

File Type:	data
Category:	dropped
Size (bytes):	576
Entropy (8bit):	5.059635826240281
Encrypted:	false
SSDEEP:
MD5:	FD0EF31614A6FC085134F1301106DD00
SHA1:	C2D3C9CABC5E2CC4EE4B4DBC0FCB0E0F1BD3FDF5
SHA-256:	DF6CB483EE9217FC57376CA74FA2EB34EE8E90D51AAE6C376114B7D0080B834C
SHA-512:	02F2F1F88DDC5C271863DFCB717F127F0B8CE0CAF30B9531567D08831C1E42A765EBA25DF7BF1CD136CD9FAEFC70309F79908544AE72AA52F4D19088BB531BAA
Malicious:	false
Reputation:	low
Preview:	.6...AAAAAAA...AAAAA...A.A.A/ALAAAAAAAAAAAbA5AtA.!.AGA.A.bbA.A`A.].A%A.A...A AHA...AVA.A.n.AKA.A6d.A.A.A6.A~AEA...6.A.A..Ab.A...A...A...An.LA..bA...A..bA..#A..bA5..A...6#.qA.^tA..&A.5.6..A..bA..A...6`.~A.G.6N..A..bA2..A...A6#.A.-.A.#.A...A.#cA...6#.A.bA..A...An..A...A..A..bA..A. bA..A.tbA.SAA.AbA.S.A.6.AF..A.L.A`..A...AN.A...A..(A.}.A...A.1.A...A..A...A...AV..A..AQ.yA._.AE.MA...A\|.A...AU..A...6...A...6...A.?.6...A.H.A..A.9bAK.XA...A...A...A..DA..A...A.%bAZ.A.;b.q..A.#b...7A...Aw..A68.AAA.AtA.6...........................................................

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1748 "Signature", at 0x68 WinDirPath
Category:	dropped
Size (bytes):	7716
Entropy (8bit):	3.4489822560212957
Encrypted:	false
SSDEEP:
MD5:	6CEAEA33FCE6D6F6CF9F8FA4980D866A
SHA1:	A5D858E53D561DBC4F02EA9B2A4087611072C7FF
SHA-256:	AFE4ED85EB6DB63E4D63962AE7D3D5E62A7EA8195213D75695EF88869EB19499
SHA-512:	7976BE8DF145B21A0AF621C60FCD92A94BE0C39CD96AE49EA40F71D0C94A5F2C2BB12B64657A259A1DA1B201A2AD15FEAEFD09878EAAEBB3874DB491CFF5F787
Malicious:	false
Reputation:	low
Preview:	................2...H......f.c..........................,.......P...............h............... .......C.:.\.W.i.n.d.o.w.s.....0...................................................................................................P...............................................................................p...............\....................................................................................................................................................................... .......,...........................................................................4...............................................................................................................................T...................................H...........................................................`...................................................................@...d...............................................................................................................................

Entrypoint:	0x4a6ed0
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5CC7C54B [Tue Apr 30 03:47:23 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	eb5bc6ff6263b364dfbfb78bdb48ed59

