File name:

DisplayLink Support Tool for Windows.exe

Full analysis: https://app.any.run/tasks/11bafa55-1524-45a9-b89e-e3699a0a409b
Verdict: Malicious activity
Analysis date: June 26, 2024, 09:50:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: upx
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 0BC1C5E4115C2284E13C60E43DF3A288
SHA1: 86378C10971FE48D32187CAA78B0249BED5FE0FC
SHA256: E3FF349D256ABD70FBB1D0844EF562E9752112C179C2BBA9609329DAED6C0AE7
SSDEEP: 49152:auCqXG8KCrfYW5VkvdRbZSW40mE1ylntFzi36nPt6qSL7o4eUYmbs2gVhYM0RyVq:75Drp5VkvdRxpmEYntFe3kP/SL7o4VYW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • DisplayLink Support Tool for Windows.exe (PID: 3392)
      • DisplayLink Support Tool for Windows.exe (PID: 2748)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • DisplayLink Support Tool for Windows.exe (PID: 3392)
      • DisplayLink Support Tool for Windows.exe (PID: 2748)
    • Application launched itself

      • DisplayLink Support Tool for Windows.exe (PID: 3392)
    • Reads the Internet Settings

      • DisplayLink Support Tool for Windows.exe (PID: 3392)
      • DisplayLink Support Tool for Windows.exe (PID: 2748)
    • Detected use of alternative data streams (AltDS)

      • DisplayLink Support Tool for Windows.exe (PID: 2748)
    • Executable content was dropped or overwritten

      • DisplayLink Support Tool for Windows.exe (PID: 2748)
    • Starts CMD.EXE for commands execution

      • DisplayLink Support Tool for Windows.exe (PID: 2748)
    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 3360)
      • cmd.exe (PID: 2308)
    • The executable file from the user directory is run by the CMD process

      • USBDeview.exe (PID: 3484)
      • DevManView.exe (PID: 2864)
      • DevManView.exe (PID: 2532)
      • USBDeview.exe (PID: 2008)
    • Creates/Modifies COM task schedule object

      • dxdiag.exe (PID: 1616)
    • Reads settings of System Certificates

      • dxdiag.exe (PID: 1616)
    • Process uses IPCONFIG to discover network configuration

      • cmd.exe (PID: 312)
    • Uses RUNDLL32.EXE to load library

      • DisplayLink Support Tool for Windows.exe (PID: 2748)
  • INFO

    • Checks supported languages

      • DisplayLink Support Tool for Windows.exe (PID: 3392)
      • DisplayLink Support Tool for Windows.exe (PID: 2748)
      • DlCompatCheck.exe (PID: 2100)
      • DlCompatCheck.exe (PID: 1044)
      • msiexec.exe (PID: 3692)
      • USBDeview.exe (PID: 3484)
      • DevManView.exe (PID: 2864)
    • Reads mouse settings

      • DisplayLink Support Tool for Windows.exe (PID: 3392)
      • DisplayLink Support Tool for Windows.exe (PID: 2748)
    • Reads the computer name

      • DisplayLink Support Tool for Windows.exe (PID: 3392)
      • DisplayLink Support Tool for Windows.exe (PID: 2748)
      • DlCompatCheck.exe (PID: 2100)
      • DlCompatCheck.exe (PID: 1044)
      • msiexec.exe (PID: 3692)
      • USBDeview.exe (PID: 3484)
      • DevManView.exe (PID: 2864)
    • Reads the machine GUID from the registry

      • DisplayLink Support Tool for Windows.exe (PID: 2748)
      • msiexec.exe (PID: 3692)
    • Create files in a temporary directory

      • DisplayLink Support Tool for Windows.exe (PID: 2748)
      • DlCompatCheck.exe (PID: 2100)
      • DlCompatCheck.exe (PID: 1044)
    • UPX packer has been detected

      • DisplayLink Support Tool for Windows.exe (PID: 2748)
    • Reads CPU info

      • DisplayLink Support Tool for Windows.exe (PID: 2748)
    • Reads Environment values

      • DisplayLink Support Tool for Windows.exe (PID: 2748)
    • Checks Windows language

      • DisplayLink Support Tool for Windows.exe (PID: 2748)
    • NirSoft software is detected

      • DevManView.exe (PID: 2864)
      • USBDeview.exe (PID: 3484)
      • USBDeview.exe (PID: 2008)
      • DevManView.exe (PID: 2532)
    • Reads the software policy settings

      • dxdiag.exe (PID: 1616)
    • Reads security settings of Internet Explorer

      • dxdiag.exe (PID: 1616)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:10:13 10:20:42+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 356352
InitializedDataSize: 1228800
UninitializedDataSize: 1757184
EntryPoint: 0x2041f0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.1.33
ProductVersionNumber: 3.3.14.5
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
FileVersion: 1.0.1.33
Comments: http://www.autoitscript.com/autoit3/
FileDescription: DisplayLink Support Tool
ProductVersion: 3.3.14.5
LegalCopyright: DisplayLink
No data.
Total processes: 104
Monitored processes: 41
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes in the order they appear in the graph (THREAT marks the one node flagged as malicious; the remaining nodes carried no signature hits):
displaylink support tool for windows.exe, displaylink support tool for windows.exe (THREAT), dlcompatcheck.exe, dlcompatcheck.exe, cmd.exe, powercfg.exe, msiexec.exe, cmd.exe, usbdeview.exe, cmd.exe, devmanview.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, dispdiag.exe, dxdiag.exe, cmd.exe, ipconfig.exe, rundll32.exe, dlcompatcheck.exe, cmd.exe, powercfg.exe, cmd.exe, usbdeview.exe, cmd.exe, devmanview.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, dispdiag.exe, dxdiag.exe

Process information

PID: 312
CMD: C:\Windows\system32\cmd.exe /c ipconfig /all >> "C:\Users\admin\Desktop\DisplayLink Support Files\DL_Windows_Logs_20240626_105104"\Network_Statistics.txt
Path: C:\Windows\System32\cmd.exe
Parent process: DisplayLink Support Tool for Windows.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 656
CMD: C:\Windows\system32\reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Connectivity" "C:\Users\admin\Desktop\DisplayLink Support Files\DL_Windows_Logs_20240626_105104\HKLM_Connectivity.txt"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 880
CMD: C:\Windows\system32\reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Connectivity" "C:\Users\admin\Desktop\DisplayLink Support Files\DL_Windows_Logs_20240626_105219\HKLM_Connectivity.txt"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1044
CMD: C:\Users\admin\AppData\Local\Temp\DlCompatCheck.exe -f C:\Users\admin\AppData\Local\Temp\DLCompatibilityProblems.log
Path: C:\Users\admin\AppData\Local\Temp\DlCompatCheck.exe
Parent process: DisplayLink Support Tool for Windows.exe
User: admin
Company: DisplayLink Corp.
Integrity Level: HIGH
Description: DlCompatCheck Application
Exit code: 1
Version: 7, 9, 595, 0
Modules (images):
c:\users\admin\appdata\local\temp\dlcompatcheck.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll

PID: 1596
CMD: C:\Windows\system32\reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration" "C:\Users\admin\Desktop\DisplayLink Support Files\DL_Windows_Logs_20240626_105104\HKLM_Configuration.txt"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 1616
CMD: dxdiag.exe /whql:off /t C:\Users\admin\Desktop\DisplayLink Support Files\DL_Windows_Logs_20240626_105104\dxdiag.txt
Path: C:\Windows\System32\dxdiag.exe
Parent process: DisplayLink Support Tool for Windows.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft DirectX Diagnostic Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dxdiag.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 1756
CMD: C:\Windows\system32\dispdiag.exe -out "C:\Users\admin\Desktop\DisplayLink Support Files\DL_Windows_Logs_20240626_105219\dispdiag.dat"
Path: C:\Windows\System32\dispdiag.exe
Parent process: DisplayLink Support Tool for Windows.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Display Diagnostics
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1828
CMD: cmd /c C:\Users\admin\AppData\Local\Temp\nirsoft\USBDeview.exe /shtml USBDeview.html /DisplayDisconnected 0 /DisplayHubs 1 /RetrieveUSBPower 1
Path: C:\Windows\System32\cmd.exe
Parent process: DisplayLink Support Tool for Windows.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1832
CMD: dxdiag.exe /whql:off /t C:\Users\admin\Desktop\DisplayLink Support Files\DL_Windows_Logs_20240626_105219\dxdiag.txt
Path: C:\Windows\System32\dxdiag.exe
Parent process: DisplayLink Support Tool for Windows.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft DirectX Diagnostic Tool
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2008
CMD: C:\Users\admin\AppData\Local\Temp\nirsoft\USBDeview.exe /shtml USBDeview.html /DisplayDisconnected 0 /DisplayHubs 1 /RetrieveUSBPower 1
Path: C:\Users\admin\AppData\Local\Temp\nirsoft\USBDeview.exe
Parent process: cmd.exe
User: admin
Company: NirSoft
Integrity Level: HIGH
Description: Lists USB Devices
Exit code: 0
Version: 2.42
Total events: 15 843
Read events: 15 351
Write events: 476
Delete events: 16

Modification events

Process: DisplayLink Support Tool for Windows.exe (PID 3392)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: DisplayLink Support Tool for Windows.exe (PID 3392)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: DisplayLink Support Tool for Windows.exe (PID 3392)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: DisplayLink Support Tool for Windows.exe (PID 3392)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: DlCompatCheck.exe (PID 2100)
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation: write
Name: setupapi.app.log
Value: 4096

Process: powercfg.exe (PID 3584)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: powercfg.exe (PID 3584)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @%SystemRoot%\system32\powrprof.dll,-15
Value: Balanced

Process: powercfg.exe (PID 3584)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @%SystemRoot%\system32\powrprof.dll,-103
Value: Require a password on wakeup

Process: powercfg.exe (PID 3584)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @%SystemRoot%\system32\powrprof.dll,-118
Value: No

Process: powercfg.exe (PID 3584)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: @%SystemRoot%\system32\powrprof.dll,-123
Value: Yes
Executable files: 6
Suspicious files: 51
Text files: 23
Unknown types: 0

Dropped files

PID: 2748
Process: DisplayLink Support Tool for Windows.exe
Filename: C:\Users\admin\Desktop\DisplayLink Support Files\DL_Windows_Logs_20240626_105104\DlCompatCheck.log
Type: text
MD5: 844098483AD75D79CE9067DD15C5C97D
SHA256: 549220442E63F7BB0C9B1923633E728A1EA60FACBD7E1F92A9B1B1F313030C88

PID: 2748
Process: DisplayLink Support Tool for Windows.exe
Filename: C:\Users\admin\AppData\Local\Temp\autE599.tmp
Type: image
MD5: 2659D3A035F1C99E61B8EB4D52EBAC9D
SHA256: D0E4ACEB246F58FAA81A7A87EA79935C87BADFB25C6505BC7082237E104EF063

PID: 2748
Process: DisplayLink Support Tool for Windows.exe
Filename: C:\Users\admin\AppData\Local\Temp\DisplayLink_SMALL.jpg
Type: image
MD5: 2659D3A035F1C99E61B8EB4D52EBAC9D
SHA256: D0E4ACEB246F58FAA81A7A87EA79935C87BADFB25C6505BC7082237E104EF063

PID: 2100
Process: DlCompatCheck.exe
Filename: C:\Windows\INF\setupapi.app.log
Type: text
MD5: A17FB7B3130EF48FD499D78EB5631BDC
SHA256: B16E3251AF264C86761160392E3543038A5292D40226C7289865AAE24EBC09C6

PID: 2748
Process: DisplayLink Support Tool for Windows.exe
Filename: C:\Users\admin\Desktop\DisplayLink Support Files\DL_Windows_Logs_20240626_105104\System_Details.txt
Type: text
MD5: 5A2C049056977C76D6B4C3D11D9C1A99
SHA256: 82A860334734A173048965259DBB95EC1F1B3F6C4F3D5DBE045A134BC49FE60A

PID: 2748
Process: DisplayLink Support Tool for Windows.exe
Filename: C:\Users\admin\AppData\Local\Temp\DlCompatCheck.exe
Type: executable
MD5: AE938BAE9D5095D766B37C41E8A3B87B
SHA256: 1456F7E3A66923551D13D4343DE8F32D4195F0714B43E4C066BF8E5B8217B6C3

PID: 2748
Process: DisplayLink Support Tool for Windows.exe
Filename: C:\Users\admin\AppData\Local\Temp\autF22D.tmp
Type: binary
MD5: B270D09386196C2578FE5780FD39999D
SHA256: 40159172678628F1FB91801874A6F801081F17125F8F78578349298AE92DA64A

PID: 2100
Process: DlCompatCheck.exe
Filename: C:\Users\admin\AppData\Local\Temp\DlCompatCheck.log
Type: text
MD5: 41E790EFDC6117F8AA26BA88ACFBBCF8
SHA256: E77AE83B37233922671165B3DE3500FC5186126EF15E314AC4FA74F0C36266E6

PID: 2748
Process: DisplayLink Support Tool for Windows.exe
Filename: C:\Users\admin\AppData\Local\Temp\nirsoft\DevManView.exe
Type: executable
MD5: 54B5D67F7F9CFD8AAA372B9DED7DD2C1
SHA256: A25DA6EBA384B23DA9C9DF68B1BD30A9E4281D6E597AE89F348203E2B706C74D

PID: 2748
Process: DisplayLink Support Tool for Windows.exe
Filename: C:\Users\admin\AppData\Local\Temp\nirsoft\DevManView.chm
Type: chm
MD5: 3AF895E450BD9647B3915B3C0751EA35
SHA256: 3F14C08223BE88C86DB564CD84396E5A5D5250EB240150BCEAB2A5D2FB977CFE
HTTP(S) requests: 4
TCP/UDP connections: 12
DNS requests: 4
Threats: 0

HTTP requests

(Columns: PID | Process | Method | HTTP code | IP | URL | CN | Reputation. The Type and Size columns are empty for every row in this report.)

1372 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1372 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1060 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75 | unknown | unknown

Connections

(Columns: PID | Process | IP | Domain | ASN | CN | Reputation. Rows with no resolved domain carry only PID, process, IP and reputation.)

1372 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | unknown
2564 | svchost.exe | 239.255.255.250:3702 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1372 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
1060 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

DNS requests

(Columns: Domain | IP | Reputation)

settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172 | whitelisted
crl.microsoft.com | 2.16.241.12, 2.16.241.19 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted

Threats

No threats detected
No debug info