| File name: | MSDisplay_MultiDev_v1.0.0.18.0.exe |
| Full analysis: | https://app.any.run/tasks/55f1a350-e550-4760-8cdf-d3b3fa07928a |
| Verdict: | Malicious activity |
| Analysis date: | October 25, 2023, 20:18:29 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | F505CBCAB0670A376C866DE177A5C097 |
| SHA1: | 18DED789BC554FDA5941AA2707DF9A78DE44C7C5 |
| SHA256: | 7BE04791DF7CC79FC8427098BF9E3C11206E54D2D613D470E4B4D5855451E816 |
| SSDEEP: | 49152:jNJb0uRDKiHjoapN8J827nsjoRf8HIjkpr6PbdVKeO3dFIyKc+Kq:joKDfD4827MoRf8HnUdyd+yKn |
MALICIOUS
Drops the executable file immediately after the start
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3908)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 1840)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3684)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 2976)
- devcon.exe (PID: 4072)
- drvinst.exe (PID: 3692)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
- devcon.exe (PID: 3560)
- drvinst.exe (PID: 3044)
- drvinst.exe (PID: 2636)
- devcon.exe (PID: 3692)
- drvinst.exe (PID: 2372)
- drvinst.exe (PID: 2556)
- unins000.exe (PID: 2424)
Creates a writable file the system directory
- drvinst.exe (PID: 3692)
- drvinst.exe (PID: 3044)
- drvinst.exe (PID: 2636)
- drvinst.exe (PID: 2372)
- drvinst.exe (PID: 2556)
Application was dropped or rewritten from another process
- devcon.exe (PID: 4072)
- devcon.exe (PID: 3560)
- devcon.exe (PID: 3692)
- devcon.exe (PID: 2460)
- WinUsbDisplay.exe (PID: 1848)
- WinUsbDisplay.exe (PID: 3300)
- WinUsbDisplay.exe (PID: 2104)
- WinUsbDisplay.exe (PID: 3220)
- unins000.exe (PID: 3572)
- unins000.exe (PID: 2424)
- _iu14D2N.tmp (PID: 2768)
- unins000.exe (PID: 3328)
- unins000.exe (PID: 3068)
Loads dropped or rewritten executable
- WinUsbDisplay.exe (PID: 1848)
- WinUsbDisplay.exe (PID: 3300)
- WinUsbDisplay.exe (PID: 3220)
- WinUsbDisplay.exe (PID: 2104)
SUSPICIOUS
Reads the Windows owner or organization settings
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 1232)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
- _iu14D2N.tmp (PID: 2768)
The process drops C-runtime libraries
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
Drops a system driver (possible attempt to evade defenses)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
- devcon.exe (PID: 4072)
- drvinst.exe (PID: 3692)
- devcon.exe (PID: 3560)
- drvinst.exe (PID: 2636)
- drvinst.exe (PID: 3044)
- devcon.exe (PID: 3692)
- drvinst.exe (PID: 2372)
- drvinst.exe (PID: 2556)
Process drops legitimate windows executable
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
Creates files in the driver directory
- drvinst.exe (PID: 3692)
- drvinst.exe (PID: 3044)
- drvinst.exe (PID: 2636)
- drvinst.exe (PID: 2372)
- drvinst.exe (PID: 2556)
Checks Windows Trust Settings
- drvinst.exe (PID: 3692)
- devcon.exe (PID: 3560)
- drvinst.exe (PID: 3044)
- drvinst.exe (PID: 2636)
- devcon.exe (PID: 3692)
- drvinst.exe (PID: 2372)
- drvinst.exe (PID: 2556)
Reads settings of System Certificates
- rundll32.exe (PID: 2476)
- devcon.exe (PID: 3560)
- devcon.exe (PID: 3692)
- rundll32.exe (PID: 3384)
- sipnotify.exe (PID: 1588)
Reads security settings of Internet Explorer
- devcon.exe (PID: 3560)
- devcon.exe (PID: 3692)
Executes as Windows Service
- VSSVC.exe (PID: 2888)
Reads the Internet Settings
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
- sipnotify.exe (PID: 1588)
Application launched itself
- WinUsbDisplay.exe (PID: 1848)
- unins000.exe (PID: 3572)
The process executes via Task Scheduler
- sipnotify.exe (PID: 1588)
Starts itself from another location
- unins000.exe (PID: 2424)
Starts application with an unusual extension
- unins000.exe (PID: 2424)
INFO
Checks supported languages
- wmpnscfg.exe (PID: 1620)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3908)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3204)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 1840)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 1232)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3684)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 2976)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 568)
- drvinst.exe (PID: 3692)
- devcon.exe (PID: 4072)
- devcon.exe (PID: 3560)
- drvinst.exe (PID: 3044)
- drvinst.exe (PID: 2636)
- devcon.exe (PID: 3692)
- drvinst.exe (PID: 2372)
- drvinst.exe (PID: 2556)
- devcon.exe (PID: 2460)
- WinUsbDisplay.exe (PID: 1848)
- IMEKLMG.EXE (PID: 464)
- IMEKLMG.EXE (PID: 316)
- WinUsbDisplay.exe (PID: 2104)
- WinUsbDisplay.exe (PID: 3300)
- wmpnscfg.exe (PID: 3616)
- wmpnscfg.exe (PID: 4044)
- wmpnscfg.exe (PID: 2276)
- wmpnscfg.exe (PID: 3980)
- unins000.exe (PID: 2424)
- WinUsbDisplay.exe (PID: 3220)
- unins000.exe (PID: 3572)
- unins000.exe (PID: 3328)
- unins000.exe (PID: 3068)
- _iu14D2N.tmp (PID: 2768)
Reads the computer name
- wmpnscfg.exe (PID: 1620)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3204)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 1232)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 568)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
- drvinst.exe (PID: 3692)
- devcon.exe (PID: 4072)
- drvinst.exe (PID: 3044)
- devcon.exe (PID: 3560)
- devcon.exe (PID: 3692)
- drvinst.exe (PID: 2636)
- drvinst.exe (PID: 2372)
- drvinst.exe (PID: 2556)
- devcon.exe (PID: 2460)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3684)
- WinUsbDisplay.exe (PID: 1848)
- IMEKLMG.EXE (PID: 464)
- IMEKLMG.EXE (PID: 316)
- WinUsbDisplay.exe (PID: 2104)
- wmpnscfg.exe (PID: 2276)
- wmpnscfg.exe (PID: 3616)
- wmpnscfg.exe (PID: 4044)
- wmpnscfg.exe (PID: 3980)
- unins000.exe (PID: 3572)
- unins000.exe (PID: 2424)
- _iu14D2N.tmp (PID: 2768)
- unins000.exe (PID: 3328)
- unins000.exe (PID: 3068)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 1620)
- drvinst.exe (PID: 3692)
- devcon.exe (PID: 4072)
- drvinst.exe (PID: 3044)
- devcon.exe (PID: 3560)
- drvinst.exe (PID: 2636)
- devcon.exe (PID: 3692)
- drvinst.exe (PID: 2372)
- drvinst.exe (PID: 2556)
- wmpnscfg.exe (PID: 3616)
- wmpnscfg.exe (PID: 4044)
- wmpnscfg.exe (PID: 2276)
- wmpnscfg.exe (PID: 3980)
Create files in a temporary directory
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3908)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 1840)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3684)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 2976)
- devcon.exe (PID: 4072)
- devcon.exe (PID: 3560)
- devcon.exe (PID: 3692)
- unins000.exe (PID: 2424)
Application was dropped or rewritten from another process
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3204)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 1232)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 568)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
Manual execution by a user
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3684)
- WinUsbDisplay.exe (PID: 2104)
- IMEKLMG.EXE (PID: 464)
- IMEKLMG.EXE (PID: 316)
- wmpnscfg.exe (PID: 4044)
- wmpnscfg.exe (PID: 2276)
- explorer.exe (PID: 2304)
- cmd.exe (PID: 3944)
- WinUsbDisplay.exe (PID: 3220)
- wmpnscfg.exe (PID: 3616)
- explorer.exe (PID: 2164)
- wmpnscfg.exe (PID: 3980)
- unins000.exe (PID: 3572)
- unins000.exe (PID: 3328)
- control.exe (PID: 2880)
Creates files in the program directory
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
- WinUsbDisplay.exe (PID: 1848)
Creates files or folders in the user directory
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
- WinUsbDisplay.exe (PID: 1848)
Reads security settings of Internet Explorer
- rundll32.exe (PID: 2476)
- rundll32.exe (PID: 3384)
- sipnotify.exe (PID: 1588)
Process checks are UAC notifies on
- IMEKLMG.EXE (PID: 316)
- IMEKLMG.EXE (PID: 464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (53.5) |
|---|---|---|
| .exe | | | InstallShield setup (21) |
| .exe | | | Win32 EXE PECompact compressed (generic) (20.2) |
| .exe | | | Win32 Executable (generic) (2.1) |
| .exe | | | Win16/32 Executable Delphi generic (1) |
EXIF
EXE
| ProductVersion: | 1.0.0.18.0 |
|---|---|
| ProductName: | MS USB Display |
| OriginalFileName: | |
| LegalCopyright: | Copyright © MS 2020 |
| FileVersion: | 1.0.0.18.0 |
| FileDescription: | MS USB Display Setup |
| CompanyName: | MS |
| Comments: | ´Ë°²×°³ÌÐòÓÉ Inno Setup ¹¹½¨¡£ |
| CharacterSet: | ASCII |
| LanguageCode: | Chinese (Simplified) |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 1.0.0.18 |
| FileVersionNumber: | 1.0.0.18 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 6 |
| ImageVersion: | 6 |
| OSVersion: | 6 |
| EntryPoint: | 0xa6ed0 |
| UninitializedDataSize: | - |
| InitializedDataSize: | 125952 |
| CodeSize: | 679936 |
| LinkerVersion: | 2.25 |
| PEType: | PE32 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| TimeStamp: | 2019:04:30 03:47:23+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
Total processes
148
Monitored processes
43
Malicious processes
24
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 316 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 464 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 568 | "C:\Users\admin\AppData\Local\Temp\is-BHQKU.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$1101CA,2556185,806912,C:\Users\admin\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe" | C:\Users\admin\AppData\Local\Temp\is-BHQKU.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp | — | MSDisplay_MultiDev_v1.0.0.18.0.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 1232 | "C:\Users\admin\AppData\Local\Temp\is-1SSRS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$B01D0,2556185,806912,C:\Users\admin\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe" /SPAWNWND=$1701A2 /NOTIFYWND=$5035E | C:\Users\admin\AppData\Local\Temp\is-1SSRS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp | — | MSDisplay_MultiDev_v1.0.0.18.0.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup Exit code: 2 Version: 1.0.0.0 Modules
| |||||||||||||||
| 1588 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | — | taskeng.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: sipnotify Exit code: 0 Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) Modules
| |||||||||||||||
| 1620 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1840 | "C:\Users\admin\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe" /SPAWNWND=$1701A2 /NOTIFYWND=$5035E | C:\Users\admin\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe | MSDisplay_MultiDev_v1.0.0.18.0.tmp | ||||||||||||
User: admin Company: MS Integrity Level: HIGH Description: MS USB Display Setup Exit code: 2 Version: 1.0.0.18.0 Modules
| |||||||||||||||
| 1848 | "C:\Program Files\MS USB Display\WinUsbDisplay.exe" firstinstall | C:\Program Files\MS USB Display\WinUsbDisplay.exe | — | MSDisplay_MultiDev_v1.0.0.18.0.tmp | |||||||||||
User: admin Company: MS Integrity Level: HIGH Description: Windows USB Display Exit code: 0 Version: 1.0.0.7 Modules
| |||||||||||||||
| 2064 | netstat -aon | C:\Windows\System32\NETSTAT.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2104 | "C:\Program Files\MS USB Display\WinUsbDisplay.exe" | C:\Program Files\MS USB Display\WinUsbDisplay.exe | — | explorer.exe | |||||||||||
User: admin Company: MS Integrity Level: MEDIUM Description: Windows USB Display Exit code: 0 Version: 1.0.0.7 Modules
| |||||||||||||||
Total events
42 564
Read events
42 072
Write events
458
Delete events
34
Modification events
| (PID) Process: | (1620) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{DBE651D6-5D94-4309-B0F6-C6B1C166D2F5}\{CC168C0C-46D7-4832-8542-C5F00ED61A27} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1620) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{DBE651D6-5D94-4309-B0F6-C6B1C166D2F5} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1620) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{30FDD517-EE35-48A0-BBB7-88CECA095FBA} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1232) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (1232) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | SessionHash |
Value: AE49ED7C02010598DFBDA64346A91C2DAAFDCD08FC885D5597F3977AF05A5365 | |||
| (PID) Process: | (1232) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Owner |
Value: D004000096F229718007DA01 | |||
| (PID) Process: | (1232) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4072) devcon.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3692) drvinst.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3692) drvinst.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 |
| Operation: | write | Name: | Blob |
Value: 7A000000010000000C000000300A06082B06010505070309190000000100000010000000CB9DD0FCEAAA492F75CE292C21BBFBDD53000000010000007E000000307C301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0301F06092B06010401A032010230123010060A2B0601040182373C0101030200C0301B060567810C010130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C00B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D0020005200360000006200000001000000200000002CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69140000000100000014000000AE6C05A39313E2A2E7E2D71CD6C7F07FC86753A01D0000000100000010000000521F5C98970D19A8E515EF6EEB6D48EF7F000000010000000C000000300A06082B060105050703097E00000001000000080000000000042BEB77D5010300000001000000140000008094640EB5A7A1CA119C1FDDD59F810263A7FBD10F0000000100000030000000EA09C51D4C3A334CE4ACD2BC08C6A9BE352E334F45C4FCCFCAB63EDB9F82DC87D4BD2ED2FADAE11163FB954809984FF1090000000100000056000000305406082B0601050507030206082B06010505070303060A2B0601040182370A030C060A2B0601040182370A030406082B0601050507030406082B0601050507030906082B0601050507030106082B06010505070308200000000100000087050000308205833082036BA003020102020E45E6BB038333C3856548E6FF4551300D06092A864886F70D01010C0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523631133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3134313231303030303030305A170D3334313231303030303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523631133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820222300D06092A864886F70D01010105000382020F003082020A02820201009507E873CA66F9EC14CA7B3CF70D08F1B4450B2C82B448C6EB5B3CAE83B841923314A46F7FE92ACCC6B0886BC5B689D1C6B2FF14CE511421EC4ADD1B5AC6D687EE4D3A1506ED64660B9280CA44DE73944EF3A7897F4F786308C812506D42662F4DB979284D521A8A1A80B719810E7EC48ABC644C211C4368D73D3C8AC5B266D5909AB73106C5BEE26D3206A61EF9B9EBAAA3B8BFBE826350D0F01889DFE40F79F5EAA21F2AD2702E7BE7BC93BB6D53E2487C8C100738FF66B277617EE0EA8C3CAAB4A4F6F3954A12076DFD8CB289CFD0A06177C85874B0D4233AF75D3ACAA2DB9D09DE5D442D90F181CD5792FA7EBC50046334DF6B9318BE6B36B239E4AC2436B7F0EFB61C135793B6DEB2F8E285B773A2B835AA45F2E09D36A16F548AF172566E2E88C55142441594EEA3C538969B4E4E5A0B47F30636497730BC7137E5A6EC210875FCE661163F77D5D99197840A6CD4024D74C014EDFD39FB83F25E14A104B00BE9FEEE8FE16E0BB208B36166096AB1063A659659C0F035FDC9DA288D1A118770810AA89A751D9E3A8605009EDB80D625F9DC059E27594C76395BEAF9A5A1D8830FD1FFDF3011F985CF3348F5CA6D64142C7A584FD34B0849C595641A630E793DF5B38CCA58AD9C4245796E0E87195C54B165B6BF8C9BDC13E90D6FB82EDC676EC98B11B584148A0019708379919791D41A27BF371E3207D814633C284CAF0203010001A3633061300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E04160414AE6C05A39313E2A2E7E2D71CD6C7F07FC86753A0301F0603551D23041830168014AE6C05A39313E2A2E7E2D71CD6C7F07FC86753A0300D06092A864886F70D01010C050003820201008325EDE8D1FD9552CD9EC004A09169E65CD084DEDCADA24FE84778D66598A95BA83C877C028AD16EB71673E65FC05498D574BEC1CDE21191AD23183DDDE1724496B4955EC07B8E99781643135657B3A2B33BB577DC4072ACA3EB9B353EB10821A1E7C443377932BEB5E79C2C4CBC4329998E30D3AC21E0E31DFAD80733765400222AB94D202E7068DAE553FC835CD39DF2FF440C4466F2D2E3BD46001A6D02BA255D8DA13151DD54461C4DDB9996EF1A1C045CA615EF78E079FE5DDB3EAA4C55FD9A15A96FE1A6FBDF7030E9C3EE4246EDC2930589FA7D637B3FD071817C00E898AE0E7834C325FBAF0A9F206BDD3B138F128CE2411A487A73A07769C7B65C7F82C81EFE581B282BA86CAD5E6DC005D27BB7EB80FE2537FE029B68AC425DC3EEF5CCDCF05075D236699CE67B04DF6E0669B6DE0A09485987EB7B14607A64AA6943EF91C74CEC18DD6CEF532D8C99E15EF2723ECF54C8BD67ECA40F4C45FFD3B93023074C8F10BF8696D9995AB499571CA4CCBB158953BA2C050FE4C49E19B11834D54C9DBAEDF71FAF24950478A803BBEE81E5DA5F7C8B4AA1907425A7B33E4BC82C56BDC7C8EF38E25C92F079F79C84BA742D6101207E7ED1F24F07595F8B2D4352EB460C94E1F566477977D5545B1FAD2437CB455A4EA04448C8D8B099C5158409F6D64949C065B8E61A716EA0A8F182E8453E6CD602D70A6783055AC9A410 | |||
Executable files
103
Suspicious files
85
Text files
15
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3840 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\unins000.exe | executable | |
MD5:DEF2E0EFA04057381F04119980D6D4E4 | SHA256:3E9EE9509BB992CFE08EF8605B2F10F0B633D8B26BF6D2DCC2C5D2C94F37A3D4 | |||
| 1840 | MSDisplay_MultiDev_v1.0.0.18.0.exe | C:\Users\admin\AppData\Local\Temp\is-1SSRS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp | executable | |
MD5:7EC9CFAB450831249D70152183B3E844 | SHA256:664938FC6169E37700C45C0242006EDE97219AA0B873CC26C8DAF19647DBAA77 | |||
| 3840 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\config.ini | text | |
MD5:AB5BD4D46AA4F19ED52961F81635AD76 | SHA256:A1C6CEDAB9EC5850C98D5FED2CB0A2253FBBCCA7B8C5974F57F34FBDE4DC3C3F | |||
| 3684 | MSDisplay_MultiDev_v1.0.0.18.0.exe | C:\Users\admin\AppData\Local\Temp\is-BHQKU.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp | executable | |
MD5:7EC9CFAB450831249D70152183B3E844 | SHA256:664938FC6169E37700C45C0242006EDE97219AA0B873CC26C8DAF19647DBAA77 | |||
| 3840 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\is-7AHED.tmp | text | |
MD5:AB5BD4D46AA4F19ED52961F81635AD76 | SHA256:A1C6CEDAB9EC5850C98D5FED2CB0A2253FBBCCA7B8C5974F57F34FBDE4DC3C3F | |||
| 3840 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\is-KCI3E.tmp | executable | |
MD5:4AAB73E5792E49227E5843C0207E7BFD | SHA256:85AF24188A2040F61F008C50620835B9DDCEA0F4C1707447EC11002D55ED134E | |||
| 3840 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\is-PHSOT.tmp | executable | |
MD5:10BB929E9FD8B028738B46F4D3EA741E | SHA256:8817EAF691058E091E3A240547B74C3E396DAFF1312F66971274C1D30C55BDE1 | |||
| 3840 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\WinUsbDisplay.exe | executable | |
MD5:4AAB73E5792E49227E5843C0207E7BFD | SHA256:85AF24188A2040F61F008C50620835B9DDCEA0F4C1707447EC11002D55ED134E | |||
| 3840 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\libyuv.dll | executable | |
MD5:1954CD248E65C7C5C2D3D93DD7F91604 | SHA256:761EC2283460F3E641F9C815A015698B3EB77090808768A4BF3C17439CCD0018 | |||
| 3840 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\is-0TJGG.tmp | executable | |
MD5:7EC9CFAB450831249D70152183B3E844 | SHA256:664938FC6169E37700C45C0242006EDE97219AA0B873CC26C8DAF19647DBAA77 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 200 | 23.214.232.9:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133427423872340000 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2656 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
— | — | 23.214.232.9:80 | query.prod.cms.rt.microsoft.com | Reliance Jio Infocomm Limited | IN | unknown |
— | — | 239.255.255.250:1900 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
query.prod.cms.rt.microsoft.com |
| whitelisted |