File name: Wireless_AutoSwitch_XPV.1.5.7.4.msi

Full analysis: https://app.any.run/tasks/4ae87b0a-94fd-4c70-a272-948278f249bb
Verdict: Malicious activity
Analysis date: August 08, 2023, 13:30:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Keywords: Installer,MSI,Database, Code page: 1252, Name of Creating Application: MakeMsi version 22.121, a free tool by Dennis Bareis (http://dennisbareis.com/makemsi.htm), Security: 0, Revision Number: {3C5F3653-7418-4BB7-88F4-B05F964C129C}, Template: Intel;1033, Number of Pages: 110, Title: Wireless AutoSwitch XPV, Subject: 1.5.7.4 (created Tue Jan 24 2023 at 11:41:53am), Number of Words: 2, Create Time/Date: Tue Jan 24 16:42:01 2023, Total Editing Time: Tue Jan 24 16:42:01 2023, Comments: Wireless AutoSwitch XPV, Author: Sase Sham, Inc., Last Saved By: Sase Sham, Inc.
MD5: 36C443162D63A82070AA3E3B2C5BF7B5
SHA1: 0D79047D6D530EDF6A0E70AA8754612E640D85BF
SHA256: 8C841EB4C765E8BD71CEAFFCD618A275B5DC3FCB48C65DDCC77CFE9BC73C9BB3
SSDEEP: 49152:J/PXtY5Akhd0LVSUl3zaYQNQiJx4YD6pdfFl7YTAiWl:ZtY5Ae0hS0aOgxVD2fFl7X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • msiexec.exe (PID: 1000)
    • Application was dropped or rewritten from another process

      • WrlsAutoSW.exs (PID: 3200)
      • WrlsAutoSW Toggle.exe (PID: 3572)
    • Loads dropped or rewritten executable

      • WrlsAutoSW.exs (PID: 3200)
      • WrlsAutoSW Toggle.exe (PID: 3572)
      • regsvr32.exe (PID: 3736)
  • SUSPICIOUS

    • Executes as Windows Service

      • WrlsAutoSW.exs (PID: 3200)
      • VSSVC.exe (PID: 616)
  • INFO

    • The process checks LSA protection

      • VSSVC.exe (PID: 616)
      • wmpnscfg.exe (PID: 1040)
      • msiexec.exe (PID: 1000)
      • msiexec.exe (PID: 1872)
      • WrlsAutoSW.exs (PID: 3200)
      • WrlsAutoSW Toggle.exe (PID: 3572)
    • Reads the computer name

      • WrlsAutoSW.exs (PID: 3200)
      • wmpnscfg.exe (PID: 1040)
      • msiexec.exe (PID: 1000)
      • WrlsAutoSW Toggle.exe (PID: 3572)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1000)
    • Reads the machine GUID from the registry

      • wmpnscfg.exe (PID: 1040)
      • msiexec.exe (PID: 1000)
      • WrlsAutoSW.exs (PID: 3200)
    • Checks supported languages

      • wmpnscfg.exe (PID: 1040)
      • msiexec.exe (PID: 1000)
      • WrlsAutoSW.exs (PID: 3200)
      • WrlsAutoSW Toggle.exe (PID: 3572)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1040)
      • WrlsAutoSW Toggle.exe (PID: 3572)
    • Creates files in the program directory

      • WrlsAutoSW.exs (PID: 3200)
    • Creates files or folders in the user directory

      • WrlsAutoSW Toggle.exe (PID: 3572)
    • Creates files in a temporary directory

      • msiexec.exe (PID: 1000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (79.6)
.mst | Windows SDK Setup Transform Script (9)
.msp | Windows Installer Patch (7.4)
.doc | Microsoft Word document (old ver.) (2.7)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastModifiedBy: Sase Sham, Inc.
Author: Sase Sham, Inc.
Comments: Wireless AutoSwitch XPV
TotalEditTime: 2023:01:24 16:42:01
CreateDate: 2023:01:24 16:42:01
Words: 2
Subject: 1.5.7.4 (created Tue Jan 24 2023 at 11:41:53am)
Title: Wireless AutoSwitch XPV
Pages: 110
Template: Intel;1033
RevisionNumber: {3C5F3653-7418-4BB7-88F4-B05F964C129C}
Security: None
Software: MakeMsi version 22.121, a free tool by Dennis Bareis (http://dennisbareis.com/makemsi.htm)
CodePage: Windows Latin 1 (Western European)
Keywords: Installer,MSI,Database
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes in the graph (details in the full report): msiexec.exe (two instances), wmpnscfg.exe, vssvc.exe, regsvr32.exe, wrlsautosw.exs, wrlsautosw toggle.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 616
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
PID: 1000
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1040
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
PID: 1872
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Wireless_AutoSwitch_XPV.1.5.7.4.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3200
CMD: "C:\Program Files\Wireless AutoSwitch\WrlsAutoSW.exs"
Path: C:\Program Files\Wireless AutoSwitch\WrlsAutoSW.exs
Parent process: services.exe
User: SYSTEM
Company: Sase Sham, Inc.
Integrity Level: SYSTEM
Description: WrlsAutoSW XPV
Exit code: 0
Version: 1.5.7.4
Modules (Images):
c:\program files\wireless autoswitch\wrlsautosw.exs
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
PID: 3572
CMD: "C:\Program Files\Wireless AutoSwitch\WrlsAutoSW Toggle.exe"
Path: C:\Program Files\Wireless AutoSwitch\WrlsAutoSW Toggle.exe
Parent process: explorer.exe
User: admin
Company: Sase Sham, Inc.
Integrity Level: MEDIUM
Description: WrlsAutoSW Toggle
Exit code: 0
Version: 1.3.2
Modules (Images):
c:\program files\wireless autoswitch\wrlsautosw toggle.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3736
CMD: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wireless AutoSwitch\IsLicense30.dll"
Path: C:\Windows\System32\regsvr32.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
Total events: 4 756
Read events: 4 726
Write events: 16
Delete events: 14

Modification events

Process: (1040) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{9E28AE6A-1FA4-494D-83E9-35F4866C35E3}\{554C5F18-D668-4AC6-AE2B-7CD6C3833FB7}
Operation: delete key
Name: (default)
Value:

Process: (1040) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{9E28AE6A-1FA4-494D-83E9-35F4866C35E3}
Operation: delete key
Name: (default)
Value:

Process: (1040) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{8D86A374-2CEB-4BD0-BC9F-E9C5646581D1}
Operation: delete key
Name: (default)
Value:

Process: (1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 72

Process: (1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 40000000000000008C62D6BA16B0D901C80700002C0A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Leave)
Value: 400000000000000064514ABC16B0D901C80700002C0A0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000

Process: (1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppAddInterestingComponents (Enter)
Value: 400000000000000064514ABC16B0D901C80700002C0A0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (1000) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppAddInterestingComponents (Leave)
Value: 400000000000000034645DBC16B0D901C80700002C0A0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 14
Suspicious files: 10
Text files: 3
Unknown types: 0

Dropped files

Process: msiexec.exe (PID 1000)
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:

Process: msiexec.exe (PID 1000)
Filename: C:\Program Files\Wireless AutoSwitch\WrlsAutoSWLog.txt
Type:
MD5:
SHA256:

Process: msiexec.exe (PID 1000)
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{ea91580e-0fa8-49f5-b329-82de949d7af5}_OnDiskSnapshotProp
Type: binary
MD5: 57C4739F1BE21496E70D57C304518B68
SHA256: 38612E569AA9F3F68764035972765EC1F2C2F918415D3634E8259D5B987D1CCF

Process: msiexec.exe (PID 1000)
Filename: C:\Windows\Installer\fd141.msi
Type: executable
MD5: 36C443162D63A82070AA3E3B2C5BF7B5
SHA256: 8C841EB4C765E8BD71CEAFFCD618A275B5DC3FCB48C65DDCC77CFE9BC73C9BB3

Process: msiexec.exe (PID 1000)
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: 57C4739F1BE21496E70D57C304518B68
SHA256: 38612E569AA9F3F68764035972765EC1F2C2F918415D3634E8259D5B987D1CCF

Process: msiexec.exe (PID 1000)
Filename: C:\Program Files\Wireless AutoSwitch\WrlsOn.exe
Type: executable
MD5: 27E6162FD067D4945465E09D0F380832
SHA256: 244D710AB3F450E723EDF6CA528C61C5C3542BD02EAADAF85E01334387BB2D7E

Process: msiexec.exe (PID 1000)
Filename: C:\Program Files\Wireless AutoSwitch\wbdLA44I.dll
Type: executable
MD5: 161CF63E4C819B1F111D8A1A067BA397
SHA256: B127E2920C64B5BFA855D426DA6AB42F67EE2154DB0294EB3C50496FED3D184D

Process: msiexec.exe (PID 1000)
Filename: C:\Windows\Installer\MSID410.tmp
Type: binary
MD5: A53FFF4513C5499D03346F1405084232
SHA256: 4083E65573A668558C5AF812C13112BB6169E4FCC4AC6839096A185CBD8460B8

Process: msiexec.exe (PID 1000)
Filename: C:\Users\admin\AppData\Local\Temp\~DF25815A9BC682AE9E.TMP
Type: binary
MD5: E04BE6D40CFDD12ACC2FCBE1ABE55DBC
SHA256: 1C997B3767D910E493E6544E2445589B7745112E1215059A5D2267D4E0CCF9E0

Process: msiexec.exe (PID 1000)
Filename: C:\Program Files\Wireless AutoSwitch\wrlsswV64.exe
Type: executable
MD5: CDBAE64001AC9838AF57792D4065A00C
SHA256: 0EB71D235CD74CB66171FB0C8736D5BF76A5FDCC84A6542C411F2FD70D2132F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation (Domain, ASN and CN are empty for all four connections)

PID 4, System, 192.168.100.255:137, reputation: whitelisted
PID 1088, svchost.exe, 224.0.0.252:5355, reputation: unknown
PID 4, System, 192.168.100.255:138, reputation: whitelisted
PID 3284, svchost.exe, 239.255.255.250:1900, reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info