Edit tour

Windows Analysis Report
DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Overview

General Information

Sample name:	DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe
Analysis ID:	1538410
MD5:	dacc5eb0638261f3c44a3f0bd1cc5ea1
SHA1:	bb57e14f1df59b3ad73f388c7a37bd008b57f22f
SHA256:	680614bf60ff1f1f408e8457ff288ca8a22e1939ba5415fe0c9df082b04dd594
Infos:

Detection

Score:	29
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Compliance

Score:	49
Range:	0 - 100

Signatures

Tries to delay execution (extensive OutputDebugStringW loop)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the driver directory

Creates files inside the system directory

Creates processes with suspicious names

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Execution From GUID Like Folder Names

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64_ra

DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe (PID: 1388 cmdline: "C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe" MD5: DACC5EB0638261F3C44A3F0BD1CC5EA1)

additional.exe (PID: 6692 cmdline: "C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\" MD5: 1CFBB324EEB5BB5635F593AABC2CBAB5)

conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

DL6C3C.exe (PID: 6296 cmdline: DL6C3C.exe /exelang 2057 DL_INSTALL_AUDIO=Yes DL_NO_EULA=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{82526EEF-64FA-465A-9900-592AA20D44BD}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6D95.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror0 DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_VMM_FIRMWARE_INCLUDED="No" DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG" MD5: 3A6406BA15C24660FD43A91B81E6AB45)

DL6C3C.exe (PID: 6748 cmdline: "C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe" /i C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkIDD.msi /lv C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG AI_EUIMSI=1 APPDIR="C:\Program Files\DisplayLink Core Software" M_DIR="C:\ProgramData\Microsoft" SECONDSEQUENCE="1" CLIENTPROCESSID="6296" AI_MORE_CMD_LINE=1 MD5: 3A6406BA15C24660FD43A91B81E6AB45)

msiexec.exe (PID: 4872 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6628 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 94024F9F8BD1D3638DCAEE8B74C7EA90 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6716 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 974BD1C330F60C48087D2F1BF259B4BF C MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3268 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7D931FF378BB0B801383919D978EEAE0 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3652 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 74644EEC4A25804F6BC0B9ED2A06AE76 MD5: E5DA170027542E25EDE42FC54C929077)

taskkill.exe (PID: 4336 cmdline: taskkill.exe /f /im DisplayLinkTrayApp.exe /im DisplayLinkUI.exe /t MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)

conhost.exe (PID: 4736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 3744 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 23A62B8C91BCD058BBC9425B5A3E0538 E Global\MSI0000 MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4984 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3AE1FDA64AA5ECDB06105BC78B949EB3 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

drvinst.exe (PID: 6384 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{073afcc1-74b6-014d-a1ff-5f367b711623}\dlusbaudio.inf" "9" "7d2fb252b" "00000000000000D4" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\DisplayLink Core Software\Drivers" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

drvinst.exe (PID: 4204 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{45f50a8f-b0eb-b54b-a38a-d204d968e6fa}\dlcdcncm.inf" "9" "72d21657f" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "C:\Program Files\DisplayLink Core Software\Drivers" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\DisplayLink Core Software\DisplayLinkTrayApp.exe" -basicMode, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 4872, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DisplayLinkTrayApp

Sigma detected: Suspicious Execution From GUID Like Folder Names

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe" /i C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkIDD.msi /lv C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG AI_EUIMSI=1 APPDIR="C:\Program Files\DisplayLink Core Software" M_DIR="C:\ProgramData\Microsoft" SECONDSEQUENCE="1" CLIENTPROCESSID="6296" AI_MORE_CMD_LINE=1, CommandLine: "C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe" /i C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkIDD.msi /lv C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG AI_EUIMSI=1 APPDIR="C:\Program Files\DisplayLink Core Software" M_DIR="C:\ProgramData\Microsoft" SECONDSEQUENCE="1" CLIENTPROCESSID="6296" AI_MORE_CMD_LINE=1, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe, ParentCommandLine: DL6C3C.exe /exelang 2057 DL_INSTALL_AUDIO=Yes DL_NO_EULA=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{82526EEF-64FA-465A-9900-592AA20D44BD}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6D95.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror0 DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_VMM_FIRMWARE_INCLUDED="No" DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG", ParentImage: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe, ParentProcessId: 6296, ParentProcessName: DL6C3C.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe" /i C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkIDD.msi /lv C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG AI_EUIMSI=1 APPDIR="C:\Program Files\DisplayLink Core Software" M_DIR="C:\ProgramData\Microsoft" SECONDSEQUENCE="1" CLIENTPROCESSID="6296" AI_MORE_CMD_LINE=1, ProcessId: 6748, ProcessName: DL6C3C.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses 32bit PE files

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\End User Licence Agreement_EN.rtf
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\AddOnApi64.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\RunAfterMsiexec.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\3rd_party_licences.txt
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\dl.ico
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\DisplayLinkTrayApp.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlcdcncm.cat
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlcdcncm.inf
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlcdcncm660.sys
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb.cat
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb.inf
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb2.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb3.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb4.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlusbaudio.cat
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlusbaudio.inf
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlusbaudio.sys
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlusbaudio_x64.sys
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\ella-dock-release.spkg
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\firefly-monitor-release.spkg
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\navarro-dock-release.spkg
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\ridge-dock-release.spkg

Creates install or setup log file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\INF\setupapi.app.log

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File created: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\End User Licence Agreement_EN.rtf
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\DisplayLink Core Software\End User Licence Agreement_EN.rtf

PE / OLE file has a valid certificate

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: z:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: x:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: v:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: t:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: r:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: p:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: n:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: l:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: j:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: h:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: f:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: b:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: y:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: w:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: u:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: s:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: q:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: o:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: m:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: k:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: i:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: g:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: e:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: c:
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: a:

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackgroundGray.bmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user\AppData\Local

Networking

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: unknown

DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

System Summary

Creates driver files

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe

File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM_W10\ARM64\dlcdcncm660.sys

Creates files inside the driver directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{cece1d3f-e74a-f249-88a0-1b90332bb107}

Creates files inside the system directory

Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	File created: C:\Windows\INF\oem0.PNF
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	File created: C:\Windows\INF\oem1.PNF
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	File created: C:\Windows\INF\oem3.PNF
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\44e40c.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE62F.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE67E.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8D0.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE92F.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE99E.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE9CD.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA2C.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEA8B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEAF9.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEB39.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEB69.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEB89.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEBA9.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEF06.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEF26.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEF75.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFA15.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFA64.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFAB3.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFB50.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFBBF.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC4C.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC9B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFD87.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFDB7.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFEC1.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI26C.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI328.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI377.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\controlPanelIcon.exe
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5BA.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI60A.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI639.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBF7.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB538.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\INF\setupapi.app.log
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\dlusbaudio.inf_amd64_a428131a0367c25a
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIE62F.tmp

PE file contains executable resources (Code or Archives)

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Resource name: EXE type: PE32 executable (console) Intel 80386, for MS Windows
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Resource name: EXE type: Microsoft Cabinet archive data, many, 2407 bytes, 3 files, at 0x44 +A "AddProduct.reg" +A "ImportSettings.reg", flags 0x4, ID 4937, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression

Uses 32bit PE files

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus29.evad.winEXE@26/93@1/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files\DisplayLink Core Software

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DisplayLinkSetupPrevInstanceDetector

Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

File created: C:\Users\user\AppData\Local\Temp\DLSD610.log

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe "C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe"
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe "C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\"
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe "C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe" -y -o"C:\Users\user\AppData\Local\Temp\DL2.tmp\"
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe DL6C3C.exe /exelang 2057 DL_INSTALL_AUDIO=Yes DL_NO_EULA=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{82526EEF-64FA-465A-9900-592AA20D44BD}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6D95.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror0 DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_VMM_FIRMWARE_INCLUDED="No" DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 94024F9F8BD1D3638DCAEE8B74C7EA90 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 974BD1C330F60C48087D2F1BF259B4BF C
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe DL6C3C.exe /exelang 2057 DL_INSTALL_AUDIO=Yes DL_NO_EULA=Yes DL_PROMOTE_STORE_APP=Yes DL_PRODUCT_NAME="DisplayLink Graphics" DL_BRANDING_UPGRADE_CODE="{78A36ACD-80D5-490f-B4C4-83D7FCC08391}" DL_BRANDING_PRODUCT_CODE="{82526EEF-64FA-465A-9900-592AA20D44BD}" DL_BRANDING_CAB="C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6D95.tmp" DL_BRANDING_NEW_DEVICE_ACTIVITY=mirror0 DL_ID_USBDRIVER_PATH="C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64" DL_HOTDESK_SERVICE="No" DL_INSTALL_ANALYTICS=Yes DL_VMM_FIRMWARE_INCLUDED="No" DL_TEMP_DIR="C:\Users\user\AppData\Local\Temp\DL2.tmp\" /lv "C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 94024F9F8BD1D3638DCAEE8B74C7EA90 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 974BD1C330F60C48087D2F1BF259B4BF C
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe "C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe" /i C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkIDD.msi /lv C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG AI_EUIMSI=1 APPDIR="C:\Program Files\DisplayLink Core Software" M_DIR="C:\ProgramData\Microsoft" SECONDSEQUENCE="1" CLIENTPROCESSID="6296" AI_MORE_CMD_LINE=1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7D931FF378BB0B801383919D978EEAE0
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 74644EEC4A25804F6BC0B9ED2A06AE76
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /f /im DisplayLinkTrayApp.exe /im DisplayLinkUI.exe /t
Source: C:\Windows\System32\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 23A62B8C91BCD058BBC9425B5A3E0538 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3AE1FDA64AA5ECDB06105BC78B949EB3 E Global\MSI0000
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe "C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe" /i C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkIDD.msi /lv C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG AI_EUIMSI=1 APPDIR="C:\Program Files\DisplayLink Core Software" M_DIR="C:\ProgramData\Microsoft" SECONDSEQUENCE="1" CLIENTPROCESSID="6296" AI_MORE_CMD_LINE=1
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{073afcc1-74b6-014d-a1ff-5f367b711623}\dlusbaudio.inf" "9" "7d2fb252b" "00000000000000D4" "WinSta0\Default" "0000000000000178" "208" "C:\Program Files\DisplayLink Core Software\Drivers"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7D931FF378BB0B801383919D978EEAE0
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 74644EEC4A25804F6BC0B9ED2A06AE76
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 23A62B8C91BCD058BBC9425B5A3E0538 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3AE1FDA64AA5ECDB06105BC78B949EB3 E Global\MSI0000
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{45f50a8f-b0eb-b54b-a38a-d204d968e6fa}\dlcdcncm.inf" "9" "72d21657f" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "C:\Program Files\DisplayLink Core Software\Drivers"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\taskkill.exe taskkill.exe /f /im DisplayLinkTrayApp.exe /im DisplayLinkUI.exe /t

Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: devobj.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: spinf.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: devrtl.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: drvstore.dll
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: lpk.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msihnd.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msiso.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: mshtml.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: jscript9.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msimtf.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: d2d1.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: lpk.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msihnd.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: tsappcmp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: spinf.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\End User Licence Agreement_EN.rtf
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\AddOnApi64.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\RunAfterMsiexec.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\3rd_party_licences.txt
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\dl.ico
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\DisplayLinkTrayApp.exe
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlcdcncm.cat
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlcdcncm.inf
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlcdcncm660.sys
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb.cat
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb.inf
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb2.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb3.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlidusb4.dll
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlusbaudio.cat
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlusbaudio.inf
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlusbaudio.sys
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\dlusbaudio_x64.sys
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\ella-dock-release.spkg
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\firefly-monitor-release.spkg
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\navarro-dock-release.spkg
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\DisplayLink Core Software\Drivers\ridge-dock-release.spkg

PE / OLE file has a valid certificate

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Static PE information: certificate valid

PE file has a big code size

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Static file information: File size 66460600 > 1048576

PE file has a big raw section

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x151600
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x3da9a00

PE file contains a mix of data directories often seen in goodware

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

PE file contains a valid data directory to section mapping

Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Creates processes with suspicious names

Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	File created: \displaylink usb graphics software for windows11.5 m1-exe.exe
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	File created: \displaylink usb graphics software for windows11.5 m1-exe.exe
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	File created: \displaylink usb graphics software for windows11.5 m1-exe.exe
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	File created: \displaylink usb graphics software for windows11.5 m1-exe.exe

Drops PE files

Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\cl_5963.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEF75.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\FileOperations.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File created: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkDriverSwapService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File created: C:\Users\user\AppData\Local\Temp\shi8D41.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9096.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio_x64.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\DisplayLink Core Software\AddOnApi64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File created: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\decoder.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM_W10\x64\dlcdcncm660.sys	Jump to dropped file
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC9B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\tempFiles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File created: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkHotDeskService.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\DisplayLink Core Software\RunAfterMsiexec.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\DisplayLink Core Software\DisplayLinkTrayApp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	File created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb3.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIEF75.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFC9B.tmp			Jump to dropped file

Creates install or setup log file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\INF\setupapi.app.log

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File created: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\End User Licence Agreement_EN.rtf
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\DisplayLink Core Software\End User Licence Agreement_EN.rtf

Boot Survival

Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DisplayLinkTrayApp
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DisplayLinkTrayApp

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Section loaded: OutputDebugStringW count: 322
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: OutputDebugStringW count: 871
Source: C:\Windows\System32\msiexec.exe	Section loaded: OutputDebugStringW count: 488

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Memory allocated: 7390000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Memory allocated: 8270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Memory allocated: 8340000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Memory allocated: 8990000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Memory allocated: 79D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Memory allocated: 88D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Memory allocated: 79F0000 memory commit \| memory reserve \| memory write watch

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cl_5963.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIEF75.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\FileOperations.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkDriverSwapService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi8D41.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\lzmaextractor.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb4.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio_x64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9096.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\DisplayLink Core Software\AddOnApi64.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\decoder.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM_W10\x64\dlcdcncm660.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFC9B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\tempFiles.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkHotDeskService.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\DisplayLink Core Software\RunAfterMsiexec.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\DisplayLink Core Software\DisplayLinkTrayApp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD} FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackgroundGray.bmp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	File opened: C:\Users\user\AppData\Local

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe

Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe "C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe" /i C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkIDD.msi /lv C:\Users\user\AppData\Local\Temp\DLC6CDE.LOG AI_EUIMSI=1 APPDIR="C:\Program Files\DisplayLink Core Software" M_DIR="C:\ProgramData\Microsoft" SECONDSEQUENCE="1" CLIENTPROCESSID="6296" AI_MORE_CMD_LINE=1

Uses taskkill to terminate processes

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\System32\taskkill.exe taskkill.exe /f /im DisplayLinkTrayApp.exe /im DisplayLinkUI.exe /t

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe dl6c3c.exe /exelang 2057 dl_install_audio=yes dl_no_eula=yes dl_promote_store_app=yes dl_product_name="displaylink graphics" dl_branding_upgrade_code="{78a36acd-80d5-490f-b4c4-83d7fcc08391}" dl_branding_product_code="{82526eef-64fa-465a-9900-592aa20d44bd}" dl_branding_cab="c:\users\user\appdata\local\temp\dl2.tmp\dl6d95.tmp" dl_branding_new_device_activity=mirror0 dl_id_usbdriver_path="c:\users\user\appdata\local\temp\dl2.tmp\dlidusb\x64" dl_hotdesk_service="no" dl_install_analytics=yes dl_vmm_firmware_included="no" dl_temp_dir="c:\users\user\appdata\local\temp\dl2.tmp\" /lv "c:\users\user\appdata\local\temp\dlc6cde.log"
Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe dl6c3c.exe /exelang 2057 dl_install_audio=yes dl_no_eula=yes dl_promote_store_app=yes dl_product_name="displaylink graphics" dl_branding_upgrade_code="{78a36acd-80d5-490f-b4c4-83d7fcc08391}" dl_branding_product_code="{82526eef-64fa-465a-9900-592aa20d44bd}" dl_branding_cab="c:\users\user\appdata\local\temp\dl2.tmp\dl6d95.tmp" dl_branding_new_device_activity=mirror0 dl_id_usbdriver_path="c:\users\user\appdata\local\temp\dl2.tmp\dlidusb\x64" dl_hotdesk_service="no" dl_install_analytics=yes dl_vmm_firmware_included="no" dl_temp_dir="c:\users\user\appdata\local\temp\dl2.tmp\" /lv "c:\users\user\appdata\local\temp\dlc6cde.log"
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe "c:\users\user\appdata\local\temp\dl2.tmp\dl6c3c.exe" /i c:\users\user\appdata\local\temp\{34cd39a3-d094-47b4-86f9-5bc6461cc0ad}\61cc0ad\displaylinkidd.msi /lv c:\users\user\appdata\local\temp\dlc6cde.log ai_euimsi=1 appdir="c:\program files\displaylink core software" m_dir="c:\programdata\microsoft" secondsequence="1" clientprocessid="6296" ai_more_cmd_line=1
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Process created: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe "c:\users\user\appdata\local\temp\dl2.tmp\dl6c3c.exe" /i c:\users\user\appdata\local\temp\{34cd39a3-d094-47b4-86f9-5bc6461cc0ad}\61cc0ad\displaylinkidd.msi /lv c:\users\user\appdata\local\temp\dlc6cde.log ai_euimsi=1 appdir="c:\program files\displaylink core software" m_dir="c:\programdata\microsoft" secondsequence="1" clientprocessid="6296" ai_more_cmd_line=1

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackgroundGray.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackground.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\publicSoftwareBanner.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDoing.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDoing.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackgroundGray.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\publicSoftwareBanner.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDoing.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackgroundGray.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackground.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\publicSoftwareBanner.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDoing.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDoing.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackgroundGray.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackground.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\publicSoftwareBanner.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlProgress.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDoing.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{cece1d3f-e74a-f249-88a0-1b90332bb107}\dlusbaudio.cat VolumeInformation

Source: C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	32 Masquerading	OS Credential Dumping	111 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	111 Virtualization/Sandbox Evasion	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	0%	ReversingLabs
DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM_W10\x64\dlcdcncm660.sys	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLCDCNCM_W10\x64\dlcdcncm660.sys	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb2.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb4.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\x64\dlidusb4.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\DLUSBAUDIO\dlusbaudio_x64.sys	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\additional.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\FileOperations.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\lzmaextractor.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\tempFiles.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\DL2.tmp\DL6C3C.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9096.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\cl_5963.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\shi8D41.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\decoder.dll	0%	ReversingLabs
C:\Program Files\DisplayLink Core Software\AddOnApi64.dll	0%	ReversingLabs
C:\Program Files\DisplayLink Core Software\DisplayLinkTrayApp.exe	0%	ReversingLabs
C:\Program Files\DisplayLink Core Software\RunAfterMsiexec.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkDriverSwapService.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}\61CC0AD\DisplayLinkHotDeskService.exe	0%	ReversingLabs
C:\Windows\Installer\MSIEF75.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIFC9B.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
206.23.85.13.in-addr.arpa	unknown	unknown	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538410
Start date and time:	2024-10-21 08:51:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe
Detection:	SUS
Classification:	sus29.evad.winEXE@26/93@1/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: C:\Users\user\AppData\Local\Temp\DL2.tmp\DLIDUSB\ARM64\dlidusb3.dll

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	11108705
Entropy (8bit):	6.4342482001436085
Encrypted:	false
SSDEEP:
MD5:	CCDA91CF3D8248F50C0961750E796126
SHA1:	81262FFC0269602896F28116B4A08E200EFF589C
SHA-256:	1232BBBEDFA512230E2C287B7B3388518EDF1C29AA9353DE74B3FAC2B6850473
SHA-512:	49ACEA26EFCCE7AB1464E154A2B2CBA849E667DAA583C719532393B8B6B60FB79022407C12DB63A70F7C7606DE76A7A570CEC315AF0C28017930EC1629E05EF0
Malicious:	false
Reputation:	unknown
Preview:	...@IXOS.@.....@..UY.@.....@.....@.....@.....@.....@......&.{34CD39A3-D094-47B4-86F9-5BC6461CC0AD}..DisplayLink Graphics..DisplayLinkIDD.msi.@.....@K....@.....@......controlPanelIcon.exe..&.{58E52469-F55E-445A-A4F9-A0EE0C20EE2E}.....@.....@.....@.....@.......@.....@.....@.......@......DisplayLink Graphics......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ClearStoredProperties....AI_RemoveAllTempFilesL...AI_RemoveAllTempFiles.@.......-..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........y.L..VL..VL..V...WA..V...W..V...WZ..V,..W]..V,..W[..V,..W...V...WN..V...WC..VL..V..V(..W\..V(..WM..V(..VM..VL..VM..V(..WM..VRichL..V........................PE..L...\|..b.........."!... ............N........................................@......\.....@.................................x...<........................#... ..........p...........................8...@.........................

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	89
Entropy (8bit):	1.518622607788485
Encrypted:	false
SSDEEP:
MD5:	6F3C76DA7405563DE2A122209ADAEEC8
SHA1:	552B61ED12BC40967ED7F66C95D31985116C4A0D
SHA-256:	EE2B960AFA4E2D88096363CA64FA670B8EE8793687A2C1E0F5C2C3B569227990
SHA-512:	641C783FFF042DBCC82CEB4F39446F79278D2A0AC2FE826528951BB955DB90591B70FB39903E25C401F584687D3EB9858E566BC87C7827FDD78DEE9AE529BB7F
Malicious:	false
Reputation:	unknown
Preview:	........C.:.\...........................C.:.\.....D.:.\...........................D.:.\..

Process:	C:\Users\user\Desktop\DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18112968
Entropy (8bit):	5.48477756514338
Encrypted:	false
SSDEEP:
MD5:	3A6406BA15C24660FD43A91B81E6AB45
SHA1:	23CDA8561C5FB81359B9A713D9838A831F88BADC
SHA-256:	0F697EF6C4289D9416D49E87D5BF9CB5A9D64D65B850F1E203498EED1F109E8F
SHA-512:	B6DCE965EC6C440CB89E9DDDC973D313CF3887F672B75282C2EEBFA09C8EB55E01523EF7A33A82A1CA4535642F97F35F35C26F00CBDB7FE72E0DBD741A7CEA15
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w._.3.1.3.1.3.1..2.>.1..4...1..7.2.1.S.5. .1.S.2.+.1.Q.4.0.1.S.4.V.1..5.).1..0.0.1..6.2.1.3.0...1.W.8.~.1.W..2.1.3..2.1.W.3.2.1.Rich3.1.........PE..L...,..b..........".... .\|#..........Q........#...@...........................6.....R'....@...................................+.(.....,..b..........@8...)....4..h..X\|&.p....................}&.......#.@.............#.......+.`....................text....{#......\|#................. ..`.rdata..,v....#..x....#.............@..@.data...$.....,..l....+.............@....rsrc....b....,..d...d,.............@..@.reloc...h....4..j....3.............@..B................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	74042
Entropy (8bit):	5.39040855858072
Encrypted:	false
SSDEEP:
MD5:	4FE525F5DDEB513C498FBDEF066B275A
SHA1:	4CF05B518A43B39EF00BAF1EF55F7B797F509783
SHA-256:	F2ABE92D5A83C954E7AD2713BF87726F3A1253BACEB2B348D73AEAE7579F7783
SHA-512:	929DDAF8407100698396C76FD835F513B5F6C0533BFEE5C4657ECEC658C5D025AAEEC939C0FD0379C5E01EBCFEAE4ED5CDB491A73093D5A96C0D98E5DE2E6D3B
Malicious:	false
Reputation:	unknown
Preview:	CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta

Entrypoint:	0x4e4ae6
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66FBC81C [Tue Oct 1 09:59:56 2024 UTC]
TLS Callbacks:	0x4e5326, 0x4e523d
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	46278352cc455ded9a38a4a9c8364e52

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	09/09/2024 02:00:00 01/10/2025 01:59:59
Subject Chain	CN=DISPLAYLINK (UK) LIMITED, O=DISPLAYLINK (UK) LIMITED, L=Cambridge, C=GB, SERIALNUMBER=04811048, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
Version:	3
Thumbprint MD5:	BABCCB0C2383D1B78CADAFE4A1FC7947
Thumbprint SHA-1:	14EDE26FC7CBDC2FBF6EAE710FC2C71044064D94
Thumbprint SHA-256:	219E11BD84617E4F230007438BC6FD1C870767DFB3BE57A1E0EBBCC241F1865A
Serial:	06DE742C7403D806990BAF658E1364BC

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19f8e4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b4000	0x3da9921	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3f5f200	0x29b8	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f5e000	0x11220	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x176f70	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x176fe0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1700a0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x153000	0x4d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x19f568	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15147a	0x151600	3ac5ae97dc10d1daf0e2a33b22015dd8	False	0.4584495993886625	data	6.473959204257922	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x153000	0x4e644	0x4e800	a9ef1f0445e53629e90c9b5d78b963dd	False	0.3912781150477707	data	5.058407048212059	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a2000	0x1175c	0x4200	d8854f601fbf78299ec241a9d2dd1425	False	0.16927083333333334	data	4.222343272253959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1b4000	0x3da9921	0x3da9a00	eb9d149f3207736b3b0327096eb58fa4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3f5e000	0x11220	0x11400	fe615aaf7741378afbb233c2905a3123	False	0.5677932518115942	data	6.579172551273885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
EXE	0x1b4a14	0x24	ASCII text, with no line terminators			1.2222222222222223
EXE	0x1b4a38	0x1b8	data			0.2772727272727273
EXE	0x1b4bf0	0x1a91678	PE32 executable (console) Intel 80386, for MS Windows			0.9189538955688477
EXE	0x1c46268	0x1105be0	PE32 executable (GUI) Intel 80386, for MS Windows			0.4041585922241211
EXE	0x2d4be48	0x11461c8	PE32 executable (GUI) Intel 80386, for MS Windows			0.4041585922241211
EXE	0x3e92010	0x330f	Microsoft Cabinet archive data, many, 2407 bytes, 3 files, at 0x44 +A "AddProduct.reg" +A "ImportSettings.reg", flags 0x4, ID 4937, number 1, extra bytes 20 in head, 1 datablock, 0x1 compression			0.7892280621222554
RT_BITMAP	0x3e95320	0x1714c	Device independent bitmap graphic, 500 x 63 x 24, image size 0, resolution 3780 x 3780 px/m			0.08170086735773217
RT_ICON	0x3eac46c	0x32028	Device independent bitmap graphic, 256 x 512 x 24, image size 196608			0.023965045889474713
RT_ICON	0x3ede494	0xc828	Device independent bitmap graphic, 128 x 256 x 24, image size 49152			0.04420374707259953
RT_ICON	0x3eeacbc	0x70a8	Device independent bitmap graphic, 96 x 192 x 24, image size 27648			0.05554785020804438
RT_ICON	0x3ef1d64	0x4ee8	Device independent bitmap graphic, 80 x 160 x 24, image size 19200			0.0654950495049505
RT_ICON	0x3ef6c4c	0x4048	Device independent bitmap graphic, 72 x 144 x 24, image size 15552			0.07571706368497812
RT_ICON	0x3efac94	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12288			0.12889408099688474
RT_ICON	0x3efdebc	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 6912			0.11941112322791712
RT_ICON	0x3effb64	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3072			0.14598765432098765
RT_ICON	0x3f0080c	0x748	Device independent bitmap graphic, 24 x 48 x 24, image size 1728			0.2140557939914163
RT_ICON	0x3f00f54	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 768			0.24426605504587157
RT_ICON	0x3f012bc	0x32028	Device independent bitmap graphic, 256 x 512 x 24, image size 196608			0.023965045889474713
RT_ICON	0x3f332e4	0xc828	Device independent bitmap graphic, 128 x 256 x 24, image size 49152			0.04420374707259953
RT_ICON	0x3f3fb0c	0x70a8	Device independent bitmap graphic, 96 x 192 x 24, image size 27648			0.05554785020804438
RT_ICON	0x3f46bb4	0x4ee8	Device independent bitmap graphic, 80 x 160 x 24, image size 19200			0.0654950495049505
RT_ICON	0x3f4ba9c	0x4048	Device independent bitmap graphic, 72 x 144 x 24, image size 15552			0.07571706368497812
RT_ICON	0x3f4fae4	0x3228	Device independent bitmap graphic, 64 x 128 x 24, image size 12288			0.12889408099688474
RT_ICON	0x3f52d0c	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 6912			0.11941112322791712
RT_ICON	0x3f549b4	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3072			0.14598765432098765
RT_ICON	0x3f5565c	0x748	Device independent bitmap graphic, 24 x 48 x 24, image size 1728			0.2140557939914163
RT_ICON	0x3f55da4	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 768			0.24426605504587157
RT_DIALOG	0x3f5610c	0xb8	data			0.7282608695652174
RT_STRING	0x3f561c4	0x112	data			0.6204379562043796
RT_STRING	0x3f562d8	0x41e	data			0.38330170777988615
RT_STRING	0x3f566f8	0x3bc	data			0.4205020920502092
RT_STRING	0x3f56ab4	0x43a	data			0.4075785582255083
RT_STRING	0x3f56ef0	0x44c	data			0.4163636363636364
RT_STRING	0x3f5733c	0x43c	data			0.3763837638376384
RT_STRING	0x3f57778	0x50c	data			0.3684210526315789
RT_STRING	0x3f57c84	0x4d0	data			0.42207792207792205
RT_STRING	0x3f58154	0x456	data			0.3792792792792793
RT_STRING	0x3f585ac	0x3a0	data			0.41810344827586204
RT_STRING	0x3f5894c	0x4ba	data			0.36198347107438017
RT_STRING	0x3f58e08	0x456	data			0.41621621621621624
RT_STRING	0x3f59260	0x47a	data			0.37085514834205935
RT_STRING	0x3f596dc	0x2ac	data			0.5818713450292398
RT_STRING	0x3f59988	0x2d0	data			0.5972222222222222
RT_STRING	0x3f59c58	0x468	data			0.3723404255319149
RT_STRING	0x3f5a0c0	0x4c2	data			0.39901477832512317
RT_STRING	0x3f5a584	0x46a	data			0.3805309734513274
RT_STRING	0x3f5a9f0	0x476	data			0.4246935201401051
RT_STRING	0x3f5ae68	0x49e	data			0.3824027072758037
RT_STRING	0x3f5b308	0x418	data			0.42366412213740456
RT_STRING	0x3f5b720	0x442	data			0.3587155963302752
RT_STRING	0x3f5bb64	0x424	data			0.41509433962264153
RT_STRING	0x3f5bf88	0x42c	data			0.36891385767790263
RT_STRING	0x3f5c3b4	0x436	data			0.4044526901669759
RT_STRING	0x3f5c7ec	0x442	data	Norwegian	Norway	0.38256880733944953
RT_STRING	0x3f5cc30	0x1d2	data	Chinese	China	0.6223175965665236
RT_STRING	0x3f5ce04	0x20c	data			0.6240458015267175
RT_RCDATA	0x3f5d010	0x128	data			0.6993243243243243
RT_GROUP_ICON	0x3f5d138	0x92	data			0.6986301369863014
RT_GROUP_ICON	0x3f5d1cc	0x92	data			0.6986301369863014
RT_VERSION	0x3f5d260	0x384	data			0.45
RT_MANIFEST	0x3f5d5e4	0x33d	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (769), with CRLF line terminators	English	United States	0.5331724969843185

DLL	Import
COMCTL32.dll
KERNEL32.dll	ResetEvent, WaitForMultipleObjects, FormatMessageA, WideCharToMultiByte, GetEnvironmentVariableW, GetCurrentDirectoryW, CreateDirectoryW, DeleteFileW, FlushFileBuffers, GetFileAttributesW, GetFileInformationByHandle, GetFileTime, GetFullPathNameW, RemoveDirectoryW, SetEndOfFile, SetFileAttributesW, SetFilePointerEx, DeviceIoControl, CreateDirectoryExW, CopyFileExW, AreFileApisANSI, MultiByteToWideChar, FindResourceExW, IsValidLocale, GetUserDefaultUILanguage, Process32Next, Process32First, CreateToolhelp32Snapshot, GetSystemInfo, SetEvent, GetBinaryTypeW, GetModuleHandleW, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, SetCurrentDirectoryW, OutputDebugStringW, MoveFileExW, SizeofResource, CreateMutexW, GetLastError, LockResource, WriteConsoleW, HeapSize, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, ResumeThread, SetThreadPriority, GetCurrentThread, CreateThread, Sleep, FormatMessageW, GetLocalTime, GetCurrentThreadId, RaiseException, IsDebuggerPresent, OutputDebugStringA, FindNextFileA, FindFirstFileA, GetModuleHandleA, GetModuleFileNameA, GetTempPathA, CreateFileW, CreateFileA, GetTickCount, QueryPerformanceFrequency, QueryPerformanceCounter, VerifyVersionInfoW, IsWow64Process, GetProductInfo, GetVersionExA, VerSetConditionMask, LocalFree, LocalAlloc, LoadLibraryExA, GetModuleHandleExW, GetModuleFileNameW, FreeLibrary, GetSystemWow64DirectoryW, GetSystemWindowsDirectoryW, GetSystemDirectoryW, OpenProcess, GetCurrentProcessId, GetCurrentProcess, WaitForSingleObject, CloseHandle, FindNextFileW, FindFirstFileW, FindClose, SetLastError, GetProcAddress, FindResourceW, LoadResource, InitializeCriticalSection, SetStdHandle, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindFirstFileExW, HeapReAlloc, ReadConsoleW, EnumSystemLocalesW, GetUserDefaultLCID, GetTimeFormatW, GetDateFormatW, GetConsoleMode, GetConsoleCP, GetTimeZoneInformation, GetFileSizeEx, GetFileType, HeapAlloc, HeapFree, ExitProcess, ReadFile, VirtualQuery, RtlUnwind, LoadLibraryW, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, TryEnterCriticalSection, InterlockedPushEntrySList, InterlockedPopEntrySList, ReleaseSemaphore, DuplicateHandle, VirtualFree, VirtualProtect, VirtualAlloc, FreeLibraryAndExitThread, GetThreadTimes, UnregisterWait, GetStdHandle, GetTempFileNameW, GetTempPathW, GetExitCodeProcess, CreateProcessW, CopyFileW, MoveFileW, FileTimeToSystemTime, GetVersionExW, LoadLibraryExW, IsBadReadPtr, IsBadWritePtr, IsBadStringPtrW, CreateEventW, WriteFile, GetStringTypeW, WaitForSingleObjectEx, SwitchToThread, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, EncodePointer, DecodePointer, GetCPInfo, CompareStringW, LCMapStringW, GetLocaleInfoW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, GetStartupInfoW, InitializeSListHead, CreateTimerQueue, SignalObjectAndWait, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject
USER32.dll	SetCursor, MessageBoxW, GetMessageW, CreateDialogParamW, PostMessageW, GetWindowRect, DestroyWindow, SetWindowPos, SetWindowTextW, ShowWindow, GetDesktopWindow, SendMessageW, IsWindow, GetSystemMetrics, SendNotifyMessageW, LoadCursorW, GetDlgItem, TranslateMessage, CopyRect, OffsetRect, DispatchMessageW, IsDialogMessageW
ADVAPI32.dll	SetThreadToken, RegEnumValueW, RegEnumKeyA, InitiateSystemShutdownA, StartServiceA, QueryServiceConfigA, DeleteService, ControlService, ConvertStringSecurityDescriptorToSecurityDescriptorA, QueryServiceStatusEx, RegEnumKeyW, RegDeleteValueW, GetUserNameW, CreateProcessAsUserW, OpenThreadToken, RegEnumValueA, RegEnumKeyExA, RegDeleteKeyA, RegOpenCurrentUser, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegDeleteValueA, RegCreateKeyExA, RegOpenKeyExW, RegOpenUserClassesRoot, ConvertSecurityDescriptorToStringSecurityDescriptorW, ConvertStringSidToSidA, ConvertSidToStringSidA, SetSecurityInfo, GetSecurityInfo, SetEntriesInAclA, OpenServiceA, OpenSCManagerA, CreateServiceW, CloseServiceHandle, RegSetValueExW, RegQueryValueExW, RegCreateKeyExW, RegCloseKey, LookupPrivilegeValueA, LookupAccountSidA, RevertToSelf, ImpersonateLoggedOnUser, GetTokenInformation, GetLengthSid, DuplicateTokenEx, DuplicateToken, CopySid, AdjustTokenPrivileges, OpenProcessToken, AllocateAndInitializeSid, FreeSid, CheckTokenMembership
SETUPAPI.dll	SetupDiCallClassInstaller, SetupDiEnumDeviceInfo, SetupDiGetClassDevsA, CM_Get_Sibling, SetupDiGetDeviceInstallParamsA, SetupCopyOEMInfW, SetupDiGetINFClassW, SetupGetInfFileListW, SetupDiClassNameFromGuidW, CM_Locate_DevNodeA, CM_Get_DevNode_Registry_PropertyA, CM_Get_Child, SetupDiSetDeviceInstallParamsA, SetupDiOpenDevRegKey, SetupDiGetDeviceInterfaceDetailA, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInstanceIdA, SetupDiGetDeviceRegistryPropertyA, SetupDiDeleteDevRegKey, SetupDiRemoveDevice, SetupDiGetClassDevsW, SetupDiDestroyDriverInfoList, SetupDiEnumDriverInfoA, SetupDiBuildDriverInfoList, SetupDiGetDeviceInstanceIdW, SetupDiGetDeviceRegistryPropertyW, SetupDiDestroyDeviceInfoList, CM_Get_DevNode_Status, CM_Get_Device_IDA, SetupDiClassGuidsFromNameA, SetupDiSetClassInstallParamsA
SHLWAPI.dll	SHCopyKeyA, SHGetValueW, SHDeleteKeyA
SHELL32.dll	SHFileOperationW, ShellExecuteW
ole32.dll	CoCreateGuid, StringFromGUID2

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

C:\Config.Msi\44e40d.rbs

C:\Program Files\DisplayLink Core Software\AddOnApi64.dll

C:\Program Files\DisplayLink Core Software\DisplayLinkTrayApp.exe

C:\Program Files\DisplayLink Core Software\End User Licence Agreement_EN.rtf

C:\Program Files\DisplayLink Core Software\RunAfterMsiexec.exe

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\FileOperations.dll

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\New

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\Up

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\banner.jpg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\cmdlinkarrow

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\completi

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\custicon

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialog.jpg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackground.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dialogBackgroundGray.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlImageButton.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\dlProgress.png

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\exclamic

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\info

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\insticon

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\lzmaextractor.dll

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\publicSoftwareBanner.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDoing.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDoing.svg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioDone.svg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioError.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioError.svg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.bmp

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioPending.svg

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\radioWaiting.gif

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\removico

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\repairic

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\tabback

C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_6296\tempFiles.dll

Windows Analysis Report
DisplayLink USB Graphics Software for Windows11.5 M1-EXE.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre