File name:

MSDisplay_MultiDev_v1.0.0.18.0.exe

Full analysis: https://app.any.run/tasks/55f1a350-e550-4760-8cdf-d3b3fa07928a
Verdict: Malicious activity
Analysis date: October 25, 2023, 20:18:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F505CBCAB0670A376C866DE177A5C097

SHA1:

18DED789BC554FDA5941AA2707DF9A78DE44C7C5

SHA256:

7BE04791DF7CC79FC8427098BF9E3C11206E54D2D613D470E4B4D5855451E816

SSDEEP:

49152:jNJb0uRDKiHjoapN8J827nsjoRf8HIjkpr6PbdVKeO3dFIyKc+Kq:joKDfD4827MoRf8HnUdyd+yKn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3908)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 1840)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3684)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 2976)
      • devcon.exe (PID: 4072)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
      • drvinst.exe (PID: 3692)
      • devcon.exe (PID: 3560)
      • drvinst.exe (PID: 3044)
      • drvinst.exe (PID: 2636)
      • devcon.exe (PID: 3692)
      • drvinst.exe (PID: 2372)
      • unins000.exe (PID: 2424)
      • drvinst.exe (PID: 2556)

    • Creates a writable file the system directory

      • drvinst.exe (PID: 3692)
      • drvinst.exe (PID: 2636)
      • drvinst.exe (PID: 3044)
      • drvinst.exe (PID: 2372)
      • drvinst.exe (PID: 2556)

    • Application was dropped or rewritten from another process

      • devcon.exe (PID: 4072)
      • devcon.exe (PID: 3692)
      • devcon.exe (PID: 3560)
      • WinUsbDisplay.exe (PID: 3300)
      • WinUsbDisplay.exe (PID: 2104)
      • WinUsbDisplay.exe (PID: 3220)
      • unins000.exe (PID: 3572)
      • unins000.exe (PID: 2424)
      • _iu14D2N.tmp (PID: 2768)
      • unins000.exe (PID: 3068)
      • WinUsbDisplay.exe (PID: 1848)
      • devcon.exe (PID: 2460)
      • unins000.exe (PID: 3328)

    • Loads dropped or rewritten executable

      • WinUsbDisplay.exe (PID: 1848)
      • WinUsbDisplay.exe (PID: 3300)
      • WinUsbDisplay.exe (PID: 2104)
      • WinUsbDisplay.exe (PID: 3220)

  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 1232)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
      • _iu14D2N.tmp (PID: 2768)

    • Process drops legitimate windows executable

      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)

    • The process drops C-runtime libraries

      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)

    • Drops a system driver (possible attempt to evade defenses)

      • devcon.exe (PID: 4072)
      • drvinst.exe (PID: 3692)
      • devcon.exe (PID: 3560)
      • drvinst.exe (PID: 3044)
      • drvinst.exe (PID: 2636)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
      • devcon.exe (PID: 3692)
      • drvinst.exe (PID: 2372)
      • drvinst.exe (PID: 2556)

    • Creates files in the driver directory

      • drvinst.exe (PID: 3692)
      • drvinst.exe (PID: 3044)
      • drvinst.exe (PID: 2636)
      • drvinst.exe (PID: 2372)
      • drvinst.exe (PID: 2556)

    • Checks Windows Trust Settings

      • drvinst.exe (PID: 3692)
      • devcon.exe (PID: 3560)
      • drvinst.exe (PID: 2636)
      • drvinst.exe (PID: 3044)
      • devcon.exe (PID: 3692)
      • drvinst.exe (PID: 2372)
      • drvinst.exe (PID: 2556)

    • Executes as Windows Service

      • VSSVC.exe (PID: 2888)

    • Reads settings of System Certificates

      • rundll32.exe (PID: 2476)
      • devcon.exe (PID: 3560)
      • devcon.exe (PID: 3692)
      • rundll32.exe (PID: 3384)
      • sipnotify.exe (PID: 1588)

    • Reads security settings of Internet Explorer

      • devcon.exe (PID: 3560)
      • devcon.exe (PID: 3692)

    • Reads the Internet Settings

      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
      • sipnotify.exe (PID: 1588)

    • Application launched itself

      • WinUsbDisplay.exe (PID: 1848)
      • unins000.exe (PID: 3572)

    • The process executes via Task Scheduler

      • sipnotify.exe (PID: 1588)

    • Starts itself from another location

      • unins000.exe (PID: 2424)

    • Starts application with an unusual extension

      • unins000.exe (PID: 2424)

  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 1620)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 1232)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3204)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
      • devcon.exe (PID: 4072)
      • drvinst.exe (PID: 3692)
      • devcon.exe (PID: 3560)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 568)
      • drvinst.exe (PID: 3044)
      • drvinst.exe (PID: 2636)
      • devcon.exe (PID: 3692)
      • drvinst.exe (PID: 2372)
      • drvinst.exe (PID: 2556)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3684)
      • WinUsbDisplay.exe (PID: 1848)
      • IMEKLMG.EXE (PID: 464)
      • IMEKLMG.EXE (PID: 316)
      • WinUsbDisplay.exe (PID: 2104)
      • wmpnscfg.exe (PID: 3616)
      • wmpnscfg.exe (PID: 4044)
      • wmpnscfg.exe (PID: 2276)
      • wmpnscfg.exe (PID: 3980)
      • unins000.exe (PID: 3572)
      • unins000.exe (PID: 2424)
      • _iu14D2N.tmp (PID: 2768)
      • unins000.exe (PID: 3328)
      • devcon.exe (PID: 2460)
      • unins000.exe (PID: 3068)

    • Create files in a temporary directory

      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 1840)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3908)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3684)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 2976)
      • devcon.exe (PID: 4072)
      • devcon.exe (PID: 3560)
      • devcon.exe (PID: 3692)
      • unins000.exe (PID: 2424)

    • Checks supported languages

      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3204)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3908)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 1232)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3684)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 1840)
      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 2976)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 568)
      • wmpnscfg.exe (PID: 1620)
      • devcon.exe (PID: 4072)
      • drvinst.exe (PID: 3692)
      • devcon.exe (PID: 3560)
      • drvinst.exe (PID: 3044)
      • drvinst.exe (PID: 2636)
      • drvinst.exe (PID: 2372)
      • devcon.exe (PID: 3692)
      • drvinst.exe (PID: 2556)
      • devcon.exe (PID: 2460)
      • WinUsbDisplay.exe (PID: 1848)
      • IMEKLMG.EXE (PID: 464)
      • WinUsbDisplay.exe (PID: 3300)
      • IMEKLMG.EXE (PID: 316)
      • WinUsbDisplay.exe (PID: 2104)
      • wmpnscfg.exe (PID: 3616)
      • wmpnscfg.exe (PID: 4044)
      • wmpnscfg.exe (PID: 2276)
      • WinUsbDisplay.exe (PID: 3220)
      • wmpnscfg.exe (PID: 3980)
      • unins000.exe (PID: 3572)
      • unins000.exe (PID: 2424)
      • _iu14D2N.tmp (PID: 2768)
      • unins000.exe (PID: 3328)
      • unins000.exe (PID: 3068)

    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 1620)
      • devcon.exe (PID: 4072)
      • drvinst.exe (PID: 3692)
      • devcon.exe (PID: 3560)
      • drvinst.exe (PID: 2636)
      • drvinst.exe (PID: 3044)
      • devcon.exe (PID: 3692)
      • drvinst.exe (PID: 2372)
      • drvinst.exe (PID: 2556)
      • wmpnscfg.exe (PID: 3616)
      • wmpnscfg.exe (PID: 4044)
      • wmpnscfg.exe (PID: 2276)
      • wmpnscfg.exe (PID: 3980)

    • Application was dropped or rewritten from another process

      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3204)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 568)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 1232)

    • Creates files in the program directory

      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
      • WinUsbDisplay.exe (PID: 1848)

    • Creates files or folders in the user directory

      • MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 3840)
      • WinUsbDisplay.exe (PID: 1848)

    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 2476)
      • rundll32.exe (PID: 3384)
      • sipnotify.exe (PID: 1588)

    • Manual execution by a user

      • MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 3684)
      • IMEKLMG.EXE (PID: 464)
      • WinUsbDisplay.exe (PID: 2104)
      • IMEKLMG.EXE (PID: 316)
      • wmpnscfg.exe (PID: 3616)
      • wmpnscfg.exe (PID: 4044)
      • wmpnscfg.exe (PID: 2276)
      • explorer.exe (PID: 2304)
      • cmd.exe (PID: 3944)
      • wmpnscfg.exe (PID: 3980)
      • WinUsbDisplay.exe (PID: 3220)
      • explorer.exe (PID: 2164)
      • unins000.exe (PID: 3572)
      • unins000.exe (PID: 3328)
      • control.exe (PID: 2880)

    • Process checks are UAC notifies on

      • IMEKLMG.EXE (PID: 464)
      • IMEKLMG.EXE (PID: 316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

ProductVersion: 1.0.0.18.0
ProductName: MS USB Display
OriginalFileName:
LegalCopyright: Copyright © MS 2020
FileVersion: 1.0.0.18.0
FileDescription: MS USB Display Setup
CompanyName: MS
Comments: ´Ë°²×°³ÌÐòÓÉ Inno Setup ¹¹½¨¡£
CharacterSet: ASCII
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.18
FileVersionNumber: 1.0.0.18
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: 6
OSVersion: 6
EntryPoint: 0xa6ed0
UninitializedDataSize: -
InitializedDataSize: 125952
CodeSize: 679936
LinkerVersion: 2.25
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
TimeStamp: 2019:04:30 03:47:23+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
148
Monitored processes
43
Malicious processes
24
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start msdisplay_multidev_v1.0.0.18.0.exe no specs msdisplay_multidev_v1.0.0.18.0.tmp no specs msdisplay_multidev_v1.0.0.18.0.exe msdisplay_multidev_v1.0.0.18.0.tmp no specs msdisplay_multidev_v1.0.0.18.0.exe no specs msdisplay_multidev_v1.0.0.18.0.tmp no specs msdisplay_multidev_v1.0.0.18.0.exe msdisplay_multidev_v1.0.0.18.0.tmp no specs devcon.exe no specs drvinst.exe no specs rundll32.exe no specs vssvc.exe no specs devcon.exe no specs drvinst.exe no specs rundll32.exe no specs drvinst.exe no specs devcon.exe no specs drvinst.exe no specs rundll32.exe no specs drvinst.exe no specs devcon.exe no specs winusbdisplay.exe no specs winusbdisplay.exe no specs sipnotify.exe no specs imeklmg.exe no specs imeklmg.exe no specs winusbdisplay.exe no specs wmpnscfg.exe no specs wmpnscfg.exe no specs wmpnscfg.exe no specs cmd.exe no specs netstat.exe no specs explorer.exe no specs winusbdisplay.exe no specs wmpnscfg.exe no specs explorer.exe no specs unins000.exe no specs unins000.exe _iu14d2n.tmp no specs unins000.exe no specs control.exe no specs unins000.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
316"C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /LogC:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office IME 2010
Exit code:
1
Version:
14.0.4734.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\userenv.dll
464"C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /LogC:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office IME 2010
Exit code:
1
Version:
14.0.4734.1000
Modules
Images
c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\userenv.dll
c:\windows\system32\usp10.dll
568"C:\Users\admin\AppData\Local\Temp\is-BHQKU.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$1101CA,2556185,806912,C:\Users\admin\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe" C:\Users\admin\AppData\Local\Temp\is-BHQKU.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmpMSDisplay_MultiDev_v1.0.0.18.0.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-bhqku.tmp\msdisplay_multidev_v1.0.0.18.0.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1232"C:\Users\admin\AppData\Local\Temp\is-1SSRS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$B01D0,2556185,806912,C:\Users\admin\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe" /SPAWNWND=$1701A2 /NOTIFYWND=$5035E C:\Users\admin\AppData\Local\Temp\is-1SSRS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmpMSDisplay_MultiDev_v1.0.0.18.0.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup
Exit code:
2
Version:
1.0.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\is-1ssrs.tmp\msdisplay_multidev_v1.0.0.18.0.tmp
c:\windows\system32\kernel32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
1588C:\Windows\system32\sipnotify.exe -LogonOrUnlockC:\Windows\System32\sipnotify.exetaskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
sipnotify
Exit code:
0
Version:
6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules
Images
c:\windows\system32\sipnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
1620"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
1840"C:\Users\admin\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe" /SPAWNWND=$1701A2 /NOTIFYWND=$5035E C:\Users\admin\Desktop\MSDisplay_MultiDev_v1.0.0.18.0.exe
MSDisplay_MultiDev_v1.0.0.18.0.tmp
User:
admin
Company:
MS
Integrity Level:
HIGH
Description:
MS USB Display Setup
Exit code:
2
Version:
1.0.0.18.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\users\admin\desktop\msdisplay_multidev_v1.0.0.18.0.exe
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
1848"C:\Program Files\MS USB Display\WinUsbDisplay.exe" firstinstallC:\Program Files\MS USB Display\WinUsbDisplay.exeMSDisplay_MultiDev_v1.0.0.18.0.tmp
User:
admin
Company:
MS
Integrity Level:
HIGH
Description:
Windows USB Display
Exit code:
0
Version:
1.0.0.7
Modules
Images
c:\program files\ms usb display\winusbdisplay.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\winmm.dll
2064netstat -aonC:\Windows\System32\NETSTAT.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Netstat Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netstat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\iphlpapi.dll
2104"C:\Program Files\MS USB Display\WinUsbDisplay.exe" C:\Program Files\MS USB Display\WinUsbDisplay.exeexplorer.exe
User:
admin
Company:
MS
Integrity Level:
MEDIUM
Description:
Windows USB Display
Exit code:
0
Version:
1.0.0.7
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\ms usb display\winusbdisplay.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winmm.dll
Total events
42 564
Read events
42 072
Write events
458
Delete events
34

Modification events

(PID) Process:(1620) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{DBE651D6-5D94-4309-B0F6-C6B1C166D2F5}\{CC168C0C-46D7-4832-8542-C5F00ED61A27}
Operation:delete keyName:(default)
Value:
(PID) Process:(1620) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{DBE651D6-5D94-4309-B0F6-C6B1C166D2F5}
Operation:delete keyName:(default)
Value:
(PID) Process:(1620) wmpnscfg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{30FDD517-EE35-48A0-BBB7-88CECA095FBA}
Operation:delete keyName:(default)
Value:
(PID) Process:(1232) MSDisplay_MultiDev_v1.0.0.18.0.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:Sequence
Value:
1
(PID) Process:(1232) MSDisplay_MultiDev_v1.0.0.18.0.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:SessionHash
Value:
AE49ED7C02010598DFBDA64346A91C2DAAFDCD08FC885D5597F3977AF05A5365
(PID) Process:(1232) MSDisplay_MultiDev_v1.0.0.18.0.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:Owner
Value:
D004000096F229718007DA01
(PID) Process:(1232) MSDisplay_MultiDev_v1.0.0.18.0.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete keyName:(default)
Value:
(PID) Process:(4072) devcon.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3692) drvinst.exeKey:HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\178\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3692) drvinst.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1
Operation:writeName:Blob
Value:
7A000000010000000C000000300A06082B06010505070309190000000100000010000000CB9DD0FCEAAA492F75CE292C21BBFBDD53000000010000007E000000307C301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0301F06092B06010401A032010230123010060A2B0601040182373C0101030200C0301B060567810C010130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C00B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D0020005200360000006200000001000000200000002CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69140000000100000014000000AE6C05A39313E2A2E7E2D71CD6C7F07FC86753A01D0000000100000010000000521F5C98970D19A8E515EF6EEB6D48EF7F000000010000000C000000300A06082B060105050703097E00000001000000080000000000042BEB77D5010300000001000000140000008094640EB5A7A1CA119C1FDDD59F810263A7FBD10F0000000100000030000000EA09C51D4C3A334CE4ACD2BC08C6A9BE352E334F45C4FCCFCAB63EDB9F82DC87D4BD2ED2FADAE11163FB954809984FF1090000000100000056000000305406082B0601050507030206082B06010505070303060A2B0601040182370A030C060A2B0601040182370A030406082B0601050507030406082B0601050507030906082B0601050507030106082B06010505070308200000000100000087050000308205833082036BA003020102020E45E6BB038333C3856548E6FF4551300D06092A864886F70D01010C0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523631133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3134313231303030303030305A170D3334313231303030303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523631133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820222300D06092A864886F70D01010105000382020F003082020A02820201009507E873CA66F9EC14CA7B3CF70D08F1B4450B2C82B448C6EB5B3CAE83B841923314A46F7FE92ACCC6B0886BC5B689D1C6B2FF14CE511421EC4ADD1B5AC6D687EE4D3A1506ED64660B9280CA44DE73944EF3A7897F4F786308C812506D42662F4DB979284D521A8A1A80B719810E7EC48ABC644C211C4368D73D3C8AC5B266D5909AB73106C5BEE26D3206A61EF9B9EBAAA3B8BFBE826350D0F01889DFE40F79F5EAA21F2AD2702E7BE7BC93BB6D53E2487C8C100738FF66B277617EE0EA8C3CAAB4A4F6F3954A12076DFD8CB289CFD0A06177C85874B0D4233AF75D3ACAA2DB9D09DE5D442D90F181CD5792FA7EBC50046334DF6B9318BE6B36B239E4AC2436B7F0EFB61C135793B6DEB2F8E285B773A2B835AA45F2E09D36A16F548AF172566E2E88C55142441594EEA3C538969B4E4E5A0B47F30636497730BC7137E5A6EC210875FCE661163F77D5D99197840A6CD4024D74C014EDFD39FB83F25E14A104B00BE9FEEE8FE16E0BB208B36166096AB1063A659659C0F035FDC9DA288D1A118770810AA89A751D9E3A8605009EDB80D625F9DC059E27594C76395BEAF9A5A1D8830FD1FFDF3011F985CF3348F5CA6D64142C7A584FD34B0849C595641A630E793DF5B38CCA58AD9C4245796E0E87195C54B165B6BF8C9BDC13E90D6FB82EDC676EC98B11B584148A0019708379919791D41A27BF371E3207D814633C284CAF0203010001A3633061300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E04160414AE6C05A39313E2A2E7E2D71CD6C7F07FC86753A0301F0603551D23041830168014AE6C05A39313E2A2E7E2D71CD6C7F07FC86753A0300D06092A864886F70D01010C050003820201008325EDE8D1FD9552CD9EC004A09169E65CD084DEDCADA24FE84778D66598A95BA83C877C028AD16EB71673E65FC05498D574BEC1CDE21191AD23183DDDE1724496B4955EC07B8E99781643135657B3A2B33BB577DC4072ACA3EB9B353EB10821A1E7C443377932BEB5E79C2C4CBC4329998E30D3AC21E0E31DFAD80733765400222AB94D202E7068DAE553FC835CD39DF2FF440C4466F2D2E3BD46001A6D02BA255D8DA13151DD54461C4DDB9996EF1A1C045CA615EF78E079FE5DDB3EAA4C55FD9A15A96FE1A6FBDF7030E9C3EE4246EDC2930589FA7D637B3FD071817C00E898AE0E7834C325FBAF0A9F206BDD3B138F128CE2411A487A73A07769C7B65C7F82C81EFE581B282BA86CAD5E6DC005D27BB7EB80FE2537FE029B68AC425DC3EEF5CCDCF05075D236699CE67B04DF6E0669B6DE0A09485987EB7B14607A64AA6943EF91C74CEC18DD6CEF532D8C99E15EF2723ECF54C8BD67ECA40F4C45FFD3B93023074C8F10BF8696D9995AB499571CA4CCBB158953BA2C050FE4C49E19B11834D54C9DBAEDF71FAF24950478A803BBEE81E5DA5F7C8B4AA1907425A7B33E4BC82C56BDC7C8EF38E25C92F079F79C84BA742D6101207E7ED1F24F07595F8B2D4352EB460C94E1F566477977D5545B1FAD2437CB455A4EA04448C8D8B099C5158409F6D64949C065B8E61A716EA0A8F182E8453E6CD602D70A6783055AC9A410
Executable files
103
Suspicious files
85
Text files
15
Unknown types
4

Dropped files

PID
Process
Filename
Type
3908MSDisplay_MultiDev_v1.0.0.18.0.exeC:\Users\admin\AppData\Local\Temp\is-A2G8F.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmpexecutable
MD5:7EC9CFAB450831249D70152183B3E844
SHA256:664938FC6169E37700C45C0242006EDE97219AA0B873CC26C8DAF19647DBAA77
3684MSDisplay_MultiDev_v1.0.0.18.0.exeC:\Users\admin\AppData\Local\Temp\is-BHQKU.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmpexecutable
MD5:7EC9CFAB450831249D70152183B3E844
SHA256:664938FC6169E37700C45C0242006EDE97219AA0B873CC26C8DAF19647DBAA77
3840MSDisplay_MultiDev_v1.0.0.18.0.tmpC:\Program Files\MS USB Display\is-PHSOT.tmpexecutable
MD5:10BB929E9FD8B028738B46F4D3EA741E
SHA256:8817EAF691058E091E3A240547B74C3E396DAFF1312F66971274C1D30C55BDE1
3840MSDisplay_MultiDev_v1.0.0.18.0.tmpC:\Program Files\MS USB Display\libyuv.dllexecutable
MD5:1954CD248E65C7C5C2D3D93DD7F91604
SHA256:761EC2283460F3E641F9C815A015698B3EB77090808768A4BF3C17439CCD0018
2976MSDisplay_MultiDev_v1.0.0.18.0.exeC:\Users\admin\AppData\Local\Temp\is-AR1AL.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmpexecutable
MD5:7EC9CFAB450831249D70152183B3E844
SHA256:664938FC6169E37700C45C0242006EDE97219AA0B873CC26C8DAF19647DBAA77
3840MSDisplay_MultiDev_v1.0.0.18.0.tmpC:\Program Files\MS USB Display\libusb0.dllexecutable
MD5:A969E398CC9319DD9BD9EEDCAE288DA7
SHA256:3165D5E9212E9C4F009A594F67BD9E6D899B026CE1E3B0D6EBB994F423D6B1D1
3840MSDisplay_MultiDev_v1.0.0.18.0.tmpC:\Program Files\MS USB Display\is-3IK4E.tmpexecutable
MD5:1954CD248E65C7C5C2D3D93DD7F91604
SHA256:761EC2283460F3E641F9C815A015698B3EB77090808768A4BF3C17439CCD0018
3840MSDisplay_MultiDev_v1.0.0.18.0.tmpC:\Program Files\MS USB Display\WinUsbDisplay.exeexecutable
MD5:4AAB73E5792E49227E5843C0207E7BFD
SHA256:85AF24188A2040F61F008C50620835B9DDCEA0F4C1707447EC11002D55ED134E
3840MSDisplay_MultiDev_v1.0.0.18.0.tmpC:\Program Files\MS USB Display\is-A42P4.tmpimage
MD5:2098EF97358FBBDFAE0206BBCB4E2234
SHA256:DE96747834EF6ED07618AA7EB89F643444F3BA01140EED263468C08A0B7BF8FE
1840MSDisplay_MultiDev_v1.0.0.18.0.exeC:\Users\admin\AppData\Local\Temp\is-1SSRS.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmpexecutable
MD5:7EC9CFAB450831249D70152183B3E844
SHA256:664938FC6169E37700C45C0242006EDE97219AA0B873CC26C8DAF19647DBAA77
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD
200
23.214.232.9:80
http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133427423872340000
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2656
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
23.214.232.9:80
query.prod.cms.rt.microsoft.com
Reliance Jio Infocomm Limited
IN
unknown
239.255.255.250:1900
unknown

DNS requests

Domain
IP
Reputation
query.prod.cms.rt.microsoft.com
  • 23.214.232.9
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MSDisplay_MultiDev_v1.0.0.18.0.exe