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb5000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3000	0xf1c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0x19dc4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb7000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb32e0	0x240	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb4000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa47a0	0xa4800	False	0.35706568199088146	data	6.3889818358526504	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa6000	0x1668	0x1800	False	0.5400390625	data	5.901230511226496	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa8000	0x37a4	0x3800	False	0.36083984375	data	5.046702820762568	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xac000	0x676c	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb3000	0xf1c	0x1000	False	0.366455078125	data	4.879899770580934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb4000	0x1a4	0x200	False	0.345703125	data	2.712872162409855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb5000	0x9a	0x200	False	0.2578125	data	1.8895623989294017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb6000	0x18	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb7000	0x5d	0x200	False	0.189453125	data	1.3824199855691357	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0x19dc4	0x19e00	False	0.20505925422705315	data	5.5005810458446724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0xb85e8	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China
RT_ICON	0xb8c50	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China
RT_ICON	0xb8f38	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China
RT_ICON	0xb9060	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China
RT_ICON	0xb9f08	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China
RT_ICON	0xba7b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China
RT_ICON	0xbad18	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China
RT_ICON	0xcb540	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China
RT_ICON	0xcdae8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China
RT_ICON	0xceb90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China
RT_STRING	0xceff8	0x360	data
RT_STRING	0xcf358	0x260	data
RT_STRING	0xcf5b8	0x45c	data
RT_STRING	0xcfa14	0x40c	data
RT_STRING	0xcfe20	0x2d4	data
RT_STRING	0xd00f4	0xb8	data
RT_STRING	0xd01ac	0x9c	data
RT_STRING	0xd0248	0x374	data
RT_STRING	0xd05bc	0x398	data
RT_STRING	0xd0954	0x368	data
RT_STRING	0xd0cbc	0x2a4	data
RT_RCDATA	0xd0f60	0x10	data
RT_RCDATA	0xd0f70	0x2c4	data
RT_RCDATA	0xd1234	0x2c	data
RT_GROUP_ICON	0xd1260	0x92	data	Chinese	China
RT_VERSION	0xd12f4	0x52c	data	Chinese	China
RT_MANIFEST	0xd1820	0x5a4	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4539cc
__dbk_fcall_wrapper	2	0x40d3dc
dbkFCallWrapperAddr	1	0x4af63c

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MSDisplay_MultiDev_v1.0.0.18.0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Program Files\MS USB Display\Feedback Note.txt (copy)

C:\Program Files\MS USB Display\WinUsbDisplay.exe (copy)

C:\Program Files\MS USB Display\config.ini (copy)

C:\Program Files\MS USB Display\displayproxy\DisplayProxyKmd.inf (copy)

C:\Program Files\MS USB Display\displayproxy\displayproxy.cat (copy)

C:\Program Files\MS USB Display\displayproxy\is-7CVUF.tmp

C:\Program Files\MS USB Display\displayproxy\is-SOASQ.tmp

C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyKmd.sys (copy)

C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyUmd.dll (copy)

C:\Program Files\MS USB Display\displayproxy\x64\DisplayProxyUmd32.dll (copy)

C:\Program Files\MS USB Display\displayproxy\x64\is-E8IBG.tmp

C:\Program Files\MS USB Display\displayproxy\x64\is-V32EN.tmp

C:\Program Files\MS USB Display\displayproxy\x64\is-VL4BF.tmp

C:\Program Files\MS USB Display\displayproxy\x86\DisplayProxyKmd.sys (copy)

C:\Program Files\MS USB Display\displayproxy\x86\DisplayProxyUmd.dll (copy)

C:\Program Files\MS USB Display\displayproxy\x86\is-0QEAF.tmp

C:\Program Files\MS USB Display\displayproxy\x86\is-AVMSV.tmp

C:\Program Files\MS USB Display\idd\indirectdisplaybus\IndirectDisplayBus.inf (copy)

C:\Program Files\MS USB Display\idd\indirectdisplaybus\indirectdisplaybus.cat (copy)

C:\Program Files\MS USB Display\idd\indirectdisplaybus\is-6AV4H.tmp

C:\Program Files\MS USB Display\idd\indirectdisplaybus\is-KK37C.tmp

C:\Program Files\MS USB Display\idd\indirectdisplaybus\x64\IndirectDisplayBus.sys (copy)

C:\Program Files\MS USB Display\idd\indirectdisplaybus\x64\is-7F2TI.tmp

C:\Program Files\MS USB Display\idd\indirectdisplaybus\x86\IndirectDisplayBus.sys (copy)

C:\Program Files\MS USB Display\idd\indirectdisplaybus\x86\is-BBMUU.tmp

C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\IndirectDisplayDriver0.cat (copy)

C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\IndirectDisplayDriver0.inf (copy)

C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\is-U4EIA.tmp

C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\is-VF8R4.tmp

C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x64\indirectdisplaydriver0.dll (copy)

C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x64\is-KHGPI.tmp

C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x86\indirectdisplaydriver0.dll (copy)

C:\Program Files\MS USB Display\idd\indirectdisplaydriver0\x86\is-2TVU1.tmp

Windows Analysis Report
MSDisplay_MultiDev_v1.0.0.18.0.exe

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre